Disclosure of Invention
The application provides an authentication method and related equipment. When no RRC connection is established between a terminal device and a network device, the information required for authentication is transmitted between them over a common channel, so that the terminal device and the network device can still authenticate each other.
A first aspect of the present application provides an authentication method: a network device receives, on an uplink common channel, a session request sent by a terminal device, where the session request asks the network device to authenticate the terminal device; the network device confirms, according to the session request, that the terminal device passes authentication; and the network device sends a session response to the terminal device on a downlink common channel, where the session response is used to instruct the terminal device to authenticate the network device.
In this method, the network device first receives the session request on the uplink common channel and can confirm from it that the terminal device passes authentication. The network device then sends the session response on the downlink common channel, and the session response lets the terminal device authenticate the network device. Thus, even when no RRC connection exists between the terminal device and the network device, the information required for authentication is carried over a common channel and mutual authentication is achieved.
In a possible implementation manner of the first aspect, the session request includes a subscription concealed identifier (SUCI) and a first response parameter.
This implementation manner specifies the parameters the session request may carry, which makes the scheme practicable.
In a possible implementation manner of the first aspect, the network device includes an access and mobility management function (AMF) and an authentication server function (AUSF), and the network device confirming that the terminal device passes authentication according to the session request includes: the AMF sends a first authentication request to the AUSF, the first authentication request including the SUCI, the first response parameter and a first random parameter that the terminal device previously received; the AUSF confirms, according to the first authentication request, that the terminal device passes authentication; the AUSF sends a first authentication response to the AMF, the first authentication response including a second random parameter, a second response parameter, an authentication token (AUTN) and a security anchor function key (Kseaf); and the AMF confirms, according to the first authentication response, that the terminal device passes authentication.
In this implementation manner, the network device authenticates the terminal device in two steps. The authentication flow is embedded in the session establishment flow and is completed with the single pair of messages that session establishment already uses on the air interface, so fewer messages are exchanged, the flow is simple, and power is saved on the terminal device.
In a possible implementation manner of the first aspect, the network device further includes a unified data management function (UDM), and the AUSF confirming that the terminal device passes authentication according to the first authentication request includes: the AUSF sends first request information to the UDM according to the first authentication request, the first request information including the first random parameter and the SUCI and instructing the UDM to send an authentication vector to the AUSF; the AUSF receives the authentication vector sent by the UDM, the authentication vector including the second random parameter, a third response parameter, a cipher key (CK), an integrity key (IK) and the AUTN; and the AUSF determines, according to the authentication vector, that the terminal device passes authentication.
This implementation manner has the same advantages as the preceding one: the two-step authentication is embedded in the session establishment flow and completed with a single pair of air-interface messages, which keeps the exchange small and saves power on the terminal device.
In a possible implementation manner of the first aspect, the session response includes the second random parameter, the AUTN and configuration information, where the configuration information instructs the terminal device to configure a session with the network device.
This implementation manner specifies the parameters the session response may carry, which makes the scheme practicable.
In a possible implementation manner of the first aspect, the session request includes the SUCI.
This implementation manner specifies the parameter the session request carries in this case, which makes the scheme practicable.
In a possible implementation manner of the first aspect, the network device confirming that the terminal device passes authentication according to the session request includes: the network device sends a second authentication request to the terminal device according to the session request, the second authentication request instructing the terminal device to authenticate the network device; the network device receives a second authentication response sent by the terminal device; and the network device confirms, according to the second authentication response, that the terminal device passes authentication.
In this implementation manner, authentication between the terminal device and the network device can be performed with no or only minor modification of the algorithms and procedures of the existing UDM and AUSF. The changes to existing network equipment are small, and the impact on the consumer-facing (2C) network is small.
A second aspect of the present application provides an authentication method: a terminal device sends a session request to a network device on an uplink common channel, where the session request asks the network device to authenticate the terminal device; and the terminal device receives a session response sent by the network device on a downlink common channel, where the session response is used to instruct the terminal device to authenticate the network device.
With this method, when no RRC connection is established between the terminal device and the network device, the information required for authentication is transmitted over a common channel, so that the two devices can still authenticate each other.
In a possible implementation manner of the second aspect, the session response includes configuration information, where the configuration information instructs the terminal device to configure a session with the network device.
In a possible implementation manner of the second aspect, the session response further includes an authentication parameter, and the method further includes the terminal device authenticating the network device according to the authentication parameter.
A third aspect of the application provides a network device comprising a processor coupled to a memory, the memory storing a computer program or instructions and the processor executing the computer program or instructions in the memory so that the method of the first aspect or any possible implementation of the first aspect is performed.
A fourth aspect of the application provides a terminal device comprising a processor coupled to a memory, the memory storing a computer program or instructions and the processor executing the computer program or instructions in the memory so that the method of the second aspect or any possible implementation of the second aspect is performed.
A fifth aspect of the present application provides a computer readable storage medium storing a program causing a method of the first aspect or any possible implementation of the first aspect to be performed.
A sixth aspect of the present application provides a computer readable storage medium storing a program causing a method of the second aspect or any possible implementation of the second aspect to be performed.
A seventh aspect of the application provides a computer program product storing one or more computer-executable instructions which, when executed by a processor, cause the method of the first aspect or any possible implementation of the first aspect to be performed.
An eighth aspect of the application provides a computer program product storing one or more computer-executable instructions which, when executed by a processor, cause the method of the second aspect or any possible implementation of the second aspect to be performed.
A ninth aspect of the application provides a chip system comprising a processor for supporting a terminal device or a network device in performing the functions involved in the above aspects, such as transmitting or processing the data and/or information involved in the above methods. In one possible design, the chip system also includes a memory holding the necessary program instructions and data. The chip system may consist of chips alone, or of chips together with other discrete devices.
The technical solutions above give the embodiments of the present application the following advantages:
The application provides an authentication method and related equipment. First, the network device receives a session request sent by the terminal device on an uplink common channel and can confirm from it that the terminal device passes authentication. Then the network device sends a session response to the terminal device on the downlink common channel, and the session response lets the terminal device authenticate the network device. Even when no RRC connection is established between the terminal device and the network device, the information required for authentication is carried over a common channel, so that authentication between the two devices is achieved.
Detailed Description
The embodiments of the present invention are described below clearly and completely with reference to the accompanying drawings. The embodiments described are only some, not all, of the embodiments of the invention. All other embodiments that a person skilled in the art obtains from these embodiments fall within the scope of protection of the invention.
The terms "first", "second", "third", "fourth" and the like in the description, the claims and the drawings, if any, are used to distinguish between similar objects and not necessarily to describe a particular sequential or chronological order. It is to be understood that objects so labelled may be interchanged where appropriate, so that the embodiments described herein can be implemented in sequences other than those illustrated or described.
In embodiments of the application, words such as "exemplary" or "such as" mean serving as an example, instance or illustration. Any embodiment or design described as "exemplary" or "such as" is not to be taken as preferred or advantageous over other embodiments or designs; rather, these words are used to present the related concepts in a concrete, readily understood fashion.
The term "and/or" in the present application merely describes an association between objects and means that three relations may exist: for example, "A and/or B" may mean that A exists alone, that A and B exist together, or that B exists alone, where A and B may be singular or plural. In the description of the present application, unless otherwise indicated, "a plurality" means two or more. "At least one of" and similar expressions mean any combination of the listed items, including any combination of single or plural items. For example, "at least one of a, b or c" may represent a, b, c, a and b, a and c, b and c, or a, b and c, where a, b and c may each be singular or plural.
The technical scheme of the embodiments of the application can be applied to various communication systems, such as a long term evolution (LTE) system, an LTE frequency division duplex (FDD) system, an LTE time division duplex (TDD) system, a fifth generation (5G) system, namely a New Radio (NR) system, or a future mobile communication system.
Compared with the LTE system, the NR system supports a larger transmission bandwidth, larger transceiver antenna arrays, a higher transmission rate and a more flexible, finer-grained scheduling mechanism, and these characteristics give the NR system a wider range of applicability.
Network security is an important function in 5G. For the radio resource control (RRC) connection procedure in the consumer-facing (2C) scenario, 5G defines its own authentication and key agreement protocol, 5G AKA, on the basis of which bidirectional authentication and data encryption are performed. Bidirectional authentication means that the network device authenticates the terminal device and the terminal device also authenticates the network device.
Fig. 1 is a schematic diagram of an embodiment of an authentication method based on RRC connection according to the present application.
In the embodiment of the application, the flow for establishing communication between the terminal device and the network device consists of three parts: a RACH access procedure, an RRC establishment procedure and a 5G AKA authentication procedure. First, the terminal device sends a random access request to the access network device and receives the random access response sent by the access network device. After confirming from the random access response that random access succeeded, the terminal device sends an RRC establishment request to the access network device. The terminal device then receives the RRC establishment response sent by the access network device and, after confirming from it that RRC establishment succeeded, starts the 5G AKA authentication procedure. The 5G AKA authentication procedure is described in detail below.
In the application, after the RRC connection is established between the terminal device and the access network device, subsequent air interface information is carried on the physical uplink shared channel (PUSCH) and the physical downlink shared channel (PDSCH). Only the authentication flow is described here.
In the present application, the network device may be a core network device, and the network device may include an access and mobility management function (AMF), an authentication server function (AUSF) and a unified data management function (UDM). The terminal device sends a registration request to the AMF through the access network device, the registration request containing a subscription concealed identifier (SUCI). When the AMF finds that the registration request is an initial registration request, it requests authentication from the AUSF. On receiving the authentication request, the AUSF requests an authentication vector from the UDM, which generates the authentication vector and returns it to the AUSF. The AUSF converts the 5-tuple authentication vector into a 4-tuple authentication vector and sends it to the AMF. The AMF takes the random number (RAND) and the authentication token (AUTN) from the 4-tuple authentication vector and transmits them to the terminal device; the AUTN contains a message authentication code (MAC). The terminal device extracts the MAC from the AUTN, computes the expected MAC (XMAC) and checks whether XMAC equals MAC: if so, the network device passes authentication; if not, it fails. After the network device passes authentication, the terminal device calculates a response parameter (RES) and sends it to the AMF in the authentication response. The AMF calculates a hash response parameter (HRES) from RES and checks whether HRES equals the expected hash response parameter (HXRES) in order to authenticate the terminal device: if they are equal, authentication passes; if not, it fails.
After the AMF has authenticated the terminal device, the AMF sends authentication information including RES to the AUSF for a second check. The AUSF compares RES with the expected response (XRES): if they are equal, the terminal device passes this second authentication; if not, it fails. After the AUSF has authenticated the terminal device, it returns an authentication success indication to the AMF.
However, in some scenarios, such as business-facing (2B) scenarios, an RRC connection is generally not set up between the terminal device and the network device in order to reduce power consumption on the terminal side, and without an RRC connection the authentication above cannot be performed between the terminal device and the network device.
The application provides an authentication method and related equipment for the case in which no RRC connection exists between the terminal device and the network device. First, the network device receives a session request sent by the terminal device on an uplink common channel and can confirm from it that the terminal device passes authentication. Then the network device sends a session response to the terminal device on the downlink common channel, and the session response lets the terminal device authenticate the network device. Even without an RRC connection, the information required for authentication is carried over a common channel, so that authentication between the two devices is achieved.
Fig. 2 is a schematic diagram of an application scenario of the authentication system provided by the present application.
Referring to fig. 2, in an embodiment of the present application, a network device, a radio access network, and a terminal device form an authentication system.
The authentication system provided by the application comprises a network device 101, radio access networks (RANs) 102, 103 and 104, and terminal devices 105, 106, 107 and 108. The network device 101 comprises an AMF 109, an AUSF 110 and a UDM 111.
Terminal devices 105 and 106 exchange data with the AMF 109 of network device 101 through RAN 102, terminal device 107 through RAN 103, and terminal device 108 through RAN 104; the AMF 109 exchanges data with the AUSF 110 and the UDM 111.
In the embodiment of the present application, one network device, three RANs and four terminal devices are used only as an example. In practical applications, the scenario may include more or fewer RANs and terminal devices than shown in fig. 2; the embodiment does not limit the number of network devices, RANs or terminal devices.
The network device 101 in the embodiment of the present application may be a core network device; the AMF, the AUSF and the UDM may be integrated on the same device or deployed on different devices, which is not limited here.
In the application, the RAN carries the information exchanged between the network device and the terminal device; its role in the authentication procedure is essentially to relay that information transparently.
In the application, the AMF initiates the authentication flow within the network device, processes the authentication information of the terminal device, obtains the authentication vector from the AUSF, authenticates the terminal device and generates encryption keys.
In the application, the AUSF communicates with the UDM, obtains the authentication vector from the UDM, processes it, passes it to the AMF and authenticates the terminal device.
In the application, the UDM stores subscription (account opening) information and the subscriber key, and generates the authentication vector.
The terminal device in the embodiments of the present application may be a device that provides voice and/or data connectivity to a user, a handheld device with wireless connectivity, or another processing device connected to a wireless modem. The terminal device may be a mobile terminal, such as a mobile telephone (or "cellular" telephone) or a computer with a mobile terminal, for example a portable, pocket-sized, hand-held, computer-built-in or vehicle-mounted mobile device that exchanges voice and/or data with the network device, such as a personal communication service (PCS) phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a wireless local loop (WLL) station or a personal digital assistant (PDA). The terminal device may also be called a subscriber unit, subscriber station, mobile station, remote station, access point, remote terminal, access terminal, user agent, user device, user equipment (UE), user station, user terminal, terminal equipment (TE), terminal or wireless communication device. The terminal device may also be a chip system implementing the UE function. The specific form is not limited here.
The authentication method provided by the present application will be described based on the authentication system described in fig. 2.
Fig. 3 is a schematic diagram of an embodiment of an authentication method according to the present application. Referring to fig. 3, the authentication method includes steps 201 to 203.
201. The network device receives, on the uplink common channel, the session request sent by the terminal device; correspondingly, the terminal device sends the session request to the network device on the uplink common channel.
In the application, no RRC connection is established between the terminal device and the network device, so they cannot exchange information over a dedicated channel. The terminal device therefore sends the session request to the network device over the uplink common channel, where the session request asks the network device to authenticate the terminal device.
202. The network device confirms, according to the session request, that the terminal device passes authentication.
In the application, the session request carries an authentication parameter, and the network device authenticates the terminal device according to that parameter.
203. The network device sends a session response to the terminal device on the downlink common channel; correspondingly, the terminal device receives the session response from the network device on the downlink common channel.
In the application, no RRC connection is established between the terminal device and the network device, so they cannot exchange information over a dedicated channel. The network device therefore sends the session response to the terminal device over the downlink common channel, where the session response is used to instruct the terminal device to authenticate the network device.
In the embodiment shown in fig. 3, step 202 can be implemented in specific ways, which are described in detail below.
Mode one: two-step authentication method
Fig. 4 is a schematic diagram of another embodiment of an authentication method according to the present application. Referring to fig. 4, in this embodiment the network device may be a core network device including an AMF, an AUSF and a UDM, and the session request includes the SUCI and a first response parameter (RES).
The AMF sends a first authentication request to the AUSF.
In this embodiment, the first authentication request includes the SUCI, the RES and the first random parameter R0 that the terminal device received. R0 is generated by the network device, which updates it periodically. After receiving R0, the terminal device calculates RES from R0 and its subscription key, places RES and the SUCI in the session request and sends it to the AMF through the RAN.
The AUSF sends first request information to the UDM according to the first authentication request.
In this embodiment, the first request information includes R0 and the SUCI and instructs the UDM to send the authentication vector to the AUSF.
The AUSF receives the authentication vector sent by the UDM.
In the present application, the authentication vector includes a second random parameter (R1), an expected response (XRES), a cipher key (CK), an integrity key (IK) and an authentication token (AUTN). The UDM receives the first request information containing R0 and the SUCI, generates the authentication vector from R0, R1, the terminal's subscription key and other inputs, and sends it to the AUSF. The algorithm is similar to 5G AKA; the difference is which random value feeds each parameter: the terminal device calculates RES and the related parameters from R0, so the UDM also uses R0 to calculate XRES, while it uses R1 to calculate CK, IK and AUTN.
The AUSF determines that the terminal device passes authentication according to the authentication vector.
In the application, the AUSF authenticates the terminal device by checking whether RES equals XRES: if they are equal, the AUSF confirms that the terminal device passes authentication; if not, it confirms that the terminal device fails authentication. After confirming that the terminal device passes authentication, the AUSF sends a first authentication response to the AMF.
The AUSF sends a first authentication response to the AMF.
In the present application, the first authentication response includes the second random parameter (R1), a hashed expected response (HXRES), the AUTN and the security anchor function key (Kseaf).
The AMF confirms that the terminal device passes authentication according to the first authentication response.
In the application, the AMF calculates HRES from RES and checks whether HRES equals HXRES in order to authenticate the terminal device: if they are equal, the AMF confirms that the terminal device passes authentication; if not, that it fails. After authentication passes, the AMF allocates a session ID, allocates uplink traffic channel resources, and calculates the NAS encryption key (Knasenc) and the NAS integrity key (Knasint). The allocated session ID and uplink traffic channel resource data are encrypted and integrity protected with these keys, and the protected data (session ID and traffic channel resources) are sent to the terminal device through the RAN together with R1 and the AUTN.
In the application, once the network device has confirmed that the terminal device passes authentication, the session ID (Session Id) identifies the user during subsequent service between the network device and the terminal device, instead of the subscription permanent identifier (SUPI).
In the application, the encrypted service data carries a message sequence number, and the AMF must check that the sequence number increases in order to prevent replay of service data. To prevent replay of the session request, in addition to the periodic update of R0, the AMF must store the assigned Session Id and SUCI together with the corresponding RES and key information; if a Session Id has already been assigned to the SUCI, the AMF does not trigger the flow of requesting an authentication vector from the UDM again, but encrypts the previously assigned data and sends it directly to the terminal.
In the application, to avoid the loss of security that results from a Session Id not being updated for a long time, a field can be added to the broadcast system message to indicate whether the terminal should re-authenticate and re-establish the session.
In the application, if authentication fails at the network device, the subsequent flow is terminated; the network elements of the network device may send failure notification messages internally, but no message is sent over the air interface and the terminal is not notified. Likewise, if authentication fails at the terminal device, the terminal device does not notify the core network.
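The two-step exchange of fig. 4, together with the session-request replay handling and the failure behaviour described above, as an added Python simulation that is not code from the application. The HMAC-based stand-ins for the MILENAGE f1/f2 functions and for the key derivations, the toy NAS protection, the counter-based session ID, the uplink resource label UL-CH-7, the subscriber label suci-001 and the per-R1 sequence-number check on the terminal side are all assumptions of this example:

```python
import hashlib
import hmac
import secrets

# Toy stand-ins for the MILENAGE f1 (MAC) / f2 (RES) functions and for the
# 5G key derivations, keyed with the subscription key K provisioned at account
# opening. They are assumptions of this example, not the application's algorithms.
def f1_mac(k, rand): return hmac.new(k, b"f1" + rand, hashlib.sha256).digest()[:8]
def f2_res(k, rand): return hmac.new(k, b"f2" + rand, hashlib.sha256).digest()[:8]
def kdf(k, label, rand): return hmac.new(k, label + rand, hashlib.sha256).digest()
def hres(rand, res): return hashlib.sha256(rand + res).digest()[:16]   # HRES / HXRES shape

def protect(kenc, kint, seq, plain):
    """Toy NAS protection: XOR keystream from Knasenc, tag from Knasint (plain <= 32 bytes)."""
    seq_b = seq.to_bytes(4, "big")
    ks = hashlib.sha256(kenc + seq_b).digest()
    ct = bytes(p ^ s for p, s in zip(plain, ks))
    return seq, ct, hmac.new(kint, seq_b + ct, hashlib.sha256).digest()[:8]

class UDM:
    def __init__(self, subscribers):
        self.subscribers, self.calls = subscribers, 0     # SUCI label -> K; calls counts AV requests
    def authentication_vector(self, suci, r0):
        self.calls += 1
        k, r1 = self.subscribers[suci], secrets.token_bytes(16)
        # XRES is computed over R0 (the value the UE answered); AUTN, CK and IK over the fresh R1.
        return r1, f2_res(k, r0), kdf(k, b"CK", r1), kdf(k, b"IK", r1), f1_mac(k, r1)

class AUSF:
    def __init__(self, udm): self.udm = udm
    def authenticate(self, suci, res, r0):
        r1, xres, ck, ik, autn = self.udm.authentication_vector(suci, r0)
        if not hmac.compare_digest(res, xres):
            return None                                  # failure: nothing goes over the air
        return r1, hres(r0, xres), autn, kdf(ck + ik, b"Kseaf", r1)   # AMF gets HXRES, not XRES

class AMF:
    def __init__(self, ausf):
        self.ausf, self.sessions, self.r0, self.next_sid = ausf, {}, secrets.token_bytes(16), 0
    def rotate_r0(self):
        self.r0 = secrets.token_bytes(16)                # periodic update: old RES values stop matching
    def session_request(self, suci, res):
        st = self.sessions.get(suci)
        if st and hmac.compare_digest(res, st["res"]):
            return self._response(st)                    # repeated request: no new AV, resend cached data
        av = self.ausf.authenticate(suci, res, self.r0)
        if av is None or not hmac.compare_digest(hres(self.r0, res), av[1]):
            return None                                  # AMF-side HRES/HXRES check failed
        r1, _, autn, kseaf = av
        self.next_sid += 1
        st = {"res": res, "r1": r1, "autn": autn, "seq": 0, "sid": self.next_sid.to_bytes(4, "big"),
              "ul": b"UL-CH-7", "kenc": kdf(kseaf, b"Knasenc", r1), "kint": kdf(kseaf, b"Knasint", r1)}
        self.sessions[suci] = st
        return self._response(st)
    def _response(self, st):
        st["seq"] += 1
        return st["r1"], st["autn"], protect(st["kenc"], st["kint"], st["seq"], st["sid"] + st["ul"])

class UE:
    def __init__(self, suci, k):
        self.suci, self.k, self.seen = suci, k, {}       # seen: R1 -> highest sequence number accepted
    def session_request(self, r0):
        return self.suci, f2_res(self.k, r0)             # RES over the broadcast R0; no RRC connection needed
    def session_response(self, r1, autn, cfg):
        if not hmac.compare_digest(f1_mac(self.k, r1), autn):
            return None                                  # MAC mismatch: the network fails authentication
        kseaf = kdf(kdf(self.k, b"CK", r1) + kdf(self.k, b"IK", r1), b"Kseaf", r1)
        kenc, kint = kdf(kseaf, b"Knasenc", r1), kdf(kseaf, b"Knasint", r1)
        seq, ct, tag = cfg
        seq_b = seq.to_bytes(4, "big")
        tag_ok = hmac.compare_digest(hmac.new(kint, seq_b + ct, hashlib.sha256).digest()[:8], tag)
        if seq <= self.seen.get(r1, 0) or not tag_ok:
            return None                                  # replayed or tampered response
        self.seen[r1] = seq
        ks = hashlib.sha256(kenc + seq_b).digest()
        plain = bytes(c ^ s for c, s in zip(ct, ks))
        return plain[:4], plain[4:]                      # session ID, uplink traffic channel resource

def run():
    """Normal session, a repeated request, a forged RES and an R0 rotation."""
    k = secrets.token_bytes(16)
    udm = UDM({"suci-001": k}); amf = AMF(AUSF(udm)); ue = UE("suci-001", k)
    out = {}
    first = ue.session_response(*amf.session_request(*ue.session_request(amf.r0)))
    out["first"], out["udm_calls"] = first, udm.calls                # session established, 1 AV fetched
    again = amf.session_request(*ue.session_request(amf.r0))        # same request sent a second time
    out["repeat_same_session"] = ue.session_response(*again) == first
    out["udm_calls_after_repeat"] = udm.calls                       # still 1: served from the cache
    out["bad_res_rejected"] = amf.session_request("suci-001", bytes(8)) is None
    amf.rotate_r0()                                                 # UE must now answer the new R0
    fresh = ue.session_response(*amf.session_request(*ue.session_request(amf.r0)))
    out["new_session_after_rotate"] = fresh is not None and fresh[0] != first[0]
    out["udm_calls_final"] = udm.calls                              # 3: repeat was free, forged and fresh cost one each
    return out
```

The repeated request is answered from the AMF's cache with a higher sequence number, so a legitimate terminal still accepts it while no new authentication vector is fetched; a forged RES is rejected in the core without any air-interface message, matching the failure behaviour described above.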
Mode two: four-step authentication method
Fig. 5 is a schematic diagram of another embodiment of an authentication method according to the present application. Referring to fig. 5, in this embodiment the session request includes the SUCI, and the network device includes an AMF, an AUSF and a UDM.
The network device sends a second authentication request to the terminal device according to the session request.
In the present application, after the AMF of the network device receives the session request, the AMF requests authentication from the AUSF. On receiving the authentication request, the AUSF requests an authentication vector from the UDM, which generates the authentication vector and returns it to the AUSF. The AMF takes the random number (RAND) and the authentication token (AUTN) from the 4-tuple authentication vector (converted by the AUSF as in the flow of fig. 1) and sends them to the terminal device in a second authentication request. The second authentication request instructs the terminal device to authenticate the network device.
The network device receives a second authentication response sent by the terminal device.
In the application, the terminal equipment obtains the AUTN from the second authentication request, where the AUTN contains MAC data. The terminal equipment extracts the MAC data from the AUTN, computes the expected MAC (XMAC) and checks whether the XMAC is consistent with the MAC data: if so, the network equipment is considered to have passed authentication; if not, it is considered to have failed authentication. After the network passes authentication, the terminal calculates a response parameter (RES) and sends it to the AMF in a second authentication response.
The network device confirms that the terminal device passes authentication according to the second authentication response.
In the application, the network equipment obtains the response parameter (RES) from the second authentication response, and the AMF calculates a hash response parameter (HRES) from the RES and judges whether the HRES is consistent with the expected hash response parameter (HXRES) so as to authenticate the terminal equipment. If they are consistent, authentication passes; if not, it fails. After the AMF has authenticated the terminal device, the AMF sends authentication information including the RES to the AUSF for secondary authentication. The AUSF compares the RES with the expected response (XRES) to authenticate the terminal device a second time: if they are consistent, authentication passes; if not, it fails. After the AUSF passes the authentication of the terminal equipment, the AUSF replies with authentication success information to the AMF.
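The four-step exchange described above, simulated end to end as an added example that is not the application's own code: the 3GPP functions deriving MAC, RES, CK and IK from the subscriber key are not given on the page, so HMAC-SHA256 with a per-output label stands in for them, and HXRES is assumed to be a truncated SHA-256 over RAND||XRES. The tampered-RES case shows the AMF's HRES check failing before the AUSF's secondary RES/XRES check is reached.

```python
"""Four-step authentication of the fig. 5 embodiment, simulated offline (added example).

Assumptions: the key-dependent functions are modelled by HMAC-SHA256 with a label,
AUTN carries only the MAC the terminal re-computes as XMAC, and HXRES is a truncated
SHA-256 over RAND || XRES. None of these derivations are taken from the page.
"""
import hashlib
import hmac
import os


def _f(k: bytes, label: bytes, *parts: bytes) -> bytes:
    """Constructed stand-in for the subscriber-key authentication functions."""
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()


def udm_authentication_vector(k: bytes) -> dict:
    """UDM: generate the authentication vector (RAND, XRES, CK, IK, AUTN) for key K."""
    rand = os.urandom(16)
    return {
        "RAND": rand,
        "XRES": _f(k, b"res", rand)[:8],
        "CK": _f(k, b"ck", rand)[:16],
        "IK": _f(k, b"ik", rand)[:16],
        "AUTN": _f(k, b"mac", rand)[:8],   # MAC data the terminal checks against its XMAC
    }


def hxres(rand: bytes, xres: bytes) -> bytes:
    """AMF-side hash of the (expected) response; assumed derivation."""
    return hashlib.sha256(rand + xres).digest()[:16]


def terminal_handle_auth_request(k: bytes, rand: bytes, autn: bytes):
    """Terminal: authenticate the network (XMAC == MAC); return RES, or None on failure."""
    xmac = _f(k, b"mac", rand)[:8]
    if not hmac.compare_digest(xmac, autn):
        return None                        # network fails authentication; flow terminates
    return _f(k, b"res", rand)[:8]         # RES carried in the second authentication response


def four_step_authentication(k_terminal: bytes, k_udm: bytes, tamper_res: bool = False) -> dict:
    """Run the AMF/AUSF/UDM side and the terminal side and report each check's outcome."""
    # AMF -> AUSF -> UDM: the AUSF keeps XRES, the AMF keeps RAND, AUTN and HXRES
    av = udm_authentication_vector(k_udm)
    amf = {"RAND": av["RAND"], "AUTN": av["AUTN"], "HXRES": hxres(av["RAND"], av["XRES"])}
    ausf = {"XRES": av["XRES"]}

    # Second authentication request (AMF -> terminal) and response (terminal -> AMF)
    res = terminal_handle_auth_request(k_terminal, amf["RAND"], amf["AUTN"])
    if res is None:
        return {"network_authenticated": False, "amf_pass": False, "ausf_pass": False}
    if tamper_res:                         # constructed fault: RES altered in transit
        res = bytes(b ^ 0xFF for b in res)

    # AMF: HRES computed from the received RES must equal HXRES
    amf_pass = hmac.compare_digest(hxres(amf["RAND"], res), amf["HXRES"])
    # AUSF: secondary authentication, RES must equal XRES; only reached after the AMF check
    ausf_pass = amf_pass and hmac.compare_digest(res, ausf["XRES"])
    return {"network_authenticated": True, "amf_pass": amf_pass, "ausf_pass": ausf_pass}
```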
In this embodiment, in the scenario where no RRC connection exists between the terminal device and the network device, the information exchanged between the terminal device and the network device is not transmitted over the physical uplink shared channel (PUSCH) and the physical downlink shared channel (PDSCH), but over an uplink access channel and a downlink common control channel.
The application provides an authentication method and related equipment. Firstly, the network device receives a session request sent by the terminal device on an uplink common channel, and the network device can confirm that the terminal device passes authentication according to the session request. Then, the network device sends a session response to the terminal device on the downlink common channel, the session response being used to instruct the terminal device to authenticate the network device. In the scenario that no RRC connection is established between the terminal device and the network device, information required for authentication can be transferred between the terminal device and the network device through a common channel, so that authentication between the terminal device and the network device is realized.
The foregoing embodiments provide different implementations of an authentication method, and as shown in fig. 6, the network device 30 is configured to perform steps performed by the network device in the foregoing embodiments, where the performing steps and corresponding beneficial effects are specifically understood with reference to the foregoing corresponding embodiments, and are not described herein in detail, where the network device 30 includes:
a receiving unit 301, configured to receive a session request sent by a terminal device on an uplink common channel, where the session request is used to request the network device to authenticate the terminal device;
a processing unit 302, configured to confirm that the terminal device passes authentication according to the session request;
a sending unit 303, configured to send a session response to the terminal device on a downlink common channel, where the session response is used to instruct the terminal device to authenticate the network device.
In one possible implementation, the session request includes a user hidden identifier SUCI and a first response parameter.
In a possible implementation manner, the network device includes an access and mobility management function AMF and an authentication service function AUSF;
The AMF sends a first authentication request to AUSF, wherein the first authentication request comprises the SUCI, the first response parameter and a first random parameter received by the terminal equipment;
the AUSF confirms that the terminal equipment passes authentication according to the first authentication request;
The AUSF sends a first authentication response to the AMF, the first authentication response including a second random parameter, a second response parameter, an authentication token AUTN, and a secure anchor function key Kseaf;
And the AMF confirms that the terminal equipment passes authentication according to the first authentication response.
In a possible implementation, the network device includes a unified data management function UDM;
The AUSF sends first request information to the UDM according to the first authentication request, the first request information including a first random parameter and SUCI, the first request information being used to instruct the UDM to send an authentication vector to the AUSF;
The AUSF receives the authentication vector sent by the UDM, where the authentication vector includes the second random parameter, a third response parameter, an encryption key CK, an integrity key IK, and the AUTN;
And AUSF determining that the terminal equipment passes authentication according to the authentication vector.
In a possible implementation manner, the session response includes the second random parameter, the AUTN and configuration information, where the configuration information is used to instruct the terminal device to configure a session with the network device.
In a possible implementation, the session request includes the SUCI.
In one possible implementation,
The sending unit 303 is further configured to send a second authentication request to the terminal device according to the session request, where the second authentication request is used to instruct the terminal device to authenticate the network device;
the receiving unit 301 is further configured to receive a second authentication response sent by the terminal device;
The processing unit 302 is further configured to confirm that the terminal device passes authentication according to the second authentication response.
It should be noted that, because the content of information interaction and execution process between the modules of the network device 30 is based on the same concept as the method embodiment of the present application, the technical effects brought by the content are the same as the method embodiment of the present application, and the specific content can be referred to the description in the foregoing illustrated method embodiment of the present application, which is not repeated herein.
The foregoing embodiments provide different implementations of a network device 30, and the following provides a terminal device 40, as shown in fig. 7, where the terminal device 40 is configured to perform steps performed by the terminal device in the foregoing embodiments, and the performing steps and corresponding beneficial effects are specifically understood with reference to the foregoing corresponding embodiments, which are not described herein again, and the terminal device 40 includes:
A sending unit 401, configured to send a session request to a network device on an uplink common channel, where the session request is used to request the network device to authenticate the terminal device;
a receiving unit 402, configured to receive a session response sent by the network device on a downlink common channel, where the session response is used to instruct the terminal device to authenticate the network device.
In a possible implementation manner, the session response includes configuration information, where the configuration information is used to instruct the terminal device to configure a session with the network device.
In a possible implementation manner, the session response further comprises an authentication parameter, and the processing unit is configured to authenticate the network device according to the authentication parameter.
It should be noted that, because the content of information interaction and execution process between the modules of the terminal device 40 is based on the same concept as the method embodiment of the present application, the technical effects brought by the content are the same as the method embodiment of the present application, and the specific content can be referred to the description in the foregoing illustrated method embodiment of the present application, which is not repeated herein.
Referring to fig. 8, a schematic structural diagram of a communication device 50 is provided in an embodiment of the present application, where the communication device 50 includes a processor 502, a communication interface 503, a memory 501, and a bus 504. The communication interface 503, the processor 502, and the memory 501 are interconnected by the bus 504, which may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, etc. The buses may be classified as address buses, data buses, control buses, etc. For ease of illustration, only one thick line is shown in fig. 8, but this does not mean that there is only one bus or only one type of bus. The communication device 50 may implement the functions of the network device in the embodiment shown in fig. 6 or the functions of the terminal device in the embodiment shown in fig. 7. The communication interface 503 may perform the functions corresponding to the receiving unit and the sending unit of the network device or the terminal device in the above method example, and the processor 502 may perform the functions of the processing unit included in the network device or the terminal device in the above method embodiment.
The following describes the respective constituent elements of the communication device 50 in detail with reference to fig. 7:
The processor 502 is the control center of the controller, and may be a central processing unit (CPU), an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present application, such as one or more digital signal processors (DSPs) or one or more field programmable gate arrays (FPGAs).
The communication interface 503 is used to communicate with other devices.
The processor 502 may perform the operations performed by the network device 30 in the embodiment shown in fig. 6, and the processor 502 may perform the operations performed by the terminal device 40 in the embodiment shown in fig. 7, which are not described herein.
The embodiment of the application also provides a communication device 60, and the communication device 60 can be a terminal device or a chip. The communication means 60 may be adapted to perform the operations performed by the terminal device in the above-described method embodiments. Fig. 9 shows a simplified schematic diagram of a terminal device when the communication device 60 is a terminal device. The terminal device is illustrated as a mobile phone in fig. 9 for easy understanding and convenient illustration. As shown in fig. 9, the terminal device includes a processor, a memory, a radio frequency circuit, an antenna, and an input-output device. The processor is mainly used for processing communication protocols and communication data, controlling the terminal equipment, executing software programs, processing data of the software programs and the like. The memory is mainly used for storing software programs and data. The radio frequency circuit is mainly used for converting a baseband signal and a radio frequency signal and processing the radio frequency signal. The antenna is mainly used for receiving and transmitting radio frequency signals in the form of electromagnetic waves. Input and output devices, such as touch screens, display screens, keyboards, etc., are mainly used for receiving data input by a user and outputting data to the user. It should be noted that some kinds of terminal apparatuses may not have an input/output device.
When data need to be sent, the processor carries out baseband processing on the data to be sent and then outputs a baseband signal to the radio frequency circuit, and the radio frequency circuit carries out radio frequency processing on the baseband signal and then sends the radio frequency signal outwards in the form of electromagnetic waves through the antenna. When data is sent to the terminal equipment, the radio frequency circuit receives a radio frequency signal through the antenna, converts the radio frequency signal into a baseband signal, and outputs the baseband signal to the processor, and the processor converts the baseband signal into data and processes the data. For ease of illustration, only one memory and processor are shown in fig. 9, and in an actual end device product, one or more processors and one or more memories may be present. The memory may also be referred to as a storage medium or storage device, etc. The memory may be provided separately from the processor or may be integrated with the processor, as the embodiments of the application are not limited in this respect.
In the embodiment of the application, the antenna and the radio frequency circuit with the receiving and transmitting functions can be regarded as a receiving and transmitting unit of the terminal equipment, and the processor with the processing function can be regarded as a processing unit of the terminal equipment.
The terminal device comprises a transceiver unit 601 and a processing unit 602. The transceiver unit 601 may also be referred to as a transceiver, transceiver device, etc. The processing unit 602 may also be referred to as a processor, processing board, processing module, processing device, etc.
Alternatively, the device for implementing the receiving function in the transceiver unit 601 may be regarded as a receiving unit, and the device for implementing the transmitting function in the transceiver unit 601 may be regarded as a transmitting unit, that is, the transceiver unit 601 includes a receiving unit and a transmitting unit. The transceiver unit may also be referred to as a transceiver, transceiver circuitry, or the like. The receiving unit may also be referred to as a receiver, or receiving circuit, among others. The transmitting unit may also sometimes be referred to as a transmitter, or a transmitting circuit, etc.
For example, in one implementation, the transceiver unit 601 is configured to perform a receiving operation of the terminal device. The processing unit 602 is configured to perform a processing action on the terminal device side.
It should be understood that fig. 9 is only an example and not a limitation, and the above-described terminal device including the transceiving unit and the processing unit may not depend on the structure shown in fig. 9.
When the communication device 60 is a chip, the chip includes a transceiver unit and a processing unit. The receiving and transmitting unit can be an input/output circuit or a communication interface, and the processing unit can be an integrated processor or a microprocessor or an integrated circuit on the chip. The input circuit may be an input pin, the output circuit may be an output pin, and the processing circuit may be a transistor, a gate circuit, a flip-flop, various logic circuits, and the like. The input signal received by the input circuit may be received and input by, for example and without limitation, a receiver, the output signal may be output to and transmitted by, for example and without limitation, a transmitter, and the input circuit and the output circuit may be different circuits or the same circuit, in which case the circuits function as the input circuit and the output circuit, respectively, at different times.
It should be noted that, because the content of information interaction and execution process between the modules of the apparatus 60 provided in the foregoing embodiment is based on the same concept as the method embodiment of the present application, the technical effects brought by the content are the same as the method embodiment of the present application, and the specific content may be referred to the description in the foregoing illustrated method embodiment of the present application, which is not repeated herein.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein.
In the several embodiments provided in the present application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, in whole or in part, may be embodied in the form of a software product stored in a storage medium, which includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. The storage medium includes a USB disk, a removable hard disk, a read-only memory (ROM), a random-access memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program code.