CN102238484A - Method and system for group-based authentication in machine to machine communication systems - Google Patents
Publication number: CN102238484A
Application number: CN201010153947A (CN 2010101539478)
Authority: CN (China)
Prior art keywords: group, MTC equipment, authentication, equipment, MTC
Legal status: Granted
Classifications
- H04L63/104: Network security; controlling access to devices or network resources; grouping of entities
- H04W12/069: Security arrangements; authentication using certificates or pre-shared keys
- H04W4/70: Services for machine-to-machine communication [M2M] or machine type communication [MTC]
- H04L63/065: Network security; key management in a packet data network for group communications
- H04W28/18: Network resource management; negotiating wireless communication parameters
- H04W4/06: Selective distribution of broadcast services; services to user groups; one-way selective calling services
- H04W92/18: Interfaces between hierarchically similar devices; between terminal devices
Abstract
The invention discloses a method for group-based authentication in machine-to-machine communication systems, comprising the following steps: an authentication centre generates group authentication parameters according to the group subscription information of Machine Type Communication (MTC) devices and sends the group authentication parameters to the access security management equipment; the access security management equipment generates authentication parameters for each MTC device according to the received group authentication parameters and authenticates the MTC devices in the group. The invention also discloses a system for group-based authentication in machine-to-machine communication systems, comprising the MTC devices, the Access Security Management Equipment (ASME) and the authentication centre, wherein the authentication centre is used to generate the group authentication parameters according to the group subscription information of the MTC devices and to send them to the ASME, and the ASME is used to generate the authentication parameters for each MTC device according to the group authentication parameters and to authenticate the MTC devices in the group. The efficiency of MTC device authentication is greatly enhanced.
Description
Technical field
The present invention relates to authentication techniques in machine-to-machine communication systems, and in particular to a group-based authentication method and system in a machine-to-machine (M2M) communication system.
Background art
In existing second generation (2G) and third generation (3G) mobile networks, only a user holding a valid International Mobile Subscriber Identity (IMSI) is entitled to obtain service.
Authentication is the process of verifying that an IMSI is valid. It is part of mobile network security management and is the basis for confidentiality and data integrity in the mobile network. The Authentication and Key Agreement (AKA) procedure of the Universal Mobile Telecommunications System (UMTS) is briefly described below; EPS-AKA in the Evolved Packet System (EPS) does not differ from UMTS-AKA in essence. The authentication procedure comprises the following steps:
(1) Generation of the authentication quintuple: the terminal sends an access request, and the VLR/SGSN sends an authentication data request to the Home Location Register (HLR)/Authentication Centre (AuC). On receiving the authentication data request, the HLR/AuC generates the corresponding authentication vectors, each consisting of five elements: the random number RAND, the expected response XRES, the cipher key CK, the integrity key IK and the authentication token AUTN.
(2) The authentication quintuples are sent to the requesting VLR/SGSN.
(3) The VLR/SGSN selects one of the received quintuples and sends RAND(i) and AUTN(i) to the user.
(4) The Universal Subscriber Identity Module (USIM) checks whether AUTN(i) can be accepted, i.e. whether AUTN(i) carries a valid authentication token.
(5) On receiving the authentication request, the terminal first computes the expected message authentication code XMAC and compares it with the MAC carried in AUTN; if they differ, it sends an authentication reject message to the SGSN/VLR and abandons the procedure. At the same time the Mobile Station (MS) checks whether the received sequence number SQN lies within the acceptable range; if it does not, the MS sends a synchronisation failure message to the SGSN/VLR and abandons the procedure.
(6) Once the above checks pass, the USIM produces the response RES(i) and sends it to the VLR/SGSN, which compares RES(i) with XRES(i). The USIM also computes CK and IK, which are used for ciphering and integrity protection over the air interface.
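The six steps above run end to end, as an added Python example that is not code from the patent: the HLR/AuC builds a quintuple, the USIM checks the MAC inside AUTN and the SQN acceptance range, and the VLR/SGSN compares RES with XRES. The MILENAGE functions f1 to f5 are replaced by HMAC-SHA256 stand-ins, and the key, AMF, SQN window and output lengths are constructed for the example, so the values are illustrative and not interoperable with a real USIM.

```python
import hashlib
import hmac
import os


def _f(tag, k, *parts):
    # HMAC-SHA256 stand-in for the MILENAGE f-functions, domain-separated by a tag byte.
    return hmac.new(k, bytes([tag]) + b"".join(parts), hashlib.sha256).digest()


def f1(k, sqn, rand, amf):
    return _f(1, k, sqn, rand, amf)[:8]      # MAC / XMAC


def f2(k, rand):
    return _f(2, k, rand)[:8]                # XRES / RES


def f3(k, rand):
    return _f(3, k, rand)[:16]               # CK


def f4(k, rand):
    return _f(4, k, rand)[:16]               # IK


def f5(k, rand):
    return _f(5, k, rand)[:6]                # AK, the anonymity key that hides SQN


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def auc_generate_quintuple(k, sqn, amf=b"\x00\x00", rand=None):
    # Step (1), HLR/AuC side: one vector (RAND, XRES, CK, IK, AUTN) for sequence number sqn.
    rand = os.urandom(16) if rand is None else rand
    sqn_b = sqn.to_bytes(6, "big")
    autn = xor(sqn_b, f5(k, rand)) + amf + f1(k, sqn_b, rand, amf)   # SQN^AK || AMF || MAC
    return {"RAND": rand, "XRES": f2(k, rand), "CK": f3(k, rand), "IK": f4(k, rand), "AUTN": autn}


class Usim:
    """USIM side of steps (4)-(6); last_sqn and window model the SQN acceptance range."""

    def __init__(self, k, last_sqn=0, window=32):
        self.k, self.last_sqn, self.window = k, last_sqn, window

    def challenge(self, rand, autn):
        sqn_ak, amf, mac = autn[:6], autn[6:8], autn[8:16]
        sqn_b = xor(sqn_ak, f5(self.k, rand))              # recover SQN with AK
        xmac = f1(self.k, sqn_b, rand, amf)
        if not hmac.compare_digest(xmac, mac):
            return "AUTHENTICATION_REJECT", None           # step (5): MAC != XMAC
        sqn = int.from_bytes(sqn_b, "big")
        if not self.last_sqn < sqn <= self.last_sqn + self.window:
            return "SYNCHRONISATION_FAILURE", None         # step (5): SQN out of range
        self.last_sqn = sqn
        return "RES", {"RES": f2(self.k, rand), "CK": f3(self.k, rand), "IK": f4(self.k, rand)}


def vlr_check(av, res):
    # Step (6), VLR/SGSN side: compare the returned RES with the XRES of the stored vector.
    return hmac.compare_digest(av["XRES"], res)


def run_aka(k_auc, sqn, usim, tamper_mac=False):
    # One full exchange; returns the outcome as seen by the VLR/SGSN.
    av = auc_generate_quintuple(k_auc, sqn)                # (1)-(2): vector to the VLR/SGSN
    autn = av["AUTN"]
    if tamper_mac:                                         # simulate an on-path change to AUTN
        autn = autn[:8] + xor(autn[8:], b"\x01" * 8)
    status, out = usim.challenge(av["RAND"], autn)         # (3)-(5): RAND, AUTN to the USIM
    if status != "RES":
        return status
    if vlr_check(av, out["RES"]) and (out["CK"], out["IK"]) == (av["CK"], av["IK"]):
        return "SUCCESS"                                   # (6): RES == XRES and keys agree
    return "FAILURE"
```

Calling `run_aka` twice with the same SQN shows why the AuC must advance SQN per vector: the second run is rejected as a synchronisation failure, which is the replay protection the MAC alone does not provide.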
However, existing mobile networks are optimised and designed for human-to-human communication and are not optimal for machine-to-machine, machine-to-human or human-to-machine applications.
As M2M technology develops and matures and M2M uses diversify, the number of M2M terminals will grow explosively; by some estimates it will exceed the number of handheld terminals by two orders of magnitude. If every M2M terminal authenticates with the network and transmits data independently, the subscriber database/authentication centre (HSS or HLR) has to generate an authentication vector for each Machine Type Communication (MTC) device that attaches and send it to the access security management entity. This places a very heavy load on the existing network and therefore has a large impact on the quality of service and user experience of M2M services.
When many MTC devices are deployed as an MTC device group belonging to the same MTC user, or when all MTC devices in the same locality form one group, the cost of authenticating every MTC device in the group individually is very high, and usually unnecessary. Without group optimisation every MTC device must be authenticated individually, so the signalling load due to authentication grows with each separate authentication and may even cause network congestion.
The current network authentication technique of the 3rd Generation Partnership Project (3GPP) therefore has difficulty coping with the ever-growing number of MTC devices. An optimised MTC device authentication mechanism is needed that significantly reduces the required signalling and, in particular, relieves the pressure on the core network.
Summary of the invention
In view of this, the main purpose of the present invention is to provide a group-based authentication method and system for M2M communication systems that improves the efficiency of MTC device authentication, significantly reduces the amount of signalling in the existing network and at the same time relieves the authentication load on the existing network.
To achieve the above purpose, the technical scheme of the present invention is realised as follows:
A group-based authentication method in an M2M communication system: the authentication centre generates group authentication parameters according to the group subscription information of the MTC devices and sends the group authentication parameters to the access security management equipment;
the access security management equipment generates authentication parameters for each MTC device according to the generated group authentication parameters and authenticates the MTC devices in the group.
Preferably, before the authentication centre generates the group authentication parameters according to the group subscription information of the MTC device:
the authentication centre pre-configures the group root key of the group to which the MTC device belongs and the root key of the MTC device.
Preferably, the authentication centre queries the subscription information of the MTC device according to the MTC device identifier carried in the received authentication request message; if the MTC device has a group subscription, the authentication centre generates the corresponding group authentication vector from the group root key and the group identifier of the group to which the MTC device belongs;
the authentication centre generates the hash value of the root key of the MTC device from the root key of the MTC device and a hash algorithm.
Preferably, the group authentication parameters comprise: the group authentication vector, the hash value of the MTC device root key, and the subscribed group and group member information of the MTC device.
Preferably, after receiving an attach request or service request from an MTC device, the access security management equipment ASME queries, according to the MTC device identifier carried in the request message, whether the group to which the MTC device is subscribed and the group authentication parameters of that group already exist; if not, it initiates an authentication request for the MTC device to the authentication centre; if so, the access security management equipment authenticates the MTC device directly.
Preferably, the access security management equipment authenticates the MTC device as follows:
the access security management equipment generates a random number and, from the group authentication vector, the hash value of the MTC device root key and the random number it generated, generates an authentication vector for the MTC device and authenticates the MTC device with it.
A group-based authentication system in an M2M communication system comprises MTC devices, an ASME and an authentication centre; the authentication centre is used to generate group authentication parameters according to the group subscription information of the MTC devices and to send the group authentication parameters to the access security management equipment;
the access security management equipment is used to generate authentication parameters for each MTC device according to the generated group authentication parameters and to authenticate the MTC devices in the group.
Preferably, the authentication centre is used to pre-configure the group root key of the group to which the MTC device belongs and the root key of the MTC device; to query the subscription information of the MTC device according to the MTC device identifier carried in the received authentication request message and, if the MTC device has a group subscription, to generate the corresponding group authentication vector from the group root key and group identifier of the group to which the MTC device belongs; and to generate the hash value of the MTC device root key from the root key of the MTC device and a hash algorithm.
Preferably, the group authentication parameters comprise: the group authentication vector, the hash value of the MTC device root key, and the subscribed group and group member information of the MTC device.
Preferably, the access security management equipment is used, after receiving an attach request or service request from an MTC device, to query according to the MTC device identifier carried in the request message whether the group to which the MTC device is subscribed and the group authentication parameters of that group already exist; if not, to initiate an authentication request for the MTC device to the authentication centre; if so, to authenticate the MTC device;
the access security management equipment is used to generate a random number and, from the group authentication vector, the hash value of the MTC device root key and the random number, to generate an authentication vector for the MTC device and to authenticate the MTC device with it.
In the present invention, MTC devices sharing the same group subscription information are placed in one group. When the first MTC device in a group is authenticated, i.e. when the ASME holds no valid group authentication parameters, the ASME initiates an authentication request to the authentication centre, the authentication centre sends the corresponding authentication vector to the ASME, and the ASME completes the authentication of the MTC device. When the ASME already holds the corresponding group authentication parameters and a further MTC device in the group is authenticated, the ASME authenticates the other members of the same group directly with the corresponding authentication vector, and the authentication centre need not take part in the authentication of every MTC device again. This clearly improves the efficiency of MTC device authentication, shares the authentication centre's load for MTC device authentication, saves processing resources on the network side and helps improve service processing efficiency on the core network side.
Description of drawings
Fig. 1 is the authentication flow, in a UMTS network, of the first MTC device to access in a group of MTC devices;
Fig. 2 is the authentication flow, in a UMTS network, of an MTC device in a group in which another MTC device has already been authenticated;
Fig. 3 is the key hierarchy of LTE/SAE;
Fig. 4 is the authentication flow, in an EPS network, of the first MTC device in a group sharing the same subscription information;
Fig. 5 is the authentication flow, in an EPS network, of an MTC device in a group in which another MTC device has already been authenticated;
Fig. 6 is a schematic diagram of the composition of the group-based authentication system in an M2M communication system of the present invention.
Embodiment
The basic idea of the present invention is that MTC devices sharing the same group subscription information are placed in one group. When the first MTC device in a group is authenticated, i.e. when the ASME holds no valid group authentication parameters, the ASME initiates an authentication request to the authentication centre, the authentication centre sends the corresponding authentication vector to the ASME, and the ASME completes the authentication of the MTC device. When the ASME already holds the corresponding group authentication parameters and a further MTC device in the group is authenticated, the ASME authenticates the other members of the same group directly with the corresponding authentication vector, and the authentication centre need not take part in the authentication of every MTC device again.
To make the purpose, technical solution and advantages of the present invention clearer, the present invention is described in more detail below by way of embodiments and with reference to the accompanying drawings.
Fig. 1 and Fig. 2 show the group authentication flow of MTC devices in a group sharing the same subscription information in a 3G network, where the network element ASME is specifically the VLR/SGSN and the subscriber database/authentication centre is specifically the HLR/AuC. Each MTC device subscribed as a member of a group is pre-configured with the group identity information, the group root key Ksg and its own MTC device root key Ksi; the subscription centre is pre-configured with the group root key of the MTC devices subscribed as a group, the root key of each MTC device in the group and the group subscription information.
Fig. 1 is the authentication flow, in a UMTS network, of the first MTC device to access in a group of MTC devices. As shown in Fig. 1, the MTC device authentication flow of this example comprises the following steps:
Step 101: the first MTC device to access in an MTC device group sharing the same subscription information initiates an access/service association request; the request message carries the identity information of this first MTC device, which in this example is the IMSI of the MTC device.
Step 102: the VLR/SGSN queries whether it already holds the subscribed group information containing this MTC device and the group authentication vector.
Step 103: in this example, since the device being authenticated is the first MTC device in the group, no authentication parameter information for the group to which this MTC device is subscribed exists yet. The VLR/SGSN initiates an authentication request to the HLR/AuC carrying the IMSI of the MTC device.
Step 104: the HLR/AuC queries the subscription information according to the MTC device identifier; if the device has a group subscription, it generates the corresponding group authentication vector according to the authentication policy. Specifically, the group authentication vector is generated according to the corresponding authentication policy, which specifies the algorithms that generate the corresponding keys, such as the hash algorithm and the key derivation algorithm that generates the authentication vector. Here the group authentication vector comprises five elements: the group random number RANDg, the group authentication token AUTNg, the group cipher key CKg, the group integrity key IKg and the group expected response XRESg. The key derivation algorithm and the hash algorithm used to generate the authentication vector may be any existing algorithm. The authentication vector is generated from the group root key and the group subscription information such as the group identity; since this is prior art, the generation of the individual parameters is not described further here.
Step 105: the HLR/AuC returns an authentication data response to the VLR/SGSN. The message carries the group authentication quintuple: the group random number RANDg, the group authentication token AUTNg, the group cipher key CKg, the group integrity key IKg and the group expected response XRESg; it also carries the subscription information of the group, which comprises the group identifier and the IMSIs of all MTC devices in the group. The message sent to the VLR/SGSN further carries the hash value hash(Ksi) of the root key of each MTC device. Specifically, the HLR/AuC computes the hash value of each MTC device's root key with the configured hash algorithm. In the present invention the hash values of the MTC device root keys are generated centrally by the authentication centre, mainly to guarantee the security of authentication, and this is the preferred approach of the present invention.
Step 106: the VLR/SGSN stores the group authentication parameters sent by the HLR/AuC, such as the authentication vector and the corresponding hash values, finds the hash(Ksi) corresponding to this MTC device among the parameters, generates a random number RANDi, and generates XRESi from hash(Ksi), RANDi and XRESg. Specifically, the corresponding hash(Ksi) is looked up by the MTC device identifier.
Step 107: the VLR/SGSN sends a subscriber authentication request to the MTC device carrying RANDi, RANDg, AUTNg and a group authentication indication GA Indicator.
Step 108: the MTC device computes the hash value hash(Ksi) of its own root key Ksi with the same hash algorithm as the HLR/AuC and, from this hash(Ksi), RANDi and the group cipher key CKg, group integrity key IKg and group expected response XRESg computed with the existing key algorithm, computes the MTC device cipher key CKi, the MTC device integrity key IKi and the MTC device response RESi respectively.
Step 109: the MTC device returns a subscriber authentication response to the VLR/SGSN carrying RESi.
Step 110: the VLR/SGSN compares RESi with XRESi; if they match, authentication succeeds, otherwise it fails.
Step 111: the VLR/SGSN generates CKi and IKi from hash(Ksi), RANDi and CKg, IKg respectively and sends them to the Radio Network Controller (RNC) for data protection.
Step 112: the MTC device uses CKi and IKi for confidentiality and integrity protection of data respectively.
Fig. 2 is the authentication flow, in a UMTS network, of an MTC device in a group in which another MTC device has already been authenticated. As shown in Fig. 2, the MTC device authentication flow of this example comprises the following steps:
Step 201: the MTC device initiates an access/service association request; the request message carries the MTC device identifier (the IMSI in this example).
Step 202: the VLR/SGSN queries whether it already holds the subscribed group information containing this MTC device.
Step 203: in this example the VLR/SGSN finds that it holds the subscribed group information containing this MTC device and the group authentication vector of that group. The VLR/SGSN generates a random number RANDi and generates XRESi from RANDi, hash(Ksi) and XRESg.
Step 204: the VLR/SGSN sends a subscriber authentication request to the MTC device carrying RANDi, RANDg, AUTNg and the group authentication indication GA Indicator.
Step 205: the MTC device computes the hash value hash(Ksi) of its own Ksi with the same hash algorithm as the HLR/AuC and, from this hash(Ksi), RANDi and the group CKg, IKg and RESg computed with the existing algorithm, computes the MTC device CKi, IKi and RESi respectively.
Step 206: the MTC device returns a subscriber authentication response to the VLR/SGSN carrying RESi.
Step 207: the VLR/SGSN compares RESi with XRESi; if they match, authentication succeeds.
Step 208: the VLR/SGSN generates CKi and IKi from hash(Ksi), RANDi and CKg, IKg and sends them to the RNC for data protection.
Step 209: the MTC device uses CKi and IKi for confidentiality and integrity protection of data.
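The two UMTS flows (Fig. 1, steps 101 to 112, and Fig. 2, steps 201 to 209) as one added Python example; this is not code from the patent. The patent leaves the hash algorithm and the "existing key algorithm" open, so the example assumes SHA-256 for hash(Ksi), HMAC-SHA256 as the key derivation for the group quintuple and for the per-device XRESi, CKi and IKi, and models AUTNg as a MAC over RANDg under Ksg; the IMSIs and keys are constructed. The AuC exports only hash(Ksi), never Ksi, so the ASME holds no device root key; the second member of the group is authenticated from the cached group parameters without a second AuC request, and a device that holds the correct Ksg but the wrong Ksi fails step 110.

```python
import hashlib
import hmac
import os


def kdf(key, *parts, n=16):
    # Stand-in for the "existing key algorithm" the patent leaves open (assumption).
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()[:n]


def hash_ks(ksi):
    # hash(Ksi): the per-device value the AuC exports in place of Ksi (SHA-256 assumed).
    return hashlib.sha256(ksi).digest()


def group_vector(ksg, group_id, randg):
    # Group quintuple from Ksg, the group id and RANDg; AUTNg is modelled as a MAC over RANDg.
    gid = group_id.encode()
    return {"RANDg": randg,
            "AUTNg": kdf(ksg, b"AUTN", gid, randg),
            "CKg": kdf(ksg, b"CK", gid, randg),
            "IKg": kdf(ksg, b"IK", gid, randg),
            "XRESg": kdf(ksg, b"RES", gid, randg)}


def per_device(h_ksi, randi, gv):
    # Steps 106/108/111 and 203/205/208: bind the group values to one device via hash(Ksi), RANDi.
    return {"XRESi": kdf(h_ksi, randi, gv["XRESg"]),
            "CKi": kdf(h_ksi, randi, gv["CKg"]),
            "IKi": kdf(h_ksi, randi, gv["IKg"])}


class AuC:
    """HLR/AuC: pre-configured with Ksg per group, Ksi per device and the group membership."""

    def __init__(self):
        self.groups = {}     # group_id -> {"Ksg": bytes, "members": {imsi: Ksi}}
        self.requests = 0    # how many times the ASME had to come here

    def subscribe_group(self, group_id, ksg, members):
        self.groups[group_id] = {"Ksg": ksg, "members": dict(members)}

    def authentication_data(self, imsi):
        # Steps 104-105: group quintuple, group subscription and hash(Ksi) of every member.
        self.requests += 1
        for gid, g in self.groups.items():
            if imsi in g["members"]:
                gv = group_vector(g["Ksg"], gid, os.urandom(16))
                return {"group_id": gid, "vector": gv,
                        "hashes": {m: hash_ks(k) for m, k in g["members"].items()}}
        return None          # no group subscription for this IMSI


class ASME:
    """VLR/SGSN: caches the group parameters so only the first member costs an AuC round trip."""

    def __init__(self, auc):
        self.auc, self.cache = auc, {}   # group_id -> authentication data from the AuC

    def authenticate(self, device):
        gid = next((g for g, d in self.cache.items() if device.imsi in d["hashes"]), None)
        if gid is None:                                   # steps 102-103: miss, ask the AuC
            data = self.auc.authentication_data(device.imsi)
            if data is None:
                return False, None
            gid = data["group_id"]
            self.cache[gid] = data
        data = self.cache[gid]                            # steps 202-203: hit, AuC not involved
        gv, randi = data["vector"], os.urandom(16)
        expected = per_device(data["hashes"][device.imsi], randi, gv)   # step 106/203: XRESi
        resi = device.challenge(randi, gv["RANDg"], gv["AUTNg"])         # steps 107-109 / 204-206
        if resi is None or not hmac.compare_digest(resi, expected["XRESi"]):
            return False, None                                           # step 110/207: failure
        return True, (expected["CKi"], expected["IKi"])                  # step 111/208: to the RNC


class MTCDevice:
    """Pre-configured with its group id, Ksg and its own Ksi, as the patent requires."""

    def __init__(self, imsi, group_id, ksg, ksi):
        self.imsi, self.group_id, self.ksg, self.ksi = imsi, group_id, ksg, ksi
        self.keys = None

    def challenge(self, randi, randg, autng):
        # Step 108/205: rebuild the group values from Ksg and RANDg, then derive RESi, CKi, IKi.
        gv = group_vector(self.ksg, self.group_id, randg)
        if not hmac.compare_digest(gv["AUTNg"], autng):
            return None                                   # network side not authenticated
        d = per_device(hash_ks(self.ksi), randi, gv)
        self.keys = (d["CKi"], d["IKi"])                  # step 112/209 session keys
        return d["XRESi"]                                 # sent as RESi in step 109/206
```

`AuC.requests` is the quantity the patent is optimising: it stays at one however many members of the group attach through the same ASME. Note what the ASME cache holds: hash(Ksi) for every member, which is enough to compute that member's XRESi and session keys, so the ASME cache is as sensitive as the group vector itself.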
In Long Term Evolution (LTE)/System Architecture Evolution (SAE), because the eNB sits in an incompletely trusted zone, LTE/SAE security comprises two levels, Access Stratum (AS) security and Non-Access Stratum (NAS) security:
1) Access Stratum (AS) security: security between the UE and the eNB, mainly ciphering and integrity protection of AS signalling and ciphering of the user plane (UP).
2) Non-Access Stratum (NAS) security: security between the UE and the MME, mainly ciphering and integrity protection of NAS signalling.
Fig. 3 is the key hierarchy of LTE/SAE. As shown in Fig. 3, the LTE/SAE key hierarchy comprises the following keys:
1) Key shared between the UE and the HSS:
K: the permanent key stored in the USIM of the MTC device and in the AuC of the authentication centre; in this invention the group root key plays this role.
CK/IK: the key pair generated by the AuC and the USIM during the AKA procedure. Unlike in UMTS, CK/IK should not leave the HSS.
2) Intermediate key shared between the Mobile Equipment (ME) and the ASME:
K_ASME: derived by the UE and the HSS from CK/IK; used to derive the lower-layer keys.
3) Keys shared between the UE and the eNB and MME:
K_NASint: derived by the UE and the MME from K_ASME; protects the integrity of NAS traffic between the UE and the MME.
K_NASenc: derived by the UE and the MME from K_ASME; protects the confidentiality of NAS traffic between the UE and the MME.
K_eNB: derived by the UE and the MME from K_ASME; used to derive the AS-layer keys.
K_UPenc: derived by the UE and the eNB from K_eNB and the identifier of the ciphering algorithm; protects the confidentiality of the UP between the UE and the eNB.
K_RRCint: derived by the UE and the eNB from K_eNB and the identifier of the integrity algorithm; protects the integrity of RRC between the UE and the eNB.
K_RRCenc: derived by the UE and the eNB from K_eNB and the identifier of the ciphering algorithm; protects the confidentiality of RRC between the UE and the eNB.
Fig. 4 and Fig. 5 show the authentication flow of MTC devices in a group sharing the same subscription information in an EPS network, where the network element ASME is specifically the MME and the subscriber database/authentication centre is specifically the HSS. Each MTC device subscribed as a member of a group is pre-configured with the group identity information, the group root key Ksg and its own MTC device root key Ksi; the subscription centre is pre-configured with the group root key of the MTC devices subscribed as a group, the root key of each MTC device in the group and the group subscription information.
Fig. 4 is the authentication flow, in an EPS network, of the first MTC device in a group sharing the same subscription information. As shown in Fig. 4, the MTC device authentication flow of this example comprises the following steps:
Step 401: the accessing MTC device initiates an access/service association request; the request message carries the user identifier (IMSI).
Step 402: the MME queries whether it already holds the subscribed group information containing this MTC device and the group authentication vector.
Step 403: in this example, since the device being authenticated is the first MTC device in the group, the MME holds no information about the group to which this MTC device is subscribed. The MME initiates an authentication request carrying the device identifier, which in this example is the IMSI of the device.
Step 404: the HSS queries the subscription information according to the MTC device identifier; if the device has a group subscription, it generates the corresponding group authentication vector according to the authentication policy. In this example the MTC device has a group subscription, so the HSS generates the group authentication vector. Specifically, from the group root key and the corresponding key derivation algorithm it generates an authentication vector comprising the group random number RANDg, the group authentication token AUTNg, the group key set identifier KSI_ASMEg, the access network element key K_ASME and the group expected response XRESg.
Step 405: the HSS returns an authentication data response to the MME carrying the group random number RANDg, the group authentication token AUTNg, the group key set identifier KSI_ASMEg, the access network element key K_ASME, the group expected response XRESg and the subscription information of the group, which comprises the group identifier and the identifiers of all MTC devices in the group. The message sent to the MME also carries the hash value hash(Ksi) of the root key of each MTC device; specifically, the HSS computes it over each MTC device's root key with the configured hash algorithm.
Step 406: the MME stores the group authentication parameters, finds the hash(Ksi) corresponding to this MTC device among them, generates a random number RANDi, generates K_ASMEi from hash(Ksi), RANDi and K_ASME, and generates XRESi from hash(Ksi), RANDi and XRESg.
Step 407: the MME sends a subscriber authentication request to the MTC device carrying RANDi, RANDg, AUTNg, KSI_ASMEg and the group authentication indication GA Indicator.
Step 408: the MTC device computes the hash value hash(Ksi) of its own root key Ksi with the same hash algorithm as the HSS and, from this hash(Ksi), RANDi and the group response RESg and K_ASME computed with the existing algorithm, computes the MTC device response RESi and K_ASMEi respectively.
Step 409: the MTC device returns a subscriber authentication response to the MME carrying RESi.
Step 410: the MME compares RESi with XRESi; if they match, authentication succeeds, otherwise it fails.
Step 411: The MME derives K_ASMEi from hash(Ksi), RANDi and K_ASMEg, and from K_ASMEi derives K_NASenci, K_NASinti and K_eNBi. K_NASenci and K_NASinti protect the NAS signalling between the user and the MME; K_eNBi is delivered to the eNB, and the eNB derives K_UPenci, K_RRCinti and K_RRCenci from K_eNBi.
Step 412: The MTC device derives K_NASenci, K_NASinti and K_eNBi from K_ASMEi, where K_NASenci and K_NASinti provide confidentiality protection and integrity protection for the data respectively.
Fig. 5 is a flowchart of authenticating an MTC device belonging to a group of MTC devices in an EPS network. As shown in Fig. 5, the MTC device authentication flow of this example comprises the following steps:
Step 501: The MTC device initiates an access request or service request. The request message carries its user identifier (IMSI).
Step 502: The MME checks whether it already holds subscription group information that includes this MTC device.
Step 503: In this example the MME finds that the subscription information of the group to which the MTC device belongs, and the group authentication vector of that group, already exist. The MME generates a random number RANDi and derives XRESi from RANDi, hash(Ksi) and XRESg.
Step 504: The MME sends a subscription authentication request to the MTC device. The message carries RANDi, RANDg, AUTNg, KSI_ASMEg and the group authentication indication GA Indicator.
Step 505: The MTC device uses the same hash algorithm as the HSS to compute the hash value hash(Ksi) of its own Ksi, and computes RESi from this hash value, RANDi and the RESg computed with the existing algorithm.
Step 506: The MTC device returns a subscription authentication response to the MME. The response carries RESi.
Step 507: The MME compares RESi with XRESi; if they match, authentication succeeds.
Step 508: The MME derives K_ASMEi from RANDi, hash(Ksi) and K_ASMEg, and from K_ASMEi derives K_NASenci, K_NASinti and K_eNBi. K_NASenci and K_NASinti protect the NAS signalling between the user and the MME; K_eNBi is delivered to the eNB, and the eNB derives K_UPenci, K_RRCinti and K_RRCenci from K_eNBi.
Step 509: The MTC device derives K_NASenci, K_NASinti, K_UPenci, K_RRCinti and K_RRCenci from K_ASMEi and uses them for confidentiality and integrity protection of the data.
Fig. 6 is a schematic diagram of the structure of the group-based authentication system in a machine-to-machine communication system according to the present invention. As shown in Fig. 6, the group-based authentication system in the machine-to-machine communication system of the present invention comprises an MTC device 60, an access security management entity 61 and an authentication centre AUC 62; the other network elements in the system are the same as in the prior-art network configuration. The AUC 62 generates group authentication parameters according to the group information subscribed by the MTC device and sends the group authentication parameters to the access security management entity.
The access security management entity 61 generates authentication parameters for each MTC device according to the generated group authentication parameters, and authenticates the MTC devices in the group.
Further, the AUC 62 pre-configures the group root key of the group to which the MTC device belongs and the root key of the MTC device; it queries the subscription information of the MTC device according to the MTC device identifier carried in the received authentication request message and, if the MTC device has a group subscription, generates the corresponding group authentication vector according to the group root key and the group identifier of the group to which the MTC device belongs; and it generates the hash value of the root key of the MTC device according to the root key of the MTC device and a hash algorithm.
Further, the group authentication parameters comprise: the group authentication vector, the hash value of the MTC device root key, and the subscription group to which the MTC device belongs together with its group member information.
Further, after receiving an attach request or service request from the MTC device, the access security management entity 61 queries, according to the MTC device identifier carried in the request message, whether the subscription group of the MTC device and the group authentication parameters of that group already exist; if not, it initiates an authentication request for the MTC device to the AUC; if so, it authenticates the MTC device.
Further, the access security management entity 61 generates a random number, generates an authentication vector for the MTC device according to the group authentication vector, the hash value of the MTC device root key and the random number, and authenticates the MTC device.
The above ASME is a VLR/SGSN or an MME; the above AUC is an HLR/AuC or an HSS.
Those skilled in the art will understand that the group-based authentication system in a machine-to-machine communication system of the present invention is designed to implement the group-based authentication method in a machine-to-machine communication system described above, and that the functions implemented by each network element can be understood with reference to the corresponding description of the method.
The above are merely preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention.
Claims (10)
- 1. A group-based authentication method in a machine-to-machine communication system, characterised in that: an authentication centre AUC generates group authentication parameters according to the group information subscribed by a machine type communication (MTC) device and sends the group authentication parameters to an access security management entity; the access security management entity generates authentication parameters for each MTC device according to the generated group authentication parameters and authenticates the MTC devices in the group.
- 2. The method according to claim 1, characterised in that, before the AUC generates the group authentication parameters according to the group subscription information of the machine type communication MTC device: the AUC pre-configures the group root key of the group to which the MTC device belongs and the root key of the MTC device.
- 3. The method according to claim 2, characterised in that: the AUC queries the subscription information of the MTC device according to the MTC device identifier carried in the received authentication request message and, if the MTC device has a group subscription, generates the corresponding group authentication vector according to the group root key and the group identifier of the group to which the MTC device belongs; the AUC generates the hash value of the root key of the MTC device according to the root key of the MTC device and a hash algorithm.
- 4. The method according to claim 1 or 3, characterised in that the group authentication parameters comprise: the group authentication vector, the hash value of the MTC device root key, and the subscription group to which the MTC device belongs together with its group member information.
- 5. The method according to claim 1, characterised in that: after receiving an attach request or service request from the MTC device, the access security management entity ASME queries, according to the MTC device identifier carried in the request message, whether the subscription group of the MTC device and the group authentication parameters of that group already exist; if not, it initiates an authentication request for the MTC device to the AUC; if so, the access security management entity authenticates the MTC device directly.
- 6. The method according to claim 5, characterised in that the access security management entity authenticating the MTC device comprises: the access security management entity generates a random number, generates an authentication vector for the MTC device according to the group authentication vector, the hash value of the MTC device root key and the random number it generated, and authenticates the MTC device.
- 7. A group-based authentication system in a machine-to-machine communication system, comprising an MTC device, an access security management entity ASME and an authentication centre AUC, characterised in that: the AUC is configured to generate group authentication parameters according to the group information subscribed by the machine type communication MTC device and to send the group authentication parameters to the access security management entity; the access security management entity is configured to generate authentication parameters for each MTC device according to the generated group authentication parameters and to authenticate the MTC devices in the group.
- 8. The system according to claim 7, characterised in that the AUC is configured to pre-configure the group root key of the group to which the MTC device belongs and the root key of the MTC device; to query the subscription information of the MTC device according to the MTC device identifier carried in the received authentication request message and, if the MTC device has a group subscription, to generate the corresponding group authentication vector according to the group root key and the group identifier of the group to which the MTC device belongs; and to generate the hash value of the root key of the MTC device according to the root key of the MTC device and a hash algorithm.
- 9. The system according to claim 7, characterised in that the group authentication parameters comprise: the group authentication vector, the hash value of the MTC device root key, and the subscription group to which the MTC device belongs together with its group member information.
- 10. The system according to claim 7, characterised in that the access security management entity is configured, after receiving an attach request or service request from the MTC device, to query, according to the MTC device identifier carried in the request message, whether the subscription group of the MTC device and the group authentication parameters of that group already exist; if not, to initiate an authentication request for the MTC device to the AUC; if so, to authenticate the MTC device; and the access security management entity is configured to generate a random number, to generate an authentication vector for the MTC device according to the group authentication vector, the hash value of the MTC device root key and the random number, and to authenticate the MTC device.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201010153947.8A CN102238484B (en) | 2010-04-22 | 2010-04-22 | Based on the authentication method of group and system in the communication system of Machine To Machine |
PCT/CN2011/071068 WO2011131052A1 (en) | 2010-04-22 | 2011-02-17 | Method and system for group-based authentication in machine to machine communication systems |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201010153947.8A CN102238484B (en) | 2010-04-22 | 2010-04-22 | Based on the authentication method of group and system in the communication system of Machine To Machine |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102238484A true CN102238484A (en) | 2011-11-09 |
CN102238484B CN102238484B (en) | 2016-03-30 |
Family
ID=44833687
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201010153947.8A Active CN102238484B (en) | 2010-04-22 | 2010-04-22 | Based on the authentication method of group and system in the communication system of Machine To Machine |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN102238484B (en) |
WO (1) | WO2011131052A1 (en) |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103297224A (en) * | 2012-02-23 | 2013-09-11 | 中国移动通信集团公司 | Encryption key information distribution method and related device |
CN103841082A (en) * | 2012-11-22 | 2014-06-04 | 中国电信股份有限公司 | Security capability negotiation method, system, service server and user terminal |
CN104205898A (en) * | 2012-02-16 | 2014-12-10 | 诺基亚通信公司 | Method and system for group based service bootstrap in M2M environment |
CN104641667A (en) * | 2013-09-16 | 2015-05-20 | 华为技术有限公司 | Network access method, device and system |
WO2016107193A1 (en) * | 2014-12-30 | 2016-07-07 | 中兴通讯股份有限公司 | Method and device for data transmission in wireless communication network |
CN106465117A (en) * | 2014-04-30 | 2017-02-22 | 华为技术有限公司 | Method, device and communication system for terminal to access communication network |
CN107454077A (en) * | 2017-08-01 | 2017-12-08 | 北京迪曼森科技有限公司 | A kind of single-point logging method based on IKI ID authentications |
WO2018077220A1 (en) * | 2016-10-26 | 2018-05-03 | Huawei Technologies Co., Ltd. | System and method for massive iot group authentication |
CN108112012A (en) * | 2016-11-24 | 2018-06-01 | 中国移动通信有限公司研究院 | The method for network authorization and device of a kind of group endpoints |
CN108683690A (en) * | 2018-08-27 | 2018-10-19 | 创新维度科技(北京)有限公司 | Method for authenticating, user equipment, authentication device, authentication server and storage medium |
CN112788571A (en) * | 2021-01-14 | 2021-05-11 | 兰州大学 | Group authentication method and system for machine type communication equipment in LTE network |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103096309B (en) * | 2011-11-01 | 2016-08-10 | 华为技术有限公司 | Generate method and the relevant device of group key |
FR2990094A1 (en) | 2012-04-26 | 2013-11-01 | Commissariat Energie Atomique | METHOD AND SYSTEM FOR AUTHENTICATING NODES IN A NETWORK |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101511082A (en) * | 2008-02-15 | 2009-08-19 | 中国移动通信集团公司 | Method, equipment and system for updating group cipher key |
CN101640887A (en) * | 2008-07-29 | 2010-02-03 | 上海华为技术有限公司 | Authentication method, communication device and communication system |
CN102215474A (en) * | 2010-04-12 | 2011-10-12 | 华为技术有限公司 | Method and device for carrying out authentication on communication equipment |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1727329A1 (en) * | 2005-05-23 | 2006-11-29 | Siemens S.p.A. | Method and system for the remote management of a machine via IP links of an IP multimedia subsystem, IMS |
CN101212508B (en) * | 2006-12-31 | 2011-12-28 | 康佳集团股份有限公司 | Incoming call prompt method and system |
- 2010-04-22 CN CN201010153947.8A patent/CN102238484B/en active Active
- 2011-02-17 WO PCT/CN2011/071068 patent/WO2011131052A1/en active Application Filing
Cited By (21)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104205898A (en) * | 2012-02-16 | 2014-12-10 | 诺基亚通信公司 | Method and system for group based service bootstrap in M2M environment |
CN103297224B (en) * | 2012-02-23 | 2016-05-25 | 中国移动通信集团公司 | Key information distribution method and relevant device |
CN103297224A (en) * | 2012-02-23 | 2013-09-11 | 中国移动通信集团公司 | Encryption key information distribution method and related device |
CN103841082A (en) * | 2012-11-22 | 2014-06-04 | 中国电信股份有限公司 | Security capability negotiation method, system, service server and user terminal |
CN103841082B (en) * | 2012-11-22 | 2017-05-31 | 中国电信股份有限公司 | Safety ability consultation method and system, service server, user terminal |
CN104641667B (en) * | 2013-09-16 | 2018-10-02 | 华为技术有限公司 | A kind of method for network access, equipment and system |
CN104641667A (en) * | 2013-09-16 | 2015-05-20 | 华为技术有限公司 | Network access method, device and system |
CN106465117B (en) * | 2014-04-30 | 2020-11-06 | 华为技术有限公司 | Method, device and communication system for accessing terminal to communication network |
CN106465117A (en) * | 2014-04-30 | 2017-02-22 | 华为技术有限公司 | Method, device and communication system for terminal to access communication network |
US10412604B2 (en) | 2014-12-30 | 2019-09-10 | Zte Corporation | Method and device for data transmission in wireless communication network |
CN105813201B (en) * | 2014-12-30 | 2019-04-09 | 中兴通讯股份有限公司 | Data transmission method and device in a kind of cordless communication network |
CN105813201A (en) * | 2014-12-30 | 2016-07-27 | 中兴通讯股份有限公司 | Data transmission method and device in wireless communication network |
WO2016107193A1 (en) * | 2014-12-30 | 2016-07-07 | 中兴通讯股份有限公司 | Method and device for data transmission in wireless communication network |
WO2018077220A1 (en) * | 2016-10-26 | 2018-05-03 | Huawei Technologies Co., Ltd. | System and method for massive iot group authentication |
US10887295B2 (en) | 2016-10-26 | 2021-01-05 | Futurewei Technologies, Inc. | System and method for massive IoT group authentication |
CN108112012A (en) * | 2016-11-24 | 2018-06-01 | 中国移动通信有限公司研究院 | The method for network authorization and device of a kind of group endpoints |
CN107454077A (en) * | 2017-08-01 | 2017-12-08 | 北京迪曼森科技有限公司 | A kind of single-point logging method based on IKI ID authentications |
CN107454077B (en) * | 2017-08-01 | 2020-05-19 | 北京迪曼森科技有限公司 | Single sign-on method based on IKI identification authentication |
CN108683690A (en) * | 2018-08-27 | 2018-10-19 | 创新维度科技(北京)有限公司 | Method for authenticating, user equipment, authentication device, authentication server and storage medium |
CN108683690B (en) * | 2018-08-27 | 2021-11-02 | 创新维度科技(北京)有限公司 | Authentication method, user equipment, authentication device, authentication server and storage medium |
CN112788571A (en) * | 2021-01-14 | 2021-05-11 | 兰州大学 | Group authentication method and system for machine type communication equipment in LTE network |
Also Published As
Publication number | Publication date |
---|---|
CN102238484B (en) | 2016-03-30 |
WO2011131052A1 (en) | 2011-10-27 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN102238484B (en) | Based on the authentication method of group and system in the communication system of Machine To Machine | |
CN113016202B (en) | Apparatus, method and computer readable storage medium for base station | |
US11178547B2 (en) | Identity-based message integrity protection and verification for wireless communication | |
US10003965B2 (en) | Subscriber profile transfer method, subscriber profile transfer system, and user equipment | |
KR101675088B1 (en) | Mutual authentication method and system with network in machine type communication | |
CN108293223B (en) | Data transmission method, user equipment and network side equipment | |
CN101931955B (en) | Authentication method, device and system | |
EP2903322B1 (en) | Security management method and apparatus for group communication in mobile communication system | |
US9270672B2 (en) | Performing a group authentication and key agreement procedure | |
KR20170102864A (en) | Mutual authentication between user equipment and an evolved packet core | |
EP3258718B1 (en) | Gprs system key enhancement method, sgsn device, ue, hlr/hss and gprs system | |
WO2017025629A1 (en) | Network access identifier including an identifier for a cellular access network node | |
US11343673B2 (en) | Enhanced aggregated re-authentication for wireless devices | |
CN104285422A (en) | Secure communications for computing devices utilizing proximity services | |
CN101951590B (en) | Authentication method, device and system | |
CN101945387B (en) | The binding method of a kind of access layer secret key and equipment and system | |
CN102137397A (en) | Authentication method based on shared group key in machine type communication (MTC) | |
CN102457844B (en) | Group key management method and system in the certification of a kind of M2M group | |
WO2012174959A1 (en) | Group authentication method, system and gateway in machine-to-machine communication | |
AU2017313215B2 (en) | Authentication server of a cellular telecommunication network and corresponding UICC | |
CN102469458A (en) | Group authentication method and system in M2M communication | |
Zhang et al. | Dynamic group based authentication protocol for machine type communications | |
Lai et al. | Security issues on machine to machine communications | |
KR101431214B1 (en) | Mutual authentication method and system with network in machine type communication, key distribution method and system, and uicc and device pair authentication method and system in machine type communication | |
EP4047969A1 (en) | Enhancements for authentication in cellular communication networks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant |