EP-4738901-A2 - NETWORK ACCESS AUTHENTICATION METHOD AND DEVICE

Abstract

Embodiments of the present invention provide a network access authentication method and device. The method comprises: receiving an authentication request message sent by a first serving network, wherein the authentication request message carries a user equipment pseudonym identifier generated by a user equipment; determining whether a local user equipment pseudonym identifier is asynchronous with the user equipment pseudonym identifier generated by the user equipment; and obtaining, if the determination result is yes, an encrypted international mobile subscriber identity (IMSI) to carry out network access authentication on the user equipment. The embodiments of the present invention solve the problem that the network access process in the related art provides no processing method for the case where the user equipment pseudonym identifier held by the user equipment is asynchronous with the user equipment pseudonym identifier held by the home network.

Inventors

  • YOU, SHILIN
  • LIU, HONGJUN
  • CAI, JIYAN
  • ZONG, ZAIFENG
  • PENG, JIN
  • LIN, ZHAOJI
  • ZHANG, Yunyin

Assignees

  • ZTE Corporation

Dates

Publication Date
20260506
Application Date
20170725

Claims (6)

  1. A method for wireless communication, comprising: transmitting, by a user equipment, an attach request to a second serving network, wherein the attach request carries a temporary identifier to allow the second serving network to obtain a user context from a first serving network to which the user equipment had initially attached; receiving, by the user equipment, from the second serving network, an identifier request message after the second serving network being notified of a failure in retrieving the user context at the first serving network, wherein the identifier request message includes an identifier type indicating an encrypted subscription identity; and transmitting, by the user equipment, an identifier request response message from the user equipment including the encrypted subscription identity according to the identifier type in the identifier request message.
  2. The method of claim 1, wherein the user equipment had initially attached to the first serving network by: transmitting, by the user equipment, an initial attach request to the first serving network; receiving, by the user equipment, an authentication request message from the first serving network, transmitting, by the user equipment, an authentication request response to the first serving network in response to the authentication request message, and receiving, by the user equipment, an attach success response from the first serving network, wherein the attach success response comprises the temporary identifier allocated to the user equipment.
  3. The method of claims 1-2, wherein the encrypted subscription identity is determined by the user equipment using a public key.
  4. The method of claim 1, wherein the identifier request response comprises a response value calculated by the user equipment based on an authentication token and a random number.
  5. A user equipment, comprising: one or more processors; and a memory including processor-executable code, wherein the processor-executable code, upon execution by the one or more processors, configures the one or more processors to cause the user equipment to implement a method of any of claims 1 to 4.
  6. A non-transitory storage medium having code stored thereon, the code upon execution by one or more processors, causing the one or more processors to implement a method recited in any of claims 1 to 4.

Description

TECHNICAL FIELD

Embodiments of the present disclosure relate to the technical field of communication, and in particular to a network access authentication method and a network access authentication device.

BACKGROUND

Mobile communication has developed rapidly over more than 20 years and has had a huge impact on people's lifestyles and on production, social, political and economic life. Human society has entered an era of efficient information exchange, and the demand for traffic applications in all aspects has increased explosively. This will bring huge challenges to future wireless mobile broadband systems in terms of frequency, technology and operation. In addition to providing services for person-to-person communication, future mobile networks will provide access services for more and more Internet of Things terminals. Internet of Things access brings new challenges and opportunities to mobile networks. Different types of Internet of Things have different requirements for the networks. Some require networks to provide high real-time and high-reliability services, such as telemedicine, while others require regular small data transmission services, such as remote meter reading systems. For different traffic demands, mobile networks may need to be optimized appropriately to meet those demands. More Internet of Things applications put more, and different, optimization requirements on mobile networks, and some of these requirements may contradict each other. Therefore, a converged core network may become unable to meet the various demands of the Internet of Things. With the continuous upgrading of networks, 5G technology has appeared, and the privacy protection requirements for the network are getting increasingly higher.

FIG. 1 is a schematic diagram of future 5G network access in the related art. As shown in FIG. 1, the user equipment completes initial registration in a serving network 1, and the serving network 1 obtains an authentication vector and user subscription data from the home network of the user equipment. The serving network 1 completes mutual authentication with the user equipment, and then the user equipment can attach to a serving network 2 for related data traffic. The serving network 1 and the serving network 2 each include an access network and a core network, and the home network includes a user data center/authentication center.

FIG. 2 is a schematic diagram of a process in the related art for protecting user privacy with respect to the International Mobile Subscriber Identification Number (IMSI) when a user equipment accesses a serving network 1. The IMSI is stored in a SIM card, is used to identify a mobile subscriber, and has a total length of no more than 15 digits from 0 to 9. The IMSI consists of a Mobile Country Code (MCC) of 3 digits indicating the mobile subscriber's country (the MCC of China is 460); a Mobile Network Code (MNC) of two or three digits identifying the mobile communication network to which the mobile subscriber belongs (China Mobile's MNC is 00); and a Mobile Subscriber Identification Number (MSIN) identifying a particular mobile subscriber within that network. The steps are as follows.

In step S201, the user equipment partially encrypts the IMSI with a public key Kimsi. The security method is that the original MCC and MNC are kept unchanged and only the MSIN is encrypted, that is, encrypted IMSI = MCC + MNC + encryption function(MSIN, Kimsi), where Kimsi is the public key of the home network.

In step S202, the user equipment sends an initial attach request message to the serving network 1. The message carries the encrypted IMSI.

In step S203, the serving network 1 searches for the home network of the user equipment according to the MCC and the MNC in the encrypted IMSI, and sends an authentication request message to the home network. The message carries the encrypted IMSI.

In step S204, the home network decrypts the encrypted IMSI with the private key paired with the public key to obtain the decrypted IMSI, and identifies the user corresponding to the encrypted IMSI.

In step S205, the home network sends an authentication request response message to the serving network 1. The message carries a user security context, i.e., a security vector set.

In step S206, the home network uses a key K1 that is known to the user equipment to generate a user equipment alias identifier corresponding to the user equipment. The user equipment alias identifier is used to replace the IMSI or the encrypted IMSI, so that the serving network 1 can identify the home network corresponding to the user equipment according to the user equipment alias identifier in subsequent processing.

In step S207, the serving network 1 sends a user authentication request message to the user equipment. The message carries an authentication token AUTN and a random number RAND. The user equipment verifies th
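The partial IMSI encryption of steps S201 to S204 (encrypted IMSI = MCC + MNC + encryption function(MSIN, Kimsi)), written out as an added Go example that is not part of the patent: the serving network routes on the clear MCC+MNC prefix alone, and only the home network can recover the MSIN. RSA-OAEP as the encryption function, the 2048-bit key size and the base64 wire form are assumptions; the key pair and the sample IMSI are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
)

func NewHomeNetworkKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048) // constructed home-network key pair; size is an assumption
}
// ConcealIMSI is step S201: MCC (3 digits) and MNC (2 or 3 digits) stay in clear;
// only the MSIN is encrypted under Kimsi (RSA-OAEP stands in for the encryption function).
func ConcealIMSI(imsi string, mncLen int, kimsi *rsa.PublicKey) (string, error) {
	if (mncLen != 2 && mncLen != 3) || len(imsi) > 15 || len(imsi) <= 3+mncLen {
		return "", errors.New("malformed IMSI")
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kimsi, []byte(imsi[3+mncLen:]), []byte("MSIN"))
	return imsi[:3+mncLen] + base64.RawURLEncoding.EncodeToString(ct), err // ct is nil when err != nil
}
// HomeNetworkRoute is step S203 at serving network 1: route on the clear MCC+MNC only.
func HomeNetworkRoute(concealed string, mncLen int) string {
	if len(concealed) <= 3+mncLen {
		return ""
	}
	return concealed[:3+mncLen]
}
// RevealIMSI is step S204 at the home network: decrypt the MSIN with the private key.
func RevealIMSI(concealed string, mncLen int, priv *rsa.PrivateKey) (string, error) {
	prefix := HomeNetworkRoute(concealed, mncLen)
	ct, err := base64.RawURLEncoding.DecodeString(concealed[len(prefix):])
	if prefix == "" || err != nil {
		return "", errors.New("malformed concealed IMSI")
	}
	msin, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, []byte("MSIN"))
	if err != nil {
		return "", err // wrong or rotated home-network key: OAEP integrity check fails
	}
	return prefix + string(msin), nil
}

func main() { // stand-alone run with the constructed key pair and a constructed sample IMSI
	priv, _ := NewHomeNetworkKey()
	c, _ := ConcealIMSI("460001234567890", 2, &priv.PublicKey)
	plain, _ := RevealIMSI(c, 2, priv)
	println(HomeNetworkRoute(c, 2), plain)
}
```

Because OAEP is randomized, two attach requests from the same subscriber carry different encrypted IMSIs, so an observer on the serving-network side cannot link them by the identifier alone.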