Authentication parameter sending method and device, and authentication parameter processing method and device

Document number: 1775770    Publication date: 2019-12-03

Reading note: this technology, "Authentication parameter sending method and device, and authentication parameter processing method and device", was designed by Xie Zhenhua on 2019-04-18. Its main content is as follows. The application proposes an authentication parameter sending method and device and an authentication parameter processing method and device. The authentication parameter sending method comprises: receiving an authentication request message; generating second information using first information, and generating an authentication token (AUTN) using the second information; and feeding back authentication parameters comprising the second information and the AUTN. The application can reduce the risk that the terminal-side network synchronization parameter is illegally obtained.

1. An authentication parameter sending method, characterized in that the method comprises:

receiving an authentication request message;

generating second information using first information, and generating an authentication token AUTN using the second information;

feeding back authentication parameters comprising the second information and the AUTN.

2. The method according to claim 1, wherein the first information is network-side time difference information.

3. The method according to claim 2, characterized in that generating the second information using the first information comprises:

generating a first check code using the first information;

generating the second information using the first check code, the second information containing the content of the first check code.

4. The method according to claim 2, characterized in that it further comprises generating a first check code using the first information;

the fed-back authentication parameters also comprising the first check code.

5. The method according to claim 1, wherein the first information is first token information carried in the authentication request message.

6. An authentication parameter processing method, characterized in that the method comprises:

receiving authentication parameters from a first core network functional node, the authentication parameters comprising second information and an authentication token AUTN;

obtaining first information based on the second information and verifying the first information; sending to the subscriber card an authentication request comprising the second information and the AUTN;

in response to the verification failing and a synchronization failure indication being received from the subscriber card, feeding back a network verification failure message to the first core network functional node.

7. The method according to claim 6, characterized in that the first information is network-side time difference information.

8. The method according to claim 7, characterized in that verifying the first information comprises:

judging whether the difference between terminal-side time difference information and the network-side time difference information exceeds a preset threshold; if it does, the verification of the first information fails; if it does not, the verification of the first information succeeds.

9. The method according to claim 7, characterized in that the method further comprises:

in response to receiving an authentication success indication from the subscriber card, setting the terminal-side time difference information using the first information.

10. The method according to claim 8 or 9, characterized in that the authentication parameters further comprise a first check code, or the second information contains the content of a first check code; the first check code being generated using the first information and based on a first algorithm;

and that, before feeding back the network verification failure message to the first core network functional node in response to the verification failing and the synchronization failure indication being received from the subscriber card, the method further comprises:

obtaining the first check code contained in the authentication parameters, or obtaining the first check code based on the second information;

verifying the first check code; if the verification of the first check code succeeds, continuing to perform the step of feeding back the network verification failure message to the first core network functional node in response to the verification failing and the synchronization failure indication being received from the subscriber card.

11. The method according to claim 10, characterized in that verifying the first check code comprises: generating a second check code using the first information and based on the first algorithm;

judging whether the second check code and the first check code are identical; if identical, the verification of the first check code succeeds.

12. The method according to claim 6, characterized in that the first information is first token information.

13. The method according to claim 12, characterized in that verifying the first information comprises:

calculating second token information using the same algorithm as that used to generate the first token information;

judging whether the second token information and the first token information are identical; if identical, the verification of the first information succeeds; if not identical, the verification of the first information fails.

14. A message sending method, characterized in that the method comprises:

receiving a message from a user equipment, and generating first token information based on the content of the message;

sending an authentication request message comprising the first token information to a second core network functional node.

15. An authentication parameter sending device, characterized in that the device comprises:

a first receiving module for receiving an authentication request message;

a generation module for generating second information using first information and generating an authentication token AUTN using the second information;

a feedback module for feeding back authentication parameters comprising the second information and the AUTN.

16. The device according to claim 15, characterized in that the first information is network-side time difference information.

17. The device according to claim 16, characterized in that the generation module is configured to:

generate a first check code using the first information;

generate the second information using the first check code, the second information containing the content of the first check code.

18. The device according to claim 16, characterized in that the generation module is further configured to generate a first check code using the first information;

the authentication parameters fed back by the feedback module also comprising the first check code.

19. The device according to claim 15, characterized in that the first information is first token information carried in the authentication request message.

20. An authentication parameter processing device, characterized in that the device comprises:

a second receiving module for receiving authentication parameters from a first core network functional node, the authentication parameters comprising second information and an authentication token AUTN;

a verification module for obtaining first information based on the second information and verifying the first information, and further for sending to the subscriber card an authentication request comprising the second information and the AUTN;

a processing module for, in response to the verification failing and a synchronization failure indication being received from the subscriber card, feeding back a network verification failure message to the first core network functional node.

21. The device according to claim 20, characterized in that the first information is network-side time difference information.

22. The device according to claim 21, characterized in that the verification module is configured to:

judge whether the difference between terminal-side time difference information and the network-side time difference information exceeds a preset threshold; if it does, the verification of the first information fails; if it does not, the verification of the first information succeeds.

23. The device according to claim 21, characterized in that the processing module is further configured to:

in response to receiving an authentication success indication from the subscriber card, set the terminal-side time difference information using the first information.

24. The device according to claim 22 or 23, characterized in that the authentication parameters further comprise a first check code, or the second information contains the content of a first check code; the first check code being generated using the first information and based on a first algorithm;

the processing module being configured to: obtain the first check code contained in the authentication parameters, or obtain the first check code based on the second information; verify the first check code; and, if the verification of the first check code succeeds, feed back the network verification failure message to the first core network functional node in response to the verification failing and the synchronization failure indication being received from the subscriber card.

25. The device according to claim 24, characterized in that the processing module is configured to: generate a second check code using the first information and based on the first algorithm; judge whether the second check code and the first check code are identical; and, if identical, treat the verification of the first check code as successful.

26. The device according to claim 20, characterized in that the first information is first token information.

27. The device according to claim 26, characterized in that the verification module is configured to:

calculate second token information using the same algorithm as that used to generate the first token information;

judge whether the second token information and the first token information are identical; if identical, the verification of the first information succeeds; if not identical, the verification of the first information fails.

28. A message sending device, characterized in that the device comprises:

a third receiving module for receiving a message from a user equipment and generating first token information based on the content of the message;

a sending module for sending an authentication request message comprising the first token information to a second core network functional node.

29. A core network functional node for authentication parameter sending, characterized in that the core network functional node comprises a processor and a memory;

the memory being configured to store instructions;

the processor being configured to read the instructions to perform the method according to any one of claims 1 to 5.

30. A user equipment (UE) for authentication parameter processing, characterized in that the UE comprises a processor and a memory;

the memory being configured to store instructions;

the processor being configured to read the instructions to perform the method according to any one of claims 6 to 13.

31. A core network functional node for message sending, characterized in that the core network functional node comprises a processor and a memory;

the memory being configured to store instructions;

the processor being configured to read the instructions to perform the method according to claim 14.

32. A communication system, characterized in that the system comprises the core network functional node according to claim 29, the UE according to claim 30 and the core network functional node according to claim 31.

33. A storage medium, characterized in that the storage medium stores a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 14.

Technical field

The application relates to the field of communications, and in particular to an authentication parameter sending method and device and an authentication parameter processing method and device.

Background art

The Third Generation Partnership Project (3GPP) has specified a scheme for mutual authentication between the terminal and the network. The Home Subscriber Server (HSS) maintains a network synchronization parameter SQNnw for each user, and the subscriber card in the terminal records a corresponding network synchronization parameter SQNms. Each time the HSS generates a set of authentication parameters for a user, it adds 1 to SQNnw. When the HSS receives the terminal's authentication request message for a user, it first generates a random string RAND, then generates an authentication token (AUTN) based on RAND and SQNms, and then sends RAND and AUTN to the terminal. The terminal passes RAND and AUTN to the subscriber card in the terminal. The subscriber card first computes SQNnw based on RAND and AUTN, and then verifies AUTN with RAND and SQNnw using the scheme corresponding to the one the HSS used to generate AUTN. If AUTN is verified successfully, the card judges whether the difference between SQNnw and SQNms is in the valid range (greater than 0 and less than k). If the difference between SQNnw and SQNms is not in the valid range, the card returns a network synchronization failure indication to the terminal carrying information generated based on SQNms, and the terminal in turn sends a network synchronization failure message to the network side carrying the information generated based on SQNms. If the difference between SQNnw and SQNms is in the valid range, the card returns an authentication success indication to the terminal and sets SQNms = SQNnw. If the verification of AUTN fails, the card returns a network verification failure indication to the terminal. This procedure has a loophole: an attacker can very likely use a RAND and AUTN that authenticated successfully earlier to illegally obtain the value of SQNms from the network synchronization failure message fed back by the terminal, causing SQNms to be exposed.

Summary of the invention

In order to solve at least one of the above technical problems, the embodiments of the application provide the following solutions.

The embodiment of the application provides an authentication parameter sending method, the method comprising:

receiving an authentication request message;

generating second information using first information, and generating AUTN using the second information;

feeding back authentication parameters comprising the second information and the AUTN.

The embodiment of the application provides an authentication parameter processing method, comprising:

receiving authentication parameters from a first core network functional node, the authentication parameters comprising second information and AUTN;

obtaining first information based on the second information and verifying the first information; sending to the subscriber card an authentication request comprising the second information and the AUTN;

in response to the verification failing and a synchronization failure indication being received from the subscriber card, feeding back a network verification failure message to the first core network functional node.

The embodiment of the application provides a message sending method, comprising:

receiving a message from a user equipment, and generating first token information based on the content of the message;

sending an authentication request message comprising the first token information to a second core network functional node.

The embodiment of the application provides an authentication parameter sending device, comprising:

a first receiving module for receiving an authentication request message;

a generation module for generating second information using first information and generating an authentication token AUTN using the second information;

a feedback module for feeding back authentication parameters comprising the second information and the AUTN.

The embodiment of the application provides an authentication parameter processing device, comprising:

a second receiving module for receiving authentication parameters from a first core network functional node, the authentication parameters comprising second information and an authentication token AUTN;

a verification module for obtaining first information based on the second information and verifying the first information, and further for sending to the subscriber card an authentication request comprising the second information and the AUTN;

a processing module for, in response to the verification failing and a synchronization failure indication being received from the subscriber card, feeding back a network verification failure message to the first core network functional node.

The embodiment of the application provides a message sending device, comprising:

a third receiving module for receiving a message from a user equipment and generating first token information based on the content of the message;

a sending module for sending an authentication request message comprising the first token information to a second core network functional node.

The embodiment of the application provides a core network functional node for authentication parameter sending, comprising a processor and a memory;

the memory being configured to store instructions;

the processor being configured to read the instructions to perform any of the authentication parameter sending methods of the application.

The embodiment of the application provides a UE for authentication parameter processing, comprising a processor and a memory;

the memory being configured to store instructions;

the processor being configured to read the instructions to perform any of the authentication parameter processing methods of the application.

The embodiment of the application provides a core network functional node for message sending, comprising a processor and a memory;

the memory being configured to store instructions;

the processor being configured to read the instructions to perform the message sending method of the application.

The embodiment of the application provides a communication system comprising the core network functional node for authentication parameter sending, the UE for authentication parameter processing and the core network functional node for message sending proposed by the embodiment of the application.

The embodiment of the application provides a storage medium storing a computer program which, when executed by a processor, implements the authentication parameter sending method, the authentication parameter processing method or the message sending method provided by the embodiments of the application.

With the authentication parameter sending method provided by the embodiment of the application, after an authentication request message is received, authentication parameters comprising second information are fed back, where the second information is generated from first information. The second information gives the terminal side a basis for verification and reduces the risk that the terminal-side network synchronization parameter is illegally obtained. The embodiment of the application also provides an authentication parameter processing method: after authentication parameters are received, the first information is obtained based on the second information contained in the authentication parameters, the first information is verified, and the corresponding operation is performed according to the verification result, thereby reducing the risk that the terminal-side network synchronization parameter is illegally obtained.

Brief description of the drawings

Fig. 1 is a schematic diagram of the implementation flow of an authentication parameter sending method of the embodiment of the application;

Fig. 2 is schematic diagram one of the implementation flow of an authentication parameter processing method of the embodiment of the application;

Fig. 3 is schematic diagram two of the implementation flow of an authentication parameter processing method of the embodiment of the application;

Fig. 4 is a schematic diagram of the implementation flow of a message sending method of the embodiment of the application;

Fig. 5 is a schematic diagram of the implementation flow of embodiment one of the application;

Fig. 6 is a schematic diagram of the implementation flow of embodiment two of the application;

Fig. 7 is a schematic diagram of the implementation flow of embodiment three of the application;

Fig. 8 is a schematic diagram of the implementation flow of embodiment four of the application;

Fig. 9 is a structural schematic diagram of an authentication parameter sending device of the embodiment of the application;

Fig. 10 is a structural schematic diagram of an authentication parameter processing device of the embodiment of the application;

Fig. 11 is a structural schematic diagram of a message sending device of the embodiment of the application;

Fig. 12 is a structural schematic diagram of a core network functional node of the embodiment of the application;

Fig. 13 is a structural schematic diagram of a UE of the embodiment of the application;

Fig. 14 is a schematic diagram of a communication network structure of the embodiment of the application.

Detailed description of the embodiments

In order to make the purposes, technical solutions and advantages of the application clearer, the embodiments of the application are described in detail below in conjunction with the drawings. It should be noted that, in the absence of conflict, the embodiments of the application and the features in those embodiments may be combined with each other in any way.

The embodiment of the application proposes an authentication parameter sending method. Fig. 1 is a schematic diagram of the implementation flow of the authentication parameter sending method proposed by the embodiment of the application, comprising:

S11: receiving an authentication request message;

S12: generating second information using first information, and generating AUTN using the second information;

S13: feeding back authentication parameters comprising the second information and the AUTN.

In an exemplary embodiment, the above method may be applied to a second core network functional node in the network (hereinafter "core network function 2"), for example an Authentication Server Function (AUSF), HSS, or Unified Data Management (UDM) functional node.

Core network function 2 receives the authentication request message from a first core network functional node (hereinafter "core network function 1"). The received authentication request message may be a UE Authentication Request message. Core network function 1 may be an Access and Mobility Management Function (AMF) or a Mobility Management Entity (MME).

In an exemplary embodiment, the above first information is network-side time difference information. Core network function 2 records a start time; if core network function 2 restarts or recovers after a failure, it must restore the original start time before continuing to provide service. The network-side time difference information may be the current time difference (S-TIME) obtained by core network function 2 as the difference between the current time and the start time.

In an exemplary embodiment, core network function 2 may generate the second information based on S-TIME; alternatively, core network function 2 may generate a random string (RAND) and generate the second information based on S-TIME and RAND. The second information may specifically be a challenge string (CH).

In an exemplary embodiment, generating the second information using the first information in step S12 comprises:

generating a first check code using the first information;

generating the second information using the first check code, the second information containing the content of the first check code.

For example, core network function 2 generates CH1 based on S-TIME, or based on S-TIME and RAND. It then generates the first check code based on CH1; the first check code may be denoted HASH. It then generates CH2 using HASH; here CH2 is the above second information, and CH2 contains the content of HASH.

In an exemplary embodiment, the method further comprises generating the first check code using the first information;

the fed-back authentication parameters also comprising the first check code.

For example, core network function 2 generates CH1 based on S-TIME, or based on S-TIME and RAND, and then generates HASH based on CH1. The fed-back authentication parameters comprise CH1, HASH and AUTN; here CH1 is the above second information.

In an exemplary embodiment, the first information in step S12 is first token information (TOKEN) carried in the authentication request message. Specifically, core network function 1 may obtain TOKEN directly from the message from the UE and send an authentication request message comprising TOKEN to core network function 2. Alternatively, core network function 1 may calculate TOKEN from the message from the UE and send an authentication request message comprising TOKEN to core network function 2.

The specific calculation of the above parameters is discussed in detail in the examples below.

As shown in Fig. 2, the embodiment of the application also proposes an authentication parameter processing method, comprising:

S21: receiving authentication parameters from a first core network functional node, the authentication parameters comprising second information and AUTN;

S22: obtaining first information based on the second information and verifying the first information; sending to the subscriber card an authentication request comprising the second information and the AUTN;

S23: in response to the verification failing and a synchronization failure indication being received from the subscriber card, feeding back a network verification failure message to the first core network functional node.

Alternatively, in response to the verification failing and a synchronization failure indication being received from the subscriber card, no message at all may be fed back to the first core network functional node.

In an exemplary embodiment, the authentication parameter processing method may be applied to a user equipment (UE).

In an exemplary embodiment, the first information is network-side time difference information (S-TIME).

In an exemplary embodiment, verifying the first information in step S22 comprises:

judging whether the difference between terminal-side time difference information and the network-side time difference information exceeds a preset threshold; if it does, the verification of the first information fails; if it does not, the verification of the first information succeeds.

In an exemplary embodiment, the above method further comprises: in response to receiving an authentication success indication from the subscriber card, setting the terminal-side time difference information using the first information.

For example, the terminal-side time difference information may be CUR-STIME. When the UE receives an authentication success indication from the subscriber card, it sets CUR-STIME = S-TIME. When authentication parameters are received in a subsequent procedure, if CUR-STIME > (S-TIME + constant), the difference between CUR-STIME and S-TIME is considered to exceed the preset threshold, i.e. the verification of S-TIME fails; if CUR-STIME ≤ (S-TIME + constant), the difference between CUR-STIME and S-TIME is considered not to exceed the preset threshold, i.e. the verification of S-TIME succeeds.
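The following is an added example, not code from the patent, that models steps S21 to S23 together with the CUR-STIME rule just described. It assumes formula (1) from embodiment one (CH = S-TIME), a simplified AUTN of the form SQN || HMAC-SHA256(K, CH || SQN) truncated to 8 bytes (the page fixes no AUTN algorithm), a constructed key `K`, and assumed values for the threshold constant and the SQN window `k`; the class and function names are the example's own. It shows why the S-TIME check matters: a replayed old vector still passes the card's AUTN check and would normally trigger a synchronization failure carrying SQNms-derived data, but the stale S-TIME makes the UE answer with a network verification failure instead.

```python
import hashlib
import hmac

# Constructed long-term key shared by the network and the subscriber card (not a real value).
K = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
THRESHOLD = 5    # the "constant" in CUR-STIME > (S-TIME + constant); assumed value
SQN_RANGE = 16   # the k of the background section's "greater than 0 and less than k"; assumed value


def autn_mac(key: bytes, ch: int, sqn: int) -> bytes:
    """Simplified AUTN MAC: HMAC-SHA256 over CH || SQN, truncated to 8 bytes.
    This is an assumption of the example; the page does not fix the AUTN algorithm."""
    msg = ch.to_bytes(8, "big") + sqn.to_bytes(6, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class CoreNetFunction2:
    """Network side (AUSF/HSS/UDM in the text): keeps SQNnw and a start time."""

    def __init__(self, key: bytes, start_time: int):
        self.key, self.start_time, self.sqn_nw = key, start_time, 1

    def issue(self, now: int) -> dict:
        s_time = now - self.start_time                        # network-side time difference
        ch = s_time                                           # formula (1): CH = S-TIME
        autn = self.sqn_nw.to_bytes(6, "big") + autn_mac(self.key, ch, self.sqn_nw)
        self.sqn_nw += 1                                      # SQNnw advances per vector
        return {"ch": ch, "autn": autn}


class SubscriberCard:
    """Card side: verifies AUTN and checks the SQN window, as in the background section."""

    def __init__(self, key: bytes, sqn_ms: int):
        self.key, self.sqn_ms = key, sqn_ms

    def authenticate(self, ch: int, autn: bytes) -> str:
        sqn, mac = int.from_bytes(autn[:6], "big"), autn[6:]
        if not hmac.compare_digest(mac, autn_mac(self.key, ch, sqn)):
            return "auth_failure"                             # AUTN does not verify
        if not 0 < sqn - self.sqn_ms < SQN_RANGE:
            return "sync_failure"                             # would carry SQNms-derived data
        self.sqn_ms = sqn
        return "auth_success"


class UE:
    """Terminal side: steps S22/S23 plus the CUR-STIME update."""

    def __init__(self, card: SubscriberCard):
        self.card, self.cur_stime = card, 0

    def process(self, params: dict) -> str:
        s_time = params["ch"]                                 # S22: recover S-TIME from CH
        fresh = self.cur_stime <= s_time + THRESHOLD          # S-TIME verification
        result = self.card.authenticate(params["ch"], params["autn"])
        if result == "sync_failure" and not fresh:
            return "network_verification_failed"              # S23: SQNms is not leaked
        if result == "auth_success":
            self.cur_stime = s_time                           # CUR-STIME = S-TIME
        return result


def run_scenarios() -> dict:
    """Two runs: a replayed old vector, and a genuine SQN desynchronisation."""
    net = CoreNetFunction2(K, start_time=1000)
    ue = UE(SubscriberCard(K, sqn_ms=0))
    first = net.issue(now=1100)                               # S-TIME = 100
    r1 = ue.process(first)                                    # success, CUR-STIME = 100
    r2 = ue.process(net.issue(now=1200))                      # success, CUR-STIME = 200
    r3 = ue.process(first)                                    # replay: stale S-TIME
    net.sqn_nw = 30                                           # network jumps far ahead
    r4 = ue.process(net.issue(now=1300))                      # fresh, card out of sync
    return {"first": r1, "second": r2, "replay": r3, "desync": r4}


if __name__ == "__main__":
    print(run_scenarios())
```

The fourth run shows the case the S-TIME check must not break: a fresh vector whose SQN is genuinely out of the card's window still produces a synchronization failure, so legitimate resynchronisation keeps working while a replayed vector no longer elicits one.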

Fig. 3 is implementation flow chart two of the authentication parameter processing method of the embodiment of the application, comprising:

S31: receiving authentication parameters from a first core network functional node, the authentication parameters comprising second information and AUTN; the authentication parameters further comprising a first check code, or the second information containing the content of a first check code; the first check code being generated using the first information and based on a first algorithm.

S22: obtaining first information based on the second information and verifying the first information; sending to the subscriber card an authentication request comprising the second information and the AUTN;

S33: obtaining the first check code contained in the authentication parameters, or obtaining the first check code based on the second information;

S34: verifying the first check code; if the verification of the first check code succeeds, performing step S23;

S23: in response to the verification of the first information failing and a synchronization failure indication being received from the subscriber card, feeding back a network verification failure message to the first core network functional node.

In an exemplary embodiment, verifying the first check code in step S34 comprises:

generating a second check code using the first information and based on the first algorithm;

judging whether the second check code and the first check code are identical; if identical, the verification of the first check code succeeds.

For example, the first check code is HASH. When verifying HASH, the UE generates XHASH using the same algorithm as core network function 2 used to generate HASH, and compares XHASH with HASH; if the two are identical, the verification of HASH succeeds, otherwise it fails.

In an exemplary embodiment, the first information is first token information. Verifying the first information in the above step S22 comprises:

calculating second token information using the same algorithm as that used to generate the first token information;

judging whether the second token information and the first token information are identical; if identical, the verification of the first information succeeds; if not identical, the verification of the first information fails.

For example, the first token information is TOKEN and the second token information is XTOKEN. When verifying TOKEN, the UE generates XTOKEN using the same algorithm as core network function 2 used to generate TOKEN, and compares XTOKEN with TOKEN; if the two are identical, the verification of TOKEN succeeds, otherwise it fails.

The application also proposes a message sending method; Fig. 4 shows its implementation flow, which comprises:

S41: receiving a message from the user equipment and generating first token information from the content of the message;

S42: sending an authentication request message containing the first token information to the second core network functional node.

In an exemplary embodiment, the message sending method is applied in core network function 1, which may be an AMF or an MME.

The application is described in detail below with reference to embodiments.

Fig. 5 is the implementation flow diagram of embodiment one of the application, comprising:

Step 501: the UE sends a message to core network function 1 in the network.

In one embodiment, core network function 1 may be an AMF or an MME.

Step 502: core network function 1 sends a terminal authentication request message, for example a UE Authentication Request message, to core network function 2.

In one embodiment, core network function 2 is an AUSF, HSS or UDM.

Step 503: core network function 2 keeps a record of a start time. If core network function 2 restarts or recovers after a failure, it must restore the original start time before it continues to provide service. Core network function 2 obtains the current time difference (S-TIME) as the difference between the current time and the start time.

Core network function 2 generates a challenge string (CH) from S-TIME. In one embodiment, CH is generated by formula (1) or (2):

CH = S-TIME   ……(1)

CH = SHA-256(constant string) xor S-TIME   ……(2)

where SHA-256() is the SHA-256 function and xor is the bitwise exclusive-or operation.

Alternatively, core network function 2 generates a random string (RAND) and generates CH from S-TIME and RAND. In one embodiment, CH is generated by formula (3) or (4):

CH = S-TIME || RAND   ……(3)

where || is concatenation;

CH = (SHA-256(RAND) xor S-TIME) || RAND   ……(4)

where SHA-256() is the SHA-256 function, xor is the bitwise exclusive-or operation and || is concatenation.

Core network function 2 then generates AUTN from CH and SQNnw. In one embodiment, AUTN is generated by formula (5):

AUTN = (SQNnw xor F1k(CH)) || F2k(SQNnw || CH)   ……(5)

where F1k() and F2k() are arbitrary keyed hash functions or encryption functions, such as HMAC-SHA-256, keyed with the user key; the subscriber card of the UE also holds the user key.

Step 504: core network function 2 sends CH and AUTN to core network function 1.

Step 505: core network function 1 forwards CH and AUTN to the UE.

Step 506: the UE passes CH and AUTN to the subscriber card.

The subscriber card verifies AUTN using CH. If the verification succeeds, the subscriber card obtains SQNnw and judges whether the difference between SQNnw and the SQNms it stores is within the valid range: if it is, the card returns an authentication success indication to the UE; if it exceeds the valid range, the card returns a network synchronization failure indication to the UE. If the card's verification of AUTN fails, it returns a network verification failure indication to the UE.

Based on the indication returned by the subscriber card, the UE does the following:

On an authentication success indication, the UE sets CUR-STIME = S-TIME and returns an authentication success message to core network function 1.

On a network synchronization failure indication, the UE compares CUR-STIME with S-TIME and acts on the result. For example, if CUR-STIME > (S-TIME + constant), the UE returns a network verification failure message to core network function 1, or returns no message at all; otherwise, the UE returns a network synchronization failure message to core network function 1.

On a network verification failure indication, the UE returns a network verification failure message to core network function 1.
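The exchange of embodiment one, worked through as an added example; this is illustrative code written for this page, not code from the application. It uses formula (4) for CH and formula (5) for AUTN, with HMAC-SHA-256 standing in for F1k and F2k. The field widths (6-byte SQN, 32-byte big-endian encoding of S-TIME, 16-byte RAND), the acceptance window DELTA, the slack CONSTANT, the subscriber key K and every function name are assumptions made for the example; the page fixes none of them.

```python
import hashlib
import hmac

# Field widths and limits are assumptions for this example; the page fixes none of them.
SQN_LEN = 6          # bytes, as in 3GPP AKA
STIME_LEN = 32       # S-TIME is XORed with a SHA-256 digest, so it is encoded in 32 bytes
RAND_LEN = 16
DELTA = 2 ** 28      # acceptance window for SQNnw - SQNms (assumed)
CONSTANT = 5         # slack in "CUR-STIME > S-TIME + constant" (assumed, same unit as S-TIME)
K = bytes.fromhex("2bd6459f82c5b300952c49104881ff48")   # constructed subscriber key, held by card and network


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def f1k(k: bytes, data: bytes) -> bytes:
    """F1k of formula (5): keyed hash truncated to the SQN width (HMAC-SHA-256, as the page suggests)."""
    return hmac.new(k, b"F1" + data, hashlib.sha256).digest()[:SQN_LEN]


def f2k(k: bytes, data: bytes) -> bytes:
    """F2k of formula (5): the MAC part of AUTN."""
    return hmac.new(k, b"F2" + data, hashlib.sha256).digest()


def make_ch(s_time: int, rand: bytes) -> bytes:
    """Formula (4): CH = (SHA-256(RAND) xor S-TIME) || RAND."""
    st = s_time.to_bytes(STIME_LEN, "big")
    return _xor(hashlib.sha256(rand).digest(), st) + rand


def s_time_from_ch(ch: bytes) -> int:
    """UE side (step S22, 'obtain the first information'): invert formula (4), RAND being sent in clear."""
    masked, rand = ch[:STIME_LEN], ch[STIME_LEN:]
    return int.from_bytes(_xor(masked, hashlib.sha256(rand).digest()), "big")


def make_autn(k: bytes, sqn_nw: int, ch: bytes) -> bytes:
    """Formula (5): AUTN = (SQNnw xor F1k(CH)) || F2k(SQNnw || CH)."""
    sqn = sqn_nw.to_bytes(SQN_LEN, "big")
    return _xor(sqn, f1k(k, ch)) + f2k(k, sqn + ch)


def card_check(k: bytes, sqn_ms: int, ch: bytes, autn: bytes) -> str:
    """Subscriber card (step 506): verify AUTN with CH, recover SQNnw, compare with stored SQNms.
    Returns 'auth_success', 'sync_failure' or 'verify_failure'."""
    sqn = _xor(autn[:SQN_LEN], f1k(k, ch))
    # MAC first: CH arrives over the air, so nothing recovered from it is trusted before this check
    if not hmac.compare_digest(autn[SQN_LEN:], f2k(k, sqn + ch)):
        return "verify_failure"
    sqn_nw = int.from_bytes(sqn, "big")
    if 0 < sqn_nw - sqn_ms <= DELTA:
        return "auth_success"
    return "sync_failure"


def ue_decide(card_result: str, cur_stime: int, s_time: int):
    """UE (step 506): returns (message to core network function 1, updated CUR-STIME)."""
    if card_result == "auth_success":
        return "auth_success", s_time
    if card_result == "sync_failure":
        # Challenge older than one the UE already accepted: report network verification
        # failure (the page also allows silence) instead of a synchronization failure.
        if cur_stime > s_time + CONSTANT:
            return "network_verify_failure", cur_stime
        return "sync_failure", cur_stime
    return "network_verify_failure", cur_stime


def run(sqn_nw: int, sqn_ms: int, s_time: int, cur_stime: int,
        rand: bytes = b"\x11" * RAND_LEN, k: bytes = K):
    """One full exchange of embodiment one (steps 503 to 506)."""
    ch = make_ch(s_time, rand)            # core network function 2, step 503
    autn = make_autn(k, sqn_nw, ch)
    # steps 504 and 505 forward CH and AUTN unchanged; the UE recovers S-TIME from CH itself
    return ue_decide(card_check(k, sqn_ms, ch, autn), cur_stime, s_time_from_ch(ch))


if __name__ == "__main__":
    print(run(sqn_nw=100, sqn_ms=90, s_time=1000, cur_stime=900))    # fresh challenge
    print(run(sqn_nw=50, sqn_ms=90, s_time=1000, cur_stime=2000))    # replayed challenge
```

The replayed-challenge case is the point of the scheme: a captured (CH, AUTN) pair presented after the UE has already accepted a newer S-TIME still produces a synchronization failure at the card, but the UE does not report it as such, so the party replaying it learns nothing about SQNms. Two operational consequences follow from the code: the start time must survive restarts of core network function 2 exactly as step 503 requires, or fresh challenges carry an S-TIME that the UE treats as stale; and the card must verify the MAC before it uses the recovered SQNnw, as card_check does, because CH is attacker-controlled on the air interface.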

Fig. 6 is the implementation flow diagram of embodiment two of the application. In this embodiment the UE determines whether the network is using the new authentication scheme proposed by the invention. As shown in Fig. 6, the steps are:

Steps 601-602: identical to steps 501-502 of embodiment one.

Step 603: core network function 2 keeps a record of a start time. If core network function 2 restarts or recovers after a failure, it must restore the original start time before it continues to provide service. Core network function 2 obtains S-TIME as the difference between the current time and the start time.

Core network function 2 generates CH1 from S-TIME using formula (1) or (2) of step 503 of embodiment one, with CH in those formulas replaced by CH1.

Alternatively, core network function 2 generates RAND and generates CH1 from S-TIME and RAND using formula (3) or (4) of step 503 of embodiment one, with CH in those formulas replaced by CH1.

Core network function 2 then generates HASH from CH1. In one embodiment, HASH is generated by formula (6) or (7):

HASH = SHA-256(CH1, or part of CH1)   ……(6)

where SHA-256() is the SHA-256 function;

HASH = HMAC-SHA-256(constant string, CH1 or part of CH1)   ……(7)

where HMAC-SHA-256() is the HMAC-SHA-256 function, keyed with the constant string.

Finally, core network function 2 generates AUTN1 from CH1 and SQNnw using formula (5) of step 503 of embodiment one, with AUTN in that formula replaced by AUTN1 and CH by CH1. Alternatively, core network function 2 generates CH2 from CH1 and HASH, for example CH2 = CH1 || HASH where || is concatenation, and then generates AUTN2 from CH2 and SQNnw using formula (5), with AUTN replaced by AUTN2 and CH by CH2.

Step 604: core network function 2 sends CH1, HASH and AUTN1 to core network function 1, or sends CH2 and AUTN2. As step 603 shows, CH2 = CH1 || HASH, so CH2 already carries the content of both CH1 and HASH.

Step 605: core network function 1 forwards CH1, HASH and AUTN1, or CH2 and AUTN2, to the UE.

Step 606: the UE passes CH1 and AUTN1, or CH2 and AUTN2, to the subscriber card.

The subscriber card verifies AUTN1 using CH1, or AUTN2 using CH2. If the verification succeeds, the subscriber card obtains SQNnw and judges whether the difference between SQNnw and the SQNms it stores is within the valid range: if it is, the card returns an authentication success indication to the UE; if it exceeds the valid range, the card returns a network synchronization failure indication to the UE. If the card's verification of AUTN1 or AUTN2 fails, it returns a network verification failure indication to the UE.

The UE verifies HASH. In one embodiment, the UE extracts HASH from the CH2 sent by core network function 1, or takes the HASH sent by core network function 1 directly, computes XHASH using formula (6) or (7) of step 603, and compares XHASH with HASH: if the two are identical, the verification of HASH succeeds; otherwise it fails.

If the verification of HASH succeeds, the UE handles the subscriber card's indication exactly as in step 506 of embodiment one. If the verification of HASH fails, the UE handles the subscriber card's indication as in the prior art, which is not described further here. (A failed verification shows that core network function 2 did not generate the authentication parameters by the scheme of step 503, so the handling of step 506 in Fig. 5 cannot be applied.)
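The HASH check of step 606, as an added example written for this page (not code from the application): core network function 2 builds CH2 = CH1 || HASH by formula (6) or (7), and the UE splits CH2, recomputes XHASH and decides whether it may apply the step 506 handling or must fall back to the prior-art handling. The value of the constant string, the 32-byte HASH width, hashing the whole of CH1 rather than part of it, and the function names are assumptions.

```python
import hashlib
import hmac

HASH_LEN = 32                          # SHA-256 and HMAC-SHA-256 both produce 32 bytes
CONSTANT_STRING = b"constant string"   # the "constant string" of formula (7); value assumed


def make_hash(ch1: bytes, keyed: bool = False) -> bytes:
    """Formula (6): HASH = SHA-256(CH1); formula (7): HASH = HMAC-SHA-256(constant string, CH1).
    The whole of CH1 is hashed here; the page also allows hashing only part of it."""
    if keyed:
        return hmac.new(CONSTANT_STRING, ch1, hashlib.sha256).digest()
    return hashlib.sha256(ch1).digest()


def make_ch2(ch1: bytes, keyed: bool = False) -> bytes:
    """Step 603, second variant: CH2 = CH1 || HASH (AUTN2 is then computed over CH2 by formula (5))."""
    return ch1 + make_hash(ch1, keyed)


def ue_split_and_verify(ch2: bytes, keyed: bool = False):
    """Step 606: split CH2 into CH1 and HASH, recompute XHASH and compare.
    Returns (uses_new_scheme, ch1). A legacy challenge (a bare RAND) or a modified CH2 gives False."""
    if len(ch2) <= HASH_LEN:
        return False, ch2                 # too short to carry CH1 || HASH: not the new scheme
    ch1, received = ch2[:-HASH_LEN], ch2[-HASH_LEN:]
    xhash = make_hash(ch1, keyed)
    return hmac.compare_digest(xhash, received), ch1


def ue_route(ch2: bytes, keyed: bool = False) -> str:
    """Which handling the UE applies to the subscriber card's indication after the HASH check."""
    new_scheme, _ = ue_split_and_verify(ch2, keyed)
    return "step_506_handling" if new_scheme else "prior_art_handling"


if __name__ == "__main__":
    ch1 = bytes(range(48))                 # constructed CH1 (formula (4) output has this width)
    print(ue_route(make_ch2(ch1)))         # new-scheme challenge
    print(ue_route(bytes(16)))             # legacy 16-byte RAND
```

Because the constant string of formula (7) is public, HASH is a format indicator, not an integrity check: whoever forges or modifies CH2 can recompute HASH exactly as the UE does. Protection of CH2 against modification comes from the F2k MAC inside AUTN2 that the subscriber card verifies; HASH only lets the UE tell a new-scheme challenge from a legacy one so that it applies the right failure handling.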

Fig. 7 is the implementation flow diagram of embodiment three of the application, comprising:

Step 701: the UE sends a message to core network function 1 in the network. In one embodiment, core network function 1 may be an AMF or an MME.

Step 702: core network function 1 calculates TOKEN from some or all of the content of the message, for example by taking the user identifier in the message as TOKEN (equivalent to a truncation operation), or as TOKEN = SHA-256(some or all of the message content).

Step 703: core network function 1 sends a terminal authentication request message, for example a UE Authentication Request message, to core network function 2. The message carries TOKEN.

In one embodiment, core network function 2 is an AUSF, HSS or UDM.

Step 704: core network function 2 generates CH from TOKEN. In one embodiment, CH is generated by formula (8) or (9):

CH = TOKEN   ……(8)

CH = SHA-256(constant string) xor TOKEN   ……(9)

where SHA-256() is the SHA-256 function and xor is the bitwise exclusive-or operation.

Alternatively, core network function 2 generates RAND and generates CH from TOKEN and RAND. In one embodiment, CH is generated by formula (10) or (11):

CH = TOKEN || RAND   ……(10)

where || is concatenation;

CH = (SHA-256(RAND) xor TOKEN) || RAND   ……(11)

where SHA-256() is the SHA-256 function, xor is the bitwise exclusive-or operation and || is concatenation.

Core network function 2 then generates AUTN from CH and SQNnw. In one embodiment, AUTN is generated by formula (12):

AUTN = (SQNnw xor F1k(CH)) || F2k(SQNnw || CH)   ……(12)

where F1k() and F2k() are arbitrary keyed hash functions or encryption functions, such as HMAC-SHA-256, keyed with the user key; the subscriber card of the UE also holds the user key.

Step 705: core network function 2 sends a terminal authentication response message carrying CH and AUTN to core network function 1.

Step 706: core network function 1 forwards a user authentication response message carrying CH and AUTN to the UE.

Step 707: the UE passes CH and AUTN to the subscriber card.

The subscriber card verifies AUTN using CH. If the verification succeeds, the subscriber card obtains SQNnw and judges whether the difference between SQNnw and the SQNms it stores is within the valid range: if it is, the card returns an authentication success indication to the UE; if it exceeds the valid range, the card returns a network synchronization failure indication to the UE. If the card's verification of AUTN fails, it returns a network verification failure indication to the UE.

The UE extracts TOKEN from the CH sent by core network function 1 and verifies it. In one embodiment, the UE calculates XTOKEN by the same method as in step 702 and compares XTOKEN with TOKEN: if the two are identical, the verification of TOKEN succeeds; otherwise it fails.

If the verification of TOKEN succeeds, the UE handles the subscriber card's indication as in the prior art, which is not described further here. If the verification of TOKEN fails and the subscriber card has returned a network synchronization failure indication, the UE returns a network verification failure message to core network function 1, or returns no message at all.

Fig. 8 is the implementation flow diagram of embodiment four of the application, comprising:

Step 801: the UE sends a message containing TOKEN to core network function 1 in the network. In one embodiment, the UE calculates TOKEN in the same way as in step 702 of the embodiment above. Core network function 1 may be an AMF or an MME.

Step 802: core network function 1 sends a terminal authentication request message, for example a UE Authentication Request message, to core network function 2. The message carries TOKEN.

Steps 803-805: identical to steps 704-706 of the embodiment above.

Step 806: the UE passes CH and AUTN to the subscriber card.

The subscriber card verifies AUTN using CH. If the verification succeeds, the subscriber card obtains SQNnw and judges whether the difference between SQNnw and the SQNms it stores is within the valid range: if it is, the card returns an authentication success indication to the UE; if it exceeds the valid range, the card returns a network synchronization failure indication to the UE, and this indication carries information generated from SQNms. If the card's verification of AUTN fails, it returns a network verification failure indication to the UE.

The UE extracts TOKEN from the CH sent by core network function 1 and verifies it. In one embodiment, the UE calculates XTOKEN by the same method as in step 702 and compares XTOKEN with TOKEN: if the two are identical, the verification of TOKEN succeeds; otherwise it fails.

If the verification of TOKEN succeeds, the UE handles the subscriber card's indication as in the prior art, which is not described further here. If the verification of TOKEN fails and the subscriber card has returned a network synchronization failure indication, the UE returns a network verification failure message to core network function 1, or returns no message at all.
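The TOKEN binding of embodiments three and four, as an added example written for this page (not code from the application): core network function 1 derives TOKEN = SHA-256(message) as in step 702 (in embodiment four the UE computes the same value itself in step 801), core network function 2 builds CH by formula (11), and the UE inverts that formula to recover TOKEN and compares it with the XTOKEN computed from its own message. The RAND width, the sample message and the function names are assumptions; what the UE does when TOKEN verification fails but the card reports something other than a synchronization failure is not specified on the page, and the example passes the card's indication through unchanged in that case.

```python
import hashlib
import hmac

TOKEN_LEN = 32   # SHA-256 output, so formula (11) can XOR TOKEN with SHA-256(RAND)
RAND_LEN = 16    # assumed RAND width


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_token(message: bytes) -> bytes:
    """Step 702 (core network function 1) or step 801 (UE): TOKEN = SHA-256(message content)."""
    return hashlib.sha256(message).digest()


def make_ch(token: bytes, rand: bytes) -> bytes:
    """Formula (11), core network function 2: CH = (SHA-256(RAND) xor TOKEN) || RAND."""
    return _xor(hashlib.sha256(rand).digest(), token) + rand


def network_challenge(message: bytes, rand: bytes) -> bytes:
    """Steps 702 to 704 end to end: function 1 derives TOKEN from the UE's message, function 2 builds CH."""
    return make_ch(make_token(message), rand)


def token_from_ch(ch: bytes) -> bytes:
    """UE side: invert formula (11). RAND travels in clear, so TOKEN = CH[:32] xor SHA-256(RAND)."""
    masked, rand = ch[:TOKEN_LEN], ch[TOKEN_LEN:]
    return _xor(masked, hashlib.sha256(rand).digest())


def ue_verify_token(ch: bytes, own_message: bytes) -> bool:
    """Step 707 / 807: XTOKEN from the UE's own message must equal the TOKEN recovered from CH."""
    return hmac.compare_digest(token_from_ch(ch), make_token(own_message))


def ue_reply(ch: bytes, own_message: bytes, card_result: str) -> str:
    """What the UE returns to core network function 1.
    card_result is the subscriber card's indication: 'auth_success', 'sync_failure' or 'verify_failure'."""
    if ue_verify_token(ch, own_message):
        return card_result                 # prior-art handling: the indication is forwarded as is
    if card_result == "sync_failure":
        # CH was not derived from this UE's message (replayed or forged challenge): do not
        # forward the SQNms-based synchronization failure; the page also allows silence here.
        return "network_verify_failure"
    return card_result                     # not specified on the page; passed through unchanged


if __name__ == "__main__":
    msg = b"REGISTRATION REQUEST suci=imsi-001010123456789"   # constructed sample message
    ch = network_challenge(msg, b"\x33" * RAND_LEN)
    print(ue_reply(ch, msg, "sync_failure"))                   # challenge bound to this message
    print(ue_reply(ch, b"another message", "sync_failure"))    # challenge captured elsewhere
```

The check only binds CH to the message the UE sent; it does not prevent the network synchronization failure itself, so a genuine challenge that is out of sequence still surfaces one. What it removes is the ability to replay a challenge issued for some other exchange and collect the SQNms-derived failure from this UE.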

The embodiments of the application also propose an authentication parameter sending device. Fig. 9 is a structural diagram of an authentication parameter sending device of the embodiments of the application, comprising:

First receiving module 901, for receiving an authentication request message;

Generation module 902, for generating second information from the first information and generating the authentication token AUTN from the second information;

Feedback module 903, for feeding back authentication parameters containing the second information and the AUTN.

In an exemplary embodiment, the first information is network-side time difference information.

In an exemplary embodiment, the generation module 902 is configured to:

generate a first check code from the first information;

generate the second information from the first check code, the second information containing the content of the first check code.

In an exemplary embodiment, the generation module 902 is further configured to generate the first check code from the first information;

and the authentication parameters fed back by the feedback module 903 also contain the first check code.

In an exemplary embodiment, the first information is the first token information carried in the authentication request message.

The embodiments of the application also propose an authentication parameter processing device. Fig. 10 is a structural diagram of an authentication parameter processing device of the embodiments of the application, comprising:

Second receiving module 1001, for receiving authentication parameters from the first core network functional node, the authentication parameters containing second information and the authentication token AUTN;

Verification module 1002, for obtaining the first information from the second information and verifying the first information; and for sending the subscriber card an authentication request containing the second information and the AUTN;

Processing module 1003, for feeding back a network verification failure message to the first core network functional node in response to the verification failing and a synchronization failure indication being received from the subscriber card.

In an exemplary embodiment, the first information is network-side time difference information.

In an exemplary embodiment, the verification module 1002 is configured to:

judge whether the difference between the terminal-side time difference information and the network-side time difference information exceeds a preset threshold; if it does, the verification of the first information fails; if it does not, the verification of the first information succeeds.

In an exemplary embodiment, the processing module 1003 is further configured to:

set the terminal-side time difference information from the first information in response to receiving an authentication success indication from the subscriber card.

In an exemplary embodiment, the authentication parameters also contain a first check code, or the second information contains the content of the first check code; the first check code is generated from the first information by a first algorithm;

and the processing module 1003 is configured to: obtain the first check code contained in the authentication parameters, or derive the first check code from the second information; verify the first check code; and, if the verification of the first check code succeeds, feed back a network verification failure message to the first core network functional node in response to the verification failing and a synchronization failure indication being received from the subscriber card.

In an exemplary embodiment, the processing module 1003 is configured to: generate a second check code from the first information by the first algorithm; judge whether the second check code and the first check code are identical; if identical, the verification of the first check code succeeds.

In an exemplary embodiment, the first information is the first token information.

In an exemplary embodiment, the verification module 1002 is configured to:

calculate second token information using the same algorithm that generated the first token information;

judge whether the second token information and the first token information are identical; if identical, the verification of the first information succeeds; if not, the verification of the first information fails.

The embodiments of the application also propose a message sending device. Fig. 11 is a structural diagram of a message sending device of the embodiments of the application, comprising:

Third receiving module 1101, for receiving a message from the user equipment and generating first token information from the content of the message;

Sending module 1102, for sending an authentication request message containing the first token information to the second core network functional node.

The function of each module of each device of the embodiments of the application may be found in the corresponding description of the methods above and is not repeated here.

Fig. 12 is a structural diagram of the core network functional node of the embodiments of the application. As shown in Fig. 12, the core network functional node provided by the embodiments comprises a memory 1203 and a processor 1204, and may further comprise an interface 1201 and a bus 1202; the interface 1201, memory 1203 and processor 1204 are connected by the bus 1202. The memory 1203 stores instructions, and the processor 1204 is configured to read the instructions and execute the technical solution of the authentication parameter sending method or message sending method embodiments above; the implementation principle and technical effect are similar and are not repeated here.

Fig. 13 is a structural diagram of the UE of the embodiments of the application. As shown in Fig. 13, the UE provided by the embodiments comprises a memory 1303 and a processor 1304, and may further comprise an interface 1301 and a bus 1302; the interface 1301, memory 1303 and processor 1304 are connected by the bus 1302. The memory 1303 stores instructions, and the processor 1304 is configured to read the instructions and execute the technical solution of the authentication parameter processing method embodiments above; the implementation principle and technical effect are similar and are not repeated here.

Fig. 14 is an architecture diagram of the communication system of the embodiments of the application. As shown in Fig. 14, the communication system comprises the first core network functional node, the second core network functional node and the UE of the embodiments above.

The application also provides a storage medium storing a computer program which, when executed by a processor, implements the method of the embodiments above.

The above are only exemplary embodiments of the application and are not intended to limit its scope of protection.

Those skilled in the art should understand that the term user equipment covers any suitable type of wireless user equipment, such as a mobile phone, a portable data processing device, a portable web browser or a vehicle-mounted mobile platform.

In general, the various embodiments of the application may be implemented in hardware or special-purpose circuits, software, logic or any combination thereof. For example, some aspects may be implemented in hardware and other aspects in firmware or software executable by a controller, microprocessor or other computing device, although the application is not limited thereto.

The embodiments of the application may be realized by computer program instructions executed by a data processor of a mobile device, for example in a processor entity, by hardware, or by a combination of software and hardware. The computer program instructions may be assembler instructions, instruction set architecture (ISA) instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, state-setting data, or source code or object code written in any combination of one or more programming languages.

Any block diagram of a logic flow in the figures may represent program steps, interconnected logic circuits, modules and functions, or a combination of program steps and logic circuits, modules and functions. The computer program may be stored on a memory. The memory may be of any type suited to the local technical environment and may be implemented with any suitable data storage technology. The memory in the embodiments of the application may be volatile memory, non-volatile memory, or both. Non-volatile memory may be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM) or flash memory. Volatile memory may be random access memory (RAM), used as an external cache. RAM comes in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct Rambus RAM (DR RAM). The memory of the systems and methods described herein includes, but is not limited to, these and any other suitable types of memory.

The processor of the embodiments of the application may be of any type suited to the local technical environment, such as, but not limited to, a general-purpose computer, a special-purpose computer, a microprocessor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or a processor based on a multi-core processor architecture. A general-purpose processor may be a microprocessor or any conventional processor. The processor may implement or execute the steps of each method disclosed in the embodiments of the application. A software module may reside in a storage medium mature in the field, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or a register. The storage medium is located in the memory; the processor reads the information in the memory and completes the steps of the above method in combination with its hardware.

A detailed description of the exemplary embodiments of the application has been provided above by way of illustrative and non-limiting examples. Considered together with the drawings and claims, various modifications and adaptations of the above embodiments will be apparent to those skilled in the art without departing from the scope of the invention. The proper scope of the invention is therefore to be determined by the claims.
