Method of authentication in IP multimedia subsystem
    1.
    Granted patent (in force)

    Publication number: US08364121B2

    Publication date: 2013-01-29

    Application number: US13092413

    Filing date: 2011-04-22

    IPC classification: H04M1/66

    Abstract: A method of authentication in an IP Multimedia Subsystem (IMS) is provided. After receiving a Register message from a User Equipment (UE), a Proxy-Call Session Control Function (P-CSCF) locates a Connection Location Function (CLF) according to information contained in the Register message and a pre-configured mapping between that information and the CLF. The P-CSCF obtains a query result by querying the CLF about the attachment information of the UE in the access network, and sends the Register message carrying the query result to an Interrogating-Call Session Control Function (I-CSCF). The I-CSCF forwards the Register message carrying the query result to a Serving-Call Session Control Function (S-CSCF). The S-CSCF authenticates the UE according to an authentication mechanism obtained from a User Profile Service Function (UPSF) or a Home Subscriber Server (HSS), and sends an authentication result to the UE.

Method of authentication in IP multimedia subsystem
    2.
    Granted patent (in force)

    Publication number: US07974604B2

    Publication date: 2011-07-05

    Application number: US11842668

    Filing date: 2007-08-21

    IPC classification: H04M1/66

    Abstract: A method of authentication in an IMS includes: after receiving a Register message from a UE, locating, by a P-CSCF, a CLF according to information contained in the Register message and a pre-configured relationship; querying, by the P-CSCF, the CLF about the NASS attachment information of the UE to obtain a query result, and sending the Register message carrying the query result to an I-CSCF; forwarding, by the I-CSCF, the Register message carrying the query result to an S-CSCF assigned by a UPSF or the HSS; and authenticating the UE and sending an authentication result to the UE by the S-CSCF. In embodiments of the present invention, the UPSF or the HSS in the service layer determines the authentication mechanism of the user, and the S-CSCF implements the authentication, which is more reasonable. Embodiments of the present invention also provide combinations of NBA with other authentication mechanisms, thereby guaranteeing that the user can still be authenticated after NBA authentication fails.

Method and system for authentication processing, 3GPP AAA server and user equipment
    3.
    Granted patent (in force)

    Publication number: US09137660B2

    Publication date: 2015-09-15

    Application number: US13176217

    Filing date: 2011-07-05

    Applicant: Chengdong He

    Inventor: Chengdong He

    IPC classification: H04L29/06 H04W12/06

    Abstract: The present invention relates to a method and a system for authentication processing, a 3rd Generation Partnership Project (3GPP) Authentication, Authorization and Accounting (AAA) server, and a User Equipment (UE). The method includes: receiving an authentication request message that carries authentication mode indication information; determining an authentication mode according to the authentication mode indication information; and performing authentication processing according to the authentication mode. The system for authentication processing includes the 3GPP AAA server and a network device through which the UE accesses the 3GPP AAA server. With the method and system for authentication processing, the 3GPP AAA server and the UE provided herein, the authentication request message sent by the UE carries authentication mode indication information with different parameter values, so that the 3GPP AAA server can distinguish between authentication modes and perform the authentication processing according to the determined mode.

Method, system and device for negotiating security capability when terminal moves
    4.
    Granted patent (in force)

    Publication number: US08656169B2

    Publication date: 2014-02-18

    Application number: US12633948

    Filing date: 2009-12-09

    Applicant: Chengdong He

    Inventor: Chengdong He

    IPC classification: H04L29/06

    Abstract: A method for negotiating a security capability when a terminal moves is provided. When a user equipment (UE) moves from a second/third generation (2G/3G) network to a long term evolution (LTE) network, the method includes the following steps. A mobility management entity (MME) acquires a non-access signaling (NAS) security algorithm supported by the UE, together with an authentication vector-related key or a root key derived from the authentication vector-related key; selects an NAS security algorithm; derives an NAS protection key from the authentication vector-related key or the root key; and sends a message carrying the selected NAS security algorithm to the UE. The UE derives an NAS protection key from its own authentication vector-related key. A system for negotiating a security capability when a terminal moves, a UE, and an MME are further provided.

Security capability negotiation method, system, and equipment
    5.
    Granted patent (in force)

    Publication number: US08774759B2

    Publication date: 2014-07-08

    Application number: US12503942

    Filing date: 2009-07-16

    Applicant: Chengdong He

    Inventor: Chengdong He

    IPC classification: H04M1/66

    Abstract: A security capability negotiation method is applicable to performing security capability negotiation during a mobile network handover. The method includes the following processes: a second network receives a handover request sent by a first network; an access network entity of the second network selects a corresponding security capability, or an access network entity and a core network (CN) entity of the second network each select a corresponding security capability; and the second network sends the selected security capability to a user equipment (UE) via the first network. A security capability negotiation system is also provided. With the provided system and method, it may be unnecessary for the MME to know the security capability of the corresponding eNB in a certain manner during a handover from a 2G/3G network to an LTE network. Likewise, during a handover from the LTE network to the 3G network, the SGSN does not need to introduce new requirements.

METHOD, SYSTEM AND DEVICE FOR NEGOTIATING SECURITY CAPABILITY WHEN TERMINAL MOVES
    6.
    Patent application (in force)

    Publication number: US20100095123A1

    Publication date: 2010-04-15

    Application number: US12633948

    Filing date: 2009-12-09

    Applicant: Chengdong He

    Inventor: Chengdong He

    IPC classification: H04L9/32

    Abstract: A method for negotiating a security capability when a terminal moves is provided. When a user equipment (UE) moves from a second/third generation (2G/3G) network to a long term evolution (LTE) network, the method includes the following steps. A mobility management entity (MME) acquires a non-access signaling (NAS) security algorithm supported by the UE, together with an authentication vector-related key or a root key derived from the authentication vector-related key; selects an NAS security algorithm; derives an NAS protection key from the authentication vector-related key or the root key; and sends a message carrying the selected NAS security algorithm to the UE. The UE derives an NAS protection key from its own authentication vector-related key. A system for negotiating a security capability when a terminal moves, a UE, and an MME are further provided.

METHOD, SYSTEM, AND APPARATUS FOR PREVENTING BIDDING DOWN ATTACKS DURING MOTION OF USER EQUIPMENT
    7.
    Patent application (in force)

    Publication number: US20090298471A1

    Publication date: 2009-12-03

    Application number: US12535889

    Filing date: 2009-08-05

    Applicant: Chengdong He

    Inventor: Chengdong He

    IPC classification: H04M1/66

    Abstract: A method for preventing bidding down attacks during motion of a User Equipment (UE) is provided. The method includes: the UE sends a Tracking Area Update (TAU) Request message carrying the UE's security capabilities to a new MME; the UE receives the UE's security capabilities sent back by the MME; and the UE checks whether the received security capabilities are consistent with its stored security capabilities. A system, an MME, and a UE for preventing bidding down attacks during motion of the UE are also provided. When the UE performs security capability negotiation with the MME, the UE can check whether the received security capabilities are consistent with the stored security capabilities, determine whether a bidding down attack exists, and therefore prevent bidding down attacks.

Negotiating security capabilities during movement of UE
    8.
    Granted patent (in force)

    Publication number: US09060268B2

    Publication date: 2015-06-16

    Application number: US12717385

    Filing date: 2010-03-04

    Applicant: Chengdong He

    Inventor: Chengdong He

    Abstract: A method for negotiating security capabilities during movement of a User Equipment (UE) includes the following steps: a target network entity receives a Routing Area Update (RAU) Request from the UE; the entity obtains Authentication Vector (AV)-related keys deduced from a root key, and sends the selected security algorithm to the UE; and the UE deduces the AV-related keys from its own root key. A system, an SGSN, and an MME for negotiating security capabilities during movement of a UE are also disclosed. The present invention is applicable to security capability negotiation between the UE and the network.

Method, system, and apparatus for preventing bidding down attacks during motion of user equipment
    9.
    Granted patent (in force)

    Publication number: US08219064B2

    Publication date: 2012-07-10

    Application number: US12535889

    Filing date: 2009-08-05

    Applicant: Chengdong He

    Inventor: Chengdong He

    IPC classification: H04M1/66

    Abstract: A method for preventing bidding down attacks during motion of a User Equipment (UE) is provided. The method includes: the UE sends a Tracking Area Update (TAU) Request message carrying the UE's security capabilities to a new MME; the UE receives the UE's security capabilities sent back by the MME; and the UE checks whether the received security capabilities are consistent with its stored security capabilities. A system, an MME, and a UE for preventing bidding down attacks during motion of the UE are also provided. When the UE performs security capability negotiation with the MME, the UE can check whether the received security capabilities are consistent with the stored security capabilities, determine whether a bidding down attack exists, and therefore prevent bidding down attacks.