Network authentication method, and related device and system

US 11,075,752 B2
Filed: 01/16/2019
Issued: 07/27/2021
Est. Priority Date: 07/16/2016
Status: Active Grant

First Claim

Patent Images

1. A network authentication system, wherein the network authentication system comprises user equipment, a network authentication device, and a service authentication device, whereinthe service authentication device is configured to obtain reference information and generate a second shared key based on the reference information and a first shared key, wherein the first shared key is a shared key pre-configured between the user equipment and the service authentication device, and the reference information comprises information associated with at least one of the user equipment, the network authentication device, and the service authentication device;

the user equipment is configured to obtain the reference information and generate the second shared key with reference to the reference information and the first shared key;

the service authentication device is configured to send the second shared key to the network authentication device; and

the network authentication device is configured to receive the second shared key, wherein the second shared key is used by the user equipment and the network authentication device to generate a target shared key, and the target shared key is a shared key that protects secure data transmission and that is negotiated and agreed on by the network authentication device and the user equipment.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present invention disclose a network system. The system includes user equipment, a network authentication device, and a service authentication device. The service authentication device is configured to obtain reference information and generate a second shared key with reference to the reference information and a first shared key, where the first shared key is a shared key pre-configured between the user equipment and the service authentication device; the user equipment is configured to obtain the reference information and generate the second shared key with reference to the reference information and the first shared key; the service authentication device is configured to send the second shared key to the network authentication device; and the network authentication device is configured to receive the second shared key, where the second shared key is used by the user equipment and the network authentication device to generate a target shared key.

13 Citations

20 Claims

1. A network authentication system, wherein the network authentication system comprises user equipment, a network authentication device, and a service authentication device, whereinthe service authentication device is configured to obtain reference information and generate a second shared key based on the reference information and a first shared key, wherein the first shared key is a shared key pre-configured between the user equipment and the service authentication device, and the reference information comprises information associated with at least one of the user equipment, the network authentication device, and the service authentication device;
- the user equipment is configured to obtain the reference information and generate the second shared key with reference to the reference information and the first shared key;
  
  the service authentication device is configured to send the second shared key to the network authentication device; and
  
  the network authentication device is configured to receive the second shared key, wherein the second shared key is used by the user equipment and the network authentication device to generate a target shared key, and the target shared key is a shared key that protects secure data transmission and that is negotiated and agreed on by the network authentication device and the user equipment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system according to claim 1, whereinthe network authentication device and the user equipment are configured to perform network authentication to generate the target shared key based on the second shared key.
  - 3. The system according to claim 2, whereinthe network authentication device and the user equipment are configured to perform network authentication to generate a third shared key;
    - and, whereinperforming network authentication to generate the target shared key based on the second shared key by the network authentication device and the user equipment comprises;
      
      performing network authentication based on the second shared key to generate a fourth shared key by the network authentication device and the user equipment; and
      
      generating the target shared key based on the third shared key and the fourth shared key by both the network authentication device and the user equipment.
  - 4. The system according to claim 1, wherein the generating a second shared key with reference to the reference information and a first shared key comprises:
    - performing, by the service authentication device and the user equipment, service authentication with reference to the reference information and the first shared key to generate the second shared key; and
      
      the network authentication device and the user equipment are configured to use the second shared key or a shared key derived from the second shared key as the target shared key.
  - 5. The system according to claim 4, whereinthe network authentication device is further configured to send the target shared key to the service authentication device;
    - the service authentication device is configured to receive the target shared key; and
      
      the service authentication device and the user equipment are configured to use the target shared key or the shared key derived from the target shared key as a shared key that protects secure data transmission and that is negotiated and agreed on by the service authentication device and the user equipment.
  - 6. The system according to claim 1, whereinthe network authentication device and the user equipment are configured to perform network authentication to generate a third shared key;
    - andgenerating a second shared key with reference to the reference information and a first shared key comprises;
      
      performing, by the service authentication device and the user equipment, service authentication with reference to the reference information and the first shared key to generate the second shared key; and
      
      generating, by both the network authentication device and the user equipment, the target shared key based on the second shared key and the third shared key.
  - 7. The system according to claim 1, whereinboth the network authentication device and the user equipment are configured to:
    - generate the target shared key based on the second shared key and a fifth shared key.
  - 8. The system according to claim 1, whereinthe reference information comprises a network parameter of a cellular network in which the network authentication device is located;
    - and, whereingenerating a second shared key with reference to the reference information and a first shared key comprises;
      
      performing service authentication based on the reference information and the first shared key to generate the second shared key; and
      
      the service authentication device is further configured to use the second shared key as the target shared key.
  - 9. The system according to claim 1, wherein the reference information comprises at least one of a network parameter of the cellular network in which the network authentication device is located and a service parameter of a target service.
  - 10. The system according to claim 9, wherein the service parameter comprises at least one of a service sequence number of the target service, an identifier of a key management center, a session identifier, a link identifier, an application identifier, a service identifier, a service level, a service data rate, a time delay, and a service server identifier;
    - and the network parameter comprises at least one of an operator identifier, an access network identifier, a service network identifier, a network type identifier, a network identifier of a local area network, a slice identifier, a bearer identifier, a quality of service identifier, and a flow identifier.

11. User equipment, comprising:
- an obtaining unit, configured to obtain reference information and generate a second shared key with reference to the reference information and a first shared key, wherein the first shared key is a shared key pre-configured between the user equipment and a service authentication device, the service authentication device is configured to obtain the reference information and generate the second shared key based on the reference information and the first shared key, and the service authentication device is further configured to send the second shared key to a network authentication device; and
  
  a generating unit, configured to generate a target shared key based on the second shared key, wherein the target shared key or a shared key derived from the target shared key is a shared key that protects secure data transmission and that is negotiated and agreed on by the network authentication device and the user equipment.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The user equipment according to claim 11, wherein that the obtaining unit generates the target shared key based on the second shared key is specifically:
    - using the second shared key or a shared key derived from the second shared key as the target shared key.
  - 13. The user equipment according to claim 11, wherein that the obtaining unit generates the target shared key based on the second shared key is specifically:
    - the obtaining unit and the network authentication device perform network authentication based on the second shared key or based on a shared key derived from the second shared key to generate the target shared key.
  - 14. The user equipment according to claim 11, further comprising:
    - an authentication unit, configured to perform network authentication with the network authentication device to generate a third shared key, whereinthat the obtaining unit and the network authentication device perform network authentication based on the second shared key or based on the shared key derived from the second shared key to generate the target shared key is specifically;
      
      the obtaining unit and the network authentication device perform network authentication based on the second shared key to generate a fourth shared key; and
      
      generate the target shared key based on the third shared key and the fourth shared key.
  - 15. The user equipment according to claim 11, wherein that the generating unit generates the target shared key based on the second shared key is specifically:
    - the generating unit and the network authentication device perform network authentication to generate a third shared key; and
      
      generate the target shared key based on the second shared key and the third shared key;
      
      orrespectively use the second shared key and the third shared key as target shared keys to protect different types of data.
  - 16. The user equipment according to claim 11, wherein that the generating unit generates the target shared key based on the second shared key is specifically:
    - generating the target shared key based on the second shared key and a fifth shared key;
      
      orrespectively using the second shared key and a shared key derived from the fifth shared key as target shared keys for protecting different types of data, wherein the fifth shared key is a shared key pre-configured between the user equipment and the network authentication device.
  - 17. The user equipment according to claim 11, wherein that the obtaining unit generates the second shared key with reference to the reference information and the first shared key is specifically:
    - performing service authentication with the service authentication device with reference to the reference information, the first shared key, and a fifth shared key to generate the second shared key, wherein the fifth shared key is a shared key pre-configured between the user equipment and the network authentication device, and the service authentication device is configured to obtain the fifth shared key.
  - 18. The user equipment according to claim 11, wherein that the obtaining unit generates the second shared key with reference to the reference information and the first shared key is specifically:
    - the obtaining unit and the service authentication device perform service authentication with reference to the reference information and the first shared key to generate the second shared key.
  - 19. The user equipment according to claim 11, further comprising:
    - a first receiving unit, configured to receive network-side information from the network authentication device forwarded by the service authentication device, wherein the network-side information is generated by the network authentication device based on the fifth shared key and the obtained first shared key, and the fifth shared key is a shared key pre-configured between the user equipment and the network authentication device; and
      
      that the obtaining unit generates the second shared key with reference to the reference information and the first shared key is specifically;
      
      performing service authentication with the service authentication device with reference to a network parameter and the first shared key to generate the second shared key, wherein the network parameter comprises the network-side information.
  - 20. The user equipment according to claim 11, wherein the reference information comprises at least one of a network parameter of the cellular network in which the network authentication device is located and a service parameter of a target service and the service parameter comprises at least one of a service sequence number of the target service, an identifier of a key management center, a session identifier, a link identifier, an application identifier, a service identifier, a service level, a service data rate, a time delay, and a service server identifier;
    - and the network parameter comprises at least one of an operator identifier, an access network identifier, a service network identifier, a network type identifier, a network identifier of a local area network, a slice identifier, a bearer identifier, a quality of service identifier, and a flow identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Original Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Inventors
Wu, Rong, Zhang, Bo, Gan, Lu
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Gyorfi, Thomas A

Application Number

US16/248,778
Publication Number

US 20190149329A1
Time in Patent Office

923 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/0892   by using authentication-aut...

H04L 9/0838   Key agreement, i.e. key est...

H04L 9/0866   involving user or device id...

H04L 9/14   using a plurality of keys o...

H04L 9/321   involving a third party or ...

H04W 12/041   Key generation or derivation

H04W 12/069   using certificates or pre-s...

H04W 12/69   Identity-dependent

H04W 4/70   Services for machine-to-mac...

Network authentication method, and related device and system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

13 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Network authentication method, and related device and system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links