Relay node authentication method, apparatus, and system

US 9,027,111 B2
Filed: 08/01/2012
Issued: 05/05/2015
Est. Priority Date: 02/01/2010
Status: Active Grant

First Claim

Patent Images

1. A relay node authentication method, comprising:

sending, by a relay node, an authentication request message to a peer node, the authentication request message comprises a certificate of the relay node, so that the peer node authenticates the relay node according to the certificate of the relay node, wherein the peer node is a network side node or a security gateway in a security domain where the network side node is located; and

receiving, by the relay node, an authentication response message sent by the peer node, wherein the authentication response message comprises a certificate of the peer node, and authenticating the peer node according to the certificate of the peer node, wherein a security association is enabled to authenticate access of an element in a security domain other than the security domain of the network side node where the relay node is located,wherein before the sending, by the relay node, the authentication request message to the security gateway in the security domain where the network side node is located, the method further comprises;

determining whether a security domain where the relay node is located and the security domain where the network side node is located are the same security domain; and

if determining that the security domain where the relay node is located and the security domain where the network side node is located are not the same security domain, performing the sending, by the relay node, the authentication request message to the security gateway in the security domain where the network side node is located.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present invention disclose a relay node authentication method, apparatus, and system. The method provided in an embodiment of the present invention includes: sending, by a relay node, an authentication request message to a peer node, where the authentication request message includes a certificate of the relay node, so that the peer node authenticates the relay node according to the certificate of the relay node, where the peer node is a network side node or a security gateway in a security domain where the network side node is located; and receiving, by the relay node, an authentication response message sent by the peer node, where the authentication response message includes a certificate of the peer node, and authenticating the peer node according to the certificate of the peer node.

14 Citations

12 Claims

1. A relay node authentication method, comprising:
- sending, by a relay node, an authentication request message to a peer node, the authentication request message comprises a certificate of the relay node, so that the peer node authenticates the relay node according to the certificate of the relay node, wherein the peer node is a network side node or a security gateway in a security domain where the network side node is located; and
  
  receiving, by the relay node, an authentication response message sent by the peer node, wherein the authentication response message comprises a certificate of the peer node, and authenticating the peer node according to the certificate of the peer node, wherein a security association is enabled to authenticate access of an element in a security domain other than the security domain of the network side node where the relay node is located,wherein before the sending, by the relay node, the authentication request message to the security gateway in the security domain where the network side node is located, the method further comprises;
  
  determining whether a security domain where the relay node is located and the security domain where the network side node is located are the same security domain; and
  
  if determining that the security domain where the relay node is located and the security domain where the network side node is located are not the same security domain, performing the sending, by the relay node, the authentication request message to the security gateway in the security domain where the network side node is located.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method according to claim 1, wherein the network side node is one of a donor evolved Node B of the relay node, a user equipment serving gateway, and a user equipment mobility management entity;
    - andthe sending, by the relay node, the authentication request message to the network side node comprises;
      
      in a process that the relay node establishes a radio resource control connection with the evolved Node B, or after the relay node establishes the radio resource control connection with the evolved Node B and before the relay node establishes a user plane IP connection, or after the relay node establishes the user plane IP connection, sending, by the relay node, an authentication request message to the donor evolved Node B of the relay node; and
      
      after the relay node establishes the user plane IP connection and before the relay node establishes S1 connections with the user equipment gateway and the user equipment mobility management entity, sending, by the relay node, an authentication request message to the user equipment gateway and the user equipment mobility management entity.
  - 3. The method according to claim 2, wherein in the process that the relay node establishes the radio resource control connection with the evolved Node B, the sending, by the relay node, the authentication request message to the donor evolved Node B of the relay node comprises:
    - carrying, by the relay node, the authentication request message in a radio resource control message, and sending the radio resource control message to the evolved Node B, wherein the authentication request message further comprises signature information of the relay node.
  - 4. The method according to claim 2, wherein after the relay node establishes the radio resource control connection with the evolved Node B and before the relay node establishes the user plane IP connection, the sending, by the relay node, the authentication request message to the donor evolved Node B of the relay node comprises:
    - after the relay node establishes the radio resource control connection with the evolved Node B and before the relay node establishes the user plane IP connection, carrying, by the relay node, the authentication request message in a new radio resource control message, and sending the new radio resource control message to the evolved Node B, wherein the authentication request message further comprises signature information of the relay node.
  - 5. The method according to claim 2, wherein after the relay node establishes the user plane IP connection, the sending, by the relay node, the authentication request message to the donor evolved Node B of the relay node comprises:
    - after the relay node establishes the user plane IP connection, sending, by the relay node, the authentication request message to a relay node serving gateway, and forwarding, by the relay node serving gateway, the authentication request message to the donor evolved Node B of the relay node.
  - 6. The method according to claim 1, further comprising:
    - if the peer node fails to authenticate the relay node, sending, by the peer node, a relay node authentication failure result and an identifier of the relay node to a relay node mobility management entity, so that the relay node mobility management entity detaches the relay node or adds the relay node to an insecure node list.
  - 7. The method according to claim 1, further comprising:
    - before an operation and management system performs local configuration on the relay node, sending, by the relay node and at a transport layer, an authentication request message to the operation and management system, so as to implement mutual authentication between the relay node and the operation and management system.

8. A relay node authentication method, comprising:
- sending, in or after an attachment process of a relay node, by a relay node mobility management entity, an authentication request message to the relay node, so that the relay node authenticates the relay node mobility management entity according to the authentication request message; and
  
  receiving, by the relay node mobility management entity, an authentication response message sent by the relay node, and authenticating the relay node according to the authentication response message, wherein security association is created to enable authentication of an element in a security domain other than a security domain where the relay node is located,wherein before the sending, by the relay node mobility management entity, the authentication request message to the relay node, the method further comprises;
  
  receiving, by the relay node mobility management entity, an attachment request sent by the relay node, wherein the attachment request comprises an identifier of the relay node; and
  
  if the relay node mobility management entity determines that the relay node does not have any attachment record according to the identifier of the relay node, performing the sending, by the relay node mobility management entity, the authentication request message to the relay node,wherein after the relay node mobility management entity determines that the relay node does not have any attachment record according to the identifier of the relay node and before the sending the authentication request message to the relay node, the method further comprises;
  
  determining, by the relay node mobility management entity and according to the identifier of the relay node, that the relay node is not in an insecure node list recorded by the relay node mobility management entity.

9. A relay node, comprising:
- computer hardware and non-transitory computer readable storage medium which stores an instruction when executed by the computer hardware implements;
  
  a sending unit, configured to send an authentication request message to a peer node, wherein the authentication request message comprises a certificate of the relay node, so that the peer node authenticates the relay node according to the certificate of the relay node, wherein the peer node is a network side node or a security gateway in a security domain where the network side node is located;
  
  a receiving unit, configured to receive an authentication response message that the peer node sends according to the authentication request message, wherein the authentication response message comprises a certificate of the peer node; and
  
  an authenticating unit, configured to authenticate the peer node according to the certificate of the peer node received by the receiving unit, wherein a security association is enabled to authenticate access of an element in a security domain other than the security domain of the network side node where the relay node is locateda determining unit, configured to determine whether a security domain where the relay node is located and the security domain where the network side node is located are the same security domain before the sending unit sends the authentication request message to the security gateway in the security domain where the network side node is located; and
  
  when the determining unit determines that the security domain where the relay node is located and the security domain where the network side node is located are not the same security domain, invoke the sending unit to send the authentication request message to the security gateway in the security domain where the network side node is located.
- View Dependent Claims (10)
- - 10. The relay node according to claim 9, whereinthe sending unit is further configured to, before an operation and management system performs local configuration on the relay node, send, at a transport layer, an authentication request message of the relay node to the operation and management system, so as to implement mutual authentication between the relay node and the operation and management system.

11. A relay node mobility management entity, comprising:
- computer hardware and non-transitory computer readable storage medium which stores an instruction when executed by the computer hardware implements;
  
  a first sending unit, configured to send an authentication request message to a relay node in or after an attachment process of the relay node, so that the relay node authenticates the relay node mobility management entity according to the authentication request message;
  
  a first receiving unit, configured to receive an authentication response message that the relay node sends according to the authentication request message; and
  
  an authenticating unit, configured to authenticate the relay node according to the authentication response message, wherein security association is created to enable authentication of an element in a security domain other than a security domain where the relay node is located,a second receiving unit, configured to receive an attachment request sent by the relay node before the first sending unit sends the authentication request message to the relay node, wherein the attachment request comprises an identifier of the relay node; and
  
  a first determining unit, configured to determine whether the relay node has any attachment record according to the identifier of the relay node received by the second receiving unit; and
  
  when the first determining unit determines that the relay node does not have any attachment record according to the identifier of the relay node, invoke the first sending unit to send the authentication request message to the relay nodea second determining unit, configured to, after the first determining unit determines that the relay node does not have any attachment record and before the first sending unit sends the authentication request message to the relay node, determine, according to the identifier of the relay node, whether the relay node is in an insecure node list recorded by the relay node mobility management entity; and
  
  if the second determining unit determines that the relay node is not in the insecure node list recorded by the relay node mobility management entity, invoke the first sending unit to send the authentication request message to the relay node.

12. A relay node authentication system, comprising:
- a peer node;
  
  a relay node, configured to send an authentication request message to the peer node, wherein the authentication request message comprises a certificate of the relay node, so that the peer node authenticates the relay node according to the certificate of the relay node, wherein the peer node is a network side node or a security gateway in a security domain where the network side node is located; and
  
  the peer node, configured to receive the authentication request message sent by the relay node, wherein the authentication request message comprises the certificate of the relay node;
  
  authenticate the relay node according to the certificate of the relay node; and
  
  send an authentication response message to the relay node, wherein the authentication response message comprises a certificate of the peer node,wherein the relay node is further configured to receive the authentication response message sent by the peer node, wherein the authentication response message comprises the certificate of the peer node, and authenticate the peer node according to the certificate of the peer node, wherein a security association is enabled to authenticate access of an element in a security domain other than the security domain of the network side node where the relay node is located,the relay node is configured to determine whether a security domain where the relay node is located and the security domain where the network side node is located are the same security domain before sending the authentication request message to the security gateway in the security domain where the network side node is located, andwhen the relay node determines that the security domain where the relay node is located and the security domain where the network side node is located are not the same security domain, invokes sending of the authentication request message to the security gateway in the security domain where the network side node is located.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Honor Device Company Limited
Original Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Inventors
Zhang, Dongmei, Zhang, Aiqin, Bi, Xiaoyu, Liu, Jing
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
DOAN, TRANG T

Application Number

US13/564,173
Publication Number

US 20120297474A1
Time in Patent Office

1,007 Days
Field of Search
US Class Current

726/10
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 9/3263   involving certificates, e.g...

H04W 12/069   using certificates or pre-s...

H04W 76/15   Setup of multiple wireless ...

Relay node authentication method, apparatus, and system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Relay node authentication method, apparatus, and system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links