鉴权加密流程.docVIP

33102 分组域和电路域的鉴权加密流程是互相独立的。 目前SGSN实现的时候，可以实现两种处理：1、是否鉴权；2、隔多少次鉴权一次。可以配置间隔的次数。 对于加密来说，每次搭建Iu连接，就需要进行加密的重新协商。哪怕是由于进行业务引起的Iu连接建立。但是此时只是重新协商一致性校验的相关参数和加密算法，密钥CK和IK是不会变的（因为密钥的产生是在鉴权流程中根据RAND产生的，所以只有鉴权之后，才会产生新的密钥）。 3G是不能重用鉴权参数（5元组）的。因为AUTN中有跟时间同步相关的参数，所以无法重用。 鉴权流程 Figure 5: Authentication and key agreement Upon receipt of a request from the VLR/SGSN, the HE/AuC sends an ordered array of n authentication vectors (the equivalent of a GSM triplet) to the VLR/SGSN. The authentication vectors are ordered based on sequence number. Each authentication vector consists of the following components: a random number RAND, an expected response XRES, a cipher key CK, an integrity key IK and an authentication token AUTN. Each authentication vector is good for one authentication and key agreement between the VLR/SGSN and the USIM. When the VLR/SGSN initiates an authentication and key agreement, it selects the next authentication vector from the ordered array and sends the parameters RAND and AUTN to the user. Authentication vectors in a particular node are used on a first-in / first-out basis. The USIM checks whether AUTN can be accepted and, if so, produces a response RES which is sent back to the VLR/SGSN. The USIM also computes CK and IK. The VLR/SGSN compares the received RES with XRES. If they match the VLR/SGSN considers the authentication and key agreement exchange to be successfully completed. The established keys CK and IK will then be transferred by the USIM and the VLR/SGSN to the entities which perform ciphering and integrity functions. VLR/SGSNs can offer secure service even when HE/AuC links are unavailable by allowing them to use previously derived cipher and integrity keys for a user so that a secure connection can still be set up without the need for an authentication and key agreement. Authentication is in that case based on a shared integrity key, by means of data integrity protection of signalling messages (see 6.4). The authenticating parties shall be the AuC of the