CN100469196C - Authentication method for a multimode terminal roaming between networks of heterogeneous access technologies - Google Patents

Authentication method for a multimode terminal roaming between networks of heterogeneous access technologies

Info

Publication number
CN100469196C
CN100469196C
Authority
CN
China
Prior art keywords
network
multimode terminal
wlan
identifier
request
Legal status
Active
Application number
CNB2006100995373A
Other languages
Chinese (zh)
Other versions
CN1889781A (en)
Inventor
艾明
陈山枝
Current Assignee
China Academy of Telecommunications Technology CATT
Datang Mobile Communications Equipment Co Ltd
Original Assignee
China Academy of Telecommunications Technology CATT
Timeline
Application filed by China Academy of Telecommunications Technology CATT
Priority to CNB2006100995373A
Publication of CN1889781A
Application granted
Publication of CN100469196C
Legal status: Active

Abstract

A method for authenticating a multimode terminal roaming between networks of heterogeneous access technologies. When a multimode terminal attached to a first network needs to roam to a second network, the first network receives the terminal's login request for the second network; the request carries the terminal's second identifier, that is, the identifier assigned to it in the second network. The second network authenticates the multimode terminal through the first network, and the terminal is attached to the second network after it passes that authentication.

Description

Authentication method for a multimode terminal roaming between networks of heterogeneous access technologies
Technical field
The present invention relates to the field of user management in communication networks, and in particular to an authentication method for a multimode terminal roaming between networks of heterogeneous access technologies.
Background technology
With the rapid development of wireless communication and chip technology, communication terminals are increasingly equipped with two or more network interfaces. For example, a mobile station (MS) for a mobile communication network may have both a Global System for Mobile Communications (GSM) interface and a Universal Mobile Telecommunications System (UMTS) interface, and can switch between the GSM and UMTS networks. A personal computer such as a laptop may have a wired LAN interface, a wireless local area network (WLAN) interface and a mobile-network interface, the latter provided by an add-on network card supporting General Packet Radio Service (GPRS). The appearance of such user terminals with several network interfaces, able to operate in several modes, has greatly expanded users' use of the various communication networks.
Multimode terminals currently take various forms and can be roughly divided into three classes. The first class evolved from the mobile station (MS) of a mobile communication network; for example, some MSs have both a GSM interface and a WLAN interface. The second class evolved from the personal digital assistant (PDA): a PDA terminal first had a WLAN interface and later gained interfaces to mobile communication networks such as GSM, so that it can attach to a mobile network. The main characteristics of these two classes are small size, light weight and weak processing capability. The third class evolved from the portable computer (portable PC): once fitted with a WLAN interface, a portable computer can reach the Internet through a "hotspot", and it can also gain an interface to a mobile communication network through a plug-in card or by connecting to an MS. The processing capability of the third class is far stronger than that of the first two, and its shrinking size and weight also make it easy to carry, so it is increasingly popular with users.
The authentication, authorization and accounting (AAA) schemes for users and terminals of different communication networks differ from one another and are independent; there is no connection between them. In a mobile communication network, the user's identity information and the cryptographic algorithm used for access authentication are stored in a smart card, which exchanges information with the MS through an interface. When the MS logs in to the mobile network, authentication and authorization are completed between the smart card and the network. This method has the highest security. In a WLAN, the following authentication and authorization methods are generally used: one is username/password, where a user who has subscribed to a particular WLAN logs in with a username and password dedicated to that user and settles usage fees with the WLAN periodically; the other is a voucher or prepaid card, where a user who needs to use the WLAN buys a voucher or prepaid card to obtain a temporary username and/or password for logging in.
When a user needs to use a particular network, the user must accept and use that network's AAA scheme and register with that network. Although this satisfies the user's need to use different networks, the user must subscribe to every network he or she wants to use, so several networks all store subscription information for the same user. This is not only very inconvenient for the user but also wastes considerable resources.
A user does not need to subscribe to several mobile communication networks, because roaming agreements are signed between many mobile networks, so the user of one mobile network can roam between different networks. Between WLANs, however, there are essentially no roaming agreements, mainly because a WLAN itself lacks a user-attribute management mechanism similar to that of a mobile network. It is therefore natural to use the user-attribute management mechanism of the mobile network to implement user authentication, authorization and accounting for the WLAN. One way is to obtain a voucher or prepaid card through the mobile network. Another is to link the user's subscription information in the mobile network into the WLAN as the user profile for authenticating that user. For example, to solve the AAA problems of mobile users and their terminals roaming between WLAN and UMTS, the 3rd Generation Partnership Project (3GPP) and the European Telecommunications Standards Institute (ETSI) have both proposed dedicated technical schemes such as the Extensible Authentication Protocol for Authentication and Key Agreement (EAP-AKA) and the Extensible Authentication Protocol for Subscriber Identity Module (EAP-SIM). These schemes help avoid building duplicate AAA systems.
ETSI has proposed two entirely different schemes for UMTS/WLAN interworking, called the tight-coupling mode and the loose-coupling mode. In the tight-coupling mode the WLAN is treated as a new radio access network of the UMTS network, and all WLAN traffic passes through the UMTS core network. This not only requires developing new radio interface protocols between the WLAN and the UMTS core network, but also reconfiguring the Serving GPRS Support Node (SGSN), the Gateway GPRS Support Node (GGSN) and the AAA server; the new protocol content and related configuration are too complex, and the cost is very high. The loose-coupling mode connects the WLAN and the UMTS core network through a coupling gateway, which converts the format of the information exchanged between them. As shown in Figure 1, when a WLAN user accesses the WLAN and has subscribed to that WLAN, the user can be authenticated directly by the WLAN's AAA server. If a user of some UMTS network roams into the WLAN without having subscribed to it, but a user roaming agreement exists between the user's UMTS network and the WLAN, the user can still attach to the WLAN and use the services it provides. During authentication, the user identifier and the information used in the authentication process, such as keys, have to be passed by the WLAN and the coupling gateway to the entities of the user's home UMTS network that perform authentication and authorization, namely the AAA server and the Authentication Centre (AuC) of the UMTS network. The detailed process is as follows. When the multimode terminal needs to use the WLAN, it sends a login request to the WLAN carrying its identifier ID_W in the WLAN and its identifier ID_U in the UMTS network, which corresponds to the terminal's subscription information there. After receiving the login request, the WLAN provides ID_U to the terminal's home UMTS network through the coupling gateway. The UMTS network determines from ID_W that the multimode terminal has initiated a login request to the WLAN, and after the terminal has been authenticated by the AAA server and AuC of the UMTS network, the home UMTS network notifies the WLAN to open the WLAN's network resources to this user. The WLAN records accounting data for the user's use of its resources, such as time, and sends the detailed accounting data to the user's home UMTS network, which bills the user. This method keeps WLAN traffic out of the UMTS core network and only requires improvements to a small number of devices in the core network, such as the AAA server.
When a user roams from the UMTS network to a WLAN, two forms of mobile terminal can be used: a mobile phone with an added WLAN access function, making it a dual-mode handset; or a portable computer fitted with a smart-card reader so that it can support WLAN access. In general, because a computer's information processing capability is stronger than a phone's, more users choose a computer to attach to the WLAN. When a computer is used, to complete access authentication, authorization and accounting the mobile user has to put the smart card of his or her UMTS network into the computer's smart-card reader module; the reader module reads the user identity information stored on the smart card, and the computer then uses this information to perform authentication and authorization.
The authentication method for UMTS/WLAN interworking in the 3GPP standard is essentially the same as the ETSI method described above and is not repeated here.
In both the loose-coupling and tight-coupling modes, private information belonging to the UMTS network and the mobile user, such as the identity, is transmitted mainly over insecure transmission channels and terminal platforms, which creates security threats for the mobile user and the UMTS network.
First, the air interface between the WLAN access point (AP) and the WLAN user terminal is insecure, yet user data is transmitted over this air interface as radio waves. Because WLAN air interfaces currently operate mostly in the 2.5 GHz band, anyone can eavesdrop with a computer fitted with a wireless network card or a simple wireless scanning device. Moreover, to comply with the 802.11 series of standards, current wireless network cards must be able to operate in promiscuous mode and capture the information on the air interface. For an attacker, the vulnerability of the WLAN air interface thus lowers the difficulty of an attack.
Second, the WLAN network environment is insecure. On one hand, WLAN security deployment is very incomplete and most WLANs have almost no security measures, so a hacker can easily enter the WLAN through its air interface, masquerade as a legitimate user and launch attacks. On the other hand, the WLAN is connected to the Internet, which is an open network in which it is not even possible to verify the identity of an accessing user, let alone track each user's network behaviour, so hackers on the Internet can easily launch attacks on the WLAN.
Third, a computer can also serve as the terminal accessing the WLAN. A computer is a platform with strong processing capability and open interfaces. Computers have existed for about sixty years; with the application of large-scale integrated circuits their size has shrunk rapidly while storage capacity and processing capability keep growing. Computer operating systems (OS) have also moved from open interfaces towards open source code. The growth in processing power and the openness of operating systems have brought a series of security problems. Because of the improved processing capability, the time needed to break encrypted information has dropped significantly. The openness of the operating system makes virus intrusion much easier: even with dedicated anti-virus software installed, a virus may go undetected, and some new viruses can only be removed after the fact. Computer hackers can also use Trojan horses to log in remotely to other people's computers, easily steal confidential information, and use more powerful server computers to crack it. When the computer's smart-card reader module reads the user information on the smart card and hands it to the related application module for authentication and authorization, this private information is exposed in the open environment of the computer, where it is very likely to be stolen and exploited by malicious users; combined with the insecure authentication path described above, this creates an even larger security risk for the user's information.
In addition, in the loose-coupling mode the WLAN and the UMTS network may belong to different operators, and this mode promotes the interconnection and interworking of WLAN and UMTS networks. After a UMTS subscriber roams into the WLAN, the WLAN records the subscriber's use of its network resources. For a prepaid user, because usage fees must be deducted in real time, the WLAN has to query the UMTS network in real time and update the fee information on the user's charging account. For a post-paid user, the WLAN first records the user's use of its resources during an accounting period and then settles with the UMTS network according to the usage in that period. In this way, the use that a UMTS subscriber makes of WLAN resources is reported only by the WLAN. A WLAN operator with malicious intent could provide false settlement information, so there is a possibility of billing fraud. Furthermore, because a UMTS subscriber's login to and logout from the WLAN both pass through the WLAN, a malicious WLAN operator could forge a UMTS subscriber's login process, and could also delay or even withhold the UMTS user's logout message so that it reaches the UMTS network late or not at all.
Summary of the invention
In view of this, the main object of the present invention is to provide an authentication method for a multimode terminal roaming between networks of heterogeneous access technologies in which the terminal's user need only subscribe to one network, which is a great convenience for the user; further, when the first network to which the terminal is currently attached is more secure than the second network it needs to roam to, the authentication path can be made more secure.
To achieve the above object, in the authentication method provided by the invention for a multimode terminal roaming between networks of heterogeneous access technologies, the multimode terminal attaches to a first network to which it has subscribed; when the terminal, while attached to the first network, needs to roam to a second network, the method includes the following steps:
A. The first network receives the multimode terminal's login request for the second network; the request carries the second network's identifier and the terminal's second identifier, that is, its identifier in the second network;
B. The first network authenticates the login request initiated by the multimode terminal on the basis of the second identifier, and notifies the second network of its decision on whether to admit the terminal's login request;
C. When the second network admits the login request initiated by the multimode terminal, the second network verifies the validity of the resource access token obtained by the terminal;
D. After determining that the terminal's resource access token is valid, the second network permits the multimode terminal to attach.
When the multimode terminal is attached to a third network that uses the same access technology as the first network and has an agreement with the first network, the method further includes, before step A: the multimode terminal sends the second-network login request to the third network, and the third network forwards it to the first network.
Between steps A and B, the method further includes: the first network determines from the second network's identifier whether it has a user roaming agreement with the second network; if so, it proceeds to step B; otherwise it notifies the multimode terminal that the second network is unavailable and ends the current flow.
After the first network determines that it has a user roaming agreement with the second network and before step B, the method further includes: the first network determines from the multimode terminal's subscription information whether the terminal has subscribed to use the services provided by the second network; if so, it proceeds to step B; otherwise it notifies the terminal that the second network is unavailable and ends the current flow.
Between steps A and B, the method further includes: the first network determines from the multimode terminal's subscription information whether the terminal has subscribed to use the services provided by the second network; if so, it proceeds to step B; otherwise it notifies the terminal that the second network is unavailable and ends the current flow.
After the first network determines that the terminal has subscribed to use the services provided by the second network and before step B, the method further includes: the first network determines from the second network's identifier whether it has a user roaming agreement with the second network; if so, it proceeds to step B; otherwise it notifies the terminal that the second network is unavailable and ends the current flow.
Between steps A and B, the method further includes: the first network sends the second-network login request to the second network on the basis of the second network's identifier; the second network requests the first network to authenticate the multimode terminal's login request, and provides the first network with the second identifier carried in the login request it received.
Step A further includes: the first network stores the correspondence between the terminal's first identifier, that is, its identifier in the first network, and its second identifier. Between steps A and B, the method further includes: the first network sends to the second network a second-network login request carrying the second identifier of step A, and the second network requests the first network to verify whether the multimode terminal under this second identifier has initiated a login request. Step B includes: the first network, on the basis of the stored correspondence, finds the first identifier corresponding to the second identifier provided by the second network and requests the multimode terminal under that first identifier to provide its second identifier; it then judges whether the second identifier from the terminal is consistent with the second identifier from the second network. If so, the terminal's login request passes authentication and the first network notifies the second network to admit it; otherwise the login request fails authentication, the first network notifies the second network not to admit it, and the current flow ends.
The first network is a Universal Mobile Telecommunications System (UMTS) network and the second network is a wireless local area network (WLAN); the correspondence between the first and second identifiers of step A is stored in the authentication device of the UMTS network. Step B is: the authentication device of the WLAN sends a pseudo-authentication verification request to the authentication device of the UMTS network, carrying the second identifier carried in the WLAN login request; the authentication device in the UMTS network finds, from the stored correspondence, the first identifier corresponding to the second identifier provided by the second network, and then sends a pseudo-challenge request to the multimode terminal under that first identifier; the terminal returns to the UMTS authentication device a pseudo-challenge response carrying its second identifier; the UMTS authentication device judges whether the second identifier from the terminal is consistent with the second identifier from the second network. If so, the terminal's WLAN login request passes authentication and the WLAN authentication device is notified to admit the terminal's login request; otherwise the WLAN login request fails authentication, the WLAN authentication device is notified not to admit it, and the current flow ends.
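The following simulation is an added example and not the patent's own code; it models steps A and B as described above, including the pseudo-challenge of the UMTS/WLAN variant, with the roaming-agreement and subscription checks in front of them. The class names, message fields and the `imsi-…`/`wlan-user-…` identifiers are constructed for the example. The home network's stored correspondence is treated here as a pending-login record that is consumed once verified, which is a design choice of this example rather than something the patent states; it is what makes the replay scenario below fail.

```python
"""Home-network-mediated login check (steps A and B), constructed simulation."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class MultimodeTerminal:
    first_id: str   # identifier in the first (home) network, constructed
    second_id: str  # identifier in the second (visited) network, constructed

    def login_request(self, second_network_id: str) -> dict:
        # Step A: the request goes to the FIRST network and carries only the
        # second network's identifier and the terminal's second identifier.
        return {"second_network_id": second_network_id, "second_id": self.second_id}

    def pseudo_challenge_response(self, nonce: str) -> dict:
        # The terminal answers the home network's pseudo-challenge with its
        # second identifier; no key or subscription data is involved.
        return {"nonce": nonce, "second_id": self.second_id}


class SecondNetwork:
    """Visited network, e.g. the WLAN authentication device."""

    def __init__(self, network_id: str, roaming_partners: Set[str]):
        self.network_id = network_id
        self.roaming_partners = roaming_partners
        self.seen_ids: Set[str] = set()   # every identifier this network ever receives
        self.admitted: Set[str] = set()

    def handle_login_request(self, first_network: "FirstNetwork", second_id: str) -> bool:
        self.seen_ids.add(second_id)
        if first_network.network_id not in self.roaming_partners:
            return False
        # Pseudo-authentication verification request back to the home network:
        # "did the terminal with this second identifier really ask to log in?"
        if not first_network.verify_login(second_id):
            return False
        self.admitted.add(second_id)
        return True


class FirstNetwork:
    """Home network, e.g. the UMTS authentication device."""

    def __init__(self, network_id: str, roaming_partners: Set[str],
                 subscriptions: Dict[str, Set[str]]):
        self.network_id = network_id
        self.roaming_partners = roaming_partners   # second networks with a roaming agreement
        self.subscriptions = subscriptions         # first_id -> second networks subscribed to
        self.attached: Dict[str, MultimodeTerminal] = {}
        self.pending: Dict[str, str] = {}          # second_id -> first_id, stored in step A

    def attach(self, terminal: MultimodeTerminal) -> None:
        self.attached[terminal.first_id] = terminal

    def handle_login(self, first_id: str, request: dict, second_network: SecondNetwork) -> str:
        sn_id = request["second_network_id"]
        if sn_id not in self.roaming_partners:
            return "unavailable: no roaming agreement with second network"
        if sn_id not in self.subscriptions.get(first_id, set()):
            return "unavailable: terminal not subscribed to second network"
        self.pending[request["second_id"]] = first_id
        if second_network.handle_login_request(self, request["second_id"]):
            return "admitted"
        return "rejected"

    def verify_login(self, second_id: str) -> bool:
        # Step B: map the second identifier back to a first identifier; a
        # request for an identifier nobody asked to log in with is a forgery.
        first_id: Optional[str] = self.pending.pop(second_id, None)
        if first_id is None:
            return False
        # Pseudo-challenge the terminal over the first network's own channel
        # and admit only if the two second identifiers are consistent.
        nonce = secrets.token_hex(8)
        reply = self.attached[first_id].pseudo_challenge_response(nonce)
        return reply["nonce"] == nonce and reply["second_id"] == second_id


def run_scenarios() -> dict:
    """Constructed scenarios: legitimate login, unsubscribed terminal, a visited
    network forging a login nobody requested, and a replayed verification."""
    umts = FirstNetwork("UMTS-A", {"WLAN-1"}, {"imsi-001": {"WLAN-1"}, "imsi-002": set()})
    wlan = SecondNetwork("WLAN-1", {"UMTS-A"})
    alice = MultimodeTerminal("imsi-001", "wlan-user-alice")
    bob = MultimodeTerminal("imsi-002", "wlan-user-bob")
    umts.attach(alice)
    umts.attach(bob)
    return {
        "alice": umts.handle_login("imsi-001", alice.login_request("WLAN-1"), wlan),
        "bob": umts.handle_login("imsi-002", bob.login_request("WLAN-1"), wlan),
        "forged": wlan.handle_login_request(umts, "wlan-user-carol"),
        "replayed": wlan.handle_login_request(umts, "wlan-user-alice"),
        "home_id_leaked": any(i.startswith("imsi-") for i in wlan.seen_ids),
    }
```

The last field of `run_scenarios()` records what the visited network actually saw: only second identifiers, never the home identifier, in contrast to the prior-art loose-coupling flow in which ID_U travels through the WLAN.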
The second-network login request of step A further carries the identifier of the access device through which the second network is accessed. Between steps B and C, the method further includes step C0: the second network determines from the access device identifier whether the access device is valid; if so, it proceeds to step C; otherwise it does not admit the login request initiated by the multimode terminal and ends the current flow.
Before step B, the method further includes: the first network sends to the second network a second-network login request carrying the first network's identifier. Between step B and step C0, the method further includes: the second network determines from the first network's identifier whether it has a user roaming agreement with the first network; if so, it proceeds to step C0; otherwise it refuses the multimode terminal, the second network being unavailable, and ends the current flow.
The access device identifier comes from a broadcast message that the second network broadcasts to the multimode terminal.
In step C, the second network's verification of the validity of the resource access token obtained by the multimode terminal includes step C1: the second network reserves access resources and generates a pair of resource access tokens; one token is provided to the multimode terminal through the first network and the other is stored by the second network; the terminal provides the token it received to the second network, which judges whether the terminal's token is consistent with the token it stored itself; if so, it proceeds to step D; otherwise it refuses the login request initiated by the terminal and ends the current flow.
Step C1 includes: the authentication device in the second network sends a resource reservation request to the access device, which reserves access resources; after receiving the access device's resource reservation reply, the authentication device generates a pair of resource access tokens, gives one to the access device to store, and provides the other to the multimode terminal through the authentication device of the first network; the terminal provides the token it received to the access device, which judges whether the terminal's token is consistent with the token it stored itself; if so, it proceeds to step D; otherwise the login request initiated by the terminal is refused and the current flow ends.
In step C, the second network's verification of the validity of the resource access token obtained by the multimode terminal includes step C2: the first network generates a pair of resource access tokens for the reserved access resources of the second network, provides one directly to the multimode terminal and the other to the second network to store; the terminal provides the token it received to the second network, which judges whether the terminal's token is consistent with the token it stored itself; if so, it proceeds to step D; otherwise it refuses the login request initiated by the terminal and ends the current flow.
Step C2 includes: the authentication device of the first network sends a resource reservation request to the access device of the second network, which reserves access resources; after receiving the resource reservation reply returned by the access device, the authentication device of the first network generates a pair of resource access tokens, sends one to the access device to store, and provides the other directly to the multimode terminal; the terminal provides the token it received to the access device, which judges whether the terminal's token is consistent with the token it stored itself; if so, it proceeds to step D; otherwise the login request initiated by the terminal is refused and the current flow ends.
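The following is an added example, not the patent's own code, of the resource-access-token check of step C in its C1 form (token pair minted by the second network's authentication device, one copy held by the access device, the other delivered to the terminal over the first network), followed by a logout that is routed through the first network so that the home network stamps the session end itself. The class names, the 16-byte random token, the tick-based logical clock and the identifiers are assumptions constructed for the example; "consistent" is implemented as byte-for-byte equality of the two tokens, compared in constant time.

```python
"""Resource access token pair (step C1) and home-network-stamped logout, constructed simulation."""
import hmac
import secrets
from typing import Dict, List, Optional, Set


class AccessDevice:
    """Second-network access device, e.g. a WLAN access point."""

    def __init__(self, device_id: str):
        self.device_id = device_id
        self.pending: Dict[str, Optional[bytes]] = {}  # second_id -> token the terminal must present
        self.active: Set[str] = set()                  # second_ids currently using reserved resources

    def reserve(self, second_id: str) -> bool:
        if second_id in self.pending or second_id in self.active:
            return False
        self.pending[second_id] = None
        return True

    def store_token(self, second_id: str, token: bytes) -> None:
        self.pending[second_id] = token

    def admit(self, second_id: str, presented: bytes) -> bool:
        expected = self.pending.get(second_id)
        if expected is None or not hmac.compare_digest(expected, presented):
            return False                 # unknown reservation or mismatching token
        del self.pending[second_id]      # a token admits the terminal once, then is consumed
        self.active.add(second_id)
        return True

    def release(self, second_id: str) -> bool:
        if second_id not in self.active:
            return False
        self.active.remove(second_id)
        return True


class SecondNetworkAuth:
    """Authentication device of the second network: reserves resources and mints the token pair."""

    def __init__(self, device: AccessDevice):
        self.device = device

    def prepare_access(self, second_id: str) -> Optional[bytes]:
        if not self.device.reserve(second_id):
            return None
        token = secrets.token_bytes(16)             # 128 random bits: not guessable
        self.device.store_token(second_id, token)   # one copy stays at the access device,
        return token                                # the other goes to the terminal via the first network

    def close(self, second_id: str) -> bool:
        return self.device.release(second_id)


class FirstNetworkAuth:
    """Authentication device of the first (home) network."""

    def __init__(self, second_auth: SecondNetworkAuth):
        self.second_auth = second_auth
        self.clock = 0                               # logical clock in ticks (constructed)
        self.sessions: Dict[str, List[Optional[int]]] = {}  # first_id -> [start_tick, end_tick]

    def tick(self, n: int = 1) -> None:
        self.clock += n

    def request_access(self, first_id: str, second_id: str) -> Optional[bytes]:
        # The terminal's token is relayed over the first network's own channel,
        # so it never crosses the second network's air interface before use.
        return self.second_auth.prepare_access(second_id)

    def session_started(self, first_id: str) -> None:
        self.sessions[first_id] = [self.clock, None]

    def logout(self, first_id: str, second_id: str) -> bool:
        # The logout request reaches the first network first, which records the end
        # time itself instead of trusting the second network's accounting report.
        session = self.sessions.get(first_id)
        if session is None or session[1] is not None:
            return False
        session[1] = self.clock
        return self.second_auth.close(second_id)

    def billed_ticks(self, first_id: str) -> int:
        start, end = self.sessions[first_id]
        return end - start


def run_scenarios() -> dict:
    """Constructed walk-through: forged token, wrong user, genuine admission,
    replay of a consumed token, logout through the home network, double logout."""
    ap = AccessDevice("AP-1")
    wlan = SecondNetworkAuth(ap)
    umts = FirstNetworkAuth(wlan)
    first_id, second_id = "imsi-001", "wlan-user-alice"   # constructed identifiers
    token = umts.request_access(first_id, second_id)
    out = {"token_issued": token is not None}
    out["forged_token_rejected"] = not ap.admit(second_id, secrets.token_bytes(16))
    out["unknown_user_rejected"] = not ap.admit("wlan-user-mallory", token)
    out["genuine_admitted"] = ap.admit(second_id, token)
    umts.session_started(first_id)
    out["replay_rejected"] = not ap.admit(second_id, token)
    umts.tick(30)
    out["logout_ok"] = umts.logout(first_id, second_id)
    out["billed_ticks"] = umts.billed_ticks(first_id)
    out["double_logout_rejected"] = not umts.logout(first_id, second_id)
    return out
```

A mismatching presentation does not consume the reservation here, so a guess by a bystander cannot lock the genuine terminal out; the 128-bit token is what makes guessing infeasible. An access device that also stores only a hash of its copy would survive its own compromise better, but that goes beyond the matching rule the page describes.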
The second network's identifier in step A comes from a broadcast message that the first network broadcasts to the multimode terminal; or from a broadcast message that the second network broadcasts to the terminal; or from broadcast messages of both the first and the second network.
The broadcast message further includes the second network's usage tariff, or its access bandwidth, or network information for the multimode terminal's reference, or any combination of these.
The method further includes: the multimode terminal selects the second network to attach to according to the second network's usage tariff, its access bandwidth, the network information provided for the terminal's reference, or any combination of these.
The method further includes: an authentication-method protocol layer is added to or modified in the functional entities that take part in authentication in the first and second networks, and in the multimode terminal, so that the first and second networks communicate directly; or the first and second networks communicate through an intermediate device.
After step D, the method further includes: the multimode terminal sends the second-network logout request directly to the second network, and the second network closes the resources used by the terminal; or the multimode terminal sends the second-network logout request to the second network through the first network, and the second network closes the resources used by the terminal.
After the second network closes the resources used by the multimode terminal, the method further includes: the terminal notifies the first network that the second-network resources it was using have been closed; or the second network notifies the first network that the second-network resources used by the terminal have been closed.
In the present invention, when a multimode terminal attached to a first network needs to roam to a second network, the first network receives the terminal's login request for the second network, which carries the terminal's second identifier, that is, its identifier in the second network; the second network authenticates the terminal through the first network, and the terminal attaches to the second network after passing authentication. In this way the terminal's user only needs to subscribe to one network and can roam into other networks that use different access technologies and have an agreement with the subscribed network, without subscribing to each of them, which is a great convenience for the user. Because the user's private information, such as subscription data, is stored only in the subscribed home network, the security of that private information is strengthened. Moreover, the first and second networks exchange directly only the necessary authentication commands and identifiers, not their respective authentication algorithms and keys, which strengthens the security of authentication.
First network safe when second network; because the multimode terminal user can not be transferred into the second relatively poor network of fail safe at the private informations such as CAMEL-Subscription-Information of first network; protected multimode terminal user's private information better; strengthened the fail safe of multimode terminal user private information, for multimode terminal user's private information provides safety guarantee.
The request of logging off of second network of multimode terminal can at first be sent to first network among the present invention, first network need not by with these information of mutual acquisition of second network, like this, when charge information during, can effectively avoid the swindle of chargeing of the malice of second network from second network; And can effectively avoid the signatory multimode terminal login of second phishing, first network and the charging swindle carried out, and improved the accuracy and the reliability of charge information greatly, avoided the dispute of disbursement and sattlement between the heterogeneous networks.
In addition, the second network entry request of multimode terminal directly is sent to first network of its current access, no longer need send over by second network as prior art, like this, because current first network that inserted of multimode terminal, can use first network to finish the authentication that signs in to second network in advance, and greatly reduce multimode terminal at the needed authenticated time of the inter-network roaming of different access technologies.
In addition, the method that the present invention proposes can be carried out the improvement of protocol stack to the related functional entities in first network and second network, realize the directly mutual of authentication information between each functional entity, need not again the extra equipment that is used for information mutual between the two is carried out format conversion that increases, greatly reduce the construction and the maintenance cost of network.The present invention also can continue to use existing network system, need not the related functional entities in first network and second network is carried out the improvement of protocol stack, to reduce the influence to the existing network system to greatest extent.
In sum, the authentication method that the present invention proposes secondly from security standpoint, has embodied the thought of " simplifying practical, assurance safety " at first from user friendly angle.
Description of drawings
Fig. 1 is a schematic diagram of WLAN and UMTS network interworking in the prior art;
Fig. 2 is a schematic diagram of interworking when the authentication method of the present invention is applied to a WLAN and a UMTS network;
Fig. 3 is a flow chart of the first embodiment of the present invention;
Fig. 4 is a message interaction diagram of the first embodiment of the present invention;
Fig. 5 is a protocol stack diagram of the first embodiment of the present invention;
Fig. 6 is a schematic diagram of interworking when the authentication method of the present invention is applied to a WMAN and a UMTS network;
Fig. 7 is a schematic diagram of interworking when the authentication method of the present invention is applied to a wired network and a UMTS network;
Fig. 8 is a schematic diagram of interworking when the authentication method of the present invention is applied to a next-generation fixed network and another network.
Embodiment
In the present invention, the multimode terminal is attached to a first network. When it needs to use a second network, the first network receives the multimode terminal's second-network login request, which carries a second identifier, i.e. the identifier of the multimode terminal in the second network. The first network verifies, on the basis of the second identifier, whether the multimode terminal actually initiated the second-network login request. After the first network notifies the second network that the multimode terminal did initiate the request, the second network verifies the validity of the resource access token held by the multimode terminal; the second network can provide the resource access token to the multimode terminal through the first network. After determining that the multimode terminal's resource access token is valid, the second network permits the multimode terminal to access. Thereafter the multimode terminal accesses the second network using the network resources the second network has reserved for it. The multimode terminal can learn its second identifier from its own hardware that supports the second network.
The first network and the second network use different access technologies, i.e. heterogeneous access technologies, and have signed a user roaming agreement with each other. Thus a multimode terminal user only needs to subscribe with one network and can roam to other networks, avoiding a separate subscription with each network and making the service more convenient to use. When the first network is more secure than the second network, i.e. the access technology used by the first network has higher security, and the multimode terminal needs to roam to the less secure second network, the user's private information held by the first network, such as subscription information, is not transferred to the less secure second network, so the authentication path is safer and leakage or malicious theft of the user's private information, such as subscription information, is avoided.
In addition, when the multimode terminal logs off from the second network, it can send the second-network logoff request directly to the first network, which then sends it on to the second network. Because the second-network logoff request arrives at the first network first, the first network can judge the accuracy of the charging information provided by the second network on that basis, and malicious charging fraud by the second network is effectively avoided.
Below, taking the case where the first network is a UMTS network and the second network is a WLAN as an example, the specific implementation of the present invention is described in detail.
Fig. 2 is a schematic diagram of interworking when the authentication method of the present invention is applied to a WLAN and a UMTS network. As shown in Fig. 2, the multimode terminal has at least a UMTS interface and a WLAN interface. After the multimode terminal attaches to the UMTS network, if it wants to use a service provided by the WLAN but has no subscription with that WLAN, it must be authenticated through the UMTS network. The WLAN login request of the multimode terminal first passes through the access network of the UMTS network and the Mobile Switching Center (MSC)/Visitor Location Register (VLR), or the SGSN and GGSN, to reach an authentication device such as an AAA server; the authentication device in the UMTS network then sends the WLAN login request to the authentication device, such as an AAA server, in the WLAN; the WLAN authenticates the multimode terminal through the UMTS network; and after passing authentication the multimode terminal accesses the WLAN through an AP. The WLAN login request carries UE_WID, the identifier of the multimode terminal in the WLAN, which ensures that the multimode terminal's subscription information in the UMTS network is not sent to the insecure WLAN. The authentication device may be an AAA server, an AuC, or a Home Location Register (HLR).
Fig. 3 is a flow chart of the first embodiment of the present invention. As shown in Fig. 3, when a WLAN and a UMTS network interwork, the authentication process comprises the following steps:
Step 301: A multimode terminal with multiple wireless interfaces, when powered on, can listen on each of its wireless interfaces for coverage by the corresponding wireless network. When both the UMTS network and the WLAN have coverage, the multimode terminal preferentially uses its UMTS interface and attaches to the UMTS network by the login procedure of the UMTS standard. The UMTS network can announce its subscription relationships with other networks in a broadcast message carrying the identifiers of the networks it has agreements with, such as the identifier W_ID of a WLAN that has a subscription agreement with the UMTS network; the multimode terminal can hear the broadcast message from the UMTS network over its UMTS interface and obtain information such as W_ID from it. In addition, a WLAN that has a subscription relationship with the UMTS network can also announce that relationship in a broadcast message carrying W_ID, the list AP_ID_LIST of available AP identifiers, the identifier U_ID of the UMTS network it has an agreement with, and so on; the multimode terminal can hear this broadcast message over its own WLAN interface and obtain W_ID, AP_ID_LIST, U_ID and other information from it. The multimode terminal may listen for the broadcast of the corresponding network on only one of its interfaces, or on each interface for each corresponding network. If the multimode terminal listens both to the UMTS network's broadcast over the UMTS interface and to the WLAN's broadcast over the WLAN interface, it can verify the availability of the W_ID carried in the UMTS broadcast against the W_IDs carried in the WLAN broadcast: if the W_ID from the UMTS broadcast is among the W_IDs from the WLAN broadcast, the WLAN identified by that W_ID is an available WLAN with a subscription agreement with the UMTS network; otherwise the WLAN identified by the W_ID in the UMTS broadcast is currently unavailable. The same method lets the multimode terminal verify the availability of the UMTS network identified by U_ID. The broadcast messages from the UMTS network or from the WLAN may also carry other information, such as the WLAN's utilization rate and access bandwidth, for the multimode terminal to use when selecting the WLAN to access.
Step 302: When the multimode terminal needs to use a service provided by the WLAN, because it has no subscription with that WLAN, the UMTS network receives the WLAN login request of the multimode terminal. This WLAN login request comes directly from the UMTS interface of the multimode terminal: the multimode terminal sends the WLAN login request to the UMTS network through its own UMTS interface, and the request carries W_ID, the identifier of the WLAN the multimode terminal wishes to log into, AP_ID, the identifier of the AP through which it will log into that WLAN, and UE_WID, the identifier the multimode terminal uses when logging into the WLAN. The multimode terminal can learn its identifier UE_WID in the WLAN from its WLAN network card. If the UMTS network the multimode terminal is currently attached to is its home UMTS network, the multimode terminal sends the WLAN login request directly to that UMTS network; if it is not its home UMTS network, the multimode terminal sends the WLAN login request to its home UMTS network through the currently attached UMTS network. In addition, if a Gateway Location Register (GLR) is provided in the network system, then, since the GLR is located in the currently attached UMTS network and temporarily stores the subscription information of the multimode terminal, the multimode terminal can send the WLAN login request directly to the currently attached UMTS network.
Step 303: After the UMTS network receives the WLAN login request of the multimode terminal, it judges whether it has signed a roaming agreement with the WLAN identified by W_ID; if so, step 304 is executed; otherwise the multimode terminal is notified that the corresponding WLAN is unavailable and the current flow ends. The UMTS network maintains the identifiers of the WLANs that have signed a user roaming agreement with it, so from the WLAN identifier it can tell whether a user roaming agreement has been signed with the corresponding WLAN.
Step 304: The UMTS network looks up the subscription information of the multimode terminal identified in the UMTS network by UE_UID and judges whether this multimode terminal has subscribed to the use of the WLAN service. If so, the UMTS network stores the correspondence between UE_UID and UE_WID, or among UE_UID, UE_WID and W_ID, and step 305 is executed; otherwise the WLAN login request initiated by the multimode terminal is refused and the current flow ends. The home UMTS network of the multimode terminal maintains the terminal's subscription information and can tell from it whether the terminal has subscribed to the WLAN service. If a GLR is provided in the network system, then, since the GLR temporarily stores the subscription information of the multimode terminal, the GLR can determine from that subscription information whether the multimode terminal has subscribed to the WLAN service, and this step need not be performed by the home UMTS network of the multimode terminal.
The order of steps 303 and 304 is interchangeable: after the UMTS network receives the WLAN login request of the multimode terminal, it may first judge whether the multimode terminal has subscribed to the WLAN service; if so, it then judges whether it has a user roaming agreement with the WLAN identified by W_ID, and if so, the UMTS network stores the correspondence between UE_UID and UE_WID, or among UE_UID, UE_WID and W_ID, and continues with step 305; otherwise the multimode terminal is notified that the corresponding WLAN is unavailable and the current flow ends. If the multimode terminal has not subscribed to the WLAN service, the WLAN login request it initiated is refused and the current flow ends.
Step 305: The UMTS network sends the WLAN login request to the WLAN, carrying UE_WID and AP_ID.
Step 306: After the WLAN receives the WLAN login request, it judges whether the AP_ID carried in the request is valid, i.e. whether an AP identified by AP_ID exists in the WLAN; if so, it stores the correspondence between UE_WID and AP_ID and continues with step 307; otherwise it refuses, through the UMTS network, the WLAN login request initiated by the multimode terminal, and the current flow ends.
After receiving the WLAN login request, the WLAN may first judge whether it has signed a user roaming agreement with the UMTS network; if so, it goes on to judge whether the AP_ID carried in the WLAN login request is valid; otherwise it refuses, through the UMTS network, the WLAN login request initiated by the multimode terminal, and the current flow ends. The WLAN maintains the identifiers of the UMTS networks that have signed a user roaming agreement with it, so from U_ID it can tell whether a user roaming agreement has been signed with the corresponding UMTS network.
Step 307: The WLAN asks the UMTS network to verify whether the multimode terminal initiated the WLAN login request.
Step 308: The UMTS network verifies whether the multimode terminal initiated the WLAN login request; if so, step 309 is executed; otherwise the UMTS network notifies the WLAN that verification failed and the current flow ends. Concretely, the verification can proceed as follows: after the WLAN provides the UMTS network with the UE_WID carried in the WLAN login request, the UMTS network determines the UE_UID corresponding to that UE_WID from the stored correspondence between UE_UID and UE_WID, then asks the corresponding multimode terminal to provide its UE_WID in the WLAN, and judges whether the UE_WID received from the multimode terminal is consistent with the UE_WID received from the WLAN. If so, the multimode terminal did initiate the WLAN login request; otherwise it did not, and verification fails.
Steps 309 to 310: The UMTS network notifies the WLAN that verification succeeded. On receiving the verification success notice from the UMTS network, the WLAN generates a pair of resource access tokens and provides the respective resource access token information to the multimode terminal and to the AP identified by AP_ID. The WLAN provides the resource access token information to the multimode terminal through the UMTS network.
Step 311: After receiving the resource access token information provided by the WLAN, the multimode terminal presents it to the AP. The AP then verifies, against the resource access token information the WLAN provided to the AP itself, whether the information presented by the multimode terminal is valid, i.e. whether the two are consistent; if so, step 312 is executed; otherwise the WLAN login request initiated by the multimode terminal is refused.
The resource access token information can take many forms, for example an access resource identifier together with a resource use key, or a username and password, and so on.
Steps 312 to 313: The AP permits the multimode terminal to access the WLAN, and the multimode terminal accesses the WLAN using the network resources the WLAN has reserved.
Alternatively, the access tokens may be generated by the UMTS network: the UMTS network generates a pair of resource access tokens for the reserved WLAN access resource, provides one token's information directly to the multimode terminal over the UMTS interface, and provides the other to the WLAN, which stores it. The multimode terminal presents the token information it received to the WLAN, and the WLAN judges whether it is consistent with the token information it stored; if so, the multimode terminal is permitted to access the WLAN; otherwise the multimode terminal is refused access to the WLAN and the current flow ends.
After the multimode terminal accesses the WLAN through the AP, it uses the services the WLAN provides. When it no longer needs them, it logs off from the WLAN. At that time the multimode terminal may send the WLAN logoff request directly to the WLAN; after receiving it, the WLAN releases the network resources used by the multimode terminal and the multimode terminal leaves the WLAN; the multimode terminal may then notify the UMTS network that it has logged off from the WLAN. Alternatively, the multimode terminal sends the WLAN logoff request to the UMTS network, which forwards it to the WLAN; after receiving it, the WLAN releases the network resources used by the multimode terminal, the multimode terminal leaves the WLAN, and the WLAN notifies the UMTS network that the resources it provided have been released. Because the WLAN logoff request reaches the UMTS network when the multimode terminal logs off from the WLAN, the UMTS network knows accurately when the multimode terminal logged off and can compare this with the logoff time reported by the WLAN, thereby checking the accuracy of the charging information from the WLAN and effectively avoiding malicious charging fraud by the WLAN.
Fig. 4 is a message interaction diagram of the first embodiment of the present invention. As shown in Fig. 4, when the WLAN and the UMTS network interwork (for brevity, the AAA server in the UMTS network is called AAA_U and the AAA server in the WLAN is called AAA_W), the message interaction in the authentication process comprises the following steps:
Step 401: A multimode terminal with multiple wireless interfaces, when powered on, can listen on each of its wireless interfaces for coverage by the corresponding wireless network; when both the UMTS network and the WLAN have coverage, the multimode terminal preferentially uses its UMTS interface and attaches to the UMTS network by the login procedure of the UMTS standard.
Step 402: After the multimode terminal attaches to the UMTS network, a WLAN that has a subscription relationship with the UMTS network announces that relationship in a broadcast message that also carries W_ID and AP_ID_LIST, so the multimode terminal can hear the WLAN's broadcast over its own WLAN interface and obtain W_ID, AP_ID_LIST and other information from it.
Step 403: When the multimode terminal needs to use a service provided by the WLAN, because it has no subscription with that WLAN, it sends a WLAN login request through its own UMTS interface to the GGSN in its home UMTS network; the request carries the W_ID of the WLAN the multimode terminal wishes to log into, the AP_ID of the AP through which it will log into that WLAN, and UE_WID, the identifier of the multimode terminal in the WLAN.
Step 404: After the GGSN receives the WLAN login request, it sends a WLAN subscription verification request to AAA_U carrying UE_UID, W_ID and UE_WID. On receiving the WLAN subscription verification request from the GGSN, AAA_U judges whether a roaming agreement has been signed with the WLAN identified by W_ID; if so, step 405 is executed; otherwise it notifies the multimode terminal through the GGSN that the corresponding WLAN is unavailable, and the current flow ends. AAA_U maintains the identifiers of the WLANs that have signed a roaming agreement with the UMTS network it belongs to, so from the WLAN identifier it can tell whether its UMTS network has signed a roaming agreement with the corresponding WLAN.
Step 405: AAA_U sends a WLAN service subscription verification request to the HLR carrying UE_UID. After receiving it, the HLR looks up the subscription information of the multimode terminal identified by UE_UID and judges from it whether this multimode terminal has subscribed to the WLAN service; if so, step 406 is executed; otherwise it returns a negative response to AAA_U, and after receiving the negative response AAA_U refuses, through the GGSN, the WLAN login request initiated by the multimode terminal, and the current flow ends. The HLR maintains the subscription information of terminals and can tell from it whether the multimode terminal has subscribed to the WLAN service.
Step 406: The HLR returns a positive response to AAA_U, notifying AAA_U that the corresponding multimode terminal has subscribed to the WLAN service.
Step 407: After receiving the positive response, AAA_U stores the correspondence between UE_UID and UE_WID, or among UE_UID, UE_WID and W_ID, and then, according to W_ID, sends the WLAN login request to the AAA_W of that WLAN, carrying UE_WID and AP_ID. After AAA_W receives the WLAN login request, it judges whether the AP_ID carried in it is valid, i.e. whether an AP identified by AP_ID exists in the WLAN; if so, it stores the correspondence between UE_WID and AP_ID and continues with step 408; otherwise it returns a reject response to AAA_U, and after receiving the reject response AAA_U refuses, through the GGSN, the WLAN login request initiated by the multimode terminal, and the current flow ends.
Step 408: AAA_W sends a pseudo-authentication verification request to AAA_U carrying UE_WID, i.e. the UE_WID carried in the WLAN login request of step 407.
Step 409: After AAA_U receives the pseudo-authentication verification request, it determines the UE_UID corresponding to UE_WID from the stored correspondence between UE_UID and UE_WID, then sends a pseudo-challenge request to the GGSN carrying the UE_UID corresponding to UE_WID.
Step 410: After the GGSN receives the pseudo-challenge request, it sends a pseudo-challenge request to the multimode terminal identified by UE_UID, carrying the address of AAA_U.
Step 411: After the multimode terminal receives the pseudo-challenge request over the UMTS interface, it first judges whether the pseudo-challenge request is a reply to a WLAN login request. If the multimode terminal determines that it did initiate a WLAN login request, then the pseudo-challenge request is a reply to that request and should be answered correctly: the multimode terminal sends a pseudo-challenge response to AAA_U, at the AAA_U address carried in the pseudo-challenge request, carrying UE_WID, its identifier in the WLAN. If the multimode terminal determines that it did not initiate a WLAN login request, it may leave the pseudo-challenge request unanswered, or send a reject response to the AAA_U address. After AAA_U receives the pseudo-challenge response, it judges whether the UE_WID carried in it is consistent with the stored UE_WID corresponding to this multimode terminal's UE_UID; if so, the corresponding multimode terminal did initiate the WLAN login request and step 412 is executed; otherwise the multimode terminal did not initiate the WLAN login request, the UMTS network notifies the WLAN that verification failed, and the current flow ends.
Step 412: AAA_U sends a pseudo-authentication verification success message to AAA_W carrying UE_WID.
Step 413: After AAA_W receives the pseudo-authentication verification success message, it sends a port resource reservation request to the AP carrying UE_WID. AAA_W may store the correspondence between UE_WID and AP_ID so that it can determine AP_ID from UE_WID; alternatively, the correspondence among UE_UID, UE_WID, W_ID and AP_ID may be stored so that, after the multimode terminal passes verification, AAA_U provides UE_WID and AP_ID to AAA_W, which thereby learns the corresponding AP_ID from AAA_U.
Step 414: After the AP receives the resource reservation request, it allocates and reserves for UE_WID an access resource identified by RES_ID, then sends a resource reservation reply to AAA_W carrying UE_WID and RES_ID.
Step 415: After AAA_W receives the resource reservation reply, it generates for the same RES_ID a pair of resource access token messages: one is the multimode-terminal resource access token message sent to AAA_U, carrying UE_WID, AP_ID, RES_ID and the resource use key S_KEY; the other is the AP resource access token message sent to the AP, carrying UE_WID, RES_ID and S_KEY. After the AP receives the AP resource access token message, it stores the correspondence among UE_WID, RES_ID and S_KEY.
Step 416: After AAA_U receives the multimode-terminal resource access token message, it sends a multimode-terminal resource access token message to the multimode terminal carrying AP_ID, RES_ID and S_KEY.
Step 417: After the multimode terminal receives the multimode-terminal resource access token message, it sends an access request to the AP identified by AP_ID, carrying UE_WID, RES_ID and S_KEY. After the AP receives the access request, it judges whether the RES_ID and S_KEY carried in it are consistent with the RES_ID and S_KEY it stored for that UE_WID; if so, step 418 is executed; otherwise it returns an access reject reply to the multimode terminal and the WLAN login request initiated by the multimode terminal is refused.
Steps 418 to 419: The AP returns an access permit reply to the multimode terminal and permits it to access the WLAN through the AP, and the multimode terminal accesses the WLAN using the reserved resources.
Alternatively, after AAA_U has determined that the multimode terminal really initiated the WLAN login request, AAA_U may send the resource reservation request to the AP in the WLAN; the AP reserves the access resource and returns a resource reservation reply to AAA_U. After receiving the reply, AAA_U generates a pair of resource access tokens, sends one token's information to the AP, which stores it, and provides the other token's information to the multimode terminal through the UMTS network. The multimode terminal presents the token information it received to the AP, and the AP judges whether it is consistent with the token information it stored; if so, steps 418 to 419 follow; otherwise the multimode terminal is refused access to the WLAN and the current flow ends.
After the multimode terminal accesses the WLAN through the AP, it uses the services the WLAN provides. When it no longer needs them, it logs off from the WLAN. At that time the multimode terminal may send the WLAN logoff request directly to AAA_W through the AP; AAA_W instructs the AP to release the network resources used by the multimode terminal, the AP releases them, and the multimode terminal leaves the WLAN. Alternatively, the multimode terminal sends the WLAN logoff request to AAA_U through the GGSN, and AAA_U forwards it to AAA_W; after receiving it, AAA_W instructs the AP to release the network resources used by the multimode terminal, the AP releases them, the multimode terminal leaves the WLAN, and AAA_U is notified that the network resources have been released. If, when the multimode terminal logs off from the WLAN, the WLAN logoff request is forwarded by AAA_U to AAA_W, then AAA_U knows accurately when the multimode terminal logged off and can compare this with the logoff time reported by the WLAN, thereby checking the accuracy of the charging information from AAA_W and effectively avoiding malicious charging fraud by the WLAN.
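As an added illustration that is not part of the patent, the following Python simulation walks through the Fig. 4 exchange (the same flow that Fig. 3 describes at a higher level) together with the logoff-time check: AAA_U's pseudo-challenge, which rejects a WLAN login request the terminal never sent, and the AP's comparison of the presented (RES_ID, S_KEY) pair against its stored copy. The class names, the dict standing in for the HLR lookup, the S_KEY format and all sample identifiers are assumptions made for the example.

```python
# Added illustration, not the patent's own code: a minimal simulation of the Fig. 4
# login flow (steps 403-419) and the logoff-time check; names and message shapes are assumed.
import secrets

class AP:
    def __init__(self, ap_id):
        self.ap_id = ap_id
        self.tokens = {}       # UE_WID -> (RES_ID, S_KEY), the AP copy of the token (step 415)
        self.attached = set()

    def reserve(self, ue_wid, s_key):
        # Steps 414-415 (AP side): reserve an access resource RES_ID for UE_WID, keep the token.
        res_id = f"RES-{self.ap_id}-{len(self.tokens) + 1}"
        self.tokens[ue_wid] = (res_id, s_key)
        return res_id

    def access_request(self, ue_wid, res_id, s_key):
        # Step 417: admit only if the presented (RES_ID, S_KEY) matches the stored pair.
        if self.tokens.get(ue_wid) != (res_id, s_key):
            return False
        self.attached.add(ue_wid)
        return True

class AAAW:  # WLAN AAA server (AAA_W)
    def __init__(self, w_id, aps, roaming_partners):
        self.w_id, self.aps = w_id, {ap.ap_id: ap for ap in aps}
        self.roaming_partners = set(roaming_partners)  # U_IDs with a roaming agreement
        self.bindings = {}                             # UE_WID -> AP_ID (step 407)

    def login_request(self, u_id, ue_wid, ap_id):
        # Step 407 (WLAN side): roaming agreement with U_ID required, and AP_ID must exist.
        if u_id not in self.roaming_partners or ap_id not in self.aps:
            return False
        self.bindings[ue_wid] = ap_id
        return True

    def issue_tokens(self, ue_wid):
        # Steps 413-415: token pair sharing RES_ID and S_KEY; AP keeps one, AAA_U relays the other.
        ap = self.aps[self.bindings[ue_wid]]
        s_key = secrets.token_hex(8)
        return ap.ap_id, ap.reserve(ue_wid, s_key), s_key

class AAAU:  # UMTS AAA server (AAA_U); a dict stands in for the HLR subscription lookup
    def __init__(self, u_id, subscribers, roaming_wlans):
        self.u_id = u_id
        self.subscribers = dict(subscribers)     # UE_UID -> subscribed to the WLAN service?
        self.roaming_wlans = set(roaming_wlans)  # W_IDs with a roaming agreement
        self.bindings = {}                       # UE_WID -> UE_UID (step 407)
        self.logoff_times = {}                   # UE_WID -> logoff time recorded by AAA_U

    def wlan_login(self, terminal, aaa_w, w_id, ap_id, ue_wid):
        if w_id not in self.roaming_wlans:                 # step 404
            return "wlan unavailable"
        if not self.subscribers.get(terminal.ue_uid):      # step 405 (HLR)
            return "no wlan subscription"
        self.bindings[ue_wid] = terminal.ue_uid             # step 407
        if not aaa_w.login_request(self.u_id, ue_wid, ap_id):
            return "rejected by wlan"
        # Steps 408-411: pseudo-challenge over UMTS. The terminal answers with UE_WID only
        # if it really initiated a WLAN login, so a request fabricated on the WLAN side fails.
        if terminal.pseudo_challenge(self.u_id) != ue_wid:
            return "verification failed"
        return aaa_w.issue_tokens(ue_wid)                  # steps 412-416

    def charging_consistent(self, ue_wid, wlan_reported_logoff, tolerance=5):
        # The logoff passed through AAA_U first, so the WLAN's billed logoff time is checkable.
        return abs(self.logoff_times[ue_wid] - wlan_reported_logoff) <= tolerance

class Terminal:
    def __init__(self, ue_uid, ue_wid):
        self.ue_uid, self.ue_wid = ue_uid, ue_wid
        self.pending_wlan_login = False

    def pseudo_challenge(self, aaa_u_addr):
        # Step 411: respond only to a challenge that answers a request this terminal sent.
        return self.ue_wid if self.pending_wlan_login else None

    def login_to_wlan(self, aaa_u, aaa_w, w_id, ap_id):
        self.pending_wlan_login = True                      # step 403
        result = aaa_u.wlan_login(self, aaa_w, w_id, ap_id, self.ue_wid)
        self.pending_wlan_login = False
        if isinstance(result, str):
            return result
        ap_id, res_id, s_key = result                       # step 416
        ok = aaa_w.aps[ap_id].access_request(self.ue_wid, res_id, s_key)
        return "attached" if ok else "access rejected"      # steps 417-419

    def logoff_via_umts(self, aaa_u, t):
        # Logoff request sent to AAA_U first; AAA_U records the time before forwarding it.
        aaa_u.logoff_times[self.ue_wid] = t

def build_demo():
    # Constructed sample topology: UMTS network U1 and WLAN W1 with a single AP.
    ap = AP("AP1")
    aaa_w = AAAW("W1", [ap], roaming_partners=["U1"])
    aaa_u = AAAU("U1", {"IMSI-0001": True, "IMSI-0002": False}, ["W1"])
    return aaa_u, aaa_w, ap
```

Calling `Terminal("IMSI-0001", "00:11:22:33:44:55").login_to_wlan(*build_demo()[:2], "W1", "AP1")` returns "attached", while calling `wlan_login` for a terminal that has no pending request returns "verification failed".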
According to method described above, even the computer that inserts smart card is as the multimode terminal that inserts WLAN, because smart card directly carries out information interaction by UMTS interface and UMTS network, give open operating system and need not the UMTS information of the user on the smart card read, also need not in unsafe environment such as WLAN, to use, avoid being stolen by malice and utilizing of private information, improved the fail safe of the system that interconnects.
Fig. 5 is a protocol stack diagram of the first embodiment of the invention. As shown in Fig. 5, the authentication method proposed by the invention requires the protocol stacks of the multimode terminal, GGSN, AAA_U, AP and AAA_W to be improved, either by adding an authentication-method protocol layer or by modifying the existing authentication protocol layer, so that authentication information can be exchanged directly between the functional entities without adding equipment such as an adaptation gateway, which saves network construction and maintenance cost. If the protocol stacks of the multimode terminal, GGSN, AAA_U, AP and AAA_W are not improved, the existing network system can continue to be used and authentication completed through intermediate equipment; for example, an adaptation gateway placed between the two networks can continue to convert the format of the information they exchange.
The identity UE_UID of the multimode terminal in the UMTS network may be the International Mobile Subscriber Identity (IMSI) or the Temporary Mobile Subscriber Identity (TMSI). The identity UE_WID of the multimode terminal in the WLAN is its Media Access Control (MAC) address.
Fig. 6 shows the authentication method of the invention applied to the interconnection of a wireless metropolitan area network (WMAN) with a UMTS network. As shown in Fig. 6, the multimode terminal has at least a UMTS interface and a WMAN interface. After the multimode terminal has accessed the UMTS network, it may need to use the services provided by a WMAN with which it has no subscription, so it must be authenticated through the UMTS network. The WMAN login request of the multimode terminal first travels through the access network of the UMTS network, the MSC/VLR or SGSN, and the GGSN to the authenticating device acting as the AAA server; the authenticating device of the UMTS network then sends the WMAN login request to the authenticating device acting as the AAA server in the WMAN; the WMAN authenticates the multimode terminal through the UMTS network; and once authenticated, the multimode terminal accesses the WMAN through the WMAN base station and router. The WMAN login request carries the identity of the multimode terminal in the WMAN. The authenticating device may be an AAA server, an AuC, or an HLR.
Fig. 7 shows the authentication method of the invention applied to the interconnection of a wired network with a UMTS network. As shown in Fig. 7, the multimode terminal has at least a UMTS interface and a wired network interface. After the multimode terminal has accessed the UMTS network, it may need to use the services provided by a wired network with which it has no subscription, so it must be authenticated through the UMTS network. The wired network login request of the multimode terminal first travels through the access network of the UMTS network, the MSC/VLR or SGSN, and the GGSN to the authenticating device acting as the AAA server; the authenticating device of the UMTS network then sends the wired network login request to the authenticating device acting as the AAA server in the wired network; the wired network authenticates the multimode terminal through the UMTS network; and once authenticated, the multimode terminal accesses the wired network through the access device and router. The wired network login request carries the identity of the multimode terminal in the wired network. The access device in the wired network may be an Ethernet switch, a dial-up access server, or the like. The wired network may be based on twisted pair, optical fiber, coaxial cable, or the like.
As the fixed telephone network evolves toward the next generation network it adopts softswitch technology: the stored-program-controlled exchange at the core of the network is split so that the control plane and the bearer plane are separated, and its functions are implemented jointly by separate network devices. With the spread of the Internet Protocol (IP), terminals in the fixed network will also be connected to the network in IP packet mode. Because IP addresses are globally reachable, terminals in the fixed network will be allowed to change their point of attachment, and this trend means that future fixed networks will also have to solve problems such as terminal mobility and access control.
Fig. 8 shows the authentication method of the invention applied to the interconnection of a next generation fixed network with another network. As shown in Fig. 8, the multimode terminal has at least a next generation fixed network interface and an interface corresponding to the other network. After the multimode terminal has accessed the next generation fixed network, it may need to use the services provided by another network with which it has no subscription, so it must be authenticated through the next generation fixed network. The login request of the multimode terminal for the other network first travels through the access gateway of the next generation fixed network, the softswitch functional unit, and the Fixed Home Location Register (FHLR) to the authenticating device acting as the AAA server; the authenticating device of the next generation fixed network then sends the login request to the authenticating device acting as the AAA server in the other network; the other network authenticates the multimode terminal through the next generation fixed network; and once authenticated, the multimode terminal accesses the other network through the access device and router. The login request carries the identity of the multimode terminal in the other network.
The concrete authentication process in each of these interconnection cases is essentially the same as the detailed process described for Fig. 3 and Fig. 4 and is therefore not repeated here.
As can be seen from the above description, with the authentication method proposed by the invention a multimode terminal need only subscribe to one network; when it roams to another network, that network can authenticate the multimode terminal through the network to which the terminal subscribes, so the user of the multimode terminal need not subscribe to each network separately, which is a great convenience for the user. In addition, the authentication method proposed by the invention can be used whether or not the multimode terminal has a subscription with the second network.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. If these modifications and variations fall within the scope of the claims of the invention and their equivalents, the invention is intended to include them.

Claims (22)

1. An authentication method for a multimode terminal roaming between networks of heterogeneous access technologies, the multimode terminal having a subscription with a first network, wherein when the multimode terminal has accessed the first network and needs to roam to a second network, the method comprises the following steps:
A. the first network receives a second network login request from the multimode terminal, the second network login request carrying a second network identifier and a second identity of the multimode terminal in the second network;
B. the first network authenticates the second network login request initiated by the multimode terminal according to the second identity, and notifies the second network of its decision on whether to admit the second network login request of the multimode terminal;
C. when the second network admits the second network login request initiated by the multimode terminal, the second network verifies the validity of the resource access token obtained by the multimode terminal;
D. after determining that the resource access token of the multimode terminal is valid, the second network permits the multimode terminal to access.
2. The method according to claim 1, wherein, when the multimode terminal accesses a third network that uses the same access technology as the first network and has a subscription relationship with the first network, the method further comprises, before step A: the multimode terminal sends the second network login request to the third network, and the third network forwards the second network login request to the first network.
3. The method according to claim 1, wherein between step A and step B the method further comprises: the first network determines, according to the second network identifier, whether it has a user roaming agreement with the second network; if so, step B is executed; otherwise the first network notifies the multimode terminal that the second network is unavailable and the current flow ends.
4. The method according to claim 3, wherein, between the first network determining that it has a user roaming agreement with the second network and step B, the method further comprises: the first network determines, according to the subscription information of the multimode terminal, whether the multimode terminal has subscribed to the services provided by the second network; if so, step B is executed; otherwise the first network notifies the multimode terminal that the second network is unavailable and the current flow ends.
5. The method according to claim 1, wherein between step A and step B the method further comprises: the first network determines, according to the subscription information of the multimode terminal, whether the multimode terminal has subscribed to the services provided by the second network; if so, step B is executed; otherwise the first network notifies the multimode terminal that the second network is unavailable and the current flow ends.
6. The method according to claim 5, wherein, between the first network determining that the multimode terminal has subscribed to the services provided by the second network and step B, the method further comprises: the first network determines, according to the second network identifier, whether it has a user roaming agreement with the second network; if so, step B is executed; otherwise the first network notifies the multimode terminal that the second network is unavailable and the current flow ends.
7. The method according to claim 1, wherein between step A and step B the method further comprises: the first network sends the second network login request to the second network according to the second network identifier; the second network requests the first network to authenticate the second network login request of the multimode terminal and provides the first network with the second identity carried in the second network login request it received.
8. The method according to claim 1, wherein
step A further comprises: the first network stores the correspondence between a first identity of the multimode terminal in the first network and the second identity;
between step A and step B the method further comprises: the first network sends to the second network the second network login request carrying the second identity of step A, and the second network requests the first network to verify whether the multimode terminal identified by the second identity initiated the login request;
step B comprises: the first network obtains, from the stored correspondence, the first identity corresponding to the second identity provided by the second network, requests the multimode terminal identified by the first identity to provide its second identity, and determines whether the second identity received from the multimode terminal is consistent with the second identity received from the second network; if so, the second network login request of the multimode terminal passes authentication and the first network notifies the second network to admit the second network login request of the multimode terminal; otherwise the second network login request of the multimode terminal does not pass authentication, the first network notifies the second network not to admit the second network login request of the multimode terminal, and the current flow ends.
9. The method according to claim 8, wherein
the first network is a Universal Mobile Telecommunications System (UMTS) network and the second network is a wireless local area network (WLAN);
the correspondence between the first identity and the second identity of step A is stored in an authenticating device of the UMTS network;
step B is: the authenticating device of the WLAN sends a pseudo-authentication verification request to the authenticating device of the UMTS network, the pseudo-authentication verification request carrying the second identity carried in the WLAN login request; the authenticating device of the UMTS network obtains, from the stored correspondence, the first identity corresponding to the second identity provided by the second network and sends a pseudo-challenge request to the multimode terminal identified by that first identity; the multimode terminal returns to the authenticating device of the UMTS network a pseudo-challenge response carrying its second identity; the authenticating device of the UMTS network determines whether the second identity from the multimode terminal is consistent with the second identity from the second network; if so, the WLAN login request of the multimode terminal passes authentication and the authenticating device of the WLAN is notified to admit the second network login request of the multimode terminal; otherwise the WLAN login request of the multimode terminal does not pass authentication, the authenticating device of the WLAN is notified not to admit the second network login request of the multimode terminal, and the current flow ends.
10. The method according to claim 1, wherein
the second network login request of step A further carries an identifier of the access device through which the second network is accessed;
between step B and step C the method further comprises:
C0. the second network determines, according to the access device identifier, whether the access device is valid; if so, step C is executed; otherwise the second network does not admit the second network login request initiated by the multimode terminal and the current flow ends.
11. The method according to claim 10, wherein
before step B the method further comprises: the first network sends to the second network the second network login request carrying a first network identifier;
between step B and step C0 the method further comprises: the second network determines, according to the first network identifier, whether it has a user roaming agreement with the first network; if so, step C0 is executed; otherwise the second network refuses the multimode terminal and the current flow ends.
12. The method according to claim 10, wherein the access device identifier comes from a broadcast message broadcast by the second network to the multimode terminal.
13. The method according to claim 1, wherein the second network verifying the validity of the resource access token obtained by the multimode terminal in step C comprises:
C1. the second network reserves access resources and generates a pair of resource access tokens, provides one resource access token to the multimode terminal through the first network and stores the other resource access token; the multimode terminal provides the resource access token it received to the second network; the second network determines whether the resource access token of the multimode terminal is consistent with the resource access token it has stored; if so, step D is executed; otherwise the second network refuses the second network login request initiated by the multimode terminal and the current flow ends.
14. The method according to claim 13, wherein step C1 comprises: the authenticating device of the second network sends a resource reservation request to the access device, the access device reserves access resources, and after receiving the resource reservation reply from the access device the authenticating device generates a pair of resource access tokens, provides one resource access token to the access device for storage and the other resource access token to the multimode terminal through the authenticating device of the first network; the multimode terminal provides the resource access token it received to the access device; the access device determines whether the resource access token of the multimode terminal is consistent with the resource access token it has stored; if so, step D is executed; otherwise the access device refuses the second network login request initiated by the multimode terminal and the current flow ends.
15. The method according to claim 1, wherein the second network verifying the validity of the resource access token obtained by the multimode terminal in step C comprises:
C2. the first network generates a pair of resource access tokens for the access resources reserved by the second network, provides one resource access token directly to the multimode terminal and the other resource access token to the second network for storage; the multimode terminal provides the resource access token it received to the second network; the second network determines whether the resource access token of the multimode terminal is consistent with the resource access token it has stored; if so, step D is executed; otherwise the second network refuses the second network login request initiated by the multimode terminal and the current flow ends.
16. The method according to claim 15, wherein step C2 comprises: the authenticating device of the first network sends a resource reservation request to the access device of the second network, the access device reserves access resources, and after receiving the resource reservation reply returned by the access device the authenticating device of the first network generates a pair of resource access tokens, sends one resource access token to the access device for storage and provides the other resource access token directly to the multimode terminal; the multimode terminal provides the resource access token it received to the access device; the access device determines whether the resource access token of the multimode terminal is consistent with the resource access token it has stored; if so, step D is executed; otherwise the access device refuses the second network login request initiated by the multimode terminal and the current flow ends.
17. The method according to claim 1, wherein the second network identifier of step A comes from a broadcast message broadcast by the first network to the multimode terminal; or from a broadcast message broadcast by the second network to the multimode terminal; or from broadcast messages broadcast to the multimode terminal by both the first network and the second network.
18. The method according to claim 17, wherein the broadcast message further comprises the usage tariff of the second network, or its access bandwidth, or network information for reference by the multimode terminal, or any combination of the above.
19. The method according to claim 18, wherein the method further comprises: the multimode terminal selects the second network to be accessed according to the usage tariff of the second network, or its access bandwidth, or the network information for reference by the multimode terminal, or any combination of the above.
20. The method according to claim 1, wherein the method further comprises:
adding or modifying an authentication-method protocol layer in the functional entities of the first network and the second network that participate in authentication, and adding or modifying an authentication-method protocol layer in the multimode terminal, so that the first network and the second network communicate directly;
or the first network and the second network communicate through intermediate equipment.
21. The method according to claim 1, wherein after step D the method further comprises:
the multimode terminal sends a second network logout request directly to the second network, and the second network releases the resources used by the multimode terminal;
or the multimode terminal sends the second network logout request to the second network through the first network, and the second network releases the resources used by the multimode terminal.
22. The method according to claim 21, wherein after the second network releases the resources used by the multimode terminal the method further comprises:
the multimode terminal notifies the first network that the resources of the second network used by the multimode terminal have been released;
or the second network notifies the first network that the resources of the second network used by the multimode terminal have been released.
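The following Python model is added here for illustration and is not part of the patent or of any implementation by the applicant. It walks through the step B check of claims 8 and 9 (the first network maps the WLAN identity UE_WID back to the UMTS identity UE_UID and challenges that subscriber over the UMTS bearer) and the step C token check of claims 13 and 14 (a token pair split between the access point and the terminal, the terminal's copy delivered over UMTS). The entity names AAA_U, AAA_W, AP, UE_UID and UE_WID follow the text; the message shapes, the random 16-byte token, the SHA-256 digest the AP keeps as its half of the pair, the single-use and 30-second lifetime rules, and the sample identities are assumptions of this example that the patent does not specify.

```python
"""Added example, not from the patent: a toy model of the step B pseudo-
authentication (claims 8, 9) and the step C resource access token check
(claims 13, 14).  Message shapes, token format, lifetime and identities are assumed."""
import hashlib
import hmac
import secrets

TOKEN_LIFETIME = 30  # seconds; assumption, the patent fixes no value

class Terminal:
    def __init__(self, ue_uid, ue_wid):
        self.ue_uid, self.ue_wid = ue_uid, ue_wid  # IMSI/TMSI and WLAN MAC
        self.token = None                          # copy delivered over UMTS

    def pseudo_challenge(self):
        return self.ue_wid  # answered over the UMTS bearer, not the WLAN

class AAA_U:
    """Home (UMTS) authenticator; holds the UE_UID <-> UE_WID binding (step A)."""
    def __init__(self, terminals):
        self.terminals = {t.ue_uid: t for t in terminals}  # reachable over UMTS
        self.bindings, self.pending = {}, set()

    def wlan_login_request(self, ue_uid, ue_wid):
        self.bindings[ue_uid] = ue_wid
        self.pending.add(ue_uid)

    def uid_for(self, ue_wid):
        return next((u for u, w in self.bindings.items() if w == ue_wid), None)

    def pseudo_auth_verify(self, ue_wid):
        # Claim 9: map UE_WID to UE_UID, challenge that terminal over UMTS and
        # accept only if it reports the same UE_WID that the WLAN observed.
        ue_uid = self.uid_for(ue_wid)
        if ue_uid is None or ue_uid not in self.pending:
            return False
        answer = self.terminals[ue_uid].pseudo_challenge()
        return hmac.compare_digest(answer.encode(), ue_wid.encode())

    def deliver_token(self, ue_wid, token):
        # Claim 14: the subscriber's copy travels over UMTS, never over the WLAN.
        ue_uid = self.uid_for(ue_wid)
        self.terminals[ue_uid].token = token
        self.pending.discard(ue_uid)

class AP:
    def __init__(self, ap_id):
        self.ap_id, self.reserved = ap_id, {}  # UE_WID -> (sha256(token), expiry)

    def reserve(self, ue_wid, token, now):
        self.reserved[ue_wid] = (hashlib.sha256(token).digest(), now + TOKEN_LIFETIME)

    def access(self, ue_wid, token, now):
        # Steps C/D: time limited, constant-time compare, consumed on success.
        digest, expiry = self.reserved.get(ue_wid, (None, 0))
        if digest is None or now > expiry:
            self.reserved.pop(ue_wid, None)  # nothing reserved, or it lapsed
            return False
        if token is None or not hmac.compare_digest(hashlib.sha256(token).digest(), digest):
            return False  # a wrong guess must not evict the legitimate holder
        del self.reserved[ue_wid]
        return True

class AAA_W:
    def __init__(self, aaa_u, aps, partners):
        self.aaa_u, self.aps, self.partners = aaa_u, aps, partners

    def login(self, ue_wid, ap_id, first_network_id, now):
        if first_network_id not in self.partners:      # claim 11
            return "rejected: no roaming agreement"
        if ap_id not in self.aps:                       # claim 10, step C0
            return "rejected: unknown access device"
        if not self.aaa_u.pseudo_auth_verify(ue_wid):   # step B
            return "rejected: home network did not confirm the request"
        token = secrets.token_bytes(16)                 # claim 14: one pair ...
        self.aps[ap_id].reserve(ue_wid, token, now)     # ... AP keeps the digest,
        self.aaa_u.deliver_token(ue_wid, token)         # ... terminal gets the token
        return "admitted"

def run_scenario(now=1_000_000.0):
    alice = Terminal("460001234567890", "00:11:22:33:44:55")  # constructed identities
    aaa_u, ap = AAA_U([alice]), AP("AP-1")
    aaa_w = AAA_W(aaa_u, {"AP-1": ap}, {"UMTS-home"})
    r = {}
    aaa_u.wlan_login_request(alice.ue_uid, alice.ue_wid)
    r["login"] = aaa_w.login(alice.ue_wid, "AP-1", "UMTS-home", now)
    r["access"] = ap.access(alice.ue_wid, alice.token, now)
    r["replay"] = ap.access(alice.ue_wid, alice.token, now)  # token already consumed
    # Impostor spoofing Alice's MAC while she logs in: step B passes because Alice
    # truthfully answers the UMTS challenge, but the token reaches Alice, not him.
    aaa_u.wlan_login_request(alice.ue_uid, alice.ue_wid)
    r["spoof_login"] = aaa_w.login(alice.ue_wid, "AP-1", "UMTS-home", now)
    r["spoof_access"] = ap.access(alice.ue_wid, secrets.token_bytes(16), now)
    # Alice's genuine token presented only after the AP's reservation has lapsed.
    r["expired"] = ap.access(alice.ue_wid, alice.token, now + TOKEN_LIFETIME + 1)
    # A MAC with no outstanding request at the home network proves nothing.
    r["unknown_mac"] = aaa_w.login("66:77:88:99:aa:bb", "AP-1", "UMTS-home", now)
    return r
```

Call run_scenario() to see the outcomes of each case. Two points the model makes visible. First, the MAC address used as UE_WID is an identifier, not a secret, so the step B check on its own is passed by an impostor who spoofs the MAC of a subscriber who happens to be logging in at that moment; what denies the impostor at step C is the token copy delivered over the UMTS bearer, which never crosses the WLAN. Second, because the token is checked at the access point, an implementer should compare it in constant time, accept it once, and honour it only within the lifetime of the reservation it belongs to; the patent leaves these details to the implementer.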
CNB2006100995373A 2006-07-28 2006-07-28 Identification method for multi-mode terminal roaming among heterogenous inserting technology networks Active CN100469196C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2006100995373A CN100469196C (en) 2006-07-28 2006-07-28 Identification method for multi-mode terminal roaming among heterogenous inserting technology networks

Publications (2)

Publication Number Publication Date
CN1889781A CN1889781A (en) 2007-01-03
CN100469196C true CN100469196C (en) 2009-03-11

Family

ID=37579039

Country Status (1)

Country Link
CN (1) CN100469196C (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101222319B (en) * 2007-01-10 2010-05-26 华为技术有限公司 Cryptographic key distribution method and system in mobile communication system
US8005224B2 (en) 2007-03-14 2011-08-23 Futurewei Technologies, Inc. Token-based dynamic key distribution method for roaming environments
CN101150870B (en) * 2007-10-18 2012-06-20 中兴通讯股份有限公司 Call processing method for multi-mode terminal
JP5521057B2 (en) * 2010-03-09 2014-06-11 アルカテル−ルーセント Method and apparatus for authenticating user equipment
CN102547698B (en) * 2010-12-22 2014-09-10 中国移动通信集团北京有限公司 Authentication system, method and intermediate authentication platform
CN102158487A (en) * 2011-04-01 2011-08-17 福建星网锐捷网络有限公司 Network access control method, system and device
CN102960003B (en) * 2011-06-30 2016-05-25 华为技术有限公司 A kind of multimode list is treated the method and apparatus of terminal at network registry
CN102595405A (en) * 2012-01-21 2012-07-18 华为技术有限公司 Authentication method, system and equipment for network access
CN103384409A (en) * 2012-05-03 2013-11-06 中国移动通信集团上海有限公司 Method and system for accessing wireless local area networks and equipment
CN107666488A (en) * 2017-10-16 2018-02-06 北京佰才邦技术有限公司 A kind of authentication method, device, system and server
CN108770043B (en) * 2018-05-15 2021-01-08 奇酷互联网络科技(深圳)有限公司 Network marking method, device, readable storage medium and mobile terminal

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100083 No. 40, Haidian District, Beijing, Xueyuan Road

Patentee after: CHINA ACADEMY OF TELECOMMUNICATIONS TECHNOLOGY

Address before: 100083 No. 40, Haidian District, Beijing, Xueyuan Road

Patentee before: CHINA ACADEMY OF TELECOMMUNICATIONS TECHNOLOGY

TR01 Transfer of patent right

Effective date of registration: 20210528

Address after: 100085 1st floor, building 1, yard 5, Shangdi East Road, Haidian District, Beijing

Patentee after: DATANG MOBILE COMMUNICATIONS EQUIPMENT Co.,Ltd.

Address before: 100083 No. 40, Haidian District, Beijing, Xueyuan Road

Patentee before: CHINA ACADEMY OF TELECOMMUNICATIONS TECHNOLOGY