CN101039311A - Identification web page service network system and its authentication method - Google Patents

Identification web page service network system and its authentication method

Info

Publication number: CN101039311A (granted as CN101039311B)
Authority: CN (China)
Application number: CNA2006100344936A
Priority application: CN200610034493A; PCT application: PCT/CN2007/000762
Original language: Chinese (zh)
Inventor: 何承东
Original and current assignee: Huawei Technologies Co Ltd
Prior art keywords: authentication, entity, service, user terminal, single sign-on
Legal status: Granted; Expired - Fee Related (status and assignee as listed by Google Patents, which has performed no legal analysis)

Classifications

    • H04W12/06 Authentication (under H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
    • H04W12/0431 Key distribution or pre-distribution; Key agreement (under H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA], and H04W12/043 Key management using a trusted network node as an anchor)
    • H04L63/0815 Network security architectures or protocols for authentication of entities, providing single-sign-on or federations (under H04L63/00 and H04L63/08)
    • H04L63/0869 Network security architectures or protocols for authentication of entities, for achieving mutual authentication (under H04L63/00 and H04L63/08)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention discloses an identity web service network system and an authentication method for it. The system comprises an HSS, a BSF, a combined network application function / authentication service / single sign-on service (NAF/AS/SSOS) entity, an SP and a UE. In the authentication method, the communication between the UE and the SP includes a GBA authentication process and an ID-WSF authentication process. In the GBA authentication process the bootstrapping server function generates a bootstrapping transaction identifier (B-TID) and a root-key lifetime and sends them to the UE, and both the BSF and the UE generate the root key. In the ID-WSF authentication process the AS entity or AS module generates the credentials the UE needs to access the SSOS entity or SSOS module; the SSOS entity or module then either generates an authentication assertion and sends it to the UE, or generates an authentication assertion together with a corresponding assertion artifact, stores the mapping table between assertion and artifact, and sends only the artifact to the UE.

Description

Identity web service network system and authentication method therefor
Technical field
The present invention relates to the Internet, next generation network (NGN, Next Generation Networks) and third generation partnership project (3GPP, The Third Generation Partnership Project) technical fields, and specifically to an identity web service framework (ID-WSF, Identity Web Service Framework) network system and an authentication method for it.
Background art
As shown in Figure 1, 3GPP has defined a generic bootstrapping architecture (GBA, Generic Bootstrapping Architecture). GBA typically consists of an IP multimedia subsystem (IMS, IP Multimedia Core Network Subsystem) user terminal (UE, User Equipment), a bootstrapping server function (BSF, Bootstrapping Server Function), a home subscriber server (HSS, Home Subscriber Server), a subscriber locator function (SLF, Subscriber Locator Function) and a network application function (NAF, Network Application Function). The UE and the BSF are connected over the Ub interface, the UE and the NAF over the Ua interface, the BSF and the HSS over the Zh interface, the BSF and the NAF over the Zn interface, and the BSF and the SLF over the Dz interface. The BSF performs mutual authentication with the UE when the UE runs the bootstrapping process and at the same time generates a key Ks shared between the BSF and the user. The HSS stores the subscription profile describing the user and also generates authentication information. The SLF helps the BSF locate the correct HSS when there are several. The NAF provides network services to the UE.
The bootstrapping procedure that the UE runs over the Ub interface is shown in Figure 2 and proceeds as follows:
Step 1: When the UE needs to use a service, it performs mutual authentication with the BSF. If the UE already knows that the service requires this, it sends an authentication request directly to the BSF. Otherwise the UE first contacts the NAF for that service; if the NAF uses GBA and finds that the UE has not yet performed mutual authentication with the BSF, the NAF tells the UE to authenticate with the BSF, and the UE then sends its authentication request to the BSF.
Step 2: On receiving the UE's authentication request, the BSF first fetches the authentication vector for this UE, the quintuple (RAND, AUTN, XRES, CK, IK), from the HSS.
Steps 3 to 6: The BSF and the UE run HTTP Digest AKA for mutual authentication and key agreement, completing mutual identity authentication between them.
Step 7: The BSF generates the shared root key Ks and assigns Ks a lifetime so that it is refreshed periodically.
Step 8: The BSF allocates a bootstrapping transaction identifier (B-TID, bootstrapping transaction identifier) that identifies this authentication transaction between the BSF and the UE. The BSF associates the B-TID with the root key Ks and the UE's private user identity (IMPI, IMS Private Identity) so that it can later look up Ks from the B-TID, and then sends the B-TID and the Ks lifetime to the UE in the clear.
Step 9: The UE generates the same shared root key Ks as the BSF.
After these steps the UE and the BSF share a root key Ks, and the UE derives the key it will share with the NAF it wants to access using:
Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id), or
Ks_Ext_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id) and
Ks_Int_NAF = KDF(Ks, "gba-u", RAND, IMPI, NAF_Id),
where Ks_(Ext/Int)_NAF is the derived key shared with the NAF, NAF_Id is the concatenation of the host name of the NAF to be accessed and the Ua-interface protocol identifier (UaID), RAND is the random number, IMPI is the UE's private user identity, "gba-me" and "gba-u" are constant strings, and KDF is the key derivation function. The UE thus holds Ks_(Ext/Int)_NAF; what remains is for the NAF to obtain the same derived key. Only when both the NAF and the UE hold Ks_(Ext/Int)_NAF can a secure channel between them be set up.
The procedure by which the NAF obtains Ks_(Ext/Int)_NAF is shown in Figure 3 and proceeds as follows:
Step 1: The UE first derives Ks_(Ext/Int)_NAF with the formula above and sends a connection request to the NAF, using the B-TID as user name and Ks_(Ext/Int)_NAF as password. A TLS connection may be established beforehand to protect the Ua interface.
Step 2: On receiving the UE's connection request, the NAF sends an authentication request to the BSF carrying the B-TID and the NAF host name.
Step 3: The BSF holds the B-TID, the IMPI, Ks, the key lifetime, the start time of the mutual authentication between the BSF and the UE, and the related GBA user security settings (GUSS, GBA User Security Settings). If the BSF finds a Ks for this B-TID, the user is authenticated; the BSF then computes Ks_(Ext/Int)_NAF with the same formula as the user side and returns, in its authentication response, Ks_(Ext/Int)_NAF, the lifetime of Ks_(Ext/Int)_NAF, the start time of the mutual authentication between the BSF and the UE, and the user security settings (USS, User Security Setting) relevant to the application (a GUSS may contain several USS). The NAF stores this information on receipt.
The NAF and the UE now share the key Ks_(Ext/Int)_NAF derived from Ks and can communicate securely from then on.
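The derivation and the Zn lookup above, as an added example that is not part of the patent: a Python model of the UE deriving Ks_NAF, the BSF resolving a B-TID for the NAF, and the NAF checking an HTTP Digest response in which the B-TID is the user name and Ks_NAF the password. The KDF follows the 3GPP generic construction (HMAC-SHA-256 over a function code and length-prefixed parameters); the FC value, the Ua protocol identifier, the B-TID format, the realm string and every name and key are assumptions or constructed data, not values taken from the patent.

```python
"""GBA key derivation and NAF-side B-TID verification (added example)."""
import base64
import hashlib
import hmac
import os
import time

# Assumed constants. FC = 0x01 is the function code I take TS 33.220 Annex B to
# assign to the GBA derivation; the five-byte Ua security protocol identifier
# 0x0100000002 is the one listed there for TLS with HTTP Digest.
FC_GBA = b"\x01"
UA_PROTO_ID = bytes.fromhex("0100000002")


def tlv(param: bytes) -> bytes:
    """P_i || L_i: a parameter followed by its two-byte big-endian length."""
    return param + len(param).to_bytes(2, "big")


def naf_id(fqdn: str, ua_proto_id: bytes = UA_PROTO_ID) -> bytes:
    """NAF_Id = NAF host name || Ua security protocol identifier."""
    return fqdn.encode() + ua_proto_id


def kdf(ks: bytes, label: str, rand: bytes, impi: str, naf_id_bytes: bytes) -> bytes:
    """Ks_(Ext)_NAF = KDF(Ks, label, RAND, IMPI, NAF_Id): HMAC-SHA-256 keyed with Ks
    over S = FC || P0||L0 || P1||L1 || P2||L2 || P3||L3 (the 3GPP generic KDF)."""
    s = FC_GBA + tlv(label.encode()) + tlv(rand) + tlv(impi.encode()) + tlv(naf_id_bytes)
    return hmac.new(ks, s, hashlib.sha256).digest()


def digest_response(user: str, password: str, realm: str, nonce: str, method: str, uri: str) -> str:
    """HTTP Digest (RFC 2617, no qop) response: MD5(HA1:nonce:HA2). The UE uses the
    B-TID as user name and base64(Ks_NAF) as password (step 1 of Figure 3)."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


class BSF:
    """Keeps B-TID -> (Ks, IMPI, RAND, Ks expiry) after bootstrapping (steps 7 and 8)."""

    def __init__(self, ks_lifetime_s: int = 3600):
        self.table = {}
        self.ks_lifetime_s = ks_lifetime_s

    def bootstrap(self, impi: str, rand: bytes, ks: bytes, now: float):
        # B-TID format constructed for the example (TS 33.220 uses base64(RAND)@BSF_name).
        btid = base64.b64encode(rand).decode() + "@bsf.example.com"
        self.table[btid] = (ks, impi, rand, now + self.ks_lifetime_s)
        return btid, self.ks_lifetime_s

    def zn_lookup(self, btid: str, naf_fqdn: str, now: float):
        """Zn request (steps 2 and 3): the NAF presents the B-TID and its host name; the
        BSF derives Ks_NAF with the UE's formula, or refuses if the B-TID is unknown
        or Ks has expired."""
        entry = self.table.get(btid)
        if entry is None:
            return None
        ks, impi, rand, expiry = entry
        if now >= expiry:
            return None
        return kdf(ks, "gba-me", rand, impi, naf_id(naf_fqdn)), expiry


class NAF:
    def __init__(self, fqdn: str, bsf: BSF):
        self.fqdn = fqdn
        self.bsf = bsf
        self.realm = f"3GPP-bootstrapping@{fqdn}"  # realm form assumed from TS 33.222
        self.cache = {}  # B-TID -> (Ks_NAF, expiry), kept after the Zn response

    def verify(self, btid: str, response: str, nonce: str, method: str, uri: str, now: float) -> bool:
        entry = self.cache.get(btid)
        if entry is None or now >= entry[1]:
            entry = self.bsf.zn_lookup(btid, self.fqdn, now)
            if entry is None:
                return False
            self.cache[btid] = entry
        ks_naf, _ = entry
        expected = digest_response(btid, base64.b64encode(ks_naf).decode(), self.realm, nonce, method, uri)
        return hmac.compare_digest(expected, response)


def demo(now: float = None):
    """UE and NAF end up with the same Ks_NAF; a stale B-TID or wrong nonce is rejected."""
    now = time.time() if now is None else now
    impi, rand, ks = "user@ims.example.com", os.urandom(16), os.urandom(32)  # constructed; Ks comes from AKA
    bsf = BSF()
    btid, _ = bsf.bootstrap(impi, rand, ks, now)
    naf = NAF("naf.example.com", bsf)
    ks_naf_ue = kdf(ks, "gba-me", rand, impi, naf_id(naf.fqdn))
    nonce = os.urandom(8).hex()
    resp = digest_response(btid, base64.b64encode(ks_naf_ue).decode(), naf.realm, nonce, "GET", "/service")
    fresh = naf.verify(btid, resp, nonce, "GET", "/service", now)
    stale = naf.verify(btid, resp, nonce, "GET", "/service", now + 7200)  # Ks lifetime passed
    wrong = naf.verify(btid, resp, os.urandom(8).hex(), "GET", "/service", now)  # nonce mismatch
    return fresh, stale, wrong
```

The NAF never sees Ks itself, only the per-NAF derivative, and the expiry returned over Zn is enforced on the NAF side so that a B-TID is not accepted past the root-key lifetime the BSF announced in step 8.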
Separately, the Liberty Alliance Project (LAP) has defined network architectures and standards for accessing Web services. It comprises three sub-frameworks: the Identity Federation Framework (ID-FF), the Identity Web Service Framework (ID-WSF) and the Identity Services Interface Specifications (ID-SIS). ID-FF mainly provides identity federation and single sign-on (SSO, Single Sign On). ID-WSF defines, on top of ID-FF, identity-based Web service structures for offering simple, user-customisable Web services. ID-SIS defines interface specifications for Web services. The ID-FF architecture, shown in Figure 4, comprises three entities: the UE, the identity provider (IdP, Identity Provider) and the service provider (SP, Service Provider). Identity federation means that the UE has its own identity, that is, a user ID, at the IdP and at each SP, and that these identities can be federated. SSO means that, on top of identity federation, once the UE has authenticated at the IdP it is regarded as having authenticated at all federated SPs.
Figure 5 shows the ID-FF and GBA interworking architecture, in which the UE has two authentication modes. In the first, after the UE authenticates at the IdP, the IdP returns the UE's authentication assertion (Assertion) directly to the UE; the UE passes the Assertion to the SP, and the SP authenticates the UE by parsing it. In the second, after the UE authenticates at the IdP, the IdP returns to the UE an artifact (Artifact) that refers to the assertion; the UE passes the Artifact to the SP, the SP sends it to the IdP over SOAP, the IdP looks up the corresponding Assertion and returns it to the SP, and finally the SP authenticates the UE by parsing the Assertion.
The ID-WSF architecture, shown in Figure 6, comprises the user terminal (UE), the identity provider (IdP), the service provider (SP), the Web service consumer (WSC, Web Service Consumer) that uses Web services, the Web service provider (WSP, Web Service Provider) that provides them, and the discovery service (DS, Discovery Service).
These entities cooperate as follows: the WSP first registers the Web service types it offers with the DS; when the UE accesses the WSC, the WSC queries the DS for accessible WSPs; the DS matches and returns the relevant WSP addresses to the WSC; the WSC then accesses the relevant WSP on behalf of the UE. The roles of WSC and WSP (or SP) are relative: a WSC that consumes one Web service can also act as a WSP (or SP) for another, and a WSP or SP that provides one Web service can act as a WSC for another.
Figure 7 shows a further simplified form of this architecture in which the WSC function is implemented on the UE and a WSP provides the authentication service (AS, Authentication Service) function. The AS function in ID-WSF corresponds to the IdP function in ID-FF and performs the identity Web service authentication. Because Figure 7 only concerns ID-WSF authentication transactions, the DS is omitted.
Figure 8 shows the ID-WSF architecture with a single sign-on service (SSOS, Single-Sign-On Service) entity added. Its main workflow is as follows: first the UE and the AS complete AS authentication through a SASL exchange; after successful authentication the AS returns to the UE the address of the SSOS and the credentials (Credentials) needed to access it; the UE uses the Credentials obtained from the AS to access the SSOS and performs SSOS authentication, and on success the SSOS returns an Assertion to the UE; the UE then uses this Assertion to access the relevant SPs.
It can be seen from the above that, on the one hand, in GBA, after the UE and the BSF have obtained the root key Ks and the B-TID, the UE must still authenticate separately at every NAF, using the B-TID as user name and Ks_(Ext/Int)_NAF as password, in order to access it. This repeated authentication improves security but makes terminal operation more complex and less convenient. On the other hand, in ID-WSF the single sign-on function establishes identity security associations between each SP and the SSOS, forming a circle of trust: once the UE has authenticated at the SSOS it is regarded as authenticated at every SP in that circle of trust. The prior art provides no way of interworking these two architectures, so ID-WSF communication is not secure enough and GBA terminal operation is not convenient enough, which restricts the extension of terminal application scenarios and the terminal's convenient use of the existing, diverse Web services.
Summary of the invention
The technical problem to be solved by the present invention is to provide an identity web service network system and an authentication method for it, overcoming the drawbacks of the prior art that GBA authentication cannot be used when the UE authenticates to ID-WSF and that communication security is low.
The present invention adopts the following technical solution:
An identity web service network system comprises the home subscriber server and the bootstrapping server function of a generic bootstrapping architecture, a service provider entity and a user terminal. The home subscriber server and the bootstrapping server function communicate over the Zh interface, and the bootstrapping server function and the user terminal over the Ub interface. It is characterised by a combined network application function / authentication service / single sign-on service entity comprising a network application function module that provides the NAF function, an authentication service module that provides the AS entity function, and a single sign-on service module that provides the SSOS entity function; the network application function module communicates with the bootstrapping server function over the Zn interface and with the user terminal over the Ua interface.
In the system described above, the single sign-on service module and the user terminal communicate using the single sign-on and identity federation protocols described by the Security Assertion Markup Language (SAML), with messages encapsulated in SOAP or HTTP; the authentication service module and the user terminal communicate using the Simple Authentication and Security Layer (SASL) protocol, with messages encapsulated in SOAP or HTTP; the single sign-on service module and the service provider entity encapsulate their messages in SOAP; and the user terminal and the service provider entity encapsulate their messages in SOAP or HTTP.
An authentication method for the identity web service network system comprises the following steps. The communication between the user terminal and the service provider entity includes two authentication processes, a GBA authentication process and an ID-WSF authentication process. In the GBA authentication process the bootstrapping server function generates the bootstrapping transaction identifier and the root-key lifetime and sends them to the user terminal, and the bootstrapping server function and the user terminal both generate the root key. In the ID-WSF authentication process the authentication service entity or module generates the credentials the user terminal needs to access the single sign-on service entity or module; the single sign-on service entity or module either generates an authentication assertion and sends it to the user terminal, or generates an authentication assertion and a corresponding assertion artifact, stores the mapping table between assertion and artifact, and sends the artifact to the user terminal.
The method described above comprises the steps: the user terminal sends an ID-WSF authentication request message to the corresponding authentication service entity or module; the authentication service entity or module sends the user terminal a challenge message requiring it to perform GBA authentication; the bootstrapping server function performs GBA authentication of the user terminal and, on success, sends the user terminal a GBA authentication success response message containing the bootstrapping transaction identifier and the root-key lifetime. The user terminal then sends an application request message to the authentication service entity or module, which authenticates the user terminal on the basis of this request and, on success, sends the user terminal a response message containing the address of and the credentials for the single sign-on service entity or module.
The method described above comprises the step: the single sign-on service entity or module performs ID-WSF authentication of the user terminal and, on success, sends the user terminal an ID-WSF authentication success response message containing the authentication assertion.
The method described above comprises the step: the single sign-on service entity or module performs ID-WSF authentication of the user terminal, generates an authentication assertion and a corresponding assertion artifact, stores the mapping table between assertion and artifact, and includes the artifact in the ID-WSF authentication success response message subsequently sent to the user terminal.
The method described above comprises the steps:
A1, the user terminal sends an application request message to the service provider entity;
A2, on receiving this application request message, the service provider entity first obtains the address of the authentication service entity or module and then sends the user terminal a response message carrying an authentication request header field;
A3, the user terminal sends an application request message to the authentication service entity or module containing a SASL request header field, which contains an authentication mechanism header field listing the authentication modes the user terminal supports;
A4, the authentication service entity or module sends the user terminal a challenge message containing a SASL response header field, which contains a server mechanism header field recording the authentication mode selected by the authentication service entity or module, and a challenge header field;
A5, the user terminal and the bootstrapping server function interact to perform GBA authentication;
A6, the user terminal sends an application request message to the authentication service entity or module containing a SASL request header field; this contains a challenge response header field carrying the bootstrapping transaction identifier and the authentication response digest;
A7, the authentication service entity or module obtains the shared key, user security settings, key lifetime and bootstrapping time from the bootstrapping server function over the Zn interface and authenticates the user terminal on the basis of the received SASL request header field; on success it sends the user terminal a response message containing a SASL response header field that carries the address of and the credentials for the single sign-on service entity or module.
In the method described above, a user terminal that supports both GBA authentication and ID-WSF authentication sets a GBA flag in the application request message it sends to the authentication service entity or module. If the authentication service entity or module finds this GBA flag, it tells the user terminal to start the GBA authentication process first and then the ID-WSF authentication process; otherwise it tells the user terminal to start only the ID-WSF authentication process.
In the method described above, step A5 comprises the steps:
B1, the user terminal sends a GBA authentication request message to the bootstrapping server function containing its private user identity;
B2, on receiving this GBA authentication request message, the bootstrapping server function obtains the user terminal's authentication vector from the home subscriber server;
B3, the bootstrapping server function sends the user terminal a challenge message carrying the authentication sequence number parameter (in AUTN) and the random parameter (RAND);
B4, the user terminal checks the validity of the sequence number and generates the authentication response RES;
B5, the user terminal sends the bootstrapping server function a message carrying its private user identity and RES;
B6, the bootstrapping server function checks RES against the expected result XRES and generates the root key;
B7, the bootstrapping server function sends the user terminal a GBA success response message carrying the bootstrapping transaction identifier and the root-key lifetime;
B8, the user terminal stores the bootstrapping transaction identifier and the root-key lifetime, and generates and stores the root key and the shared key.
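Steps A1 to A7 and B1 to B8, together with the GBA flag and the re-authentication policies claimed further below, as an added example that is not the patent's own code: a Python model of the AS side of the SASL negotiation. The Ub run between the UE and the BSF (step A5) is assumed already done, so the Zn result is supplied as a prefilled table from B-TID to Ks_NAF; the mechanism names, the construction of the authentication response digest, the credential format and all addresses are assumptions.

```python
"""SASL negotiation at the AS with a GBA flag, and the re-authentication policy (added example)."""
import hashlib
import hmac
import os

GBA_MECHANISM = "GBA-DIGEST"             # constructed mechanism name for the GBA path
AS_MECHANISMS = ["GBA-DIGEST", "PLAIN"]  # mechanisms this AS offers (constructed)


def response_digest(ks_naf: bytes, challenge: str) -> str:
    """The 'authentication response digest' of step A6. The construction is assumed
    (HMAC-SHA-256 of the challenge under Ks_NAF); the patent does not fix it."""
    return hmac.new(ks_naf, challenge.encode(), hashlib.sha256).hexdigest()


class AuthenticationService:
    """AS entity. zn_keys maps B-TID -> (Ks_NAF, expiry) and stands for what the
    NAF module obtains from the BSF over Zn in step A7."""

    def __init__(self, zn_keys: dict, ssos_address: str, policy: str = "idwsf-only"):
        self.zn_keys = zn_keys
        self.ssos_address = ssos_address
        self.policy = policy             # "idwsf-only" or "gba-and-idwsf": the two claimed policies
        self.pending = {}                # challenge -> chosen mechanism; consumed on first use
        self.cred_key = os.urandom(32)   # key for minting SSOS credentials (constructed)

    def handle(self, request: dict, now: float) -> dict:
        """Steps A3/A4 (mechanism offer -> challenge) and A6/A7 (challenge response -> credentials)."""
        sasl = request["SASL"]
        if "challengeResponse" in sasl:
            return self._verify(sasl["challengeResponse"], now)
        offered = [m for m in sasl["mechanisms"] if m in AS_MECHANISMS]
        if sasl.get("gba") and GBA_MECHANISM in offered:
            chosen, plan = GBA_MECHANISM, ["GBA", "ID-WSF"]   # GBA flag set: run GBA first
        else:
            chosen = next((m for m in offered if m != GBA_MECHANISM), None)
            plan = ["ID-WSF"]
        if chosen is None:
            return {"status": "fail", "reason": "no common mechanism"}
        challenge = os.urandom(16).hex()
        self.pending[challenge] = chosen
        return {"status": "challenge", "SASL": {"serverMechanism": chosen, "challenge": challenge}, "plan": plan}

    def _verify(self, cr: dict, now: float) -> dict:
        chosen = self.pending.pop(cr.get("challenge"), None)   # unknown or replayed challenge -> None
        if chosen != GBA_MECHANISM:
            return {"status": "fail", "reason": "no outstanding GBA challenge"}
        entry = self.zn_keys.get(cr.get("btid"))
        if entry is None or now >= entry[1]:
            return {"status": "fail", "reason": "B-TID unknown or Ks expired: rerun GBA"}
        ks_naf, _ = entry
        if not hmac.compare_digest(response_digest(ks_naf, cr["challenge"]), cr.get("digest", "")):
            return {"status": "fail", "reason": "digest mismatch"}
        creds = hmac.new(self.cred_key, f"{cr['btid']}|{cr['challenge']}".encode(), hashlib.sha256).hexdigest()
        return {"status": "ok", "SASL": {"ssosAddress": self.ssos_address, "credentials": creds}}

    def reauth_plan(self, btid: str, now: float) -> list:
        """Local security policy on re-authentication: with a still-valid shared key,
        one claimed policy runs only ID-WSF, the other runs GBA and ID-WSF."""
        entry = self.zn_keys.get(btid)
        key_valid = entry is not None and now < entry[1]
        if key_valid and self.policy == "idwsf-only":
            return ["ID-WSF"]
        return ["GBA", "ID-WSF"]


def ue_run(as_entity: AuthenticationService, btid: str, ks_naf: bytes, now: float) -> dict:
    """UE side of steps A3, A4 and A6 (A5 assumed completed with the BSF)."""
    first = as_entity.handle({"SASL": {"mechanisms": ["GBA-DIGEST", "PLAIN"], "gba": True}}, now)
    if first["status"] != "challenge" or first["SASL"]["serverMechanism"] != GBA_MECHANISM:
        return first
    challenge = first["SASL"]["challenge"]
    cr = {"challenge": challenge, "btid": btid, "digest": response_digest(ks_naf, challenge)}
    return as_entity.handle({"SASL": {"challengeResponse": cr}}, now)


def demo(now: float = 1_700_000_000.0) -> dict:
    btid, ks_naf = "YWJj@bsf.example.com", os.urandom(32)   # constructed B-TID and Zn result
    as_entity = AuthenticationService({btid: (ks_naf, now + 3600)}, "https://ssos.example.com/sso")
    first = as_entity.handle({"SASL": {"mechanisms": ["GBA-DIGEST", "PLAIN"], "gba": True}}, now)
    ch = first["SASL"]["challenge"]
    cr = {"challenge": ch, "btid": btid, "digest": response_digest(ks_naf, ch)}
    results = {
        "gba": as_entity.handle({"SASL": {"challengeResponse": cr}}, now)["status"],
        "replay": as_entity.handle({"SASL": {"challengeResponse": cr}}, now)["status"],
        "no_flag": as_entity.handle({"SASL": {"mechanisms": ["PLAIN"], "gba": False}}, now)["plan"],
        "wrong_key": ue_run(as_entity, btid, os.urandom(32), now)["status"],
        "expired": ue_run(as_entity, btid, ks_naf, now + 7200)["status"],
        "reauth_valid": as_entity.reauth_plan(btid, now),
        "reauth_expired": as_entity.reauth_plan(btid, now + 7200),
    }
    strict = AuthenticationService({btid: (ks_naf, now + 3600)}, "https://ssos.example.com/sso", policy="gba-and-idwsf")
    results["reauth_strict"] = strict.reauth_plan(btid, now)
    return results
```

Two details matter in practice and are easy to drop from a prose description: the challenge is single-use, so a captured A6 message cannot be replayed, and the Ks lifetime obtained over Zn is checked at the AS, so an expired B-TID forces a fresh Ub run rather than silently issuing SSOS credentials.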
The method described above comprises the steps:
C1, the user terminal sends an application request message to the single sign-on service entity or module at the address it was given;
C2, the single sign-on service entity or module performs the authentication process according to the content of the received application request message and, on success, sends the user terminal a success response message containing the authentication assertion, which carries the digital signature of the single sign-on service entity or module;
C3, the user terminal sends an application request message containing the authentication assertion to the service provider entity;
C4, the service provider entity processes the authentication assertion, verifies the digital signature of the single sign-on service entity or module, completes authentication of the user terminal and sends a response message to the user terminal.
The method described above comprises the steps:
D1, the user terminal sends an application request message to the single sign-on service entity or module at the address it was given;
D2, the single sign-on service entity or module performs the authentication process according to the content of the received application request message, generates an authentication assertion and a corresponding assertion artifact, stores the mapping between the authentication assertion and the artifact, and on success sends the user terminal a success response message containing the artifact;
D3, the user terminal sends an application request message containing the artifact to the service provider entity;
D4, the service provider entity sends an application request message containing the artifact to the single sign-on service entity or module;
D5, the single sign-on service entity or module finds the authentication assertion corresponding to the artifact and sends the service provider entity a response message containing the authentication assertion, which carries the digital signature of the single sign-on service entity or module;
D6, the service provider entity processes the authentication assertion, verifies the digital signature of the single sign-on service entity or module, completes authentication of the user terminal and sends a response message to the user terminal.
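Steps C1 to C4 and D1 to D6, together with the re-authentication triggers claimed further below, as an added example that is not the patent's own code: a Python model of the SSOS issuing a signed assertion either directly or through an artifact, and of the SP verifying the signature and both time headers. The signature is an HMAC stand-in (the patent requires a digital signature of the SSOS; a deployment would use an asymmetric signature so that SPs hold only a public key), and the issuer name, credential values and lifetimes are constructed.

```python
"""SSOS assertion and artifact issuance, and SP-side verification (added example)."""
import hashlib
import hmac
import json
import os


def sign(key: bytes, assertion: dict) -> str:
    """Stand-in for the SSOS digital signature: HMAC-SHA-256 over the canonical JSON
    form of the assertion. A real SSOS would sign asymmetrically (e.g. XML-DSig on
    a SAML assertion); the verification logic in SP is otherwise the same."""
    canonical = json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class SSOS:
    def __init__(self, signing_key: bytes, credentials: list, lifetime_s: int = 300, reauth_s: int = 3600):
        self.key = signing_key
        self.credentials = set(credentials)  # credentials handed out by the AS (step A7)
        self.artifacts = {}                  # artifact -> signed assertion: the mapping table of step D2
        self.lifetime_s, self.reauth_s = lifetime_s, reauth_s

    def _issue(self, credentials: str, subject: str, now: int):
        if credentials not in self.credentials:
            return None
        self.credentials.discard(credentials)  # credentials are single use (assumption)
        assertion = {"issuer": "ssos.example.com", "subject": subject, "issued": now,
                     "not_on_or_after": now + self.lifetime_s,    # validity period header field
                     "reauth_on_or_after": now + self.reauth_s}   # re-authentication deadline header field
        return {"assertion": assertion, "signature": sign(self.key, assertion)}

    def authenticate_direct(self, credentials: str, subject: str, now: int):
        """Step C2: the signed assertion itself goes back to the UE."""
        return self._issue(credentials, subject, now)

    def authenticate_artifact(self, credentials: str, subject: str, now: int):
        """Step D2: keep the assertion, give the UE only an unguessable artifact."""
        signed = self._issue(credentials, subject, now)
        if signed is None:
            return None
        artifact = os.urandom(20).hex()
        self.artifacts[artifact] = signed
        return artifact

    def resolve(self, artifact: str):
        """Step D5: one-time resolution, so a leaked artifact cannot be replayed."""
        return self.artifacts.pop(artifact, None)


class SP:
    def __init__(self, ssos_key: bytes, ssos: SSOS, issuer: str = "ssos.example.com"):
        self.ssos_key, self.ssos, self.issuer = ssos_key, ssos, issuer

    def verify(self, signed, now: int):
        """Steps C4/D6 plus the claimed re-authentication triggers: signature, issuer,
        validity period and re-authentication deadline."""
        if signed is None:
            return False, "no assertion"
        assertion = signed["assertion"]
        if not hmac.compare_digest(sign(self.ssos_key, assertion), signed["signature"]):
            return False, "bad signature"
        if assertion["issuer"] != self.issuer:
            return False, "unexpected issuer"
        if now >= assertion["not_on_or_after"]:
            return False, "assertion expired: re-authenticate"
        if now >= assertion["reauth_on_or_after"]:
            return False, "re-authentication deadline passed: re-authenticate"
        return True, "ok"

    def login_with_artifact(self, artifact: str, now: int):
        """Steps D4 to D6: resolve the artifact at the SSOS, then verify the assertion."""
        return self.verify(self.ssos.resolve(artifact), now)


def demo(now: int = 1_700_000_000) -> dict:
    key = os.urandom(32)
    ssos = SSOS(key, ["cred-1", "cred-2"])
    sp = SP(key, ssos)
    subject = "user@ims.example.com"
    signed = ssos.authenticate_direct("cred-1", subject, now)
    tampered = {"assertion": dict(signed["assertion"], subject="mallory@ims.example.com"),
                "signature": signed["signature"]}
    artifact = ssos.authenticate_artifact("cred-2", subject, now)
    return {
        "direct": sp.verify(signed, now),
        "tampered": sp.verify(tampered, now),
        "expired": sp.verify(signed, now + 301),
        "artifact": sp.login_with_artifact(artifact, now),
        "artifact_replay": sp.login_with_artifact(artifact, now),
        "reused_credentials": ssos.authenticate_direct("cred-1", subject, now),
    }
```

The artifact path keeps the assertion off the UE entirely, which is why the mapping table of step D2 must be consulted exactly once per artifact: a second resolution of the same artifact fails rather than handing a second SP a copy of the assertion.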
Described identification web page service network system method for authenticating, wherein: simple authenticated and safe floor agreement request header field and simple authenticated and safe floor protocol responses header field are encapsulated by Simple Object Access Protocol.
Described identification web page service network system method for authenticating, wherein: when service provider's entity is received user terminal, Single Sign On Business Entity or Single Sign On business module send when withdrawing from link request message, perhaps when the session fair termination between service provider's entity and the user terminal, perhaps when the header field of the certification deadlines again time corresponding in the authentication statement that service provider's entity is received is expired, perhaps when in the statement of authentication that service provider's entity is received time limit, the header field time corresponding was expired the time, service provider's entity is requiring user terminal to re-authenticate subsequently with in the communication process of user terminal.
In the described identity web services network system authentication method, the following local security policy is configured on the authentication service entity or authentication service module: when the user terminal re-authenticates, if the key shared by the two sides has not expired, only the identity web services framework (ID-WSF) authentication is performed on the user terminal.
In the described identity web services network system authentication method, the following local security policy is configured on the authentication service entity or authentication service module: when the user terminal re-authenticates, if the key shared by the two sides has not expired, both the generic authentication architecture (GBA) authentication and the ID-WSF authentication are performed on the user terminal.
The technical scheme of the present invention improves and extends the ID-WSF of the prior art by adding the home subscriber server (HSS), the bootstrapping server function (BSF) entity and the network application function (NAF), and by implementing the functions of the original authentication service entity and Single Sign-On service entity, together with the newly added NAF, as the NAF module, the authentication service module and the Single Sign-On service module of a combined NAF/authentication service/Single Sign-On service entity. This achieves interworking between ID-WSF and GBA and overcomes the shortcoming of the prior art that GBA cannot be used to authenticate the UE in the ID-WSF authentication process. An identity web services network system and a method for authenticating the UE are provided; in the added GBA authentication process the BSF generates the bootstrapping transaction identifier (B-TID) and the root key lifetime and sends them to the user terminal, so that both the BSF and the user terminal generate the root key, which strengthens the security of the communication between the UE and the service provider entity.
Description of the drawings
The present invention includes the following drawings:
Fig. 1 is a schematic diagram of the prior art generic authentication architecture (GBA);
Fig. 2 is a flow chart of the UE performing the bootstrapping process in the prior art GBA;
Fig. 3 is a flow chart of the prior art NAF obtaining the shared key Ks_(Ext/Int)_NAF;
Fig. 4 is a schematic diagram of the prior art identity federation framework (ID-FF) network architecture;
Fig. 5 is a diagram of the prior art ID-FF and GBA interworking architecture;
Fig. 6 is a schematic diagram of the prior art identity web services framework (ID-WSF);
Fig. 7 is a simplified schematic diagram of the prior art ID-WSF;
Fig. 8 is a schematic diagram of the prior art ID-WSF including the Single Sign-On service entity (SSOS);
Fig. 9 is a schematic diagram of the prior art network architecture for GBA and ID-WSF interworking;
Fig. 10 is a schematic diagram of the NAF/authentication service/Single Sign-On service entity of the present invention;
Fig. 11 is a schematic diagram of the identity web services network system of the present invention;
Fig. 12 is a flow chart of the authentication method of the present invention that returns an Assertion to the UE when the AS and the SSOS are different entities;
Fig. 13 is a flow chart of the authentication method of the present invention that returns an Artifact to the UE when the AS and the SSOS are different entities;
Fig. 14 is a flow chart of the authentication method of the present invention that uses the NAF/authentication service/Single Sign-On service entity and returns an Assertion to the UE;
Fig. 15 is a flow chart of the authentication method of the present invention that uses the NAF/authentication service/Single Sign-On service entity and returns an Artifact to the UE.
Embodiments
The present invention is described in further detail below with reference to the drawings and embodiments:
In order to improve the security of the prior art ID-WSF network service and achieve interworking between ID-WSF and GBA, as shown in Fig. 10, the invention provides a NAF/authentication service/Single Sign-On service entity comprising a NAF module, an authentication service module and a Single Sign-On service module: the NAF module provides the network application function, the authentication service module provides the authentication service entity function, and the Single Sign-On service module provides the Single Sign-On service entity function. As shown in Fig. 11, the invention provides an identity web services network system comprising the HSS and BSF of the GBA, the NAF/authentication service/Single Sign-On service entity, the service provider entity and the user terminal. The HSS and the BSF communicate over the Zh interface, the BSF and the user terminal over the Ub interface, the NAF module and the BSF over the Zn interface, and the NAF module and the user terminal over the Ua interface. The Single Sign-On service module and the user terminal communicate using the Single Sign-On and identity federation protocols described by the Security Assertion Markup Language (SAML), and the messages may be encapsulated in SOAP or HTTP; the user terminal and the authentication service module communicate using the SASL protocol, with messages encapsulated in SOAP or HTTP; communication between the Single Sign-On service module and the service provider entity, and between the user terminal and the service provider entity, uses SOAP or HTTP encapsulation.
As shown in Fig. 9, the prior art provides a network architecture for GBA and ID-WSF interworking when the AS and the SSOS are different entities, but no corresponding authentication method.
As shown in Fig. 12, the invention provides authentication method embodiment 1, which authenticates the UE and returns an Assertion to the UE when the AS and the SSOS are different entities; as shown in Fig. 13, the invention provides authentication method embodiment 2, which authenticates the UE and returns an Artifact to the UE when the AS and the SSOS are different entities; as shown in Fig. 14, the invention provides authentication method embodiment 3, which uses the NAF/authentication service/Single Sign-On service entity and returns an Assertion to the UE; as shown in Fig. 15, the invention provides authentication method embodiment 4, which uses the NAF/authentication service/Single Sign-On service entity and returns an Artifact to the UE. The steps of embodiment 1 are identical to those of embodiment 3, and the steps of embodiment 2 are identical to those of embodiment 4; the only difference is that the functions performed by the Single Sign-On service entity and the authentication service entity in embodiments 1 and 2 are performed in embodiments 3 and 4 by the Single Sign-On service module and the authentication service module of the present invention.
The implementation of the authentication method of the present invention is set out below through the detailed description of embodiments 1 and 2:
The main points of the method are as follows. To achieve interworking between GBA and ID-WSF and to improve the security and usability of the ID-WSF network service, the communication between the user terminal and the service provider entity of the identity web services network system includes two authentication processes, the GBA authentication process and the ID-WSF authentication process. In the GBA authentication process, the BSF generates the B-TID and the root key lifetime and sends them to the user terminal, and both the BSF and the user terminal generate the root key. In the ID-WSF authentication process, the authentication service entity or authentication service module generates the credential the user terminal needs to access the Single Sign-On service entity or module; the Single Sign-On service entity or module then either generates an authentication assertion and sends it to the user terminal, or generates an authentication assertion and a corresponding authentication assertion link, stores the mapping between the assertion and the link, and sends the link to the user terminal.
In embodiments 1 and 2, the UE and the AS negotiate through the SASL protocol and use the HTTP DIGEST authentication mode; if another authentication mode is used, the digest-challenge header field (challenge header field) and the digest-response header field (challenge-response header field) are replaced by the challenge and challenge-response header fields of that authentication mode.
Embodiment 1 is described below:
Step 1: The UE sends an HTTP Request message (service request message) to the SP; to ensure security, a TLS secure tunnel may be established in advance between the UE and the SP.
Step 2: After receiving this HTTP Request, the SP first obtains the address of the AS and then sends an HTTP Response message to the UE carrying an AuthnRequest header field (authentication request header field);
Step 3: Because the UE integrates the WSC entity function, on receiving the response containing the AuthnRequest header field returned by the SP, the UE knows through its WSC that it must authenticate to the AS through the SASL (Simple Authentication and Security Layer) protocol rather than to the IdP through the HTTP DIGEST protocol. The UE sends an HTTP Request to the AS carrying a SOAP (Simple Object Access Protocol) encapsulated SASLRequest header field (SASL request header field); the mechanism header field (authentication mechanism header field) of the SASLRequest lists the authentication modes the UE supports, for example mechanism="CRAM-MD5 DIGEST-MD5", where DIGEST-MD5 denotes the HTTP DIGEST authentication mode;
Step 4: The AS returns an HTTP Response to the UE carrying a SOAP-encapsulated SASLResponse header field (SASL response header field); its serverMechanism header field records the authentication mode the AS selected from the list supported by the UE (for example serverMechanism="DIGEST-MD5" indicates that the AS selected HTTP DIGEST), together with a digest-challenge header field (challenge header field);
Step 5: The UE sends a GBA authentication request message to the BSF containing its private user identity (IMPI), requesting mutual authentication with the BSF;
Step 6: After receiving the GBA authentication request from the UE, the BSF first obtains the authentication vector of this UE from the HSS, i.e. the authentication vector (authentication sequence number parameter AUTN, random parameter RAND, integrity key IK, confidentiality key CK, expected result XRES);
Step 7: The BSF stores XRES, IK and CK and sends a message to the UE carrying AUTN and RAND;
Step 8: The UE runs the AKA algorithm, checks the validity of AUTN to authenticate the BSF, generates the result RES, and uses RAND to generate the integrity key IK and the confidentiality key CK;
Step 9: The UE sends a message to the BSF carrying the IMPI and the result RES;
Step 10: The BSF compares RES with the stored XRES; if they match, the authentication of the UE is complete, and the BSF uses the stored IK and CK to generate the root key Ks;
Step 11: The BSF sends a GBA success response message to the UE carrying the bootstrapping transaction identifier (B-TID) and the lifetime of the root key Ks;
Step 12: The UE stores the B-TID and the Ks lifetime, uses IK and CK to generate the root key Ks, and then generates and stores the shared key Ks_(Ext/Int)_NAF;
Step 13: The UE sends another HTTP Request to the AS carrying a SOAP-encapsulated SASLRequest header field; its mechanism header field is filled with the authentication mode selected by the AS in step 4 (here HTTP DIGEST), and the digest-response header field (challenge-response header field) of the SASLRequest contains a username header field filled with the B-TID, together with the authentication response digest computed with the key Ks_(Ext/Int)_NAF;
Step 14: The AS and the NAF are on one entity; if the AS does not hold the relevant Ks_(Ext/Int)_NAF key information, it can obtain Ks_(Ext/Int)_NAF, the USS, the key lifetime, the bootstrapping time and other information from the BSF over the Zn interface, where the USS may contain identity federation related information;
Step 15: Using the obtained Ks_(Ext/Int)_NAF key information, the AS processes the digest-response in the above SASLRequest header field; after the authentication by the AS succeeds, the AS sends an HTTP Response to the UE carrying a SOAP-encapsulated SASLResponse header field, whose ID-WSF EPR (EndpointReference) header field contains the SSOS address and a ServiceType field whose content includes urn:liberty:ssos:2004-04, as well as the credentials (Credentials) needed to access the SSOS and other SSO related information;
Step 16: Using the SSOS address obtained in step 15, the UE sends an HTTP Request to the SSOS to request the Assertion needed to access the SP; it carries SOAP-encapsulated samlp2:AuthnRequest, sb:Correlation and wsse:security header fields. Depending on the application and the network model, the AuthnRequest header field may be the one returned by the SP in step 2 or may be generated by the UE itself; it contains the authentication operations the AuthnRequest recipient is asked to perform, and its ProtocolBinding header field is set to urn:liberty:iff:profiles:id-wsf to indicate use of the SAML protocol binding. The wsse:security header field carries the credentials (Credentials) needed to access the SSOS that were returned in the previous step, and the sb:Correlation header field is mainly used to associate the response message returned by the SSOS with the corresponding request message;
Step 17: The SSOS performs the authentication process according to the content of the received HTTP Request; after successful authentication the SSOS may tell the UE which SPs it can form an identity federation with, the UE agrees and completes the identity federation with the SP, and the SSOS then returns an HTTP Response carrying a SOAP-encapsulated samlp2:Response header field, where the Response header field contains the saml:Assertion header field needed to access the SP (which contains the digital signature of the SSOS);
Step 18: The UE sends another HTTP Request to the SP carrying the SOAP-encapsulated saml:Assertion header field returned in the previous step;
Step 19: The SP processes the saml:Assertion header field, verifies the digital signature of the SSOS, completes the authentication of the UE according to the identity federation information of the SSOS, and on success returns an HTTP Response message.
Some further explanation:
According to the identity policy in the AuthnRequest, the AS may require the UE to execute steps 5 to 12 every time before executing step 13, to guarantee that the B-TID and the key Ks_(Ext/Int)_NAF are regenerated for each user identity.
Alternatively:
If a security association has been established between the UE and the AS and the Ks_(Ext/Int)_NAF key has not expired, steps 3 to 12 are not executed and step 13 is executed directly; that is, the digest-response header field in the SASLRequest header field of the HTTP Request the UE sends to the AS contains a username header field filled with the B-TID, together with the authentication response digest computed with the shared key Ks_(Ext/Int)_NAF.
If no security association has been established between the UE and the AS, steps 3 to 12 must be executed first, performing the normal GBA bootstrapping process to obtain the B-TID and the key information Ks_(Ext/Int)_NAF, and then step 13 is executed.
If a security association has been established between the UE and the AS but the Ks_(Ext/Int)_NAF key has expired or is about to expire, step 3 still carries the existing B-TID and the authentication response digest computed with the key Ks_(Ext/Int)_NAF; the AS then challenges the UE in step 4, the UE executes steps 5 to 12 again, performing the normal GBA authentication process to obtain a renewed B-TID and shared key Ks_(Ext/Int)_NAF, and then executes step 13.
In addition, for a UE in the present invention that supports both the GBA and SSO mechanisms: when the UE sends the HTTP request to the AS in step 3, it needs to carry an indication that it supports the GBA mechanism; for example, for an ME (Mobile Equipment) based application the User-Agent header field is set to "3gpp-gba", and for a UICC (Universal Integrated Circuit Card) based application the User-Agent header field is set to "3gpp-gba-uicc". After the AS finds that the UE supports GBA, the challenge in step 4 also carries an indication that the UE must perform the GBA mechanism; for example, for an ME based application the realm parameter in the digest-challenge header field is set to "3gpp-gba@<NAF domain name>", and for a UICC based application the realm parameter in the digest-challenge header field is set to "3gpp-gba-uicc@<NAF domain name>".
If the UE finds this indication in the challenge, it knows that it must first perform the GBA process (steps 3 to 12) and then execute step 13; otherwise it executes step 13 directly, with the username and password obtained and handled by the existing SSO mechanism, for example entered directly by the user in a dialog box presented to the user.
When the UE sends the HTTP request to the AS again in step 13, it must, as in step 3, carry the indication that it supports the GBA mechanism; if the AS finds this indication, it knows it must first execute step 14 and then step 15; otherwise it executes step 15 directly.
The same purpose can also be achieved by configuring the AS. The above points apply equally to embodiment 2 below.
Embodiment 2 is described below:
Step 1: The UE sends an HTTP Request message to the SP;
Step 2: After receiving this HTTP Request, the SP first obtains the address of the AS and then sends an HTTP Response message to the UE carrying the AuthnRequest header field;
Step 3: Because the UE integrates the WSC entity function, on receiving the response containing the AuthnRequest header field returned by the SP, the UE knows through its WSC that it must authenticate to the AS through the SASL protocol rather than to the IdP through the HTTP DIGEST protocol. The UE sends an HTTP Request to the AS carrying a SOAP-encapsulated SASLRequest header field; the mechanism header field of the SASLRequest lists the authentication modes the UE supports, for example mechanism="CRAM-MD5 DIGEST-MD5", where DIGEST-MD5 denotes the HTTP DIGEST authentication mode;
Step 4: The AS returns an HTTP Response to the UE carrying a SOAP-encapsulated SASLResponse header field; its serverMechanism header field (server authentication mechanism header field) records the authentication mode the AS selected from the list supported by the UE (for example serverMechanism="DIGEST-MD5" indicates that the AS selected HTTP DIGEST), together with the challenge header field digest-challenge;
Step 5: The UE sends a GBA authentication request message to the BSF containing its private user identity (IMPI), requesting mutual authentication with the BSF;
Step 6: After receiving the GBA authentication request from the UE, the BSF first obtains the authentication vector of this UE from the HSS, i.e. the authentication vector (authentication sequence number parameter AUTN, random parameter RAND, integrity key IK, confidentiality key CK, expected result XRES);
Step 7: The BSF stores XRES, IK and CK and sends a message to the UE carrying AUTN and RAND;
Step 8: The UE runs the AKA algorithm, checks the validity of AUTN to authenticate the BSF, generates the result RES, and uses RAND to generate the integrity key IK and the confidentiality key CK;
Step 9: The UE sends a message to the BSF carrying the IMPI and the result RES;
Step 10: The BSF compares RES with the stored XRES; if they match, the authentication of the UE is complete, and the BSF uses the stored IK and CK to generate the root key Ks;
Step 11: The BSF sends a GBA success response message to the UE carrying the bootstrapping transaction identifier (B-TID) and the lifetime of the root key Ks;
Step 12: The UE stores the B-TID and the Ks lifetime, uses IK and CK to generate the root key Ks, and then generates and stores the shared key Ks_(Ext/Int)_NAF;
Step 13: The UE sends another HTTP Request to the AS carrying a SOAP-encapsulated SASLRequest header field; its mechanism header field is filled with the authentication mode selected by the AS in step 4 (in this embodiment HTTP DIGEST), and the challenge-response header field digest-response contains a username header field filled with the B-TID, together with the authentication response digest computed with the key Ks_(Ext/Int)_NAF;
Step 14: The AS and the NAF are on one entity; if the AS does not hold the relevant Ks_(Ext/Int)_NAF key information, it can obtain Ks_(Ext/Int)_NAF, the USS, the key lifetime, the bootstrapping time and other information from the BSF over the Zn interface, where the USS may contain identity federation related information;
Step 15: The AS processes the above SASLRequest header field; after the authentication by the AS succeeds, the AS sends an HTTP Response to the UE carrying a SOAP-encapsulated SASLResponse header field, which contains the SSOS address in the ID-WSF EPR (EndpointReference header field), the ServiceType field set to urn:liberty:ssos:2004-04, and the credential needed to access the SSOS;
Step 16: The UE sends an HTTP Request to the SSOS obtained in the previous step to request the Assertion needed to access the SP; it carries SOAP-encapsulated samlp2:AuthnRequest, sb:Correlation and wsse:security header fields. Depending on the application and the network model, the AuthnRequest header field may be the one returned by the SP in step 2 or may be generated by the UE itself; it contains the authentication operations the AuthnRequest recipient is asked to perform, and its ProtocolBinding header field is set to urn:liberty:iff:profiles:id-wsf to indicate the SAML protocol binding to be used. The wsse:security header field carries the credential (Credentials header field) needed to access the SSOS that was returned in the previous step, and the sb:Correlation header field is mainly used to associate the response message returned by the SSOS with the corresponding request message;
Step 17: The SSOS processes the received HTTP Request, generates the corresponding Artifact and Assertion, stores the relation between the two, and then returns an HTTP Response success message carrying a SOAP-encapsulated samlp2:Response header field, where the Response header field contains the Artifact header field corresponding to the saml:Assertion needed to access the SP;
Step 18: The UE sends another HTTP Request to the SP carrying the SOAP-encapsulated Artifact header field returned in step 17;
Step 19: The SP sends an HTTP Request to the SSOS carrying the SOAP-encapsulated Artifact header field obtained in the previous step, requesting the Assertion used for the authentication process of the UE;
Step 20: The SSOS finds the corresponding Assertion according to the Artifact and then returns an HTTP Response carrying the SOAP-encapsulated saml:Assertion (which contains the digital signature of the SSOS);
Step 21: The SP processes the saml:Assertion header field, verifies its digital signature, completes the authentication of the UE according to the identity federation information of the SSOS, and on success returns an HTTP Response message.
After the authentication process of embodiment 1 or embodiment 2 is complete, the UE and the SP may continue to communicate, but the UE must be re-authenticated when any of the following occurs:
1. The SP receives a LogoutRequest message (logout request message) sent by the UE or the SSOS;
2. The session between the SP and the UE terminates normally;
3. The time given in the ReauthenticateOnOrAfter header field (re-authentication deadline header field) of the AuthenticationStatement header field (authentication statement header field) in the Assertion received by the SP has passed;
4. The time given in the NotOnOrAfter header field (validity limit header field) of the Conditions header field (conditions header field) in the Assertion received by the SP has passed.
On the next interaction with the UE, the SP indicates that re-authentication is required by sending the UE a new HTTP Response message carrying an AuthnRequest, after which the flow from step 3 of embodiment 1 or embodiment 2 is executed.
For ID-WSF, when the AS receives the HTTP Request sent by the UE, if the Ks_(Ext/Int)_NAF of step 4 has not yet expired, then according to the local security policy configured on the AS, a new GBA authentication process may or may not be performed. If no new GBA authentication process is performed, steps 3 to 12 and step 14 can be omitted; the message contents of steps 13, 15 and 16 are identical to the previous corresponding messages; the SSOS must produce a new Assertion (and, in step 17 of embodiment 2, a new Artifact as well); the remaining steps are unchanged.
If a new GBA process is performed, all remaining steps of embodiment 1 or embodiment 2 are re-executed.
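As an added illustration of embodiments 1 and 2 and of the re-authentication conditions above (example code written for this page, not from the patent), the following Python model plays the BSF, the AS co-located with the NAF, the SSOS and the SP's checks; all key derivations, the Digest computation and the Assertion signature are HMAC/SHA-256 stand-ins for the real algorithms, and the NAF identity, B-TID format, endpoint address and lifetimes are constructed values.

```python
# Added example, not code from the patent: a toy model of the GBA + ID-WSF flow of embodiments 1 and 2.
# Ks/Ks_NAF derivation, the Digest and the Assertion signature are HMAC/SHA-256 stand-ins, not the
# 3GPP KDF, RFC 2617 Digest or XML-DSig, chosen so that the block runs offline.
import base64
import hashlib
import hmac
import secrets

def derive_ks(ck, ik):   # root key Ks from CK and IK; computed by the BSF (step 10) and UE (step 12)
    return hmac.new(ck + ik, b"Ks", hashlib.sha256).digest()

def derive_ks_naf(ks, naf_id):   # Ks_(Ext/Int)_NAF bound to the NAF identity (stand-in KDF)
    return hmac.new(ks, b"Ks_NAF|" + naf_id, hashlib.sha256).hexdigest()

def digest_response(username, password, realm, nonce):   # simplified Digest; username = B-TID
    return hashlib.sha256(f"{username}:{realm}:{nonce}:{password}".encode()).hexdigest()

class BSF:   # bootstrapping server function, steps 5-12 with the AKA exchange abstracted away
    def __init__(self):
        self.sessions = {}   # B-TID -> (Ks, Ks lifetime end)

    def bootstrap(self, ck, ik, now, lifetime=3600):
        b_tid = base64.b64encode(secrets.token_bytes(6)).decode() + "@bsf.example"   # constructed
        self.sessions[b_tid] = (derive_ks(ck, ik), now + lifetime)
        return b_tid, now + lifetime   # step 11: B-TID and Ks lifetime are sent to the UE

    def zn_lookup(self, b_tid, naf_id, now):   # Zn interface (step 14); None if unknown or expired
        entry = self.sessions.get(b_tid)
        if entry is None or now >= entry[1]:
            return None
        return derive_ks_naf(entry[0], naf_id), entry[1]

class AuthenticationService:   # AS co-located with the NAF; issues the credential for the SSOS
    def __init__(self, bsf, naf_id):
        self.bsf, self.naf_id = bsf, naf_id
        self.realm = "3gpp-gba@" + naf_id.decode()   # tells the UE that GBA is required (step 4)
        self.cred_key = secrets.token_bytes(32)      # assumption: key shared with the SSOS

    def challenge(self):
        return {"serverMechanism": "DIGEST-MD5", "realm": self.realm, "nonce": secrets.token_hex(8)}

    def sasl_response(self, username, nonce, response, now):
        found = self.bsf.zn_lookup(username, self.naf_id, now)   # None: the UE must bootstrap again
        if found is None or not hmac.compare_digest(
                response, digest_response(username, found[0], self.realm, nonce)):
            return None
        mac = hmac.new(self.cred_key, username.encode(), hashlib.sha256).hexdigest()
        return {"EPR": {"Address": "https://ssos.example", "ServiceType": "urn:liberty:ssos:2004-04"},
                "Credentials": {"b_tid": username, "mac": mac}}   # step 15

class SingleSignOnService:   # SSOS: Assertion (embodiment 1) or Artifact mapped to it (embodiment 2)
    def __init__(self, cred_key):
        self.cred_key = cred_key
        self.sign_key = secrets.token_bytes(32)   # stand-in for the SSOS signing key
        self.artifacts = {}

    def _sign(self, body):
        return hmac.new(self.sign_key, repr(sorted(body.items())).encode(), hashlib.sha256).hexdigest()

    def issue_assertion(self, cred, now, reauth_after=600, valid_for=1800):
        expected = hmac.new(self.cred_key, cred["b_tid"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cred["mac"]):
            return None
        body = {"Subject": cred["b_tid"], "ReauthenticateOnOrAfter": now + reauth_after,
                "NotOnOrAfter": now + valid_for}
        return {**body, "Signature": self._sign(body)}

    def issue_artifact(self, cred, now):
        assertion = self.issue_assertion(cred, now)
        artifact = secrets.token_urlsafe(16) if assertion else None
        if artifact:
            self.artifacts[artifact] = assertion   # step 17: keep the Artifact -> Assertion mapping
        return artifact

    def resolve_artifact(self, artifact):
        return self.artifacts.pop(artifact, None)   # step 20: an Artifact resolves only once

    def verify_signature(self, assertion):
        body = {k: v for k, v in assertion.items() if k != "Signature"}
        return hmac.compare_digest(self._sign(body), assertion["Signature"])

def must_reauthenticate(assertion, now, logout_received=False, session_ended=False):
    # The four conditions after which the SP must re-authenticate the UE.
    return bool(logout_received or session_ended or now >= assertion["ReauthenticateOnOrAfter"]
                or now >= assertion["NotOnOrAfter"])

def run_flow(artifact_mode, now=1_000_000.0):   # one full exchange; returns the Assertion the SP accepts
    bsf, naf, ck, ik = BSF(), b"naf.example", secrets.token_bytes(16), secrets.token_bytes(16)
    as_ = AuthenticationService(bsf, naf)
    ssos = SingleSignOnService(as_.cred_key)
    b_tid, _ = bsf.bootstrap(ck, ik, now)                                   # steps 5-12, BSF side
    ch = as_.challenge()                                                    # step 4
    resp = digest_response(b_tid, derive_ks_naf(derive_ks(ck, ik), naf), ch["realm"], ch["nonce"])
    sasl = as_.sasl_response(b_tid, ch["nonce"], resp, now)                 # steps 13-15
    if sasl is None:
        return None
    if artifact_mode:   # embodiment 2: the SP resolves the Artifact at the SSOS (steps 17-20)
        assertion = ssos.resolve_artifact(ssos.issue_artifact(sasl["Credentials"], now))
    else:               # embodiment 1: the UE hands the SP the signed Assertion (steps 17-18)
        assertion = ssos.issue_assertion(sasl["Credentials"], now)
    return assertion if assertion and ssos.verify_signature(assertion) else None   # step 19 / 21
```

Calling `run_flow(False)` or `run_flow(True)` returns the accepted Assertion, and `must_reauthenticate` applied to it at later times shows when the SP has to send a new AuthnRequest.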
Although the present invention has been illustrated and described with reference to its preferred embodiments, those of ordinary skill in the art will understand that various changes in form and detail may be made without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (16)

1. An identity web services network system comprising the home subscriber server and the bootstrapping server function entity of the generic authentication architecture, a service provider entity and a user terminal, the home subscriber server and the bootstrapping server function entity communicating over the Zh interface and the bootstrapping server function entity and the user terminal communicating over the Ub interface, characterised in that it comprises a network application function/authentication service/Single Sign-On service entity, which comprises a network application function module, an authentication service module and a Single Sign-On service module, the network application function module providing the network application function, the authentication service module providing the authentication service entity function and the Single Sign-On service module providing the Single Sign-On service entity function, the network application function module and the bootstrapping server function entity communicating over the Zn interface, and the network application function module and the user terminal communicating over the Ua interface.
2. The identity web services network system according to claim 1, characterised in that the Single Sign-On service module and the user terminal communicate using the Single Sign-On and identity federation protocols described by the Security Assertion Markup Language, with messages encapsulated in the Simple Object Access Protocol or the Hypertext Transfer Protocol; the authentication service module and the user terminal communicate using the Simple Authentication and Security Layer protocol, with messages encapsulated in the Simple Object Access Protocol or the Hypertext Transfer Protocol; communication between the Single Sign-On service module and the service provider entity uses Simple Object Access Protocol encapsulation; and communication between the user terminal and the service provider entity uses Simple Object Access Protocol or Hypertext Transfer Protocol encapsulation.
3. An authentication method for an identity web services network system, characterised in that it comprises the steps of: including two authentication processes in the communication between the user terminal and the service provider entity of the identity web services network system, namely a generic authentication architecture authentication process and an identity web services framework authentication process; in the generic authentication architecture authentication process, the bootstrapping server function entity generates the bootstrapping transaction identifier and the root key lifetime and sends them to the user terminal, and both the bootstrapping server function entity and the user terminal generate the root key; in the identity web services framework authentication process, the authentication service entity or authentication service module generates the credential the user terminal needs to access the Single Sign-On service entity or Single Sign-On service module; and the Single Sign-On service entity or Single Sign-On service module either generates an authentication assertion and sends it to the user terminal, or generates an authentication assertion and a corresponding authentication assertion link, stores the mapping table of authentication assertions and authentication assertion links, and sends the authentication assertion link to the user terminal.
4. The authentication method according to claim 3, characterised in that it comprises the steps of: the user terminal sends an identity web services framework authentication request message to the corresponding authentication service entity or authentication service module; the authentication service entity or authentication service module sends the user terminal a challenge-response message requiring it to perform generic authentication architecture authentication; the bootstrapping server function entity performs generic authentication architecture authentication on the user terminal and, after successful authentication, sends the user terminal a generic authentication architecture authentication success response message containing the bootstrapping transaction identifier and the root key lifetime; the user terminal sends a service request message to the authentication service entity or authentication service module; the authentication service entity or authentication service module authenticates the user terminal according to this service request message and, after the authentication succeeds, sends the user terminal a response message containing the address and the credential of the Single Sign-On service entity or Single Sign-On service module.
5. The authentication method according to claim 4, characterised in that it comprises the steps of: the Single Sign-On service entity or Single Sign-On service module performs identity web services framework authentication on the user terminal and, after successful authentication, sends the user terminal an identity web services framework authentication success response message containing the authentication assertion.
6. The authentication method according to claim 4, characterised in that it comprises the steps of: the Single Sign-On service entity or Single Sign-On service module performs identity web services framework authentication on the user terminal, generates an authentication assertion and a corresponding authentication assertion link, stores the mapping table of authentication assertions and authentication assertion links, and includes the authentication assertion link in the identity web services framework authentication success response message subsequently sent to the user terminal.
7. The authentication method for an identity web service framework system according to claim 4, characterized by comprising the following steps:
A1. The user terminal sends an application request message to the service provider entity;
A2. After receiving this application request message, the service provider entity first obtains the address of the authentication service entity or authentication service module and then sends a response message to the user terminal carrying an authentication request header field;
A3. The user terminal sends an application request message to the authentication service entity or authentication service module containing a SASL request header field, which contains an authentication mechanism header field listing the authentication modes supported by the user terminal;
A4. The authentication service entity or authentication service module sends a challenge-response message to the user terminal containing a SASL response header field, which contains a server authentication mechanism header field recording the authentication mode selected by the authentication service entity or authentication service module, and a challenge header field;
A5. The user terminal interacts with the bootstrapping service function entity to perform generic authentication architecture authentication;
A6. The user terminal sends an application request message to the authentication service entity or authentication service module containing a SASL request header field, which contains a challenge response header field carrying the bootstrapping transaction identifier and an authentication response digest;
A7. The authentication service entity or authentication service module obtains the shared key, user security settings, key lifetime, bootstrapping time and similar information from the bootstrapping service function entity over the Zn interface, authenticates the user terminal according to the received SASL request header field and, after authentication passes, sends the user terminal a response message containing a SASL response header field that carries the address of the single sign-on service entity or single sign-on service module and the credential.
8. The authentication method for an identity web service framework system according to claim 7, characterized in that: a user terminal supporting both generic authentication architecture authentication and identity web service framework authentication sets a generic authentication architecture flag in the application request message it sends to the authentication service entity or authentication service module; if the authentication service entity or authentication service module finds this generic authentication architecture flag, it instructs the user terminal to start the generic authentication architecture authentication process first and then the identity web service framework authentication process; otherwise it instructs the user terminal to start only the identity web service framework authentication process.
9. The authentication method for an identity web service framework system according to claim 7, characterized in that step A5 comprises the following steps:
B1. The user terminal sends a generic authentication architecture authentication request message containing its private user identity to the bootstrapping service function entity;
B2. After receiving this generic authentication architecture authentication request message, the bootstrapping service function entity obtains the authentication vector of the user terminal from the user's home server;
B3. The bootstrapping service function entity sends a challenge message to the user terminal carrying an authentication sequence number parameter and a random number parameter;
B4. The user terminal checks the validity of the authentication sequence number parameter and generates the expected result;
B5. The user terminal sends a message to the bootstrapping service function entity carrying the private user identity and the expected result;
B6. The bootstrapping service function entity checks the validity of the expected result and generates the root key;
B7. The bootstrapping service function entity sends a generic authentication architecture success response message to the user terminal carrying the bootstrapping transaction identifier and the root key lifetime;
B8. The user terminal stores the bootstrapping transaction identifier and the root key lifetime, and generates and stores the root key and the shared key.
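The bootstrapping exchange of steps B1-B8 followed by the SASL challenge response of steps A6-A7, as an added Python simulation that is not part of the patent: the HMAC-based key derivation, the message fields, the `@bsf.example` identifiers and the sample long-term key are constructed stand-ins, not the 3GPP AKA/GBA algorithms.

```python
"""Simulation of bootstrapping steps B1-B8 and the SASL challenge-response of
steps A6-A7 that the authentication service verifies over the Zn interface.
Added illustration, not the patent's or 3GPP's code: the HMAC-based key
derivation, message dicts and sample secrets are constructed stand-ins."""
import hashlib, hmac, secrets, time

def kdf(key: bytes, *labels: bytes) -> bytes:
    """Constructed HMAC-SHA256 derivation standing in for the 3GPP KDF."""
    return hmac.new(key, b"|".join(labels), hashlib.sha256).digest()

class BootstrappingServer:
    """Bootstrapping service function entity; `home` plays the user's home
    server and maps each private identity to its long-term key K."""
    def __init__(self, home, lifetime=3600):
        self.home, self.lifetime, self.sqn = home, lifetime, 0
        self.pending, self.sessions = {}, {}     # sessions: B-TID -> (Ks, expiry)

    def challenge(self, impi):                   # B1-B3
        self.sqn += 1                            # fresh sequence number per run
        k, rand = self.home[impi], secrets.token_bytes(16)
        self.pending[impi] = {"xres": kdf(k, b"res", rand),      # B2: auth vector
                              "ks": kdf(k, b"ck", rand) + kdf(k, b"ik", rand)}
        return {"sqn": self.sqn, "rand": rand}

    def verify(self, impi, res):                 # B5-B7
        av = self.pending.pop(impi)
        if not hmac.compare_digest(res, av["xres"]):
            raise PermissionError("RES does not match XRES")
        btid = secrets.token_hex(8) + "@bsf.example"            # constructed B-TID
        self.sessions[btid] = (av["ks"], time.time() + self.lifetime)
        return {"btid": btid, "lifetime": self.lifetime}

    def zn_lookup(self, btid, naf_id):           # A7: Zn interface query
        ks, expiry = self.sessions[btid]
        return {"shared_key": kdf(ks, b"naf", naf_id), "expiry": expiry}

class UserTerminal:
    def __init__(self, impi, k):
        self.impi, self.k, self.last_sqn, self.ks = impi, k, 0, None

    def respond(self, chal):                     # B4-B5: reject a replayed SQN
        if chal["sqn"] <= self.last_sqn:
            raise ValueError("stale authentication sequence number")
        self.last_sqn, self.rand = chal["sqn"], chal["rand"]
        return {"impi": self.impi, "res": kdf(self.k, b"res", chal["rand"])}

    def finish(self, resp):                      # B8: keep B-TID, derive root key
        self.btid, self.lifetime = resp["btid"], resp["lifetime"]
        self.ks = kdf(self.k, b"ck", self.rand) + kdf(self.k, b"ik", self.rand)

    def sasl_response(self, naf_id, server_challenge):           # A6
        shared_key = kdf(self.ks, b"naf", naf_id)                # per-service key
        digest = hmac.new(shared_key, server_challenge, hashlib.sha256).hexdigest()
        return {"btid": self.btid, "digest": digest}

class AuthService:
    """Authentication service entity; naf_id and sso_address are constructed."""
    def __init__(self, bsf, naf_id=b"auth.example", sso_address="sso.example"):
        self.bsf, self.naf_id, self.sso_address = bsf, naf_id, sso_address

    def verify(self, server_challenge, sasl):    # A7
        info = self.bsf.zn_lookup(sasl["btid"], self.naf_id)
        expected = hmac.new(info["shared_key"], server_challenge,
                            hashlib.sha256).hexdigest()
        if time.time() > info["expiry"] or not hmac.compare_digest(
                expected, sasl["digest"]):
            raise PermissionError("SASL digest rejected")
        return {"sso_address": self.sso_address, "credential": secrets.token_hex(16)}

def run_flow():
    """Drive one complete A5-A7 exchange with constructed sample keys."""
    impi, k = "user@ims.example", b"constructed-long-term-key-K"
    bsf = BootstrappingServer({impi: k})
    ue, auth = UserTerminal(impi, k), AuthService(bsf)
    ue.finish(bsf.verify(**ue.respond(bsf.challenge(impi))))   # B1-B8
    server_challenge = secrets.token_bytes(16)                 # A4 challenge header
    return auth.verify(server_challenge, ue.sasl_response(auth.naf_id, server_challenge))
```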
10. The authentication method for an identity web service framework system according to claim 5, characterized by comprising the following steps:
C1. The user terminal sends an application request message to the single sign-on service entity or single sign-on service module according to the address of that entity or module;
C2. The single sign-on service entity or single sign-on service module performs the authentication process according to the content of the received application request message and, after success, sends the user terminal a success response message containing the authentication statement, which carries the digital signature of the single sign-on service entity or single sign-on service module;
C3. The user terminal sends an application request message containing the authentication statement to the service provider entity;
C4. The service provider entity processes the authentication statement, verifies the digital signature of the single sign-on service entity or single sign-on service module and, after completing authentication of the user terminal, sends a response message to the user terminal.
11. The authentication method for an identity web service framework system according to claim 6, characterized by comprising the following steps:
D1. The user terminal sends an application request message to the single sign-on service entity or single sign-on service module according to the address of that entity or module;
D2. The single sign-on service entity or single sign-on service module performs the authentication process according to the content of the received application request message, generates an authentication statement and a corresponding authentication statement link, stores the correspondence between the authentication statement and the authentication statement link and, after success, sends the user terminal a success response message containing the authentication statement link;
D3. The user terminal sends an application request message containing the authentication statement link to the service provider entity;
D4. The service provider entity sends an application request message containing the authentication statement link to the single sign-on service entity or single sign-on service module;
D5. The single sign-on service entity or single sign-on service module finds the corresponding authentication statement from the authentication statement link and sends the service provider entity a response message containing the authentication statement, which carries the digital signature of the single sign-on service entity or single sign-on service module;
D6. The service provider entity processes the authentication statement, verifies the digital signature of the single sign-on service entity or single sign-on service module and, after completing authentication of the user terminal, sends a response message to the user terminal.
12. The authentication method for an identity web service framework system according to any one of claims 7, 8, 10 and 11, characterized in that: the SASL request header field and the SASL response header field are encapsulated in SOAP.
13. The authentication method for an identity web service framework system according to claim 5, characterized in that: when the service provider entity receives a logout request message sent by the user terminal or by the single sign-on service entity or single sign-on service module, or when the session between the service provider entity and the user terminal terminates normally, or when the time corresponding to the re-authentication deadline header field in the authentication statement received by the service provider entity has expired, or when the time corresponding to the validity period header field in the authentication statement received by the service provider entity has expired, the service provider entity requires the user terminal to re-authenticate in its subsequent communication with the user terminal.
14. The authentication method for an identity web service framework system according to claim 6, characterized in that: when the service provider entity receives a logout request message sent by the user terminal or by the single sign-on service entity or single sign-on service module, or when the session between the service provider entity and the user terminal terminates normally, or when the time corresponding to the re-authentication deadline header field in the authentication statement received by the service provider entity has expired, or when the time corresponding to the validity period header field in the authentication statement received by the service provider entity has expired, the service provider entity requires the user terminal to re-authenticate in its subsequent communication with the user terminal.
15. The authentication method for an identity web service framework system according to claim 13 or 14, characterized in that: the following local security policy is configured on the authentication service entity or authentication service module: when the user terminal re-authenticates, if the shared key of the two parties has not expired, only identity web service framework authentication is performed on the user terminal.
16. The authentication method for an identity web service framework system according to claim 13 or 14, characterized in that: the following local security policy is configured on the authentication service entity or authentication service module: when the user terminal re-authenticates, if the shared key of the two parties has not expired, both generic authentication architecture authentication and identity web service framework authentication are performed on the user terminal.
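The two single sign-on flows of claims 10 and 11, the service provider's re-authentication triggers of claims 13 and 14 and the local policies of claims 15 and 16, as an added Python model that is not the patent's code: an HMAC tag under a key shared by the single sign-on service and the service provider is a constructed stand-in for the single sign-on service's digital signature, and every header name, lifetime and sample value is an assumption.

```python
"""Flows C1-C4 (statement sent to the terminal) and D1-D6 (statement link
resolved by the service provider), the re-authentication triggers of claims
13/14 and the local policies of claims 15/16. Added illustration, not the
patent's code: an HMAC-SHA256 tag under a key shared by the single sign-on
service and the service provider stands in for the single sign-on service's
digital signature; header names, lifetimes and sample values are constructed."""
import hashlib, hmac, json, secrets

def _tag(key, body):  # constructed stand-in for the SSO service's digital signature
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class SingleSignOnService:
    def __init__(self, sign_key, credentials, validity=600, reauth_after=300):
        self.key, self.credentials = sign_key, set(credentials)  # issued in A7
        self.validity, self.reauth_after = validity, reauth_after
        self.links = {}                          # mapping table: link -> statement

    def _statement(self, user, now):
        body = {"subject": user, "issued": now, "valid_until": now + self.validity,
                "reauth_deadline": now + self.reauth_after}
        return {"body": body, "signature": _tag(self.key, body)}

    def authenticate(self, credential, user, now, by_link=False):   # C2 / D2
        if credential not in self.credentials:
            raise PermissionError("unknown credential")
        stmt = self._statement(user, now)
        if not by_link:
            return {"authentication_statement": stmt}
        link = secrets.token_hex(8)
        self.links[link] = stmt                  # keep the link -> statement mapping
        return {"statement_link": link}

    def resolve(self, link):                     # D5: one-time lookup of the link
        return {"authentication_statement": self.links.pop(link)}

class ServiceProvider:
    def __init__(self, verify_key, sso):
        self.key, self.sso, self.sessions = verify_key, sso, {}

    def _valid(self, stmt, now):                 # C4 / D6 checks
        expected = _tag(self.key, stmt["body"])
        return (hmac.compare_digest(expected, stmt["signature"])
                and now <= stmt["body"]["valid_until"])

    def handle(self, request, now):              # C3-C4 or D3-D6
        if "statement_link" in request:          # D4-D5: ask the SSO service
            stmt = self.sso.resolve(request["statement_link"])["authentication_statement"]
        else:
            stmt = request["authentication_statement"]
        if not self._valid(stmt, now):
            raise PermissionError("authentication statement rejected")
        self.sessions[stmt["body"]["subject"]] = stmt
        return {"status": "ok", "user": stmt["body"]["subject"]}

    def needs_reauth(self, user, now, logout=False, session_ended=False):
        """Claims 13/14: logout, normal session end, or an expired
        re-authentication deadline or validity period force re-authentication."""
        stmt = self.sessions.get(user)
        if stmt is None or logout or session_ended:
            return True
        body = stmt["body"]
        return now > body["reauth_deadline"] or now > body["valid_until"]

def reauth_steps(shared_key_expired, policy="idwsf_only"):
    """Claims 15/16: with an unexpired shared key, policy 'idwsf_only' runs only
    identity web service framework authentication, 'both' reruns generic
    authentication architecture too; an expired key reruns both (assumption)."""
    if shared_key_expired or policy == "both":
        return ("gba", "idwsf")
    return ("idwsf",)

def demo(by_link):
    """Run one C or D flow with constructed keys and return the SP result."""
    key, cred = b"constructed-shared-verification-key", "cred-constructed"
    sso = SingleSignOnService(key, [cred])
    sp = ServiceProvider(key, sso)
    response = sso.authenticate(cred, "alice", now=1000, by_link=by_link)  # C2/D2
    return sp, sp.handle(response, now=1010)                                # C3-C4 / D3-D6
```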
CN200610034493A 2006-03-16 2006-03-16 Identification web page service network system and its authentication method Expired - Fee Related CN101039311B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN200610034493A CN101039311B (en) 2006-03-16 2006-03-16 Identification web page service network system and its authentication method
PCT/CN2007/000762 WO2007104245A1 (en) 2006-03-16 2007-03-09 An identity web service framework system and authentication method thereof

Publications (2)

Publication Number Publication Date
CN101039311A true CN101039311A (en) 2007-09-19
CN101039311B CN101039311B (en) 2010-05-12

Family

ID=38509049

Country Status (2)

Country Link
CN (1) CN101039311B (en)
WO (1) WO2007104245A1 (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100512
