CN101312591B - Method for authentication device to acquire security parameter related to home proxy - Google Patents
- Publication number
- CN101312591B
- Authority
- CN
- China
- Prior art keywords
- mip
- security parameter
- haaa
- request
- address
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
- Mobile Radio Communication Systems (AREA)
Abstract
The invention discloses a method for an authenticator to acquire security parameter information related to a home agent, comprising the following steps: (1) after receiving a MIP registration request initiated by a terminal user, a foreign agent uses the home agent (HA) address in the request to send a MIP-related security parameter information acquisition request to the authenticator; (2) if the authenticator finds that the HA address in the request is inconsistent with the HA address issued by the home authentication, authorization and accounting server (HAAA) at the terminal user's subscription, and that the related security parameter information does not exist, the authenticator requests from the HAAA the security parameter information related to the HA in the MIP registration request; (3) the HAAA responds to the authenticator's acquisition request and returns the security parameter information. The invention solves the problem that, when a MIP user's registration request message arrives at the foreign agent and the HA address in the current request is inconsistent with the HA address issued by the HAAA at the user's subscription, the foreign agent cannot obtain from the authenticator the security parameter information related to the currently requested HA.
Description
Technical field
The present invention relates to the communications field, and in particular to a method for an authenticator to acquire security parameters related to a home agent during the MIP (Mobile IP protocol, hereinafter MIP) registration process.
Background technology
MIP is a series of IP mobility solutions, based on the existing IP network architecture, proposed by the IETF (Internet Engineering Task Force); it builds an open and flexible IP service platform. Implementing MIP requires three logical functional units: the MN (terminal user), the FA (foreign agent) and the HA (home agent).
Fig. 1 is the MIP deployment architecture in a WIMAX (Worldwide Interoperability for Microwave Access) network, comprising the four functional entities HAAA, AGW, HA and MN:
The HAAA (home authentication, authorization and accounting server) manages user subscription information in the WIMAX network;
The AGW (access service network gateway) is the core network device of the WIMAX system. The FA is introduced into the AGW system as a functional module to support external IP mobility, and the FA does not interact with the HAAA directly. The authenticator provides the security parameters the FA requires. The AGW provides the underlying bearer service for MIP, and interaction between the MN and the FA requires a service channel provided by the AGW;
The HA provides home routing support for MIP users. The HA interacts with the HAAA directly and obtains the security parameters it requires from the HAAA;
The security associations between the MN and the FA, and between the FA and the HA, are established under the lead of the HAAA.
Fig. 2 shows the prior-art MIP registration process when the HA that the MIP user currently requests to register with differs from the user's subscribed HA issued by the HAAA. It comprises the following steps:
Step 201, the MN initiates a MIP registration request;
Step 202, the FA receives and processes the MIP registration request; the FA uses the HA requested by the terminal in the message (HA_Requested) to send a MIP-related key acquisition request to the authenticator;
Step 203, the authenticator finds that the HA carried in the MIP-related key acquisition request is inconsistent with the HA subscribed in the HAAA (HA_subscribed), and returns a MIP-related key acquisition failure response to the FA;
Step 204, the FA forwards the returned MIP-related key acquisition failure response to the MN.
In a normal MIP registration process, the HA IP address chosen by the MN should be consistent with the HA IP address subscribed in the HAAA. If they are inconsistent, the relevant protocols define a selection priority for the HA IP address, but they do not define how to ensure that the foreign agent obtains the correct HA-related security parameters in this case (including HA root key related attributes such as HA_RK (HA Root Key), HA_RK Lifetime (HA lifetime), SPI (Security Parameter Index), etc.).
Summary of the invention
The invention provides a method for an authenticator to acquire security parameters related to a home agent, to solve the problem that, when a MIP user's registration request message arrives at the FA and the HA address currently requested for registration differs from the HA address issued by the HAAA at the user's subscription, the FA cannot obtain from the authenticator the security parameter information related to the currently requested HA.
To solve the above technical problem, the invention provides a method for an authenticator to acquire security parameters related to a home agent, applied in the Mobile IP protocol (MIP) registration process in the communications field and comprising the following steps:
(1) after receiving a MIP registration request initiated by a terminal user, the foreign agent uses the home agent (HA) address in the request to send a MIP-related security parameter information acquisition request to the authenticator;
(2) if the authenticator finds that the HA address in the request is inconsistent with the HA address issued by the home authentication, authorization and accounting server (HAAA) at the terminal user's subscription, and that the related security parameter information does not exist, it requests from the HAAA the security parameter information related to the HA in the MIP registration request;
(3) the HAAA responds to the authenticator's acquisition request and returns to it the security parameter information related to the HA in the MIP registration request.
In the method of the invention, in step (1), the related security parameter information comprises HA root key related attributes.
Further, the HA root key related attributes comprise the HA root key (HA_RK), the HA lifetime (HA Lifetime) and the Security Parameter Index (SPI).
In the method of the invention, in step (2), if the authenticator finds that the HA address in the request is consistent with the HA address issued by the HAAA at the terminal user's subscription, the foreign agent uses the correct security parameters to process the MIP registration request.
In the method of the invention, the method is applied in a normal MIP registration scenario when the HA address in the registration message is inconsistent with the HA address issued by the HAAA at the terminal user's subscription.
In the method of the invention, the method is also applied in the dynamic HA assignment process in which the terminal carries the "Dynamic HA Extension" when requesting MIP.
In the method of the invention, the following steps are performed after step (3):
(71) the authenticator forwards the security parameter information related to the HA in the MIP registration request to the foreign agent;
(72) the foreign agent uses the correct security parameters to forward the current MIP registration request to the HA;
(73) the HA requests security parameters from the HAAA;
(74) the HAAA returns the response result;
(75) if the HA successfully processes the MIP registration request, it returns a correct registration response to the foreign agent;
(76) if the foreign agent successfully processes the received MIP registration response, it forwards the response to the terminal user.
The present invention adds a mechanism, absent from the current protocol, by which the FA triggers the authenticator to obtain the HA_RK and its related attributes. It solves the problem that, when a MIP user's registration request message arrives at the FA and the HA currently requested for registration (HA_Requested) differs from the user's subscribed HA issued by the HAAA (HA_subscribed), the FA cannot obtain from the authenticator the security parameter information related to the currently requested HA. This guarantees that the foreign agent can use the correct key to encrypt the MIP registration message that is about to be sent to the HA.
Description of drawings
Fig. 1 is the prior-art MIP deployment architecture;
Fig. 2 is the prior-art MIP registration process when the HA that the MIP user currently requests to register with differs from the user's subscribed HA issued by the HAAA;
Fig. 3 is the MIP user registration process of the embodiment of the invention when HA_Requested and HA_subscribed differ.
Embodiment
The technical scheme of the present invention is described in detail below with reference to the drawings and an embodiment.
The technical problem to be solved by the invention is that, when a MIP user's registration request message arrives at the FA and the HA currently requested for registration (HA_Requested) differs from the user's subscribed HA issued by the HAAA (HA_subscribed), the FA cannot obtain from the authenticator the security association (SA) information related to the currently requested HA, which causes the user's MIP registration process to fail. The invention can be used in two cases: 1) in a normal MIP registration scenario, if the HA address in the fixed-length part of the registration message differs from the subscribed one; 2) in the dynamic HA assignment process in which the terminal carries the "Dynamic HA Extension" when requesting MIP.
The present invention adds a mechanism, absent from the current protocol, by which the FA triggers the authenticator to obtain the HA_RK and its related attributes, guaranteeing that the FA can use the correct key to encrypt the MIP registration message that is about to be sent to the HA.
Fig. 3 shows the MIP user registration process of the embodiment of the invention when HA_Requested and HA_subscribed differ. It comprises the following steps:
Step 301, the MN initiates a MIP registration request;
Step 302, the FA receives and processes the MIP registration request; the FA uses the HA requested by the terminal in the message (HA_Requested) to send a MIP-related key acquisition request to the authenticator;
Step 303, the authenticator finds that the HA in the MIP registration request (HA_Requested) is inconsistent with the HA subscribed in the HAAA (HA_subscribed) and that the security information related to that HA does not exist; it then requests from the HAAA, over the RADIUS protocol, the HA_RK, HA Lifetime, SPI, etc. related to that HA;
Step 304, the HAAA responds to the authenticator's key parameter acquisition request;
Step 305, if the authenticator successfully obtains the related security parameters, it returns the HA_RK and related attributes for the current session to the FA;
Step 306, the FA uses the correct security parameters to forward the current MIP registration request to the HA;
Step 307, the HA requests security parameters from the HAAA;
Step 308, the HAAA returns the response result;
Step 309, if the HA successfully processes the MIP registration request, it returns a correct registration response to the FA;
Step 310, if the FA successfully processes the received MIP registration response, it forwards the response to the MN.
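The authenticator's decision in steps 303 to 305, next to the prior-art failure of step 203, as an added Python example that is not part of the patent. The class, method and `haaa_query` names are hypothetical, and the RADIUS exchange with the HAAA is replaced by a callable. Treating an entry whose lifetime has run out as not existing is an assumption.

```python
import ipaddress
import time
from dataclasses import dataclass


class KeyAcquisitionFailure(Exception):
    """Sent back to the FA as a MIP key acquisition failure response."""


@dataclass(frozen=True)
class HaSecurityParams:
    ha_rk: bytes        # HA root key (HA_RK)
    spi: int            # Security Parameter Index
    expires_at: float   # derived from the HA_RK lifetime


class Authenticator:
    def __init__(self, haaa_query, fetch_on_mismatch=True):
        # haaa_query(user, ha) -> (ha_rk, lifetime_s, spi), or None if HAAA refuses.
        # Hypothetical callable standing in for the RADIUS exchange of step 303.
        self._haaa_query = haaa_query
        self._fetch_on_mismatch = fetch_on_mismatch  # False = prior art (Fig. 2)
        self._subscribed = {}   # user -> HA_subscribed
        self._params = {}       # (user, HA address) -> HaSecurityParams

    def _store(self, user, ha, ha_rk, lifetime_s, spi):
        entry = HaSecurityParams(ha_rk, spi, time.monotonic() + lifetime_s)
        self._params[(user, ha)] = entry
        return entry

    def on_subscription(self, user, ha_subscribed, ha_rk, lifetime_s, spi):
        """Record the HA and parameters HAAA issued for the subscription."""
        ha = ipaddress.ip_address(ha_subscribed)
        self._subscribed[user] = ha
        self._store(user, ha, ha_rk, lifetime_s, spi)

    def handle_fa_key_request(self, user, ha_requested):
        """Steps 303-305: answer the FA's request, keyed by HA_Requested."""
        ha = ipaddress.ip_address(ha_requested)   # compare addresses, not strings
        cached = self._params.get((user, ha))
        if cached is not None and time.monotonic() < cached.expires_at:
            return cached
        if ha != self._subscribed.get(user) and not self._fetch_on_mismatch:
            raise KeyAcquisitionFailure("HA_Requested differs from HA_subscribed")
        # No valid parameters for this HA: ask HAAA. The parameters of
        # HA_subscribed are never substituted for those of another HA.
        answer = self._haaa_query(user, ha)
        if answer is None:
            raise KeyAcquisitionFailure("HAAA returned no parameters for this HA")
        return self._store(user, ha, *answer)


# Constructed sample data: documentation addresses and dummy keys.
USER = "mn1@example.net"
HAAA_DB = {(USER, "192.0.2.20"): (b"\x22" * 20, 3600, 0x201)}


def run(fetch_on_mismatch, ha_requested="192.0.2.20"):
    auth = Authenticator(lambda u, ha: HAAA_DB.get((u, str(ha))), fetch_on_mismatch)
    auth.on_subscription(USER, "192.0.2.10", b"\x11" * 20, 3600, 0x101)
    try:
        return auth.handle_fa_key_request(USER, ha_requested).spi
    except KeyAcquisitionFailure as exc:
        return str(exc)
```

`run(False)` reproduces the failure response of Fig. 2, and `run(True)` returns the SPI that the stand-in HAAA holds for the requested HA.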
The above is only a preferred embodiment of the present invention and is not intended to limit its scope of implementation. All equivalent changes and modifications made according to the present invention fall within the protection scope of the claims of the present invention.
Claims (7)
1. A method for an authenticator to acquire security parameters related to a home agent, applied in the Mobile IP protocol (MIP) registration process in the communications field, characterized in that it comprises the following steps:
(1) after receiving a MIP registration request initiated by a terminal user, the foreign agent uses the home agent (HA) address in the request to send a MIP-related security parameter information acquisition request to the authenticator;
(2) if the authenticator finds that the HA address in the request is inconsistent with the HA address issued by the home authentication, authorization and accounting server (HAAA) at the terminal user's subscription, and that the related security parameter information does not exist, it requests from the HAAA the security parameter information related to the HA in the MIP registration request;
(3) the HAAA responds to the authenticator's acquisition request and returns to it the security parameter information related to the HA in the MIP registration request.
2. The method according to claim 1, characterized in that, in step (1), the related security parameter information comprises HA root key related attributes.
3. The method according to claim 2, characterized in that the HA root key related attributes comprise the HA root key (HA_RK), the HA lifetime (HA Lifetime) and the Security Parameter Index (SPI).
4. The method according to claim 1, characterized in that, in step (2), if the authenticator finds that the HA address in the request is consistent with the HA address issued by the HAAA at the terminal user's subscription, the foreign agent uses the correct security parameters to process the MIP registration request.
5. The method according to claim 1, characterized in that the method is applied in a normal MIP registration scenario when the HA address in the registration message is inconsistent with the HA address issued by the HAAA at the terminal user's subscription.
6. The method according to claim 1, characterized in that the method is also applied in the dynamic HA assignment process in which the terminal carries the "Dynamic HA Extension" when requesting MIP.
7. The method according to claim 1, characterized in that the following steps are performed after step (3):
(71) the authenticator forwards the security parameter information related to the HA in the MIP registration request to the foreign agent;
(72) the foreign agent uses the correct security parameters to forward the current MIP registration request to the HA;
(73) the HA requests security parameters from the HAAA;
(74) the HAAA returns the response result;
(75) if the HA successfully processes the MIP registration request, it returns a correct registration response to the foreign agent;
(76) if the foreign agent successfully processes the received MIP registration response, it forwards the response to the terminal user.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2007101079947A CN101312591B (en) | 2007-05-22 | 2007-05-22 | Method for authentication device to acquire security parameter related to home proxy |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101312591A CN101312591A (en) | 2008-11-26 |
CN101312591B true CN101312591B (en) | 2011-08-10 |
Family
ID=40100972
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2007101079947A Expired - Fee Related CN101312591B (en) | 2007-05-22 | 2007-05-22 | Method for authentication device to acquire security parameter related to home proxy |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101312591B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1653775A (en) * | 2002-04-15 | 2005-08-10 | 高通股份有限公司 | Method and apparatus for providing compatibility between elements of a wireless communication system |
CN1774906A (en) * | 2003-04-28 | 2006-05-17 | 思科技术公司 | Methods and apparatus for securing proxy mobile IP |
CN1890994A (en) * | 2003-12-03 | 2007-01-03 | 高通股份有限公司 | Methods and apparatuses for CDMA2000/gprs roaming |
Non-Patent Citations (1)
Title |
---|
Network Working Group. Authentication, Authorization, and Accounting (AAA) Registration Keys for Mobile IPv4. RFC 3957, AAA Keys for Mobile IPv4. 2005. * |
Also Published As
Publication number | Publication date |
---|---|
CN101312591A (en) | 2008-11-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110800331B (en) | Network verification method, related equipment and system | |
CN101322428B (en) | Method and apparatus for distributing keying information | |
US9344412B2 (en) | Security key management in IMS-based multimedia broadcast and multicast services (MBMS) | |
EP1552646B1 (en) | Method and apparatus enabling reauthentication in a cellular communication system | |
CN110035037B (en) | Security authentication method, related equipment and system | |
EP1713289B1 (en) | A method for establishing security association between the roaming subscriber and the server of the visited network | |
US7346039B2 (en) | Communication system | |
US20110010538A1 (en) | Method and system for providing an access specific key | |
US20120096529A1 (en) | Method and Device for Managing Authentication of a User | |
KR101037844B1 (en) | Method and server for providing a mobile key | |
JP2004241976A (en) | Mobile communication network system and method for authenticating mobile terminal | |
WO2008006314A1 (en) | A gateway system and the method for implementing various media accesses | |
WO2007106620A2 (en) | Method for authenticating a mobile node in a communication network | |
JP5044690B2 (en) | Dynamic Foreign Agent-Home Agent Security Association Assignment for IP Mobility System | |
Angermeier et al. | PAL-privacy augmented LTE: A privacy-preserving scheme for vehicular LTE communication | |
KR101367387B1 (en) | Appatus and method for user authentication to support PMIPv6 in Next Generation Networks | |
CN101312591B (en) | Method for authentication device to acquire security parameter related to home proxy | |
CN101355578B (en) | Compatible method and system for mobile IP application based on RADIUS and DIAMETER protocol | |
US8908871B2 (en) | Mobile internet protocol system and method for updating home agent root key | |
EP1833201B1 (en) | Method of managing interworking for the transfer of service sessions from a mobile network to a wireless local area network, and corresponding TTG gateway | |
KR20090065836A (en) | A method for providing seamless qos service in ip network using ip mobility control platform | |
CN108377570B (en) | Service data routing method and system and related equipment | |
JP5180085B2 (en) | Wireless terminal method and apparatus for establishing a connection | |
CN100495966C (en) | Marking and carrying method for subnetwork information in internet | |
EP2104307B1 (en) | Secure user-specific information transmission to a personal network server |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20110810 Termination date: 20150522 |
EXPY | Termination of patent right or utility model | |