JP2011120123A - Authentication system and authentication method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To solve a problem in a conventional art that an ultra-compact portable telephone base station permits unauthorized utilization at a place unintended by a telecommunication carrier. <P>SOLUTION: An AAA server (authentication server) 401 performs line authentication for checking whether a femto AP (ultra-compact portable telephone base station) 201 communicates through a predetermined line, and stores the result of line authentication in association with the IMSI of the femto AP. The AAA server determines, based on the stored result of line authentication, whether the line authentication of the femto AP having the IMSI is normally completed or not when receiving an access authentication request including the IMSI of the femto AP. When the line authentication is not normally completed, the server refuses the access authentication request. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to an authentication system and an authentication method, and more particularly to a technique for authenticating whether or not a micro cellular phone base station is a valid base station.

As a recent technology related to mobile phones, there is a femtocell access point (hereinafter referred to as a femto AP) which is an ultra-small mobile phone base station that can be installed in a home. The femto AP is connected to a mobile phone network (network) via a line such as a commercial broadband line. Also, to ensure security, VPN (Virtual
Private network) is adopted. For this reason, the femto AP needs to perform access authentication in order to access the network.

  Femto AP access authentication is performed using an authentication server called an AAA (Authentication Authorization Accounting) server. Specifically, the AAA server receives an identifier called IMSI (International Mobile Subscriber Identity) from the femto AP, and performs access authentication using a technique called EAP-AKA (Extensible Authentication Protocol-Authentication and Key Agreement). . More specifically, the femto AP transmits an access authentication request including the IMSI in order to access the network. When the access authentication request sent by the femto AP reaches the AAA server, the AAA server generates authentication information based on the received IMSI and sends it to the femto AP to confirm that the femto AP is correct. To do. The femto AP confirms that the AAA server is correct AAA from the received authentication information. Then, in order to have the AAA server authenticate that it is a correct femto AP, it generates authentication information and sends it to the AAA server. The AAA server that has received the authentication information from the femto AP confirms that the femto AP is correct, and transmits the authentication result to the femto AP.

  A VPN is allowed from the network to the femto AP that succeeded in access authentication. The femto AP provides a function as a base station to a mobile phone existing in an area covered by the femto AP through an allowed VPN.

  There is Patent Document 1 as a document related to such a femto AP. Patent Document 1 proposes a method of identifying position information of a femto AP whose position cannot be specified by GPS information from GPS information of a mobile terminal.

JP2009-232286

  Since the femto AP is ultra-small, it is easy to move and there is a risk of theft. When a femto AP is connected to a network through a line at a destination that has been illegally moved or stolen, the femto AP itself is legitimate, so it will succeed in the above-mentioned access authentication and operate as a base station. Become. As a result, unauthorized use is possible at a location that is not intended by the communication carrier.

  As a countermeasure against such unauthorized use, it is conceivable to apply the technique described in Patent Document 1 to manage the position of the femto AP so that it cannot be used as a base station at positions other than those registered in a regular manner. However, this method has a problem that it cannot be used in an environment where the position of the femto AP cannot be specified, there is an error in position detection itself, and it can be used even after moving within the same area range of GPS.

  The present invention has been proposed in view of such circumstances, and an object of the present invention is to provide an authentication system that solves the problem that the femto AP can be illegally used at a location that is not intended by the communication carrier. There is to do.

  An authentication system according to an aspect of the present invention performs line authentication for confirming whether or not an ultra-small mobile phone base station is communicating through a predetermined line, and uses the result of the line authentication as a result of the ultra-small mobile phone. When a line authentication means for storing in association with the IMSI of the base station and an access authentication request including the IMSI of the micro cellular phone base station is received, the channel authentication of the micro cellular phone base station having the IMSI is normal. An access authentication unit that determines whether or not the access authentication is completed based on the result of the line authentication stored in the line authentication unit, and rejects the access authentication request if the line authentication is not normally completed.

  Since the present invention is configured as described above, it is possible to prevent the femto AP from being illegally used at a location not intended by the communication carrier.

1 is a block diagram of a first embodiment of the present invention. FIG. 5 is a block diagram of an AAA server used in the second embodiment of the present invention. FIG. 5 is a block diagram of a femto AP used in the second embodiment of the present invention. It is a figure which shows the structural example of line | wire authentication information. It is a figure which shows the structural example of a line | wire authentication result. 6 is a sequence chart showing the operation of the second exemplary embodiment of the present invention. It is a sequence chart which shows an example of the detailed procedure (at the time of success) of line | wire authentication. It is a sequence chart which shows an example of the detailed procedure (at the time of failure) of line | wire authentication. It is a sequence chart which shows an example of the detailed procedure (at the time of success) of access authentication. It is a sequence chart which shows an example of the detailed procedure (at the time of failure) of access authentication. It is a figure which shows the condition which moved the femto AP installed in the normal place illegally.

  Next, embodiments of the present invention will be described in detail with reference to the drawings.

[First embodiment]
First, a first embodiment of the present invention will be described with reference to FIG. FIG. 1 is a block diagram of a first embodiment of the present invention.

  The first embodiment of the present invention includes a terminal 101 such as a mobile phone, a femto AP 201, an IP-Edge 301, and an AAA server 402.

  The femto AP 201 is a device having a function as an ultra-compact mobile phone base station, and is connected to the terminal 101 via a wireless line L1, and to the IP-Edge 301 via a line L2 such as Ethernet (registered trademark). The femto AP 201 stores an identifier called IMSI. The femto AP 201 performs line authentication using IMSI after power-on, and then performs access authentication. After successful access authentication, the femto AP 201 starts the operation of the terminal 101 as a base station.

  The IP-Edge 301 is a router device, and is connected to the femto AP 201 via a line L2, and is connected to the AAA server 401 via a network L3 such as an IP network. When this IP-Edge 301 relays the line authentication request transmitted from the femto AP 201 to the AAA server 401, the access line information (slot ID, port ID, VLAN ID, etc.) specifying the line L2 to which the femto AP 201 is connected is relayed. It is added to the line authentication request and transferred.

  The AAA server 401 is an authentication server device having a line authentication function and an access authentication function. In the line authentication function, authentication is performed by confirming whether or not the femto AP 201 is communicating through a predetermined line. Specifically, based on the IMSI and access line information added to the line authentication request sent from the femto AP 201 via the IP-Edge 301, the physical line of the femto AP 201 is a legitimate location (contracted location). Authenticate whether or not there is. On the other hand, in access authentication, only femto AP201 for which line authentication has been successfully completed is authenticated by EAP-AKA, and access from femto AP201 for which line authentication has not been completed successfully is performed. In response to the authentication request, the failure of access authentication is notified.

  According to the present embodiment, access authentication is not successful for a femto AP 201 for which line authentication has not been normally completed. A femto AP 201 that has illegally moved to a location other than the contracted location or a femto AP 201 that has been stolen and used in another location cannot succeed in line authentication, and therefore cannot succeed in access authentication. For this reason, it is possible to reliably prevent the femto AP 201 from being illegally used at a location not intended by the communication carrier.

  In this embodiment, access authentication and line authentication are performed using the IMSI of the femto AP. Therefore, line authentication uses the femto AP's MAC address, and access authentication uses the femto AP's IMSI, which reduces the number of identifiers used for authentication and facilitates management.

[Second Embodiment]
Next, a second embodiment of the present invention will be described with reference to FIG. 2 and FIG. FIG. 2 is a block diagram of the AAA server used in the second embodiment of the present invention. FIG. 3 is a block diagram of a femto AP used in the second embodiment of the present invention.

  First, the configuration of the AAA server 401 used in the second embodiment of the present invention will be described in detail with reference to FIG.

  The AAA server 401 is an authentication server device having a line authentication function and an access authentication function. The AAA server 401 includes a communication interface unit (hereinafter referred to as a communication I / F unit) 411, a storage unit 412, and an arithmetic processing unit 413 as main functional units.

  The communication I / F unit 411 includes a dedicated data communication circuit and has a function of performing data communication with various devices such as the IP-Edge 301 connected via the network L3.

  The storage unit 412 includes a storage device such as a hard disk or a memory, and has a function of storing processing information and a program 414P necessary for various processes in the arithmetic processing unit 413. The program 414P is a program that implements various processing units by being read and executed by the arithmetic processing unit 413. An external device or a recording medium (both via a data input / output function such as the communication I / F unit 411) (Not shown) and read in advance and stored in the storage unit 414. Main processing information stored in the storage unit 412 includes line authentication information 414A and a line authentication result 414B.

  The line authentication information 414A is information used for line authentication. FIG. 4 is a configuration example of the line authentication information 414A. In the line authentication information 414A, an entry including a set of IMSI of a femto AP and regular access line information of the femto AP is registered. In the specific example of FIG. 4, access line information 1 is set corresponding to IMSI1, and access line information 2 is set corresponding to IMSI2. Examples of access line information include a combination of slot ID, port ID, and VLAN ID.

  The line authentication result 414B is information indicating the result of the line authentication performed immediately before. FIG. 5 is a configuration example of the line authentication result 414B. In this line authentication result 414B, an entry consisting of a combination of an IMSI of a femto AP and an authentication result indicating whether the result of the line authentication performed immediately before that femto AP has succeeded or failed is registered. Yes. In the specific example of FIG. 5, the fact that the line authentication has succeeded is set corresponding to IMSI1, and the fact that the line authentication has failed is set corresponding to IMSI2.

  The arithmetic processing unit 413 has a microprocessor such as a CPU and its peripheral circuits, and reads and executes the program 414P from the storage unit 412, thereby realizing various processing units by cooperating the hardware and the program 414P. It has a function to do. As main processing units realized by the arithmetic processing unit 413, there are a line authentication unit 415A and an access authentication unit 415B.

  The line authentication unit 415A has a function of performing line authentication of the femto AP based on the line authentication information 414A and a function of storing the line authentication result in the storage unit 412.

  The access authentication unit 415B has a function of performing access authentication for the femto AP whose line authentication success is recorded in the line authentication result 414B.

  Next, the configuration of the femto AP according to the second embodiment of the present invention will be described in detail with reference to FIG.

  The femto AP 201 is an ultra-small mobile telephone base station having a base station function of the terminal 101, a line authentication function, and an access authentication function. The femto AP 201 includes communication interface units (hereinafter referred to as communication I / F units) 211 and 212, a storage unit 213, and an arithmetic processing unit 214 as main functional units.

  The communication I / F unit 211 includes a dedicated data communication circuit, and has a function of performing data communication with various devices such as the IP-Edge 301 connected via the line L2. The communication I / F unit 212 includes a dedicated data communication circuit, and has a function of performing data communication with various devices such as the terminal 101 via the wireless line L1.

  The storage unit 213 includes a storage device such as a hard disk or a memory, and has a function of storing processing information and programs 215P necessary for various types of processing in the arithmetic processing unit 214. The program 215P is a program that realizes various processing units by being read and executed by the arithmetic processing unit 214. (Not shown) and is stored in the storage unit 213 in advance. The main processing information stored in the storage unit 213 is IMSI 215A.

  The IMSI 215A is an ID that uniquely identifies the femto AP 201. In line authentication, a MAC address is generally used, but in this embodiment, line authentication is performed using IMSI.

  The arithmetic processing unit 214 has a microprocessor such as a CPU and its peripheral circuits, and reads and executes the program 215P from the storage unit 213, thereby realizing various processing units by cooperating the hardware and the program 215P. It has a function to do. Main processing units realized by the arithmetic processing unit 214 include a line authentication unit 216A, an access authentication unit 216B, and a base station function unit 216C.

  The line authentication unit 216A has a function of performing line authentication with the AAA server 401 using the IMSI 215A.

  The access authentication unit 216B has a function of performing access authentication with the AAA server 401 using the IMSI 215A.

  The base station function unit 216C is a part that functions as a base station of the terminal 101. Since the base station function is general, detailed operations are not directly related to the present invention, and thus description thereof is omitted.

  Next, the operation of the present embodiment will be described with reference to the sequence chart of FIG.

  When the power is turned on (step S1), the femto AP 201 performs line authentication with the AAA server 401 (step S2). An example of the detailed procedure of this line authentication is shown in FIGS. FIG. 7 shows a procedure when the line authentication succeeds, and FIG. 8 shows a procedure when the line authentication fails.

  In the example of FIGS. 7 and 8, the femto AP 201 transmits a line authentication request with its own IMSI (or an ID uniquely generated therefrom) to the network L3 (step S21). This line authentication request is relayed by the IP-Edge 301, and the access line information of the femto AP 201 is added to the AAA server 401.

  The AAA server 401 reads the normal access line information corresponding to the IMSI added to the line authentication request from the line authentication information 414A, and uses the read normal access line information and the access line information added to the line authentication request. By comparing, it is authenticated whether or not the line authentication request source is valid (step S22).

  If both access line information matches, the AAA server 401 determines that the femto AP 201 is valid, and associates the line authentication result indicating that the line authentication is successful with the IMSI added to the line authentication request. The result 414B is stored (step S23). Next, the AAA server 401 transmits a reply with an IP address and information for accessing other networks to the femto AP 201 that has succeeded in the line authentication (step S24). The femto AP 201 that has received this reply can connect to the network L3 using the IP address added to the reply.

  On the other hand, if the access line information on both sides does not match, the AAA server 401 determines that the femto AP 201 is not valid, and responds to the IMSI added to the line authentication request with the line authentication result indicating that the line authentication has failed. In addition, it is stored in the line authentication result 414B (step S25). Next, the AAA server 401 notifies the reply to that effect to the femto AP 201 that has failed in the line authentication (step S26). The femto AP 201 that has received this reply cannot connect to the network L3 unless the IP address is falsified because the legitimate IP address has not been issued.

  Referring to FIG. 6 again, when the femto AP 201 completes the line authentication, it next performs access authentication with the AAA server 401 (step S3). An example of the detailed procedure of this access authentication is shown in FIGS. FIG. 9 shows a procedure when access authentication is successful, and FIG. 10 shows a procedure when access authentication fails.

  In the example of FIGS. 9 and 10, the femto AP 201 transmits an access authentication request with its own IMSI (or an ID uniquely generated therefrom) added to the AAA server 401 (step S31). The AAA server 41 refers to the line authentication result held corresponding to the IMSI added to the received access authentication request from the line authentication result 414B, and confirms whether or not the line authentication result is normally completed ( Step S32).

  If it is confirmed that the line authentication has not been performed or has not been successful, the AAA server 401 transmits an authentication failure notification to the femto AP 201 that is the access authentication request source (step S31). S33).

  On the other hand, when it is confirmed that the line authentication is successful, the AAA server 401 continues the access authentication process for the access authentication request source femto AP 201 as follows.

  First, the AAA server 401 generates authentication information (RAND, IK, CK, AUTN, RES) to confirm that the femto AP 201 is correct based on the received IMSI (step S34). Next, the AAA server 401 transmits AUTN, MAC, and RAND necessary for authentication of the femto AP 201 among the generated authentication information (step S35).

  The femto AP 201 generates authentication information (RAND, IK, CK, AUTN, RES) based on the received RAND (step S36). Then, the femto AP 201 confirms that the generated AUTN matches the received AUTN, and confirms that the AAA server 401 is a correct AAA server. Subsequently, the femto AP 201 transmits the generated RES and MAC as an authentication request to the AAA server 401 (step S37).

  The AAA server 401 confirms that the RES generated in step S34 matches the received RES, and confirms that the femto AP 201 is a correct femto AP (step S38). Then, the AAA server 401 transmits that the authentication is successful to the femto AP 201 (step S39). The AAA server 401 promptly displays the line authentication result of the femto AP 201 stored in the line authentication result 414B after the line authentication of the femto AP 201 is successful, in a state where the line authentication is not performed or the line authentication. You may make it rewrite in the state which has failed.

  Next, a situation as shown in FIG. 11 is assumed in which a femto AP installed at a normal place is illegally moved. In FIG. 11, a femto AP 201 is a femto AP used in a normal location, and a femto AP 202 is an illegally moved femto AP. Reference numeral 102 denotes a terminal similar to the terminal 101, and L4 denotes a line similar to the line L2.

  Consider authentication from Femto AP201. First, the femto AP 201 transmits a line authentication request to the AAA server 401 in order to perform line authentication. When this request passes through the IP Edge 301, the access line information of the line L2 is attached and the request reaches the AAA server 401. Since the femto AP 201 is used in a normal place, this line authentication is successful. Thereafter, the femto AP 201 transmits an access authentication request to the AAA server 401 in order to perform access authentication. The AAA server 401 confirms the line authentication result of the femto AP 201 based on the IMSI of the received access authentication request. Since the line authentication is successful, the femto AP 201 continues the access authentication process. If the access authentication is successful, the AAA server 401 notifies the success of the authentication, and the femto AP 201 can access the network.

  Next, consider the femto AP 202 that has been illegally moved. In order to perform line authentication, the line authentication request transmitted by the femto AP 202 is given access line information of the line L4 by the IP Edge 301 and reaches the AAA server 401. The AAA server 401 performs line authentication based on the received IMSI and access line information. However, the request for line authentication from the illegally moved femto AP 202 does not match the pre-registered access line information (slot ID). , Port ID and VLAN ID will be different), line authentication will not succeed.

  Even if the femto AP 202 verifies the IP address and performs access authentication without performing line authentication, the femto AP 202 does not perform line authentication, so access authentication does not succeed (access authentication by the AAA server 401). When the request is received, since the corresponding IMSI does not perform line authentication, the access authentication process is interrupted and an authentication error is returned to the femto AP 202).

  In this way, the femto AP that has been illegally moved cannot access the network and can prevent its use.

[Other embodiments]
The present invention is not limited to the above-described embodiment, and various other additions and changes can be made. For example, the present invention can be used in any system in which the femto AP requires line authentication and the AAA server can know the result of the line authentication. Therefore, even in a configuration in which the AAA server does not perform line authentication, the configuration can be applied as long as the result of the line authentication performed by another device can be notified to the AAA server. Specifically, the line authentication server device connected to the femto AP through the communication network includes a line authentication unit, and the access authentication unit is connected to the access authentication device connected to the femto AP and the line authentication server device through the communication network. You may make it prepare.

101 terminals
201 Femto AP
202 Femto AP
213 Memory
214 Arithmetic processing section
215P program
216A line authentication unit
216B Access authentication unit
216C Base station function
412 Memory unit
413 Arithmetic processor
414 Memory
414A line authentication information
414B line authentication result
414P program
415A line authentication unit
415B access authentication unit
L1 wireless line
L2 line
L3 network

Claims (8)

A line that performs line authentication for confirming whether or not the ultra-small mobile phone base station is communicating through a predetermined line and stores the result of the line authentication in association with the IMSI of the micro-mobile phone base station Authentication means;
When the access authentication request including the IMSI of the micro cell phone base station is received, whether or not the line authentication of the micro cell phone base station having the IMSI is normally completed is stored in the line authentication means. An authentication system comprising: an access authentication unit that makes a determination based on a result of the line authentication and rejects the access authentication request if the line authentication is not normally completed.   2. The authentication system according to claim 1, wherein the access authentication means performs authentication based on EAP-AKA for a micro cellular phone base station for which line authentication has been normally completed.   The line authentication means holds the access line information of the regular line in association with the IMSI of the micro cellular phone base station, and receives the line authentication request with the IMSI and the access line information added thereto. By comparing the access line information of the legitimate line held in association with the same IMSI as the IMSI added to the request and the access line information added to the line authentication request, 3. The authentication system according to claim 1, wherein authentication is performed to determine whether the small mobile phone base station is valid.   4. The authentication according to claim 1, wherein an authentication server device connected to the micro cellular phone base station through a communication network includes the line authentication unit and the access authentication unit. system.   An access authentication device provided with the line authentication means in a line authentication server device connected to the micro cellular phone base station through a communication network, and connected to the micro cellular phone base station and the line authentication server device through the communication network 4. The authentication system according to claim 1, further comprising: the access authentication unit. Perform line authentication to confirm whether or not the ultra-small mobile phone base station is communicating through a predetermined line, and store the result of the line authentication in association with the IMSI of the ultra-small mobile phone base station ,
When the access authentication request including the IMSI of the micro cellular phone base station is received, whether or not the channel authentication of the micro cellular phone base station having the IMSI is normally completed is stored in the stored circuit authentication. Judging based on the result, if the line authentication is not completed normally, the access authentication request is rejected.
An authentication method characterized by that. A line that performs line authentication for confirming whether or not the ultra-small mobile phone base station is communicating through a predetermined line and stores the result of the line authentication in association with the IMSI of the micro-mobile phone base station Authentication means;
When the access authentication request including the IMSI of the micro cell phone base station is received, whether or not the line authentication of the micro cell phone base station having the IMSI is normally completed is stored in the line authentication means. An authentication server comprising: an access authentication unit that makes a determination based on a result of the line authentication and rejects the access authentication request if the line authentication is not normally completed. Computer
A line that performs line authentication for confirming whether or not the ultra-small mobile phone base station is communicating through a predetermined line and stores the result of the line authentication in association with the IMSI of the micro-mobile phone base station Authentication means;
When the access authentication request including the IMSI of the micro cell phone base station is received, whether or not the line authentication of the micro cell phone base station having the IMSI is normally completed is stored in the line authentication means. A program for making a determination based on the result of the line authentication, and for functioning as an access authentication means for rejecting the access authentication request if the line authentication is not normally completed.

Images