WO2008006309A1 - Method and apparatus for determining service type of key request - Google Patents

Method and apparatus for determining service type of key request Download PDF

Info

Publication number
WO2008006309A1
WO2008006309A1 PCT/CN2007/070185 CN2007070185W WO2008006309A1 WO 2008006309 A1 WO2008006309 A1 WO 2008006309A1 CN 2007070185 W CN2007070185 W CN 2007070185W WO 2008006309 A1 WO2008006309 A1 WO 2008006309A1
Authority
WO
WIPO (PCT)
Prior art keywords
request
key
message
service
naf
Prior art date
Application number
PCT/CN2007/070185
Other languages
French (fr)
Chinese (zh)
Inventor
Yanmei Yang
Chengdong He
Original Assignee
Huawei Technologies Co., Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd. filed Critical Huawei Technologies Co., Ltd.
Publication of WO2008006309A1 publication Critical patent/WO2008006309A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0431Key distribution or pre-distribution; Key agreement

Definitions

  • the present invention relates to the field of network communication technologies, and in particular, to a method and apparatus for determining a key request service type. Background technique
  • multiple application service entities use a common structure for performing user identity verification, namely the Generic Authentication Architecture (GAA).
  • GAA Generic Authentication Architecture
  • the application of the universal authentication framework enables the user of the application service to check and verify the identity, and provides a key for secure communication for the user to access the application service.
  • the plurality of application services may be a multicast or broadcast service, a user certificate service, an information immediate service, or a proxy service.
  • FIG. 1 shows the structure of GAA:
  • the universal authentication framework is usually located by the UE (user;), the Bootstrapping Server Function (BSF), the Home Subscriber Server (HSS), and the location of the HSS.
  • the user location function entity (SLF, Subscriber Locator Function) and the network application function entity (NAF, Network Application Function).
  • the BSF is used for mutual authentication with the UE, and generates a shared key Ks of the BSF and the user.
  • the HSS stores a description file for describing user information, and the HSS also has the function of generating authentication information. Dz, Zh, Zn, Ub, and Ua are interfaces between entities.
  • the UE when the UE needs to use a certain service, it needs to contact the network application function entity NAF corresponding to the service, that is, the UE initiates a connection request to the NAF.
  • the UE If the NAF uses the GAA universal authentication framework, the UE first needs to authenticate with the BSF to verify the identity. After the authentication succeeds, the UE calculates the derived key Ks_NAF that communicates with the NAF based on the shared key Ks with the BSF, and sends the session transaction identifier (B-TID) containing the Ks information to the NAF, according to the received B. -TID obtains the derived key Ks_NAF of the shared key Ks from the BSF. In this way, the UE will It is possible to communicate securely with the NAF using the derived key Ks-NAF at the Ua port.
  • B-TID session transaction identifier
  • the network side needs to initiate a communication request to the UE, that is, push the service.
  • the NAF Before the NAF sends a push message to the user, it needs to go to the BSF to request the Ks-NAF derived key of the Ua port communication.
  • the BSF receives the key request from the NAF, first of all, it needs to know the NAF request type, that is, the Ua interface service communication type is a service initiated by the general UE or a push service initiated by the NAF;
  • the BSF also needs to distinguish between a general NAF-related key request and a Ks key renegotiation request. Then, according to the type of business, the corresponding processing is done.
  • the BSF needs to find whether there is a Ks key corresponding to the B-TID locally, and if not, an error message will be returned to the NAF; however, if it is a push service, and If the key corresponding to the user is not found, then the BSF needs to obtain a set of authentication vectors from the user home server HSS, and then calculate a new Ks and derived key and B-TID, and the authentication vector
  • the authentication token AUTN is sent to the NAF with the derived key and the B-TID.
  • the NAF when the NAF already has a NAF-related key that is protected by the UE, but because the key is valid, or for other reasons, the NAF wants to update the key and the original Bootstrapping session data. (Ks, B-TID, etc.), then the NAF needs to perform Ks key renegotiation with the BSF.
  • the BSF will obtain a set of authentication vectors from the HSS regardless of whether the existing Ks is valid, and then calculate a new Ks and derived key and B-TID, and will be in the authentication vector.
  • AUTN and derived keys and B-TID are sent to NAF.
  • a key request is sent to the BSF, that is, a self-boot authentication protocol information request (BIR, Bootstrapping-Info-Request).
  • BIR self-boot authentication protocol information request
  • the BSF finds the key Ks corresponding to the B-TID, it calculates the Ks derived key according to parameters such as NAF-ID (NAF identification) and Ks, RAND (random number), and then passes the self-guiding authentication protocol information.
  • a response (BIA, Bootstrapping-Info-Answer) message is sent to the NAF.
  • the current GAA push technology does not provide an effective solution for how the NAF notifies the BSF of its request type. This will cause the BSF to receive the NAF key request and not know how to make the request. The correct response. Summary of the invention
  • the embodiment of the present invention provides a method for determining a key request service type, which can effectively distinguish the Ua interface service communication type after receiving the key request, thereby correctly responding to the NAF request.
  • An embodiment of the present invention provides a method for determining a key request service type, including: carrying a request service type information in a request service key message;
  • the service type of the requested key application is a push service.
  • An embodiment of the present invention provides a system for determining a key request service type, including: a message generating unit, configured to carry a request push service type information in a request service key message;
  • the determining unit is configured to determine, according to the service type information carried in the request service key message, a service type of the requested key application as a push service.
  • the embodiment of the invention further provides a network application function entity, including:
  • a message generating unit configured to carry the request push service type information in the request service key message
  • a sending unit configured to send a request service key generated by the message generating unit and carrying the request to push the service type information; %, a packet, and a packet.
  • the embodiment of the present invention further provides a self-booting authentication protocol service function entity, including: a receiving unit, configured to receive a request service key message carrying the request push service type information; and a determining unit, configured to use the request service key according to the request
  • the service type information carried in the message determines that the service type of the requested key application is a push service.
  • the technical solution provided by the embodiment of the present invention carries the request service type information in the GAA request service key message, so that the BSF can determine the type of the requested service key according to the information, and correctly respond to the NAF request.
  • the invention can provide guarantee for the selection of the GAA push service key, thereby ensuring the security of the push service.
  • 1 is a schematic structural diagram of a general authentication framework in the prior art
  • 2 is a flow chart of an implementation of a preferred embodiment of the present invention. detailed description
  • the technical solution provided by the embodiment of the present invention is that, in the GAA push service, when the NAF sends a key secret request to the BSF, the BSF is notified of the key request type, so that the BSF responds correctly to the NAF request.
  • the DIAMETER message of the key request message BIR sent on the existing Zn interface may be extended, and the B-TID parameter in the BIR message is reused to transmit the user identity information, and the information is extended.
  • the other parameter value indicates the request type, or a parameter that identifies the user identity is added to the BIR message. Or extend the Zn interface to define a push service key request message similar to the existing BIR message.
  • Figure 2 is a flow diagram of an implementation of a preferred embodiment of the present invention:
  • Step 201 The NAF sends a service key request message to the BSF, where the BSF request type can be indicated as pushing.
  • the NAF Since in the normal GAA process, when the NAF needs to communicate with the UE using the GBA key, it will send a BIR authentication, authorization, accounting protocol Diameter message to the BSF, requesting the Ks-NAF key, and therefore in the GAA push service. In the modification, or by using some parameters in the existing BIR message, the BSF NAF may be notified that the key to be requested is to be used for push service communication.
  • AVPs - Existing GAA Push Processes BSF needs to know which user NAF wants to push information to. In order for the BSF to find the authentication information corresponding to the user, and to determine whether the NAF has the right to push the information to the user.
  • the NAF when the NAF requests a key from the BSF, it needs to send the identity of the user to the BSF, and instructs the BSF to request the service type to be push, that is, to notify the BSF that the key to be requested by the NAF is to be used for pushing the service communication.
  • the BSF may be notified by modifying or utilizing some parameters in the existing BIR message:
  • the key to be requested by the NAF is to be used for push service communication.
  • the following is a detailed description of the structure of the BIR message in the prior art.
  • User identification parameters can be carried in any of the following ways:
  • the BSF uses the B-TID parameter in the BIR message to convey a certain identity of the user, such as the user's IP Multimedia Subsystem Private User Identity (IMPI), International Mobile Subscriber Identity (IMSI), or International Mobile Subscriber Identifier (IPSI).
  • IMPI IP Multimedia Subsystem Private User Identity
  • IMSI International Mobile Subscriber Identity
  • IPSI International Mobile Subscriber Identifier
  • Subsystem public user An identification (IMPU) or the like used to identify the identity of the user.
  • the BSF After the BSF receives the BIR message, it can obtain the user identity from the parameter. In this case, other parameters need to be extended to assist the BSF to further distinguish whether the GBA push service.
  • the GAA-Service-Identifier parameter in the BIR message may be extended by a new value, or may be implemented by extending the value of the NAF-Id parameter, or may be implemented by extending the Vendor-Specific-Application-Id value. , or can be achieved by extending the Application-ID of the Diameter header.
  • the BSF can directly form the user identity itself carried in the Transaction-Identifier parameter carrying the B-TID.
  • the format is used to know whether or not the B-TID is carried, so as to further distinguish whether it is a normal GBA request or a GAApush, and does not need to extend other parameter values.
  • the BSF can determine whether the push service key request is based on whether the newly added user identity parameter or the B-TID parameter is included in the key request message sent by the NAF.
  • B-TID For example, if there is a B-TID parameter in the BIR message, it indicates that the normal UE initiates a key request for the service. If there is a User-Name or Public-Identity AVP parameter or other type of AVP parameter in the BIR message, it indicates a key request for the GBA push service.
  • the GAA-Service-Identifier or Application-ID parameter indicates to the BSF the type of request.
  • a Bootstrapping-Info-Push-Request (Built-in Authentication Protocol Push Request) message similar to a BIR message is defined.
  • Command-Code in the above Diameter header A new value is defined in the field to indicate the message command, and all the parameters that need to be carried in the GAA push service are defined in this new message.
  • the format of the message can be specified as:
  • Bootstrapping-Info-Push-Request:: ⁇ Diameter Header: 311, REQ, PXY, 16777220 >
  • the value of the Diameter Header 311 indicates that the message is a push service key request.
  • Step 202 After receiving the request message, the BSF determines the service type of the key application requested by the NAF according to the request type information carried in the message, and selects an available push service key for the NAF.
  • Step 203 When the NAF needs to update the push service key, send a push service key renegotiation request message to the BSF, and carry the request type information in the message.
  • the NAF needs to update the key and the original Bootstrapping session data (Ks, B). -TID, etc.).
  • the NAF needs to send a Ks key renegotiation request to the BSF.
  • the BSF After receiving the BSF, the BSF will obtain a new set of authentication vectors from the HSS regardless of whether the existing Ks has expired. Then a new Ks and derived key and B-TID are calculated, and the AUTN and derived key and B-TID in the authentication vector are sent to the NAF.
  • the Ks renegotiation request may use the same message as the push service key request.
  • the BSF can distinguish whether to push the service key request message or the Ks renegotiation request message in the following two manners.
  • the Ks renegotiation request message extends the push service key request message, that is, the Ks renegotiation request message and the push service key request message use the same Diameter Header and other common parameters, but only set special values for some parameters. To indicate that it is a Ks renegotiation request.
  • the request message carries a B-TID to indicate, or carries a special AVP parameter value, such as adding a GSID (GAA-Service-Identifier) or an application ID or a NAF-ID value.
  • the BSF can directly carry the user identity itself carried in the parameter Transaction-Identifier carrying the B-TID. Form the format to know if the user identity is a B-TID. And further distinguish whether it is a normal GBA request, or GAA push, do not need to extend other parameter values.
  • both the B-TID and the user's permanent identity can identify a user, so the message can carry the B-TID or carry the user's permanent identity.
  • a new value needs to be defined in the Command-Code field in the Diameter Header of the message. Indicates the message command and defines all the parameters that need to be carried in the GAA push service in this new message.
  • Bootstrapping-Info-Push-Request:: ⁇ Diameter Header: 312, REQ, PXY, 16777220 >
  • Step 204 After receiving the request message, the BSF reselects the push service key according to the request type information carried in the message for the NAF.
  • the following describes, respectively, the key request sent by the NAF in the present invention and the various implementation processes of the BSF determining the Ua interface service communication type according to the request.
  • the GAA push service key request message is sent to the BSF.
  • User identification information is carried in the request message.
  • the message can be sent in the following way:
  • BIR Use the BIR message of the Diameter protocol, and carry the user identity in the B-TID of the message. Know the information, and extend the existing GSID or Vendor-Specific-Application-Id or Application ID value or NAF-ID to inform BSF NAF that you want to push services on the Ua interface.
  • the value of B-TID represents the user identity.
  • logo The structure of the message is exactly the same as the existing BIRD's. It only extends the value of the parameter GSID or Vendor-Specific-Application-Id, or adds a new value to the NAF-ID or Application ID.
  • the BSF can know that the NAF needs to request the push service key according to the value of the extended parameter GSID or Vendor-Specific-Application-Id or the value of the NAF-ID or the Application ID. Then, the user identity is obtained from the value of the B-TID, and processed according to the existing GAA push process.
  • the GAF push service key request message is sent to the BSF, and the user identity information is carried in the request message.
  • the message may be sent in the following way:
  • the BIR message of the Diameter protocol is extended, that is, some parameters are added to the existing BIR message to indicate. If the NAF needs to notify the BSF of the user's private identity, the AVP parameter of the User-Name can be added to the BIR message. If the NAF needs to notify the BSF of the user's public identity, then the AVP parameter of the Public-Identity can be added to the BIR message. Similarly, if it is another type of identification, the corresponding AVP parameters are added.
  • the Vendor-Specific-Application-Id, or Application ID value, or NAF-ID is used to inform the BSF that the NAF wants to push the service mode on the Ua interface, and also adds the AVP parameter indicating the user identity.
  • the BSF After receiving the above request message, the BSF knows that the NAF is requesting the GAA push service key according to the type of the user identity provided by the NAF. That is, if there is a B-TID in the BIR, it indicates a key request for the normal UE to initiate the service; if the BIR message has the AVP parameter of the User-Name or Public-Identity and other types of AVP parameters, it indicates that the NAF initiates Push the key request for the business. Then follow the existing GAA push process for subsequent processing.
  • the GAA push service key request message is sent to the BSF, and the user identity information is carried in the request message.
  • the message can be sent in the following way:
  • the BSF can know that the message is a requesting GAA push service key according to the type of the request message, and can obtain the required information from each AVP parameter. Then you can follow the existing GAA push process for subsequent processing.
  • the NAF needs to send a push message to the UE, and the locally negotiated GAA push service key, the key needs to be updated for some reason and thus needs to update the existing Bootstrapping session data.
  • the NAF sends a push service key renegotiation request message to the BSF, where the request message carries user identity information, which may be a permanent identity identifier or a B-TID.
  • the push service key renegotiation request message can be implemented in the following manner:
  • the command code such as 312
  • the extended push service key request message is used as the push service key renegotiation request message, that is, the push service key renegotiation request message and the push service key request message use the same Diameter Header and other common parameters. Just set a special value for some parameters to indicate that it is a Ks renegotiation request. For example, the B-TID is carried in the request message to represent or carry a special AVP parameter.
  • Push service key renegotiation request message is the same as general push service key request A key request message, and the BSF records all NAF names that have requested the key from the BSF during a certain Ks validity period. For example, corresponding to a Ks, all NAFs that have used the Ks are saved in a NAF list. When the key request of any NAF in the list is received again within the validity period of the Ks, it is considered as a Ks renegotiation request.
  • the BSF can know that the message is a requesting GAA push service key according to the type of the request message, and can obtain the required information from each AVP parameter. Then you can follow the existing GAA push process for subsequent processing.
  • the technical solution provided by the embodiment of the present invention in the GAA push service is self-booting (Bossapping) by using the Diameter (New Generation Authentication, Authorization, Accounting Protocol) message sent on the existing Zn interface.
  • the BIR is extended by the BIR message, and the B-TID parameter in the BIR message is used to transmit the user identity information, and the other parameter value indication request type is extended, or the parameter identifying the user identity is added to the BIR message, so that the BSF is based on the BIR.
  • the B-TID parameter or the user identity information carried in the message can determine that the service key request is pushed, and the NAF request is correctly responded.
  • a push service key request message similar to the existing BIR message is defined.
  • the BSF can learn the Ua interface service type from the message type, so that the NAF can be selected for use.
  • Push business key can provide guarantee for the selection of the GAA push service key, thereby ensuring the security of the push service.

Abstract

A method for determining a service type of a key request comprises the steps of: carrying an information of the requested service type in the key message of the requested push service; determining the service type of the requested key applying according to the requested type information carried in the key message of the requested push service. An apparatus for determining a service type of a key request includes: a message generating unit for carrying an information of the requested service type in the key message of the requested push service; and a judging unit for determining the service type of the key applying requested by a network application function entity according to the requested type information carried in the key message of the requested push service.

Description

一种确定密钥请求业务类型方法及装置  Method and device for determining key request service type
本申请要求于 2006 年 07 月 04 日提交中国专利局、 申请号为 200610101049.1、发明名称为"通用鉴权框架中确定密钥请求业务类型方法" 的中国专利申请的优先权, 其全部内容通过引用结合在本申请中。 技术领域  This application claims priority to Chinese Patent Application No. 200610101049.1, entitled "Method for Determining Key Request Service Type in General Authentication Framework", filed on July 4, 2006, the entire contents of which are hereby incorporated by reference. Combined in this application. Technical field
本发明涉及网络通信技术领域, 具体涉及一种确定密钥请求业务类型 的方法及装置。 背景技术  The present invention relates to the field of network communication technologies, and in particular, to a method and apparatus for determining a key request service type. Background technique
在第三代无线通信标准中, 多种应用业务实体使用一个用于完成对用 户身份进行验证的通用结构,即通用鉴权框架( GAA, Generic Authentication Architecture )。 应用通用鉴权框架可实现对应用业务的用户进行检查和验证 身份, 并为用户访问应用业务提供安全通信的密钥。 所述多种应用业务可 以是多播或广播业务、 用户证书业务、 信息即时提供业务等, 也可以是代 理业务。  In the third generation of wireless communication standards, multiple application service entities use a common structure for performing user identity verification, namely the Generic Authentication Architecture (GAA). The application of the universal authentication framework enables the user of the application service to check and verify the identity, and provides a key for secure communication for the user to access the application service. The plurality of application services may be a multicast or broadcast service, a user certificate service, an information immediate service, or a proxy service.
图 1为 GAA的结构示意图:  Figure 1 shows the structure of GAA:
通用鉴权框架通常由 UE (用户;)、执行用户身份初始检查验证的自引导 鉴权协议服务功能实体( BSF, Bootstrapping Server Function )、 用户归属服 务器(HSS, Home Subscriber Server ), 定位 HSS的位置的用户位置功能实 体( SLF , Subscriber Locator Function )和网络应用功能实体( NAF , Network Application Function )组成。 BSF用于与 UE进行互验证身份, 同时生成 BSF 与用户的共享密钥 Ks; HSS中存储用于描述用户信息的描述文件, 同时 HSS 还兼有产生鉴权信息的功能。 Dz、 Zh、 Zn、 Ub、 Ua为各实体之间的接口。  The universal authentication framework is usually located by the UE (user;), the Bootstrapping Server Function (BSF), the Home Subscriber Server (HSS), and the location of the HSS. The user location function entity (SLF, Subscriber Locator Function) and the network application function entity (NAF, Network Application Function). The BSF is used for mutual authentication with the UE, and generates a shared key Ks of the BSF and the user. The HSS stores a description file for describing user information, and the HSS also has the function of generating authentication information. Dz, Zh, Zn, Ub, and Ua are interfaces between entities.
通常情况下, UE需要使用某种业务时, 需要和该业务对应的网络应用 功能实体 NAF联系, 即 UE主动向 NAF发起连接请求。 如果该 NAF使用 GAA 通用鉴权框架, 则 UE首先需要和 BSF进行互鉴权, 以验证身份。 鉴权成功 后, UE根据与 BSF的共享密钥 Ks计算出与 NAF加密通信的衍生密钥 Ks_NAF, 同时将包含 Ks信息的会话事务标识(B-TID )发送给 NAF, NAF 根据收到的 B-TID从 BSF获得共享密钥 Ks的衍生密钥 Ks— NAF。 这样, UE就 可以和 NAF使用衍生密钥 Ks— NAF在 Ua口进行安全通信。 Generally, when the UE needs to use a certain service, it needs to contact the network application function entity NAF corresponding to the service, that is, the UE initiates a connection request to the NAF. If the NAF uses the GAA universal authentication framework, the UE first needs to authenticate with the BSF to verify the identity. After the authentication succeeds, the UE calculates the derived key Ks_NAF that communicates with the NAF based on the shared key Ks with the BSF, and sends the session transaction identifier (B-TID) containing the Ks information to the NAF, according to the received B. -TID obtains the derived key Ks_NAF of the shared key Ks from the BSF. In this way, the UE will It is possible to communicate securely with the NAF using the derived key Ks-NAF at the Ua port.
在某些应用场景, 需要网络侧向 UE主动发起通信请求, 即推送(push ) 业务。 在 NAF向用户发送推送消息前, 需要先到 BSF请求 Ua口通信的 Ks— NAF衍生密钥。当 BSF收到 NAF发来的密钥请求时,首先,需要知道 NAF 请求类型, 即 Ua接口业务通信类型是属于一般的 UE主动发起的业务, 还是 由 NAF主动发起的推送业务; 如果是推送业务, BSF还需要区分是一般的 NAF相关密钥请求, 还是 Ks密钥重协商请求。 然后, 再根据业务类型做出 相应的处理。 比如, 如果是一般 UE发起业务, BSF收到请求后, 需要查找 本地是否存有与 B-TID对应的 Ks密钥,如果没有将会向 NAF返回一个出错消 息; 但是, 如果是推送业务, 并且找不到与用户对应的密钥, 那么 BSF就需 要从用户归属服务器 HSS获得一组鉴权向量, 然后, 计算出一个新的 Ks和 衍生密钥以及 B-TID , 并将鉴权向量中的认证令牌 AUTN与衍生密钥以及 B-TID发送给 NAF。 另外, 当 NAF已经具备一个和 UE进行通信保护的 NAF 相关密钥, 但是由于该密钥到了有效期, 或者其他原因, NAF想要更新密 钥以及原有的自引导鉴权协议( Bootstrapping )会话数据 ( Ks、 B-TID等 ), 那么 NAF就需要和 BSF进行 Ks密钥重协商。 在这种情况下, BSF不管已有的 Ks是否到了有效期, 都将从 HSS获得一组鉴权向量, 然后计算出一个新的 Ks和衍生密钥以及 B-TID , 并将鉴权向量中的 AUTN与衍生密钥以及 B-TID 发给 NAF。  In some application scenarios, the network side needs to initiate a communication request to the UE, that is, push the service. Before the NAF sends a push message to the user, it needs to go to the BSF to request the Ks-NAF derived key of the Ua port communication. When the BSF receives the key request from the NAF, first of all, it needs to know the NAF request type, that is, the Ua interface service communication type is a service initiated by the general UE or a push service initiated by the NAF; The BSF also needs to distinguish between a general NAF-related key request and a Ks key renegotiation request. Then, according to the type of business, the corresponding processing is done. For example, if the general UE initiates a service, after receiving the request, the BSF needs to find whether there is a Ks key corresponding to the B-TID locally, and if not, an error message will be returned to the NAF; however, if it is a push service, and If the key corresponding to the user is not found, then the BSF needs to obtain a set of authentication vectors from the user home server HSS, and then calculate a new Ks and derived key and B-TID, and the authentication vector The authentication token AUTN is sent to the NAF with the derived key and the B-TID. In addition, when the NAF already has a NAF-related key that is protected by the UE, but because the key is valid, or for other reasons, the NAF wants to update the key and the original Bootstrapping session data. (Ks, B-TID, etc.), then the NAF needs to perform Ks key renegotiation with the BSF. In this case, the BSF will obtain a set of authentication vectors from the HSS regardless of whether the existing Ks is valid, and then calculate a new Ks and derived key and B-TID, and will be in the authentication vector. AUTN and derived keys and B-TID are sent to NAF.
在现有 GAA技术中, 只提供了 UE发起业务这一种类型的通信安全的实 现方案。 当 NAF收到 UE的通信请求以后, 如果该请求携带 B-TID, 那么便 向 BSF发送一个密钥请求, 即自 引导鉴权协议信息请求 ( BIR , Bootstrapping-Info-Request )。 BSF查找到与 B-TID对应的密钥 Ks后, 便根据 NAF-ID ( NAF标识) 以及 Ks、 RAND (随机数)等参数计算出 Ks衍生密钥, 然后将其通过自引导鉴权协议信息应答(BIA, Bootstrapping-Info-Answer ) 消息发送给 NAF。 目前的 GAA推送技术中没有提供 NAF如何通知 BSF其请求类型的有效方 案, 这将会导致 BSF收到 NAF的密钥请求以后, 不知道对该请求如何做出 正确的响应。 发明内容 In the existing GAA technology, only one type of communication security implementation scheme of the UE initiated service is provided. After the NAF receives the communication request from the UE, if the request carries the B-TID, then a key request is sent to the BSF, that is, a self-boot authentication protocol information request (BIR, Bootstrapping-Info-Request). After the BSF finds the key Ks corresponding to the B-TID, it calculates the Ks derived key according to parameters such as NAF-ID (NAF identification) and Ks, RAND (random number), and then passes the self-guiding authentication protocol information. A response (BIA, Bootstrapping-Info-Answer) message is sent to the NAF. The current GAA push technology does not provide an effective solution for how the NAF notifies the BSF of its request type. This will cause the BSF to receive the NAF key request and not know how to make the request. The correct response. Summary of the invention
本发明实施例提供一种确定密钥请求业务类型方法, 在收到密钥请求 后能够有效地区分出 Ua接口业务通信类型, 从而对 NAF的请求做出正确 的响应。  The embodiment of the present invention provides a method for determining a key request service type, which can effectively distinguish the Ua interface service communication type after receiving the key request, thereby correctly responding to the NAF request.
本发明实施例提供一种确定密钥请求业务类型的方法, 包括: 在请求业务密钥消息中携带请求推送业务类型信息;  An embodiment of the present invention provides a method for determining a key request service type, including: carrying a request service type information in a request service key message;
根据该请求业务密钥消息中携带的业务类型信息确定所请求的密钥应用的 业务类型为推送业务。 And determining, according to the service type information carried in the request service key message, the service type of the requested key application is a push service.
本发明实施例提供一种确定密钥请求业务类型的系统, 包括: 消息生成单元, 用于在请求业务密钥消息中携带请求推送业务类型信 息;  An embodiment of the present invention provides a system for determining a key request service type, including: a message generating unit, configured to carry a request push service type information in a request service key message;
判断单元, 用于根据所述请求业务密钥消息中携带的业务类型信息确 定所请求的密钥应用的业务类型为推送业务。  The determining unit is configured to determine, according to the service type information carried in the request service key message, a service type of the requested key application as a push service.
本发明实施例还提供一种网络应用功能实体, 包括:  The embodiment of the invention further provides a network application function entity, including:
消息生成单元, 用于在请求业务密钥消息中携带请求推送业务类型信 息;  a message generating unit, configured to carry the request push service type information in the request service key message;
发送单元, 用于发送所述消息生成单元生成的、 携带请求推送业务类 型信息的请求业务密钥; % ,包、。  a sending unit, configured to send a request service key generated by the message generating unit and carrying the request to push the service type information; %, a packet, and a packet.
本发明实施例还提供一种自引导鉴权协议服务功能实体, 包括: 接收单元, 用于接收携带请求推送业务类型信息的请求业务密钥消息; 判断单元, 用于根据所述请求业务密钥消息中携带的业务类型信息确 定所请求的密钥应用的业务类型为推送业务。  The embodiment of the present invention further provides a self-booting authentication protocol service function entity, including: a receiving unit, configured to receive a request service key message carrying the request push service type information; and a determining unit, configured to use the request service key according to the request The service type information carried in the message determines that the service type of the requested key application is a push service.
本发明实施例提供的技术方案通过在 GAA请求业务密钥消息中携带请 求业务类型信息, 使 BSF根据该信息即可判断所请求的业务密钥的类型, 对 NAF的请求做出正确的响应。 利用本发明, 可以为 GAA推送业务密钥 的选择提供保障, 进而保障了推送业务的安全性。 附图说明  The technical solution provided by the embodiment of the present invention carries the request service type information in the GAA request service key message, so that the BSF can determine the type of the requested service key according to the information, and correctly respond to the NAF request. The invention can provide guarantee for the selection of the GAA push service key, thereby ensuring the security of the push service. DRAWINGS
图 1是现有技术中通用鉴权框架结构示意图; 图 2本发明的一个优选实施例的实现方法流程图。 具体实施方式 1 is a schematic structural diagram of a general authentication framework in the prior art; 2 is a flow chart of an implementation of a preferred embodiment of the present invention. detailed description
本发明实施例提供的技术方案, 在于在 GAA推送业务中, 在 NAF向 BSF发送钥密请求时, 通知 BSF其密钥请求类型, 使 BSF对 NAF的请求 做出正确的响应。 为了使 BSF能够识别 NAF的密钥请求类型, 可以对现有 的 Zn接口上发送的密钥请求消息 BIR的 DIAMETER消息进行扩展, 重用 BIR消息中的 B-TID参数传递用户身份标识信息, 同时扩展其他参数取值 指示请求类型, 或者在 BIR消息中增加标识用户身份标识的参数。 或者对 Zn接口进行扩展,定义一个类似于现有 BIR消息的推送业务密钥请求消息。  The technical solution provided by the embodiment of the present invention is that, in the GAA push service, when the NAF sends a key secret request to the BSF, the BSF is notified of the key request type, so that the BSF responds correctly to the NAF request. In order to enable the BSF to identify the key request type of the NAF, the DIAMETER message of the key request message BIR sent on the existing Zn interface may be extended, and the B-TID parameter in the BIR message is reused to transmit the user identity information, and the information is extended. The other parameter value indicates the request type, or a parameter that identifies the user identity is added to the BIR message. Or extend the Zn interface to define a push service key request message similar to the existing BIR message.
为了使本技术领域的人员更好地理解本发明方案, 下面结合附图和实 施方式对本发明作进一步的详细说明。  In order to make those skilled in the art better understand the present invention, the present invention will be further described in detail below with reference to the accompanying drawings and embodiments.
参照图 2 , 图 2是本发明的一个优选实施例的实现流程图:  Referring to Figure 2, Figure 2 is a flow diagram of an implementation of a preferred embodiment of the present invention:
步骤 201 : NAF向 BSF发送业务密钥请求消息,在该消息中可以指示 BSF 请求类型为推送。  Step 201: The NAF sends a service key request message to the BSF, where the BSF request type can be indicated as pushing.
由于在正常 GAA流程中, 当 NAF需要使用 GBA密钥与 UE进行通信 时, 将会向 BSF发送一个 BIR的认证、 授权、 记帐协议 Diameter消息, 请 求 Ks— NAF密钥, 因此在 GAA推送业务中, 可以通过修改或者利用现有 BIR消息中某些参数来通知 BSF NAF所要请求的密钥是要用于推送业务通 信的。  Since in the normal GAA process, when the NAF needs to communicate with the UE using the GBA key, it will send a BIR authentication, authorization, accounting protocol Diameter message to the BSF, requesting the Ks-NAF key, and therefore in the GAA push service. In the modification, or by using some parameters in the existing BIR message, the BSF NAF may be notified that the key to be requested is to be used for push service communication.
现有技术中 BIR的结构如下:  The structure of the BIR in the prior art is as follows:
< Bootstrapping-Info-Request> ::=< Diameter Header: 311, REQ, PXY, 16777220 >  < Bootstrapping-Info-Request> ::=< Diameter Header: 311, REQ, PXY, 16777220 >
< Session-Id >  < Session-Id >
{ Vendor- Specific- Application-Id }  { Vendor- Specific- Application-Id }
{ Origin-Host } ; NAF地址  { Origin-Host } ; NAF address
{ Origin-Realm } ; NAF域名  { Origin-Realm } ; NAF domain name
{ Destination-Realm } ; BSF i或名  { Destination-Realm } ; BSF i or name
[ Destination-Host ] ; BSF地址  [ Destination-Host ] ; BSF address
* [ GAA-Service-Identifier ]; 业务标识 { Transaction-Identifier } ; B-TID( Bootstrapping ]\^>时身份标 i只 {NAF-ID } ; NAF ID * [ GAA-Service-Identifier ]; Business Identity { Transaction-Identifier } ; B-TID( Bootstrapping ] \^> when the identity is only {NAF-ID } ; NAF ID
[ GBA U- Awareness-Indicator ] ; 标识 NAF具备 GBA U功能 *[ AVP ]  [ GBA U- Awareness-Indicator ] ; Logo NAF with GBA U function *[ AVP ]
* [ Proxy-Info ]  * [ Proxy-Info ]
* [ Route-Record ]  * [ Route-Record ]
上述 Diameter header内容如下表 1所示:  The above Diameter header contents are shown in Table 1 below:
表 1 : 版本号 消息长度  Table 1: Version number Message length
命令标记 命令代码 (Command-Code )  Command tag command code (Command-Code)
应用标识 (Appl ication-ID)  Application ID (Appl ication-ID)
Hop-by-Hop 标识  Hop-by-Hop logo
End-to-End标识  End-to-End identifier
AVPs- 现有 GAA推送流程中规定: BSF需要知道 NAF要向哪个用户推送信 息。 以便于 BSF找到与该用户对应的认证信息, 以及判断 NAF是否有权向 该用户推送信息。  AVPs - Existing GAA Push Processes: BSF needs to know which user NAF wants to push information to. In order for the BSF to find the authentication information corresponding to the user, and to determine whether the NAF has the right to push the information to the user.
因此, NAF向 BSF请求密钥时, 需要将用户的身份标识发送给 BSF, 并指示 BSF请求业务类型为推送, 也就是说通知 BSF, NAF所要请求的密 钥是要用于推送业务通信的。  Therefore, when the NAF requests a key from the BSF, it needs to send the identity of the user to the BSF, and instructs the BSF to request the service type to be push, that is, to notify the BSF that the key to be requested by the NAF is to be used for pushing the service communication.
在本发明实施例中, 可以通过修改或者利用现有 BIR消息中某些参数 来通知 BSF: NAF所要请求的密钥是要用于推送业务通信的。 下面结合上 述现有技术中 BIR消息的结构对此分别进行详细说明。  In the embodiment of the present invention, the BSF may be notified by modifying or utilizing some parameters in the existing BIR message: The key to be requested by the NAF is to be used for push service communication. The following is a detailed description of the structure of the BIR message in the prior art.
1 . 利用现有 Zn 接口上发送的 Diameter 协议消息自引导鉴权 Bootstrapping密钥请求消息。  1. Self-boot authentication Bootstrapping key request message using the Diameter protocol message sent on the existing Zn interface.
可以通过以下任何一种方式携带用户标识参数:  User identification parameters can be carried in any of the following ways:
( 1 )利用 BIR消息中的 B-TID参数传递用户的某种身份标识, 比如用 户的 IP多媒体子系统私有用户身份标识( IMPI )、国际移动用户标识( IMSI, International Mobile Subscriber Identifier )或者 IP多媒体子系统公共用户身 份标识(IMPU )等用于识别用户身份的标识。 当 BSF收到 BIR消息后, 就可以从该参数中获得用户身份标识。 此时需要扩展其他参数来协助 BSF 进一步区分是否 GBA 推送业务。 例如, 可以通过对 BIR 消息中的 GAA-Service-Identifier 参数扩展一个新的取值实现、 或者可以通过扩展 NAF-Id参数的取值实现、 或者可以通过扩展 Vendor-Specific-Application-Id 取值实现, 或者可以通过扩展 Diameter header的 Application-ID来实现。 (1) Using the B-TID parameter in the BIR message to convey a certain identity of the user, such as the user's IP Multimedia Subsystem Private User Identity (IMPI), International Mobile Subscriber Identity (IMSI), or International Mobile Subscriber Identifier (IPSI). Subsystem public user An identification (IMPU) or the like used to identify the identity of the user. After the BSF receives the BIR message, it can obtain the user identity from the parameter. In this case, other parameters need to be extended to assist the BSF to further distinguish whether the GBA push service. For example, the GAA-Service-Identifier parameter in the BIR message may be extended by a new value, or may be implemented by extending the value of the NAF-Id parameter, or may be implemented by extending the Vendor-Specific-Application-Id value. , or can be achieved by extending the Application-ID of the Diameter header.
当 然 由 于 B-TID 的格式 比较特殊 ( 如 B-TID 后 缀是 " @BSF— servers— domain— name " ) , BSF 可以直接从原携带 B-TID 的 Transaction-Identifier参数里携带的用户身份标识本身组成格式来得知是否 携带了 B-TID, 从而进一步区分出是否是正常 GBA请求, 还是 GAApush, 不需要扩展其它参数值。  Of course, since the format of the B-TID is special (for example, the B-TID suffix is "@BSF_server_domain_name"), the BSF can directly form the user identity itself carried in the Transaction-Identifier parameter carrying the B-TID. The format is used to know whether or not the B-TID is carried, so as to further distinguish whether it is a normal GBA request or a GAApush, and does not need to extend other parameter values.
这几种方式都不需要增加 BIR消息的参数, 只是需要扩展某些参数值 即可。  These methods do not need to increase the parameters of the BIR message, but only need to extend some parameter values.
( 2 )在 BIR消息中增加标识用户身份标识的 AVP参数。 例如, 如果 NAF 需要将用户私有身份标识通知给 BSF, 那么可以在 BIR 消息中增加 User-Name的 AVP参数。 如果 NAF需要将用户公共身份标识通知给 BSF, 那么可以在 BIR消息中增加 Public-Identity 的 AVP参数。 如果是其他类型 的标识, 也可作类似处理, 例如, 放到 User-Name或者 Public-Identity中传 递, 或者增加类似的 AVP参数。 此时, BSF完全可以根据 NAF发送的密钥 请求消息中是否包含新增的用户身份标识参数或者 B-TID参数来判断是否 为推送业务密钥请求。 例如, 如果 BIR消息中有 B-TID参数, 那么表示正 常 UE 发起业务的密钥请求。 如果 BIR 消息中有 User-Name 或者 Public-Identity AVP参数或者其他类型的 AVP参数, 那么表示 GBA推送业 务的密钥请求。  (2) Add an AVP parameter identifying the user identity in the BIR message. For example, if the NAF needs to notify the BSF of the user's private identity, the AVP parameter of the User-Name can be added to the BIR message. If the NAF needs to notify the BSF of the user's public identity, the AVP parameter of the Public-Identity may be added to the BIR message. If it is another type of identifier, it can be similarly processed, for example, by passing it in User-Name or Public-Identity, or adding similar AVP parameters. At this time, the BSF can determine whether the push service key request is based on whether the newly added user identity parameter or the B-TID parameter is included in the key request message sent by the NAF. For example, if there is a B-TID parameter in the BIR message, it indicates that the normal UE initiates a key request for the service. If there is a User-Name or Public-Identity AVP parameter or other type of AVP parameter in the BIR message, it indicates a key request for the GBA push service.
( 3 )在 BIR 消息中增加标识用户身份标识的 AVP 参数, 同时扩展 (3) Add AVP parameters identifying the user identity in the BIR message, and expand at the same time
GAA-Service-Identifier或 Application-ID参数来向 BSF指示请求的类型。 The GAA-Service-Identifier or Application-ID parameter indicates to the BSF the type of request.
2. 重新定义一个 Zn接口上的 Diameter消息类型, 扩展 Zn口。  2. Redefine the Diameter message type on the Zn interface and expand the Zn port.
如定义一个类似于 BIR消息的 Bootstrapping-Info-Push-Request(自引导 鉴权协议信息推送请求)消息。可以在上述 Diameter头中的 Command-Code 字段中新定义一个值来表示该消息命令,并将 GAA推送业务中需要携带的 参数全部定义在这个新的消息里。 For example, a Bootstrapping-Info-Push-Request (Built-in Authentication Protocol Push Request) message similar to a BIR message is defined. Command-Code in the above Diameter header A new value is defined in the field to indicate the message command, and all the parameters that need to be carried in the GAA push service are defined in this new message.
可以将消息的格式规定为:  The format of the message can be specified as:
Bootstrapping-Info-Push-Request::=<Diameter Header: 311, REQ, PXY, 16777220 >  Bootstrapping-Info-Push-Request::=<Diameter Header: 311, REQ, PXY, 16777220 >
< Session-Id >  < Session-Id >
{ Vendor- Specific- Application-Id }  { Vendor- Specific- Application-Id }
{ Origin-Host }; NAF地址  { Origin-Host }; NAF Address
{ Origin-Realm } ; NAF域名  { Origin-Realm } ; NAF domain name
{ Destination-Realm }; BSF域名  { Destination-Realm }; BSF domain name
[ Destination-Host ] ; BSF地址  [ Destination-Host ] ; BSF address
* [ GAA-Service-Identifier ] ; 业务标识  * [ GAA-Service-Identifier ] ; Business ID
{ user identity } ; 用户标识  { user identity } ; user ID
{NAF-ID }; NAF标识  {NAF-ID }; NAF logo
[ GBA U- Awareness-Indicator ] ; 标识 NAF具备 GBA U功能 [ GBA U- Awareness-Indicator ] ; Identification NAF has GBA U function
{ 其它参数} ; 其他参数 { Other parameters} ; Other parameters
*[ AVP ]  *[ AVP ]
* [ Proxy-Info ]  * [ Proxy-Info ]
* [ Route-Record ]  * [ Route-Record ]
其中, 通过 Diameter Header的值 311 (或者其他未被使用的值 )表示 该消息为推送业务密钥请求。  The value of the Diameter Header 311 (or other unused value) indicates that the message is a push service key request.
步骤 202: BSF收到所述请求消息后, 根据该消息中携带的请求类型信 息确定 NAF请求的密钥应用的业务类型, 并为 NAF选择可用的推送业务密 钥。  Step 202: After receiving the request message, the BSF determines the service type of the key application requested by the NAF according to the request type information carried in the message, and selects an available push service key for the NAF.
可见, 本发明实施例通过利用或修改现有 BIR消息, 可以使 NAF将需要 请求的密钥所应用的业务类型简单、 有效地通知 BSF, 从而使 BSF根据该通 知做出正确的处理, 为 NAF选择出可用的密钥, 保障推送业务通信的安全 性。 步骤 203: 当 NAF需要更新推送业务密钥时, 向 BSF发送推送业务密钥 重协商请求消息, 并在该消息中携带请求类型信息。 It can be seen that, by using or modifying an existing BIR message, the NAF can directly and effectively notify the BSF of the service type to which the required key needs to be applied, so that the BSF can correctly process the NAF according to the notification. Select the available keys to secure the push service communication. Step 203: When the NAF needs to update the push service key, send a push service key renegotiation request message to the BSF, and carry the request type information in the message.
本技术领域人员知道,当 NAF已经具备一个和 UE进行通信保护的 NAF 相关密钥, 但是由于该密钥到了有效期, 或者其他原因, NAF需要更新密 钥以及原有的 Bootstrapping会话数据( Ks、 B-TID等)。 此时 NAF需要向 BSF发送 Ks密钥重协商请求, BSF收到后不管已有的 Ks是否到了有效期, 都将从 HSS获得一组新鉴权向量。 然后计算出一个新的 Ks和衍生密钥以 及 B-TID , 并将鉴权向量中的 AUTN与衍生密钥以及 B-TID发送给 NAF。  Those skilled in the art know that when the NAF already has a NAF-related key that is protected by the UE, but because the key is valid, or for other reasons, the NAF needs to update the key and the original Bootstrapping session data (Ks, B). -TID, etc.). At this time, the NAF needs to send a Ks key renegotiation request to the BSF. After receiving the BSF, the BSF will obtain a new set of authentication vectors from the HSS regardless of whether the existing Ks has expired. Then a new Ks and derived key and B-TID are calculated, and the AUTN and derived key and B-TID in the authentication vector are sent to the NAF.
在本发明实施例中, Ks重协商的请求可以使用与推送业务密钥请求相 同的消息。 具体可以通过以下两种方式使 BSF区分是推送业务密钥请求消 息还是 Ks重协商请求消息。  In the embodiment of the present invention, the Ks renegotiation request may use the same message as the push service key request. Specifically, the BSF can distinguish whether to push the service key request message or the Ks renegotiation request message in the following two manners.
( 1 ) Ks重协商请求消息扩展推送业务密钥请求消息, 即 Ks重协商请 求消息与推送业务密钥请求消息釆用相同的 Diameter Header以及其他共同 参数, 只是为某些参数设定特殊的值来表示是 Ks重协商请求。 比如, 在请 求消息中携带 B-TID来表示, 或者携带一个特殊的 AVP参数值来表示, 如 增加一个 GSID ( GAA-Service-Identifier )或者 application ID或者 NAF-ID 取值来表示。 当然由于 B-TID 的格式比较特殊 (如 B-TID 后缀是 "@BSF— servers— domain— name" ), BSF 还可直接从原携带 B-TID 的参数 Transaction-Identifier里携带的用户身份标识本身组成格式来得知用户身份 标识是否是 B-TID。 并从进一步区分出是否是正常 GBA请求, 还是 GAA push, 不需要扩展其它参数值。  (1) The Ks renegotiation request message extends the push service key request message, that is, the Ks renegotiation request message and the push service key request message use the same Diameter Header and other common parameters, but only set special values for some parameters. To indicate that it is a Ks renegotiation request. For example, the request message carries a B-TID to indicate, or carries a special AVP parameter value, such as adding a GSID (GAA-Service-Identifier) or an application ID or a NAF-ID value. Of course, since the format of the B-TID is special (for example, the B-TID suffix is "@BSF_server_domain_name"), the BSF can directly carry the user identity itself carried in the parameter Transaction-Identifier carrying the B-TID. Form the format to know if the user identity is a B-TID. And further distinguish whether it is a normal GBA request, or GAA push, do not need to extend other parameter values.
( 2 ) 由 BSF记录在某个 Ks有效期内向 BSF请求过密钥的所有 NAF 信息。 如对应于一个 Ks以一个 NAF列表保存所有使用过该 Ks的 NAF。 当在该 Ks有效期内, 再次收到列表内任何一个 NAF的密钥请求时, 就认 为是 Ks重协商请求。  (2) All NAF information recorded by the BSF to the BSF during the validity period of a Ks is recorded. If corresponding to a Ks, save all NAFs that have used the Ks in a NAF list. When the key request of any NAF in the list is received again within the validity period of the Ks, it is considered as a Ks renegotiation request.
另外, 还可以定义一个不同于推送业务密钥请求消息的新消息专门作 为 Ks重协商的密钥请求消息使用。 此时, B-TID和用户永久身份标识都可 以标识一个用户, 因此该消息可以携带 B-TID, 也可以携带用户永久标识。 该消息的 Diameter Header中的 Command-Code字段中需要新定义一个值来 表示该消息命令,并将 GAA推送业务中需要携带的参数全部定义在这个新 的消息中。 In addition, it is also possible to define a new message different from the push service key request message specifically for use as a key request message for Ks renegotiation. At this time, both the B-TID and the user's permanent identity can identify a user, so the message can carry the B-TID or carry the user's permanent identity. A new value needs to be defined in the Command-Code field in the Diameter Header of the message. Indicates the message command and defines all the parameters that need to be carried in the GAA push service in this new message.
比如, 可以规定如下所示的消息格式:  For example, you can specify the message format as follows:
Bootstrapping-Info-Push-Request::=<Diameter Header: 312, REQ, PXY, 16777220 >  Bootstrapping-Info-Push-Request::=<Diameter Header: 312, REQ, PXY, 16777220 >
< Session-Id >  < Session-Id >
{ Vendor- Specific- Application-Id }  { Vendor- Specific- Application-Id }
{ Origin-Host } ; Address of NAF  { Origin-Host } ; Address of NAF
{ Origin-Realm }; Realm of NAF  { Origin-Realm }; Realm of NAF
{ Destination-Realm } ; Realm of BSF  { Destination-Realm } ; Realm of BSF
[ Destination-Host ] ; Address of the BSF  [ Destination-Host ] ; Address of the BSF
* [ GAA-Service-Identifier ]; Service identifiers  * [ GAA-Service-Identifier ]; Service identifiers
{ user identity } ; user identity  { user identity } ; user identity
{NAF-ID } ; NAF— ID  {NAF-ID } ; NAF - ID
[ GBA U- Awareness-Indicator ]; GBA U awareness of the NAF [ GBA U- Awareness-Indicator ]; GBA U awareness of the NAF
{ 其它参数}; 其他参数 { Other parameters}; Other parameters
*[ AVP ]  *[ AVP ]
* [ Proxy-Info ]  * [ Proxy-Info ]
* [ Route-Record ]  * [ Route-Record ]
步骤 204: BSF收到所述请求消息后, 根据该消息中携带的请求类型信 息为 NAF重新选择推送业务密钥。  Step 204: After receiving the request message, the BSF reselects the push service key according to the request type information carried in the message for the NAF.
下面分别举例进一步详细说明本发明中 NAF发送的密钥请求及 BSF根 据该请求确定 Ua接口业务通信类型的各种实现过程。  The following describes, respectively, the key request sent by the NAF in the present invention and the various implementation processes of the BSF determining the Ua interface service communication type according to the request.
实施例 1 :  Example 1
1. 当 NAF需要向 UE发送推送消息, 但是本地没有已协商好的 GAA 推送业务密钥时, 向 BSF发送 GAA推送业务密钥请求消息。 在该请求消 息中携带用户身份标识信息。  1. When the NAF needs to send a push message to the UE, but there is no negotiated GAA push service key in the local area, the GAA push service key request message is sent to the BSF. User identification information is carried in the request message.
该消息可以釆用以下方式发送:  The message can be sent in the following way:
釆用 Diameter协议的 BIR消息, 并且在消息的 B-TID携带用户身份标 识信息, 同时扩展现有 GSID 或者 Vendor-Specific-Application-Id 或者 Application ID取值或者 NAF-ID, 用以告知 BSF NAF想要在 Ua接口进行 推送业务, B-TID的值代表的是用户身份标识。 消息的结构与现有 BIRD' 息完全一样, 只是扩展了参数 GSID或者 Vendor-Specific-Application-Id的 取值, 或者是对 NAF-ID或者 Application ID增加了新的取值。 Use the BIR message of the Diameter protocol, and carry the user identity in the B-TID of the message. Know the information, and extend the existing GSID or Vendor-Specific-Application-Id or Application ID value or NAF-ID to inform BSF NAF that you want to push services on the Ua interface. The value of B-TID represents the user identity. Logo. The structure of the message is exactly the same as the existing BIRD's. It only extends the value of the parameter GSID or Vendor-Specific-Application-Id, or adds a new value to the NAF-ID or Application ID.
2. BSF 收到上述请求消息后, 根据被扩展的参数 GSID 或者 Vendor-Specific-Application-Id取值或者 NAF-ID或者 Application ID的取值 可以得知, NAF所要请求的是推送业务密钥。 然后从 B-TID的取值中获得 用户身份标识, 并按照现有 GAA推送的流程进行处理。  2. After receiving the above request message, the BSF can know that the NAF needs to request the push service key according to the value of the extended parameter GSID or Vendor-Specific-Application-Id or the value of the NAF-ID or the Application ID. Then, the user identity is obtained from the value of the B-TID, and processed according to the existing GAA push process.
实施例 2:  Example 2:
1. 当 NAF需要向 UE发送推送消息, 但是本地没有已协商好的 GAA 推送业务密钥时, 向 BSF发送 GAA推送业务密钥请求消息, 并在请求消 息中携带用户身份标识信息。 该消息可能釆用以下方式发送:  1. When the NAF needs to send a push message to the UE, but the local GAA push service key is not negotiated, the GAF push service key request message is sent to the BSF, and the user identity information is carried in the request message. The message may be sent in the following way:
扩展 Diameter协议的 BIR消息, 即在现有的 BIR消息中增加某些参数 来表示。 如果 NAF需要将用户私有身份标识通知给 BSF, 那么可以在 BIR 消息里增加 User-Name的 AVP参数。 如果 NAF需要将用户公共身份标识 通知给 BSF, 那么可以在 BIR消息里增加 Public-Identity 的 AVP参数。 同 样如果是其他类型的标识, 就增加相应的 AVP参数。  The BIR message of the Diameter protocol is extended, that is, some parameters are added to the existing BIR message to indicate. If the NAF needs to notify the BSF of the user's private identity, the AVP parameter of the User-Name can be added to the BIR message. If the NAF needs to notify the BSF of the user's public identity, then the AVP parameter of the Public-Identity can be added to the BIR message. Similarly, if it is another type of identification, the corresponding AVP parameters are added.
比如, 将现有 BIR消息扩展为如下:  For example, extend an existing BIR message as follows:
< Bootstrapping-Info-Request> ::=<Diameter Header: 311, REQ, PXY, < Bootstrapping-Info-Request> ::=<Diameter Header: 311, REQ, PXY,
16777220 > 16777220 >
< Session-Id >
Figure imgf000012_0001
< Session-Id >
Figure imgf000012_0001
{ Destination-Realm } ; Realm of BSF  { Destination-Realm } ; Realm of BSF
[ Destination-Host ] ; Address of the BSF  [ Destination-Host ] ; Address of the BSF
* [ GAA Service-Identifier ] ; Service identifiers  * [ GAA Service-Identifier ] ; Service identifiers
{ Transaction-Identifier }; B-TID {NAF-ID } ; NAF ID { Transaction-Identifier }; B-TID {NAF-ID } ; NAF ID
[ user identity ] ; 用户的 IMPI  [ user identity ] ; user's IMPI
[Public-Identity ] ; 用户的公共身份标识  [Public-Identity ] ; User's public identity
[ GBA U- Awareness-Indicator ] ; GBA U awareness of the NAF *[ AVP ]  [ GBA U- Awareness-Indicator ] ; GBA U awareness of the NAF *[ AVP ]
* [ Proxy-Info ]  * [ Proxy-Info ]
* [ Route-Record ]  * [ Route-Record ]
除了上述示例中增加的两种 AVP 参数 ( [ user identity ] , [public-Identity ] ) , 还可以增加其他类型用户的身份标识 AVP参数。  In addition to the two AVP parameters added in the above example ( [ user identity ] , [public-Identity ] ), you can also add the identity AVP parameters of other types of users.
当然, 还可以釆用如实施例 1 所述的扩展现有 GSID , 或者 Of course, it is also possible to extend the existing GSID as described in Embodiment 1, or
Vendor- Specific- Application-Id, 或者 Application ID取值, 或者 NAF-ID, 用 以告知 BSF NAF想要在 Ua接口进行推送业务方式, 同时增加表示用户身 份标识的 AVP参数。 The Vendor-Specific-Application-Id, or Application ID value, or NAF-ID, is used to inform the BSF that the NAF wants to push the service mode on the Ua interface, and also adds the AVP parameter indicating the user identity.
2. BSF收到上述请求消息以后, 根据 NAF所提供的用户身份标识的类 型知道 NAF所要请求的是 GAA推送业务密钥。 也就是说, 如果 BIR中有 B-TID , 那么表示正常 UE 发起业务的密钥请求; 如果 BIR 消息中有 User-Name或者 Public-Identity 的 AVP参数以及其他类型的 AVP参数, 则 表示 NAF发起的推送业务的密钥请求。 然后再按照现有的 GAA推送流程 进行后面的处理。  2. After receiving the above request message, the BSF knows that the NAF is requesting the GAA push service key according to the type of the user identity provided by the NAF. That is, if there is a B-TID in the BIR, it indicates a key request for the normal UE to initiate the service; if the BIR message has the AVP parameter of the User-Name or Public-Identity and other types of AVP parameters, it indicates that the NAF initiates Push the key request for the business. Then follow the existing GAA push process for subsequent processing.
实施例 3:  Example 3:
1. 当 NAF需要向 UE发送推送消息, 但是本地没有已协商好的 GAA 推送业务密钥时, 便向 BSF发送 GAA推送业务密钥请求消息, 并在该请 求消息中携带用户身份标识信息。 该消息可以釆用以下方式发送:  1. When the NAF needs to send a push message to the UE, but the local GAA push service key is not negotiated, the GAA push service key request message is sent to the BSF, and the user identity information is carried in the request message. The message can be sent in the following way:
重新定义一个新的 Zn接口上的 DIAMETER消息类型, 也就是说要扩 展 Zn口。 比如, 定义一个名为 Bootstrapping-Info-Push-Request的消息, 并 给其新定义命令代码 (如 312), 并将 GAA推送中需要携带的参数全部定义 在这个新的消息里, 去掉 BIR中已有的但在 GAA推送中没有用到的参数, 如 B-TID。  Redefine the DIAMETER message type on a new Zn interface, which means to expand the Zn port. For example, define a message named Bootstrapping-Info-Push-Request, and give it a new definition of the command code (such as 312), and define all the parameters that need to be carried in the GAA push in this new message, remove the BIR. Some parameters that are not used in GAA push, such as B-TID.
可以釆用以下消息格式: < Bootstrapping-Info-push-Request> ::=<Diameter Header: 312, REQ, PXY, 16777220 > The following message formats can be used: <Bootstrapping-Info-push-Request>::=<Diameter Header: 312, REQ, PXY, 16777220 >
< Session-Id >  < Session-Id >
{ Vendor- Specific- Application-Id }  { Vendor- Specific- Application-Id }
{ Origin-Host } ; Address of NAF  { Origin-Host } ; Address of NAF
{ Origin-Realm } ; Realm of NAF  { Origin-Realm } ; Realm of NAF
{ Destination-Realm } ; Realm of BSF  { Destination-Realm } ; Realm of BSF
[ Destination-Host ]; Address of the BSF  [ Destination-Host ]; Address of the BSF
* [ GAA-Service-Identifier ] ; Service identifiers  * [ GAA-Service-Identifier ] ; Service identifiers
{NAF-ID } ; NAF— ID  {NAF-ID } ; NAF - ID
[ user identity ] ; 用户的 IMPI  [ user identity ] ; user's IMPI
[Public-Identity ] ; 用户的公共身份标识  [Public-Identity ] ; User's public identity
[ GBA U- Awareness-Indicator ] ; GBA U awareness of the NAF  [ GBA U- Awareness-Indicator ] ; GBA U awareness of the NAF
*[ AVP ]  *[ AVP ]
* [ Proxy-Info ]  * [ Proxy-Info ]
* [ Route-Record ]  * [ Route-Record ]
除了上述示例中增加的两种 AVP 参数 ( [ user identity ] , [public-Identity ] ). 还可以增加 GAA推送中需要携带的 AVP参数。  In addition to the two AVP parameters added in the above example ( [ user identity ] , [public-Identity ] ). You can also increase the AVP parameters that need to be carried in the GAA push.
2. BSF收到上述请求消息以后, 根据请求消息的类型, 便可知道该消 息是请求 GAA推送业务密钥的, 并且可以从各个 AVP参数中取得所需信 息。 然后便可按照已有 GAA推送流程, 进行后面的处理。  2. After receiving the above request message, the BSF can know that the message is a requesting GAA push service key according to the type of the request message, and can obtain the required information from each AVP parameter. Then you can follow the existing GAA push process for subsequent processing.
实施例 4:  Example 4:
1. 当 NAF需要向 UE发送推送消息, 并且本地已有协商好的 GAA推 送业务密钥, 但是该密钥由于某种原因需要更新并且由此需要更新已有的 Bootstrapping会话数据。 此时, NAF向 BSF发送推送业务密钥重协商请求 消息, 在该请求消息中携带用户身份标识信息, 该信息可以是永久身份标 识, 也可以是 B-TID。  1. When the NAF needs to send a push message to the UE, and the locally negotiated GAA push service key, the key needs to be updated for some reason and thus needs to update the existing Bootstrapping session data. At this time, the NAF sends a push service key renegotiation request message to the BSF, where the request message carries user identity information, which may be a permanent identity identifier or a B-TID.
推送业务密钥重协商请求消息可以釆用以下方式来实现:  The push service key renegotiation request message can be implemented in the following manner:
( 1 )重新定义一个新的 Zn接口上的 Diameter消息类型, 该消息不同 于推送业务密钥请求消息。如定义一个名为 Bootstrapping-Info-Push-Request 的消息。 并给其新定义命令代码(如 312) , 并将 GAA推送中需要携带的参 数全部定义在这个新的消息中,并去掉 BIR中已有的但在 GAA推送中没有 用到的参数, 如 B-TID。 (1) Redefine the Diameter message type on a new Zn interface, the message is different Push the service key request message. For example, define a message called Bootstrapping-Info-Push-Request. And give it a new definition of the command code (such as 312), and all the parameters that need to be carried in the GAA push are defined in this new message, and remove the parameters that are already in the BIR but are not used in the GAA push, such as B. -TID.
比如, 可以定义如下所示消息格式:  For example, you can define the message format as follows:
< Bootstrapping-Info-push-Request> ::=<Diameter Header: 313, REQ, PXY, 16777220 >  < Bootstrapping-Info-push-Request> ::=<Diameter Header: 313, REQ, PXY, 16777220 >
< Session-Id >  < Session-Id >
{ Vendor- Specific- Application-Id }  { Vendor- Specific- Application-Id }
Figure imgf000015_0001
Figure imgf000015_0001
[ user identity ] 用户的 IMPI  [ user identity ] User's IMPI
[Public-Identity ] 用户的公共身份标识  [Public-Identity ] User's public identity
[ GBA U- Awareness-Indicator ] 标识 NAF具备 GBA U功能  [ GBA U- Awareness-Indicator ] Logo NAF has GBA U function
*[ AVP ]  *[ AVP ]
* [ Proxy-Info ]  * [ Proxy-Info ]
* [ Route-Record ]  * [ Route-Record ]
除了上述示例中增加的两种 AVP 参数 ( [ user identity ] , [public-Identity ] )外, 还可以增加 GAA推送中需要携带的其他 AVP参数。  In addition to the two AVP parameters ( [ user identity ] , [public-Identity ] ) added in the above example, you can also add other AVP parameters that need to be carried in the GAA push.
( 2 )扩展推送业务密钥请求消息作为推送业务密钥重协商请求消息, 即推送业务密钥重协商的请求消息与推送业务密钥请求消息釆用相同的 Diameter Header以及其他共同参数。 只是为某些参数设定特殊的值来表示 是 Ks重协商请求。如在请求消息中携带 B-TID来表示或者携带一个特殊的 AVP参数。  (2) The extended push service key request message is used as the push service key renegotiation request message, that is, the push service key renegotiation request message and the push service key request message use the same Diameter Header and other common parameters. Just set a special value for some parameters to indicate that it is a Ks renegotiation request. For example, the B-TID is carried in the request message to represent or carry a special AVP parameter.
( 3 )推送业务密钥重协商请求消息与一般的推送业务密钥请求釆用同 一条密钥请求消息, 并由 BSF记录在某个 Ks有效期内向 BSF请求过密钥 的所有 NAF名, 如对应于一个 Ks以一个 NAF列表保存所有使用过该 Ks 的 NAF。 当在该 Ks有效期内, 再次收到列表内任何一个 NAF的密钥请求 时, 就认为是 Ks重协商请求。 (3) Push service key renegotiation request message is the same as general push service key request A key request message, and the BSF records all NAF names that have requested the key from the BSF during a certain Ks validity period. For example, corresponding to a Ks, all NAFs that have used the Ks are saved in a NAF list. When the key request of any NAF in the list is received again within the validity period of the Ks, it is considered as a Ks renegotiation request.
2. BSF收到上述请求消息以后, 根据请求消息的类型, 即可知道该消 息是请求 GAA推送业务密钥的, 并且可以从各个 AVP参数中取得所需信 息。 然后便可按照已有的 GAA推送流程, 进行后面的处理。  2. After receiving the above request message, the BSF can know that the message is a requesting GAA push service key according to the type of the request message, and can obtain the required information from each AVP parameter. Then you can follow the existing GAA push process for subsequent processing.
本领域技术人员可以理解, 上述实施例中的全部或部分单元或各步骤 是可以通过程序来指令相关硬件来实现, 所述程序可存储于计算机可读取 存储介质中, 所述存储介质, 如 ROM/RAM、 磁盘、 光碟等。 或者将它们 分别制作成各个集成电路模块, 或者将它们中的多个模块或步骤制作成单 个集成电路模块来实现。 这样, 本发明不限制于任何特定的硬件和软件结 合。  It will be understood by those skilled in the art that all or part of the units or steps in the foregoing embodiments may be implemented by a program to instruct related hardware, and the program may be stored in a computer readable storage medium, such as a storage medium, such as ROM/RAM, disk, CD, etc. Alternatively, they may be fabricated into individual integrated circuit modules, or a plurality of modules or steps may be fabricated into a single integrated circuit module. Thus, the invention is not limited to any particular combination of hardware and software.
综上所述, 本发明实施例提供的技术方案在 GAA推送业务中, 通过对 现有的 Zn接口上发送的 Diameter (新一代认证、 授权、 记帐协议 )消息自 引导鉴权 ( Bootsrapping )密钥请求消息 BIR进行扩展, 利用 BIR消息中的 B-TID参数传递用户身份标识信息, 同时扩展其他参数取值指示请求类型 , 或者在 BIR消息中增加标识用户身份标识的参数,从而使 BSF根据 BIR消 息中携带的 B-TID参数或用户身份标识信息即可判断是推送业务密钥请求, 对 NAF的请求做出正确的响应。 或者通过对 Zn接口进行扩展, 定义一个 类似于现有 BIR消息的推送业务密钥请求消息, BSF收到该请求消息后从 消息类型即可得知 Ua接口业务类型, 从而为 NAF选定可以使用的推送业 务密钥。 利用本发明, 可以为 GAA推送业务密钥的选择提供保障, 进而保 障了推送业务的安全性。  In summary, the technical solution provided by the embodiment of the present invention in the GAA push service is self-booting (Bossapping) by using the Diameter (New Generation Authentication, Authorization, Accounting Protocol) message sent on the existing Zn interface. The BIR is extended by the BIR message, and the B-TID parameter in the BIR message is used to transmit the user identity information, and the other parameter value indication request type is extended, or the parameter identifying the user identity is added to the BIR message, so that the BSF is based on the BIR. The B-TID parameter or the user identity information carried in the message can determine that the service key request is pushed, and the NAF request is correctly responded. Or, by extending the Zn interface, a push service key request message similar to the existing BIR message is defined. After receiving the request message, the BSF can learn the Ua interface service type from the message type, so that the NAF can be selected for use. Push business key. The invention can provide guarantee for the selection of the GAA push service key, thereby ensuring the security of the push service.
虽然通过实施例描绘了本发明, 本领域普通技术人员知道, 本发明 有许多变形和变化而不脱离本发明的精神, 希望所附的权利要求包括这些 变形和变化而不脱离本发明的精神。  While the invention has been described by the embodiments of the present invention, it is understood that the invention

Claims

权 利 要 求 Rights request
1、 一种确定密钥请求业务类型的方法, 其特征在于, 包括: A method for determining a type of a key request service, comprising:
在请求业务密钥消息中携带请求推送业务类型信息;  Carrying the request service type information in the request service key message;
根据该请求业务密钥消息中携带的业务类型信息确定所请求的密钥应 用的业务类型为推送业务。  And determining, according to the service type information carried in the request service key message, the service type of the requested key application is a push service.
2、 根据权利要求 1所述的方法, 其特征在于, 所述在请求业务密钥消 息中携带请求推送业务类型信息包括:  The method according to claim 1, wherein the carrying the request service type information in the request service key message comprises:
扩展自引导鉴权协议信息请求 BIR消息中的参数;  Extending the self-booting authentication protocol information request parameters in the BIR message;
发送扩展后的 BIR消息给 BSF请求业务密钥, 并指示请求类型为推送 业务。  The extended BIR message is sent to the BSF to request a service key, and the request type is a push service.
3、 根据权利要求 2所述的方法, 其特征在于, 所述扩展自引导鉴权协 议信息请求 BIR消息中的参数通过以下方法实现:  The method according to claim 2, wherein the parameter of the extended self-booting authentication protocol request BIR message is implemented by the following method:
利用 BIR消息中的会话事务标识 B-TID字段来携带用户标识信息, 并 扩展 BIR消息中的通用鉴权框架业务标识 GSID、或者业务提供商应用标识、 或者 NAF标识、或者认证授权消息 Diameter头中的应用标识的取值来指示 请求类型信息。  Using the session transaction identifier B-TID field in the BIR message to carry the user identification information, and extending the universal authentication framework service identifier GSID, or the service provider application identifier, or the NAF identifier, or the authentication authorization message in the Diameter header in the BIR message. The value of the application identifier indicates the request type information.
4、 根据权利要求 2所述的方法, 其特征在于, 所述扩展自引导鉴权协 议信息请求 BIR消息中的参数通过以下方法实现:  The method according to claim 2, wherein the parameter in the extended self-booting authentication protocol request BIR message is implemented by the following method:
在 BIR消息中增加表示用户标识的 AVP参数和 /或指示请求类型信息的 AVP参数。  An AVP parameter indicating the user identification and/or an AVP parameter indicating the request type information is added to the BIR message.
5、 根据权利要求 4所述的方法, 其特征在于, 所述 AVP参数具体为: 表示用户私有身份标识的 AVP 参数; 或者表示用户公共身份标识的 The method according to claim 4, wherein the AVP parameter is specifically: an AVP parameter indicating a private identity of the user; or a public identity of the user.
AVP参数; 或者表示用户别名 pseudonym的 AVP参数。 AVP parameter; or AVP parameter representing the user alias pseudonym.
6、 根据权利要求 1所述的方法, 其特征在于, 所述在请求业务密钥消 息中携带请求推送业务类型信息通过以下方法实现:  The method according to claim 1, wherein the carrying the request service type information in the request service key message is implemented by the following method:
所述请求业务密钥消息为请求推送业务密钥的专用消息。  The request service key message is a dedicated message requesting a push service key.
7、 根据权利要求 1至 6中任一项所述的方法, 其特征在于, 所述在请 求业务密钥消息中携带请求推送业务类型信息包括:  The method according to any one of claims 1 to 6, wherein the requesting the service type information in the request service key message comprises:
扩展 Transaction-Identifier参数, 使其携带用户身份标识; 根据所述 Transaction-Identifier参数携带的用户身份标识格式确定请求 的密钥业务类型为推送业务。 Extend the Transaction-Identifier parameter to carry the user ID; Determining, according to the user identity identifier format carried in the Transaction-Identifier parameter, the requested key service type is a push service.
8、 根据权利要求 1至 6中任一项所述的方法, 其特征在于, 所述方法 进一步包括:  The method according to any one of claims 1 to 6, wherein the method further comprises:
BSF 记录在共享密钥有效期内向其请求过该共享密钥的衍生密钥的 The BSF records the derived key of the shared key to which the shared key was requested during the validity period of the shared key.
NAF信息; NAF information;
当在该共享密钥有效期内收到向其请求过该共享密钥的衍生密钥的 NAF的推送业务密钥请求时, 确定该请求为密钥重协商请求。  When the push service key request of the NAF to which the derived key of the shared key has been requested is received within the validity period of the shared key, it is determined that the request is a key renegotiation request.
9、 根据权利要求 1至 6中任一项所述的方法, 其特征在于, 进一步包 括:  The method according to any one of claims 1 to 6, further comprising:
当需要进行共享密钥重协商时, 发送指示请求类型为重协商的密钥重 协商请求消息。  When a shared key renegotiation is required, a key renegotiation request message indicating that the request type is renegotiation is sent.
10、 根据权利要求 9 所述的方法, 其特征在于, 所述指示请求类型为 重协商的密钥重协商请求消息是请求密钥重协商的专用消息。  10. The method according to claim 9, wherein the key re-negotiation request message indicating that the request type is re-negotiating is a dedicated message requesting key renegotiation.
11、 根据权利要求 9 所述的方法, 其特征在于, 所述指示请求类型为 重协商的密钥重协商请求消息是通过扩展请求推送业务密钥消息的方法实 现。  The method according to claim 9, wherein the key re-negotiation request message indicating that the request type is re-negotiated is implemented by a method of pushing a service key message by an extension request.
12、 根据权利要求 11所述的方法, 其特征在于, 所述扩展请求推送业 务密钥消息的方法为: 在所述密钥重协商请求消息中携带 B-TID; 或者在所 述密钥重协商请求消息中携带一个特殊的 AVP参数。  The method according to claim 11, wherein the method for pushing the service key message is: carrying the B-TID in the key renegotiation request message; or The negotiation request message carries a special AVP parameter.
13、 一种确定密钥请求业务类型的系统, 其特征在于, 包括: 消息生成单元, 用于在请求业务密钥消息中携带请求推送业务类型信 息;  A system for determining a key request service type, comprising: a message generating unit, configured to carry a request push service type information in a request service key message;
判断单元, 用于根据所述请求业务密钥消息中携带的业务类型信息确 定所请求的密钥应用的业务类型为推送业务。  The determining unit is configured to determine, according to the service type information carried in the request service key message, a service type of the requested key application as a push service.
14、 一种网络应用功能实体, 其特征在于, 包括:  14. A network application functional entity, comprising:
消息生成单元, 用于在请求业务密钥消息中携带请求推送业务类型信 息;  a message generating unit, configured to carry the request push service type information in the request service key message;
发送单元, 用于发送所述消息生成单元生成的、 携带请求推送业务类 型信息的请求业务密钥; % ,包、。 a sending unit, configured to send the request to push service class generated by the message generating unit Request service key for type information; %, package,.
15、 一种自引导鉴权协议服务功能实体, 其特征在于, 包括: 接收单元, 用于接收携带请求推送业务类型信息的请求业务密钥消息; 判断单元, 用于根据所述请求业务密钥消息中携带的业务类型信息确 定所请求的密钥应用的业务类型为推送业务。  A self-guided authentication protocol service function entity, comprising: a receiving unit, configured to receive a request service key message carrying a request to push service type information; and a determining unit, configured to use the request service key according to the request The service type information carried in the message determines that the service type of the requested key application is a push service.
PCT/CN2007/070185 2006-07-04 2007-06-26 Method and apparatus for determining service type of key request WO2008006309A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2006101010491A CN101102191B (en) 2006-07-04 2006-07-04 Method for identifying the style of secret key request service in general authentication framework
CN200610101049.1 2006-07-04

Publications (1)

Publication Number Publication Date
WO2008006309A1 true WO2008006309A1 (en) 2008-01-17

Family

ID=38922939

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/070185 WO2008006309A1 (en) 2006-07-04 2007-06-26 Method and apparatus for determining service type of key request

Country Status (2)

Country Link
CN (1) CN101102191B (en)
WO (1) WO2008006309A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103188229B (en) * 2011-12-30 2017-09-12 上海贝尔股份有限公司 The method and apparatus accessed for secure content
CN105282108B (en) * 2014-07-07 2018-10-23 上海交通大学 Intelligently guiding cut-in method in a kind of multi-media transmission system
CN108933662B (en) * 2017-05-26 2021-02-26 展讯通信(上海)有限公司 GBA-based authentication method, device and terminal
CN117177205A (en) * 2022-05-25 2023-12-05 中国移动通信有限公司研究院 Service authorization method, device, network function and storage medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1610364A (en) * 2003-10-23 2005-04-27 华为技术有限公司 A method for making network propel business to order

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1315348C (en) * 2003-09-09 2007-05-09 华为技术有限公司 Method for implementing intelligent service in general packet radio service (GPRS) system
CN1770913B (en) * 2004-11-02 2010-05-26 北京三星通信技术研究有限公司 Method for receiving multimedia broadcast and multicast service

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1610364A (en) * 2003-10-23 2005-04-27 华为技术有限公司 A method for making network propel business to order

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"Generic Authentication Architecture (GAA): Zh and Zn interfac based on the Diameter protocol", 3GPP TS 29.109 V0.2.0, February 2004 (2004-02-01) *
CALHOUN P. ET AL.: "Diameter Base Protocol", IETF RFC 3588, September 2003 (2003-09-01) *

Also Published As

Publication number Publication date
CN101102191A (en) 2008-01-09
CN101102191B (en) 2010-12-08

Similar Documents

Publication Publication Date Title
US7984291B2 (en) Method for distributing certificates in a communication system
CN101616410B (en) Access method and access system for cellular mobile communication network
EP1811744B1 (en) Method, system and centre for authenticating in End-to-End communications based on a mobile network
JP5199405B2 (en) Authentication in communication systems
US20080294891A1 (en) Method for Authenticating a Mobile Node in a Communication Network
CN109936529B (en) Method, device and system for secure communication
WO2009062415A1 (en) An authentication method for request message and the apparatus thereof
WO2010003335A1 (en) Method, system and device for negotiating security association (sa) in ipv6 network
WO2007104245A1 (en) An identity web service framework system and authentication method thereof
US8769281B2 (en) Method and apparatus for securing communication between a mobile node and a network
RU2424628C2 (en) Method and apparatus for interworking authorisation of dual stack operation
WO2010094244A1 (en) Method, device and system for performing access authentication
WO2008006312A1 (en) A realizing method for push service of gaa and a device
US8234497B2 (en) Method and apparatus for providing secure linking to a user identity in a digital rights management system
WO2012167500A1 (en) Method for establishing data security channel for tunnel
WO2013056619A1 (en) Method, idp, sp and system for identity federation
WO2013040957A1 (en) Single sign-on method and system, and information processing method and system
WO2008009232A1 (en) A method system and device for determining the mobile ip key and notifying the mobile ip type
WO2007147354A1 (en) Method and system for retrieving service key
WO2008006309A1 (en) Method and apparatus for determining service type of key request
US8615591B2 (en) Termination of a communication session between a client and a server
WO2012126299A1 (en) Combined authentication system and authentication method
KR101329150B1 (en) PANA Authentication Method and System
JP2003132028A (en) Access control system, access control server, electronic device, remote electronic device and access control method
TWI755951B (en) Communication system and communication method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07721798

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

NENP Non-entry into the national phase

Ref country code: RU

122 Ep: pct application non-entry in european phase

Ref document number: 07721798

Country of ref document: EP

Kind code of ref document: A1