WO2013023475A1 - Method for sharing user data in network and identity providing server - Google Patents


Info

Publication number: WO2013023475A1
Authority: WO (WIPO, PCT)
Prior art keywords: providing server, user, service, identity, service providing
Application number: PCT/CN2012/076275
Other languages: French (fr), Chinese (zh)
Inventors: 韦银星, 符涛, 吴强
Original assignee: 中兴通讯股份有限公司 (ZTE Corporation)
Application filed by 中兴通讯股份有限公司 (ZTE Corporation)

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04W: Wireless communication networks
    • H04W 8/00: Network data management
    • H04W 8/18: Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; transfer of user or subscriber data

Definitions

  • The present invention relates to the field of communications and the Internet, and in particular to a method for sharing user data in a network, a service providing server, an identity providing server, and a user equipment.
  • Telecom operators and service providers both provide services to users. The telecom operators own the infrastructure of the communication network and offer users rich access methods, such as Asymmetric Digital Subscriber Line (ADSL), Third Generation (3G) mobile access, wireless local area network (WLAN) and Ethernet access.
  • Service providers offer users rich services, such as traditional portal websites, e-commerce, Internet communications, online banking and social networking.
  • The number of service providers on the Internet is large; although some can provide innovative services, their user bases grow slowly, and the number of users often becomes the bottleneck for business development.
  • An Identity Provider (IdP) usually has a relatively large user base, and its identity providing server can provide services such as authentication to users or to other service providers. Telecom operators have a large number of users and are naturally positioned to operate identity providing servers. However, the telecommunications network is relatively closed and offers a single category of business.
  • In the IP Multimedia Subsystem (IMS), an application server (AS) can directly access the user subscription data in the Home Subscriber Server (HSS), and the user decides which data to share by modifying the subscription information. For service providers on the Internet, whose number is large and where new ones constantly appear, it is difficult to define subscription data in advance, so this solution has scalability problems.
  • In that solution the user subscription data is obtained from the HSS according to a trust relationship, but the user cannot flexibly control which of the subscription data an AS may access.
  • In Identity Management (IdM), the current solutions between service providers and identity providers mainly address single sign-on, such as OpenID, Liberty Alliance, CardSpace, the Generic Authentication Architecture (GAA) and the Kerberos model. Each of these schemes defines user identity independently and is implemented independently; the resulting diversity of identities is inconvenient for users of the Internet.
  • Open Authorization (OAuth) is a protocol for authorized access to user resource data on the Internet. It does not define a unified way of identifying users, nor how it may be used together with the resources of a telecom operator.
  • The identity of the user is used to identify the user at the network layer and can also be used by a service provider to identify the user, which gives the user a unified identity. There is, however, no solution that lets a service providing server securely share the subscriber data held by the telecom operator, and this also limits the development of new services.
  • The embodiments of the present invention provide a method for sharing user data in a network, a service providing server, an identity providing server and a user equipment, to solve the problem that a service providing server cannot securely share the user data of the telecom operator.
  • An embodiment of the present invention provides a method for sharing user data in a network, where the network includes an identity providing server and a resource server (RS), and the method includes:
  • the service providing server receives the access of the user equipment (UE);
  • the service providing server directly or indirectly acquires user-shared data authorized by the user from the RS.
  • the method further includes: the service providing server directly or indirectly completing service access authentication for the UE.
  • The service providing server directly completing the service access authentication of the UE includes: the service providing server obtaining a user security parameter from the identity providing server and completing the service access authentication of the UE according to that user security parameter.
  • The service providing server indirectly completing the service access authentication of the UE includes: the service providing server obtaining, from the identity providing server, the result of the identity providing server's service access authentication of the UE.
  • The user security parameter is obtained by the identity providing server according to the access authentication result of the network for the UE.
  • The service access authentication result is produced by the identity providing server according to the access authentication result of the network for the UE.
  • The service providing server directly acquiring the user-authorized shared data from the RS includes: the service providing server acquiring a token from the identity providing server and acquiring the user-authorized shared data directly from the RS according to the token.
  • The service providing server indirectly acquiring the user-authorized shared data from the RS includes: the service providing server acquiring the user-authorized shared data through the identity providing server.
  • An embodiment of the present invention further provides a service providing server, which includes: a receiving module configured to receive access by a user equipment (UE); and an acquisition module configured to acquire user-authorized shared data directly or indirectly from a resource server (RS).
  • The service providing server further includes a service access authentication module configured to complete service access authentication of the UE, directly or indirectly, before the receiving module receives the access of the UE.
  • The service access authentication module is configured to obtain a user security parameter from an identity providing server and complete the service access authentication of the UE according to that parameter, or to obtain from the identity providing server the result of the identity providing server's service access authentication of the UE.
  • The user security parameter is obtained by the identity providing server according to the access authentication result of the network for the UE; or the service access authentication result is produced by the identity providing server according to the access authentication result of the network for the UE.
  • The acquisition module is configured to acquire a token from the identity providing server and acquire the user-authorized shared data directly from the RS according to the token, or to acquire the user-authorized shared data through the identity providing server.
  • An embodiment of the present invention further provides an identity providing server, which includes: a network access authentication module configured to authenticate the access of a user equipment (UE) to the network and obtain user security parameters; and a service access authentication module configured to perform service access authentication of the UE according to the user security parameters obtained by the network access authentication module and send the service access authentication result to the service providing server.
  • the identity providing server further includes:
  • the first sending module is configured to send the user security parameter obtained by the network access authentication module to the service providing server.
  • the user security parameter comprises a session key.
  • The identity providing server further includes a second sending module configured to: after the service access authentication module has sent the service access authentication result, or the first sending module has sent the user security parameter, to the service providing server, receive a data request sent by the service providing server, obtain the user-authorized shared data from the resource server (RS) according to that data request, and send the shared data to the service providing server.
  • The second sending module is further configured to: after the service access authentication module has sent the service access authentication result, or the first sending module has sent the user security parameter, to the service providing server, receive a token request sent by the service providing server and send a token to the service providing server according to that request, so that the service providing server obtains the user-authorized shared data from the RS according to the token.
  • An embodiment of the present invention further provides a user equipment (UE), where the UE includes:
  • an access module configured to access a service providing server;
  • a data processing module configured to receive the user data authorization request that the identity providing server sends in response to the data request of the service providing server, and to return to the identity providing server the shared data the user has authorized, according to the authorization result for the user data carried in that request.
  • The access module is configured to access the service providing server after the UE has successfully accessed the network using its identifier and has passed the service access authentication of the service providing server.
  • FIG. 1 is a schematic diagram of a scenario of sharing user data in a network according to an embodiment of the present invention;
  • FIG. 2 is a schematic structural diagram of Embodiment 1 of the architecture for sharing user data in a network according to the present invention;
  • FIG. 3 is a schematic structural diagram of Embodiment 2 of the architecture for sharing user data in a network according to the present invention;
  • FIG. 4 is a signaling flowchart of Embodiment 1 of sharing user data in a network according to the present invention;
  • FIG. 5 is a signaling flowchart of Embodiment 2 of sharing user data in a network according to the present invention;
  • FIG. 6 is a signaling flowchart of Embodiment 3 of sharing user data in a network according to the present invention;
  • FIG. 7 is a schematic structural diagram of a service providing server according to an embodiment of the present invention;
  • FIG. 8 is a schematic structural diagram of an identity providing server according to an embodiment of the present invention;
  • FIG. 9 is a schematic structural diagram of a user equipment according to the present invention.

Preferred embodiment of the invention

  • FIG. 1 is a schematic diagram of a scenario for sharing user data in a network according to an embodiment of the present invention.
  • In this scenario a social network securely shares a user's data held in the network, such as a contact list. The sharing process includes:
  • Step 10: the user 100 accesses the network 102 and passes the authentication of the network 102;
  • Step 12: the user 100 accesses the social networking website 104;
  • Step 14: the social networking website 104 does not hold identity information for the user 100, so it locates the network 102 from configuration information or by a dynamic discovery protocol;
  • Step 16: the network 102 contacts the user 100, and the user 100 authorizes the sharing of user data, such as the contact list;
  • Step 18: after the user 100 has authorized the shared user data, the network 102 continues with the subsequent processing;
  • Step 20: the network 102 returns the information shared by the user 100, such as the contact list, to the social networking website 104;
  • Step 22: when the user 106 accesses the social networking website 104 through the network 102, the user data shared by the user 100, such as the contact list, is used.
  • FIG. 2 is a schematic diagram of the architecture for sharing user data in a network according to the present invention. In it the network routes data packets through an Access Serving Node (ASN), and the user equipment (UE) 200 is identified by its ID.
  • The user equipment 200 is authenticated by the identity providing server 204, and the data shared by the user is obtained either directly from the resource server (RS) 206 or through the identity providing server 204.
  • The network includes, but is not limited to, a mobile communication network or an identifier network.
  • The authentication between the UE 200 and the service providing server 208 is based on the result of the user's network access authentication.
  • The network does not pass the user's security credentials to the service providing server 208, so the service providing server 208 cannot authenticate the user equipment 200 directly; user authentication is completed over the interface between the UE 200 and the identity providing server 204.
  • The user equipment 200 is a user node such as a mobile phone or a personal computer. It is pre-configured with an identifier (ID) or obtains one from the network, and it owns a security credential: a root key pre-shared with the network, or a digital certificate.
  • The ID of the user equipment can be the International Mobile Subscriber Identity (IMSI); in an identifier/locator separation network the ID is the Access Identifier (AID).
  • The capabilities of the user equipment include, but are not limited to: support for the Hypertext Transfer Protocol (HTTP) Digest authentication protocol; support for the Session Initiation Protocol (SIP) Digest authentication protocol; support for the Extensible Authentication Protocol (EAP) and EAP authentication methods; and the ability to derive new key material.
  • The access service node 202 is located at the boundary of the network. It provides the access service for the user equipment 200, maintains the connection between the terminal and the network, routes and forwards data packets, and cooperates with the identity providing server 204 to complete the access authentication of the UE 200.
  • For example, the access service node is a Serving GPRS Support Node (SGSN) and/or a Gateway GPRS Support Node (GGSN); alternatively, the access service node is an ASN.
  • The identity providing server 204 is responsible for creating, maintaining and managing the identity information of the user in the network, with the user's identity ID as the core, and for providing the user identity verification service.
  • The capabilities of the identity providing server 204 include, but are not limited to: providing the network access authentication service; providing the service access authentication service; supporting EAP functions; obtaining user information from the RS; and implementing the identity management features of an authentication center, such as support for web features, the Hypertext Transfer Protocol (HTTP), the HTTP Digest authentication protocol and the Security Assertion Markup Language (SAML).
  • The resource server (RS) 206 stores the user's security information and provides the user's attribute data and other data, such as contact lists, avatars, photos and videos.
  • The service providing server 208 provides services to the user node 200. These may be web-type services such as a portal website or an electronic mall, which usually use the Hypertext Markup Language (HTML) over HTTP, or non-web-type services such as electronic mail and instant messaging, which are usually based directly on a transport layer protocol such as the Transmission Control Protocol (TCP).
  • Interface A is located between the UE 200 and the ASN 202 and provides bidirectional authentication of the UE 200 and the ASN 202; it supports, but is not limited to, the EAP protocol.
  • Interface B is located between the ASN 202 and the identity providing server 204 and transmits the primary session key from the identity providing server 204 to the ASN 202; it supports, but is not limited to, delivering EAP payloads through an Authentication, Authorization and Accounting (AAA) protocol.
  • Interface C is located between the identity providing server 204 and the RS 206; the identity providing server 204 obtains the user's security information and other user data through it. Its protocols include, but are not limited to, Diameter.
  • Interface D is located between the UE 200 and the identity providing server 204 and supports the user's single sign-on service and secure data sharing. Its protocols include, but are not limited to, HTTP Digest, SIP Digest and SAML.
  • Interface E is located between the UE 200 and the service providing server 208; the UE 200 accesses the service provided by the service providing server 208 through it. Its protocols include, but are not limited to, HTTP, HTTPS, a transport layer protocol such as TCP, SAML and Diameter.
  • Interface F is located between the identity providing server 204 and the service providing server 208 and provides the single sign-on service and supports secure data sharing. Its protocols include, but are not limited to, HTTP and an AAA protocol.
  • Interface G is located between the service providing server 208 and the RS 206; the service providing server 208 obtains user-related data through it. Its protocols include, but are not limited to, Diameter.
  • FIG. 3 is a schematic structural diagram of Embodiment 2 of the architecture for sharing user data in a network according to the present invention.
  • The difference from the architecture of FIG. 2 is that in this embodiment there is no interface between the UE and the identity providing server; instead the network passes user security information (such as the identifier, the primary session key and the key lifetime) to the service providing server 208, so that the service providing server 208 can authenticate the user equipment 200 directly.
  • The user security information used between the UE 200 and the service providing server 208 is a result of the user's network access authentication.
  • FIG. 4 is a signaling flowchart of Embodiment 1 of sharing user data in a network according to the present invention.
  • The flow is based on the architecture shown in FIG. 2. The UE 200 is authenticated by the identity providing server 204; the service providing server 208 obtains a token from the identity providing server 204 and acquires the user-shared data directly from the RS 206. The identity providing server 204 and the RS 206 have pre-configured templates for user data sharing that define which data the user shares.
  • the prerequisite for the process is that the link between the UE 200 and the ASN 202 has been established, and the UE
  • The process of sharing user data in the network includes:
  • Step 220: the ASN 202 sends an identity request to the UE 200;
  • Step 222: the UE 200 sends a response to the ASN 202 and carries the identity ID of the user in the response;
  • Step 224: the ASN 202 forwards the response to the identity providing server 204 in a packet carrying the user identity ID;
  • Step 226: the identity providing server 204 sends a packet carrying the ID to the RS 206 to request the key material;
  • Step 228: the RS 206 returns the key material to the identity providing server 204;
  • Step 230: the UE 200 and the identity providing server 204 negotiate security parameters, including the security protocols supported by both parties and the session key.
  • Steps 220 to 230 above are the access authentication of the network for the UE;
  • Step 232: the UE 200 accesses the service of the service providing server 208, and the service providing server 208 discovers the location of the identity providing server 204 by static configuration or dynamic discovery;
  • Step 234: the service providing server 208 sends a redirect message to the UE 200, and the UE 200 sends the message to the identity providing server 204 according to the address of the identity providing server in the redirect message header;
  • Step 236: the identity providing server 204 sends an unauthorized message to the UE 200;
  • Step 238: the UE 200 sends a digest authentication message to the identity providing server 204, using the ID as the username and the session key as the password;
  • Step 240: the identity providing server 204 verifies the identity of the user after receiving the digest authentication message;
  • Step 242: the identity providing server 204 requests the user data list from the RS 206, the request carrying the identity of the user;
  • Step 244: the RS 206 returns the user data list to the identity providing server 204;
  • Step 246: the identity providing server 204 sends the list of user data to the UE 200 to request the user's authorization;
  • Step 248: the UE 200 returns the user's authorization result to the identity providing server 204;
  • Step 250: the identity providing server 204 sends a redirect message to the UE 200, and the UE 200 contacts the service providing server 208 according to the address in the message header; the message includes an index and an authorization code;
  • Step 252: the service providing server 208 sends the index and the authorization code to the identity providing server 204;
  • Step 254: the identity providing server 204 returns an access token to the service providing server 208; the token includes information such as a key and the key lifetime;
  • Step 256: the service providing server 208 obtains the shared user data in batches from the RS 206. The RS 206 applies security protection to the data, such as confidentiality and integrity protection; after receiving the user data, the service providing server 208 reads the protected data using the access token;
  • Step 258: the service providing server 208 returns a result message to the UE 200.
  • Using EAP, an AAA protocol (Diameter or RADIUS), HTTP and SAML as the concrete protocols, the flow of FIG. 4 is as follows:
  • Step 220a: the ASN 202 sends an EAP-Identity request to the UE 200;
  • Step 222a: the UE 200 sends an EAP-Identity response to the ASN 202 carrying the identity ID of the user; the Type-Data field of the EAP-Identity response is set to the ID;
  • Step 224a: the ASN 202 forwards the EAP payload (EAP-Payload) to the identity providing server 204 via the AAA protocol. With Diameter, the ASN 202 encapsulates the EAP-Identity payload in the EAP-Payload AVP (Attribute-Value Pair) of a Diameter-EAP-Request message; with RADIUS (Remote Authentication Dial-In User Service), the EAP-Message attribute of an Access-Request message encapsulates the EAP-Identity payload;
  • Step 226a: the identity providing server 204 sends the ID to the RS 206 through the Diameter protocol to obtain the key material, specifically carrying the ID in a Multimedia-Auth-Request (MAR) message;
  • Step 228a: the RS 206 returns the key material to the identity providing server 204 through the Diameter protocol, specifically in a Multimedia-Auth-Answer (MAA) message, where the ID is mapped to the User-Name attribute;
  • Step 230a: the UE 200 and the identity providing server 204 negotiate security parameters: (1) they negotiate the EAP method, such as EAP-Authentication and Key Agreement (EAP-AKA) or EAP-Transport Layer Security (EAP-TLS); with Diameter the EAP-Payload AVP of the Diameter-EAP-Request and Diameter-EAP-Answer messages encapsulates the EAP-AKA, EAP-TLS and other payloads, and with RADIUS the Access-Challenge and Access-Accept messages encapsulate them; (2) the resulting Master Session Key (MSK) is delivered to the ASN: with Diameter the EAP-Master-Session-Key AVP of the Diameter-EAP-Answer message carries the key material, and with RADIUS a Vendor-Specific Attribute (VSA) carries the MSK;
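The EAP-Identity exchange of steps 220a to 224a, as an added example that is not part of the patent: it frames the EAP-Identity request and response (RFC 3748), wraps the response in the EAP-Payload and User-Name AVPs of a Diameter-EAP-Request (RFC 4072, RFC 6733) as the ASN would, and has the identity providing server validate the framing and cross-check the User-Name AVP against the identity inside the EAP payload before using it for the key-material lookup of step 226a. The ID and the hop-by-hop and end-to-end identifiers are constructed values.

```python
"""EAP-Identity carried from the ASN to the identity providing server in a
Diameter-EAP-Request. Added example; the ID and Diameter identifiers are constructed."""
import struct

EAP_CODE_REQUEST, EAP_CODE_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1

AVP_USER_NAME = 1           # RFC 6733, UTF8String
AVP_EAP_PAYLOAD = 462       # RFC 4072, OctetString
AVP_FLAG_VENDOR = 0x80
AVP_FLAG_MANDATORY = 0x40
DIAMETER_EAP_APP_ID = 5     # RFC 4072 application id
CMD_DIAMETER_EAP = 268      # DER when the R flag is set, DEA otherwise
CMD_FLAG_REQUEST = 0x80
DIAMETER_HEADER_LEN = 20


def eap_packet(code, identifier, eap_type, type_data=b""):
    """Code(1) Identifier(1) Length(2) Type(1) Type-Data; Length covers the whole packet."""
    return struct.pack("!BBHB", code, identifier, 5 + len(type_data), eap_type) + type_data


def parse_eap(packet):
    if len(packet) < 5:
        raise ValueError("EAP packet too short")
    code, identifier, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if length != len(packet):
        raise ValueError("EAP length field does not match packet size")
    return code, identifier, eap_type, packet[5:]


def avp(code, data, flags=AVP_FLAG_MANDATORY):
    """AVP Code(4) Flags(1) Length(3) Data, zero-padded to 4 octets; Length excludes padding."""
    header = struct.pack("!IB", code, flags) + (8 + len(data)).to_bytes(3, "big")
    return header + data + b"\x00" * ((-len(data)) % 4)


def parse_avps(buf):
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack("!IB", buf[off:off + 5])
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & AVP_FLAG_VENDOR else 8      # Vendor-Id present when V is set
        if length < hdr or off + length > len(buf):
            raise ValueError("bad AVP length")
        avps.append((code, flags, buf[off + hdr:off + length]))
        off += length + ((-length) % 4)
    return avps


def diameter_message(cmd_code, flags, app_id, hop_by_hop, end_to_end, avps):
    """Version(1) Length(3) Flags(1) Code(3) Application-Id(4) Hop-by-Hop(4) End-to-End(4)."""
    body = b"".join(avps)
    return (bytes([1]) + (DIAMETER_HEADER_LEN + len(body)).to_bytes(3, "big")
            + bytes([flags]) + cmd_code.to_bytes(3, "big")
            + struct.pack("!III", app_id, hop_by_hop, end_to_end) + body)


def parse_diameter(msg):
    if len(msg) < DIAMETER_HEADER_LEN or msg[0] != 1:
        raise ValueError("not a Diameter v1 message")
    if int.from_bytes(msg[1:4], "big") != len(msg):
        raise ValueError("Diameter length field does not match message size")
    app_id, hop_by_hop, end_to_end = struct.unpack("!III", msg[8:20])
    return {"flags": msg[4], "cmd": int.from_bytes(msg[5:8], "big"), "app_id": app_id,
            "hop_by_hop": hop_by_hop, "end_to_end": end_to_end,
            "avps": parse_avps(msg[DIAMETER_HEADER_LEN:])}


def asn_forward_identity(eap_response, hop_by_hop=0x1001, end_to_end=0x2001):
    """Step 224a at the ASN: accept only an EAP-Identity response and wrap it in a DER,
    copying the identity into User-Name so the server can route on it."""
    code, _, eap_type, identity = parse_eap(eap_response)
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("expected an EAP-Identity response")
    return diameter_message(CMD_DIAMETER_EAP, CMD_FLAG_REQUEST, DIAMETER_EAP_APP_ID,
                            hop_by_hop, end_to_end,
                            [avp(AVP_USER_NAME, identity), avp(AVP_EAP_PAYLOAD, eap_response)])


def idp_extract_identity(der):
    """Identity providing server side: check command and application, then require the
    routing User-Name to equal the identity inside the EAP payload before using it."""
    msg = parse_diameter(der)
    if msg["cmd"] != CMD_DIAMETER_EAP or not msg["flags"] & CMD_FLAG_REQUEST:
        raise ValueError("not a Diameter-EAP-Request")
    if msg["app_id"] != DIAMETER_EAP_APP_ID:
        raise ValueError("wrong application id")
    by_code = {code: data for code, _, data in msg["avps"]}
    code, identifier, eap_type, identity = parse_eap(by_code[AVP_EAP_PAYLOAD])
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("EAP-Payload is not an EAP-Identity response")
    if by_code.get(AVP_USER_NAME) != identity:
        raise ValueError("User-Name AVP disagrees with EAP identity")
    return identity.decode("utf-8"), identifier, msg["hop_by_hop"]


def example_exchange(user_id="aid-0001@operator.example"):
    """Steps 220a-224a with a constructed ID; returns (identity, EAP identifier, DER bytes)."""
    request = eap_packet(EAP_CODE_REQUEST, 7, EAP_TYPE_IDENTITY)          # ASN -> UE
    _, identifier, _, _ = parse_eap(request)
    response = eap_packet(EAP_CODE_RESPONSE, identifier, EAP_TYPE_IDENTITY, user_id.encode())
    der = asn_forward_identity(response)                                   # ASN -> IdP
    identity, eap_id, _ = idp_extract_identity(der)
    return identity, eap_id, der
```

The User-Name cross-check is the practical point: User-Name is what AAA routing and the RS lookup of step 226a key on, while the EAP identity is what the EAP method actually authenticates in step 230a, so a server that takes them from two places without comparing them can fetch key material for one user while running the method for another.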
  • Step 232a: the UE 200 sends an HTTP request to the service providing server 208 and chooses to log in through the identity providing server 204. The service providing server 208 statically configures or dynamically discovers the URL (Uniform Resource Locator) of the identity providing server 204, and the request message carries a <samlp:AuthnRequest>;
  • Step 234a: the service providing server 208 sends an HTTP redirect message to the UE 200, and the UE 200 follows the redirect to the identity providing server 204;
  • Step 236a: the identity providing server 204 sends an HTTP 401 Unauthorized message to the UE 200;
  • Step 238a: the UE 200 sends an HTTP request to the identity providing server 204 and performs HTTP Digest authentication using the ID as the username and the MSK as the password;
  • Step 240a: after receiving the HTTP Digest authentication message, the identity providing server 204 looks up the locally stored ID/MSK pair by the ID, runs the same HTTP Digest algorithm, and passes the verification when the computed result matches the received one;
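Steps 236a to 240a as an added example, not the patent's code: the identity providing server issues the 401 challenge, the UE answers with an RFC 2617 Digest response (qop=auth) using its ID as the username and its MSK as the password, and the server recomputes the response from its local ID/MSK table. Assumptions: the 64-byte binary MSK becomes a text password as hex, the realm and URI are constructed, and a nonce-count check is included so that a captured Authorization header is rejected when replayed.

```python
"""HTTP Digest single sign-on between UE and identity providing server (steps 236a-240a).
Added example; realm, URI and the hex MSK-to-password encoding are assumptions."""
import hashlib
import hmac
import re
import secrets

# Populated by network access authentication (step 230a): ID -> MSK.
ID_MSK_TABLE = {}


def register_msk(user_id, msk):
    ID_MSK_TABLE[user_id] = msk


def msk_as_password(msk):
    # Assumption: the binary MSK is used as a text password in hex form.
    return msk.hex()


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(header):
    if not header.startswith("Digest "):
        raise ValueError("not a Digest header")
    return {k: q if q else u for k, q, u in _PARAM.findall(header[len("Digest "):])}


class IdpDigestServer:
    def __init__(self, realm="idp.operator.example"):
        self.realm = realm
        self._nonces = {}           # server nonce -> highest nonce count accepted so far

    def challenge(self):
        """Step 236a: the parameters of the 401 Unauthorized response."""
        nonce = secrets.token_hex(16)
        self._nonces[nonce] = 0
        return {"realm": self.realm, "nonce": nonce, "qop": "auth", "algorithm": "MD5"}

    def verify(self, method, authorization_header):
        """Step 240a: recompute with the locally stored MSK and compare in constant time."""
        try:
            auth = parse_authorization(authorization_header)
            msk = ID_MSK_TABLE[auth["username"]]
            nonce, nc = auth["nonce"], int(auth["nc"], 16)
            if nonce not in self._nonces or nc <= self._nonces[nonce]:
                return False        # unknown nonce, or nonce count not increasing: replay
            if auth["realm"] != self.realm or auth["qop"] != "auth":
                return False
            expected = digest_response(auth["username"], self.realm, msk_as_password(msk),
                                       method, auth["uri"], nonce, auth["nc"], auth["cnonce"])
        except (KeyError, ValueError):
            return False
        if not hmac.compare_digest(expected, auth.get("response", "")):
            return False
        self._nonces[nonce] = nc
        return True


def ue_authorization(user_id, msk, method, uri, challenge, nc=1):
    """Step 238a: the UE's Authorization header (nc, qop and algorithm are unquoted)."""
    nc_str = f"{nc:08x}"
    cnonce = secrets.token_hex(8)
    response = digest_response(user_id, challenge["realm"], msk_as_password(msk), method, uri,
                               challenge["nonce"], nc_str, cnonce)
    return ('Digest username="{}", realm="{}", nonce="{}", uri="{}", qop=auth, nc={}, '
            'cnonce="{}", response="{}", algorithm=MD5').format(
        user_id, challenge["realm"], challenge["nonce"], uri, nc_str, cnonce, response)


def sso_login(user_id, msk, uri="/sso", method="GET"):
    """The whole 236a-240a exchange; returns (first attempt accepted, replay accepted)."""
    idp = IdpDigestServer()
    header = ue_authorization(user_id, msk, method, uri, idp.challenge())
    return idp.verify(method, header), idp.verify(method, header)
```

Two caveats a deployer would want: without qop and the nonce-count bookkeeping above, a captured Digest header replays for the nonce's lifetime; and using the MSK itself as the password ties the web login secret to the link-layer key, whereas the UE capability list above includes deriving new key material, which is the cleaner choice.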
  • Step 242a: the identity providing server 204 sends the ID to the RS 206 through the Diameter protocol to request the user data list, using the User-Data attribute of a Push-Profile-Request message for the list of user data, with the ID mapped to the User-Name attribute;
  • Step 244a: the RS 206 returns the user data list to the identity providing server 204 through the Diameter protocol, using the User-Data attribute of a Push-Profile-Answer message, with the ID mapped to the User-Name attribute;
  • Step 246a: the identity providing server 204 sends the list of user data to the UE 200 over HTTPS to request the user's authorization;
  • Step 248a: after the user authorizes, the UE 200 returns the authorized user data list to the identity providing server 204;
  • Step 250a: the identity providing server 204 generates a SAML Artifact and an authorization code and redirects the UE 200 over HTTPS; the UE 200 contacts the service providing server 208 according to the URL in the message header. The SAML Artifact is a small data object that refers to a SAML protocol message and can be embedded in an HTTP message;
  • Step 252a: the service providing server 208 sends an HTTP GET request to the identity providing server 204 over HTTPS; the message includes the SAML Artifact and the authorization code;
  • Step 254a: the identity providing server 204 returns an access token to the service providing server 208 in the HTTPS response; the token includes information such as a key and the key lifetime;
  • Step 256a: the service providing server 208 obtains the shared user data in batches from the RS 206 through the Diameter protocol, using the User-Data attribute of Push-Profile-Request/Answer messages. The RS 206 protects the data, for example with confidentiality and integrity protection; after receiving the user data, the service providing server 208 reads the protected data using the key in the access token;
  • Step 258a: the service providing server 208 returns an HTTP 200 OK message to the UE 200.
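Steps 250a to 254a as an added example, not the patent's code: the identity providing server mints a SAML artifact and an authorization code after the user's authorization, the service providing server presents both, and the server answers with an access token carrying a fresh key and its lifetime. Assumed here: the SAML 2.0 type 0x0004 artifact layout (TypeCode, EndpointIndex, SourceID = SHA-1 of the IdP entity ID, 20-byte random MessageHandle), single-use artifacts bound to the SP that was redirected, and an `introspect` call standing in for what the RS may learn about a token over interface C; entity IDs and scopes are constructed.

```python
"""SAML 2.0 artifact plus authorization code resolved to an access token (steps 250a-254a).
Added example; artifact layout, single-use policy and token contents are assumptions."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

ARTIFACT_TYPE = 0x0004
ARTIFACT_LEN = 44                       # 2 + 2 + 20 + 20 octets before base64


def build_artifact(source_id, endpoint_index, handle):
    raw = struct.pack("!HH", ARTIFACT_TYPE, endpoint_index) + source_id + handle
    return base64.b64encode(raw).decode("ascii")


def parse_artifact(artifact):
    raw = base64.b64decode(artifact, validate=True)     # binascii.Error is a ValueError
    if len(raw) != ARTIFACT_LEN:
        raise ValueError("bad artifact length")
    type_code, endpoint_index = struct.unpack("!HH", raw[:4])
    if type_code != ARTIFACT_TYPE:
        raise ValueError("unsupported artifact type")
    return endpoint_index, raw[4:24], raw[24:]


class IdentityProvider:
    def __init__(self, entity_id, now=time.time):
        self.source_id = hashlib.sha1(entity_id.encode()).digest()
        self.endpoint_index = 0
        self._now = now
        self._pending = {}              # message handle -> pending authorization record
        self._tokens = {}               # access token -> (user id, token record)

    def issue_artifact(self, user_id, sp_id, authorized_data, ttl=300):
        """Step 250a: after the user authorized `authorized_data`, mint the artifact and
        the authorization code that the UE carries to the service providing server."""
        handle = secrets.token_bytes(20)
        code = secrets.token_urlsafe(24)
        self._pending[handle] = {"user_id": user_id, "sp_id": sp_id, "code": code,
                                 "data": tuple(authorized_data), "expires": self._now() + ttl}
        return build_artifact(self.source_id, self.endpoint_index, handle), code

    def resolve(self, artifact, code, sp_id, key_lifetime=3600):
        """Steps 252a-254a: the service providing server presents artifact + code and gets
        the access token, or None. The artifact is consumed on first use whatever the
        outcome, so a guessed code cannot be retried against the same artifact."""
        try:
            endpoint_index, source_id, handle = parse_artifact(artifact)
        except ValueError:
            return None
        if source_id != self.source_id or endpoint_index != self.endpoint_index:
            return None                 # not minted by this IdP endpoint
        record = self._pending.pop(handle, None)
        if record is None or self._now() > record["expires"]:
            return None                 # unknown, already used, or expired
        if record["sp_id"] != sp_id or not hmac.compare_digest(record["code"], code):
            return None                 # wrong SP, or wrong authorization code
        token = {"access_token": secrets.token_urlsafe(32), "key": secrets.token_bytes(32),
                 "expires_at": self._now() + key_lifetime, "scope": record["data"]}
        self._tokens[token["access_token"]] = (record["user_id"], token)
        return token

    def introspect(self, access_token):
        """Assumed interface C query from the RS: scope and validity only, never the key."""
        entry = self._tokens.get(access_token)
        if entry is None or self._now() > entry[1]["expires_at"]:
            return None
        return {"scope": entry[1]["scope"], "expires_at": entry[1]["expires_at"]}
```

Consuming the artifact on the first resolution attempt, right or wrong, is the single-use property artifact resolution relies on; binding the pending record to the SP that was redirected, and checking it at resolution, stops an artifact captured from one SP's redirect being resolved by another. The key in the returned token is what the RS would use for the confidentiality and integrity protection of step 256a; that protection itself is outside this example.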
  • The above process applies to EAP-authenticated access such as ADSL, WLAN and Ethernet.
  • The identifier/locator separation network is compatible with existing terminals and access technologies, that is, it requires no change to the terminal or the access network.
  • In that case the UE 200 accesses the network in the existing way; after access authentication the network allocates an access identifier to the user equipment, and the user equipment and the network share the session key. The subsequent processing flow is identical.
  • FIG. 5 is a signaling flowchart of Embodiment 2 of sharing user data in a network according to the present invention.
  • This embodiment is also based on the architecture shown in FIG. 2. The UE 200 is authenticated by the identity providing server 204, and the service providing server 208 obtains the user-shared data through the identity providing server 204; the user authorizes specifically which data is shared, and the real identity information of the user need not be disclosed to the service providing server.
  • the prerequisite for the process is that the link between the UE 200 and the ASN 202 has been established, and the UE
  • the user data process in the shared network includes:
  • Step 302 The UE 200 passes the access authentication of the network. After the authentication ends, the UE 200 shares the session key with the identity providing server 204.
  • Step 302 may specifically include step 220 to step 230 in FIG. 4, and details are not described herein.
  • Step 304 The UE 200 accesses the service of the service providing server 208, and the service providing server 208 discovers the location of the identity providing server 204 by static configuration or dynamic discovery. ;
  • Step 306 the service providing server 208 sends a redirect message to the UE 200, the UE 200 sends the message to the identity providing server 204 according to the address of the identity providing server in the redirect message header;
  • Step 308 The identity providing server 204 sends an unauthorized message to the UE 200.
  • Step 310 The UE 200 sends a digest authentication message to the identity providing server 204, where the ID is used as the username and the session key is used as the password.
  • Step 312 The identity providing server 204 verifies the identity of the user after receiving the digest authentication message.
  • Step 314 The identity providing server 204 sends a redirect message to the service providing server 208, where the message includes an index.
  • Step 316 The service providing server 208 sends a request to the identity providing server 204 to authenticate the identity of the user, where the message includes an index.
  • Step 318 The identity providing server 204 returns the authentication result to the service providing server 208.
  • Step 320 The service providing server 208 requests the identity providing server 204 to share data, where the message includes an index.
  • Step 322 The identity providing server 204 requests user data from the RS 206, where the request includes the user ID.
  • Step 324 The RS 206 returns user data to the identity providing server.
  • Step 326 The identity providing server 204 sends a request to the UE 200 to request the user to authorize the data.
  • Step 332 the service providing server 208 returns a result message to the UE 200.
  • the following application example uses the HTTP and SAML protocols to describe the flow of securely sharing user data in the network shown in FIG. 5:
  • Step 302a the UE 200 passes the access authentication of the network, and after the end of the authentication, the UE 200 shares the session key MSK with the identity providing server 204;
  • Step 304a The UE 200 sends an HTTP request to the service providing server 208, and selects to log in through the identity providing server 204 on the service providing server 208.
  • the URL (Uniform Resource Locator) address of the identity providing server is included in the header field of the HTTP request; the service providing server 208 obtains the URL address of the identity providing server 204 by static configuration or dynamic discovery and carries the SAML AuthnRequest;
  • Step 306a the service providing server 208 sends an HTTP redirect message to the UE 200, and the UE 200 sends the message to the identity providing server 204 according to the URL address of the identity providing server in the HTTP redirect message header;
  • Step 308a The identity providing server 204 sends an HTTP 401 Unauthorized message to the UE 200.
  • Step 310a The UE 200 sends an HTTP request message to the identity providing server 204, using the ID as the username and the MSK as the password to perform HTTP Digest authentication.
  • Step 312a After receiving the HTTP Digest authentication message, the identity providing server 204 looks up the locally stored ID/MSK pair for the ID and performs the same HTTP Digest computation; if the results match, the verification succeeds;
  • Step 314a the identity providing server 204 generates a SAML Artifact and sends an HTTPS redirect message to the service providing server 208, where the message carries the SAML Artifact; the SAML Artifact points to a structured data object of the SAML protocol message, and is small enough to be embedded in the HTTP message;
  • Step 316a After receiving the SAML Artifact, the service providing server 208 sends an HTTPS request to the identity providing server 204, where the message carries the SAML Artifact; after receiving the message, the identity providing server 204 constructs the SAML assertion;
  • Step 318a the identity providing server 204 returns the SAML assertion to the service providing server 208 via HTTPS;
  • Step 320a the service providing server 208 sends an HTTPS request to the identity providing server 204 to request the shared user data, and the message carries the SAML Artifact;
  • Step 322a the identity providing server 204 obtains the ID from the SAML Artifact and requests the user's shared data from RS 206 with a Diameter Push-Profile-Request;
  • Step 324a RS 206 returns the user's shared data to the identity providing server 204, carrying the user data in the User-Data attribute of the Diameter Push-Profile-Answer message;
  • Step 326a The identity providing server 204 sends an HTTPS request to the UE 200 to request the user to authorize the shared data.
  • Step 328a After the user authorizes the shared user data, the result is returned to the identity providing server 204.
  • Step 330a after the user authorizes, the identity providing server 204 returns the data authorized by the user to the service providing server 208;
  • Step 332a the service providing server 208 returns an HTTP 200 OK message to the UE 200.
  • FIG. 6 is a signaling flowchart of Embodiment 3 of securely sharing user data in a network according to the present invention. The flow is based on the architecture shown in FIG. 3.
  • in this embodiment, the identity providing server 204 performs access authentication on the UE 200, the service providing server 208 authenticates the user identity, and then the process of securely sharing user data in the network is performed.
  • the process is performed on the premise that the link between the UE 200 and the ASN 202 has been established, and that the UE 200 has a pre-configured user ID or the network has assigned an ID to the user.
  • the process includes:
  • Step 402 The UE 200 passes the access authentication of the network; after the authentication ends, the UE 200 shares the session key with the identity providing server 204;
  • Step 404 The UE 200 accesses the service of the service providing server 208, and the service providing server 208 discovers the location of the identity providing server 204 by static configuration or dynamic discovery;
  • Step 406 The service providing server 208 sends an unauthorized message to the UE 200.
  • Step 408 The UE 200 sends a digest authentication message to the service providing server 208, where the ID is used as the username and the session key is used as the password.
  • Step 410 The service providing server 208 requests the identity providing server 204 for the security parameter of the user.
  • Step 412 The identity providing server 204 returns the security parameter of the user to the service providing server 208.
  • Step 414 The service providing server 208 verifies the identity of the user, and the verification process is based on the received digest authentication message and the security parameter of the user.
  • Step 416 The service providing server 208, the RS 206, the identity providing server 204, and the UE 200 perform a user data process in the secure shared network.
  • the process of securely sharing the data may be the same as steps 252-258 in FIG. 4 or steps 320-332 in FIG. 5, and details are not described herein again.
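Embodiments 2 and 3 above, as an added example that is not part of the patent or of any ZTE implementation: a self-contained Python simulation in which the UE answers an HTTP Digest challenge with its ID as the username and the session key MSK as the password, the identity providing server (FIG. 5) or the service providing server using the security parameter fetched from it (FIG. 6) verifies the digest, and data from the RS is released only for the items the user authorizes. The realm, URI, profile field names and the pseudonym in the assertion are assumptions; the SAML, HTTP and Diameter messages are reduced to function calls.

```python
import hashlib
import hmac
import secrets

# Constructed values; the patent fixes no realm, URI or data field names.
IDP_REALM, SP_REALM, METHOD, URI = "idp.operator.example", "sp.example", "GET", "/login"


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, password, realm, nonce, method, uri) -> str:
    """RFC 2617 Digest response without qop: MD5(HA1 ':' nonce ':' HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


class UserEquipment:
    """UE 200: holds its ID, the MSK from access authentication and a consent set."""
    def __init__(self, user_id: str, msk: str, consent: set):
        self.user_id, self.msk, self._consent = user_id, msk, consent

    def digest(self, realm: str, nonce: str) -> str:
        # Steps 310/408: the ID is the username and the session key is the password.
        return digest_response(self.user_id, self.msk, realm, nonce, METHOD, URI)

    def authorize(self, requested: list) -> list:
        # Steps 326/328: the user decides which of the requested items may be shared.
        return [k for k in requested if k in self._consent]


class IdentityProvider:
    """Identity providing server 204, with the RS 206 profiles behind it."""
    def __init__(self, rs_profiles: dict):
        self._rs = rs_profiles     # RS 206 data keyed by ID (Diameter exchange elided)
        self._sessions = {}        # ID -> MSK, established by network access authentication
        self._nonces = set()
        self._artifacts = {}       # SAML Artifact -> ID; the ID itself never reaches the SP

    def register_session(self, user_id: str, msk: str) -> None:
        self._sessions[user_id] = msk  # Step 302

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)  # Step 308: 401 Unauthorized with a fresh nonce
        self._nonces.add(nonce)
        return nonce

    def verify_digest(self, username: str, nonce: str, response: str) -> bool:
        # Step 312: recompute the digest from the locally stored ID/MSK pair.
        if nonce not in self._nonces:
            return False
        self._nonces.discard(nonce)  # each nonce is accepted once
        msk = self._sessions.get(username)
        if msk is None:
            return False
        expected = digest_response(username, msk, IDP_REALM, nonce, METHOD, URI)
        return hmac.compare_digest(expected, response)

    def issue_artifact(self, user_id: str) -> str:
        art = secrets.token_urlsafe(20)  # Step 314: a small opaque handle
        self._artifacts[art] = user_id
        return art

    def resolve_artifact(self, art: str):
        # Steps 316/318: the assertion names a pseudonym, not the real ID.
        user_id = self._artifacts.get(art)
        if user_id is None:
            return None
        return {"subject": hashlib.sha256(user_id.encode()).hexdigest()[:16], "authenticated": True}

    def security_parameter(self, user_id: str):
        return self._sessions.get(user_id)  # Steps 410/412 (Embodiment 3)

    def share_data(self, art: str, requested: list, ue: UserEquipment):
        # Steps 320-330: artifact -> ID, fetch from the RS, ask the user, return the subset.
        user_id = self._artifacts.get(art)
        if user_id is None:
            return None
        profile = dict(self._rs.get(user_id, {}))  # Steps 322/324: Push-Profile-Request/Answer
        return {k: profile[k] for k in ue.authorize(requested) if k in profile}


def embodiment2(ue: UserEquipment, idp: IdentityProvider, requested: list):
    """FIG. 5: the IdP authenticates the UE; the SP only ever sees the artifact."""
    nonce = idp.challenge()                                                    # 308a
    if not idp.verify_digest(ue.user_id, nonce, ue.digest(IDP_REALM, nonce)):  # 310a/312a
        return None
    art = idp.issue_artifact(ue.user_id)                                       # 314a
    assertion = idp.resolve_artifact(art)                                      # 316a/318a
    if not (assertion and assertion["authenticated"]):
        return None
    return idp.share_data(art, requested, ue)                                  # 320a-330a


def embodiment3(ue: UserEquipment, idp: IdentityProvider, requested: list):
    """FIG. 6: the SP verifies the Digest itself with the session key fetched from the IdP."""
    nonce = secrets.token_hex(16)                                    # 406: the SP's own 401
    response = ue.digest(SP_REALM, nonce)                            # 408
    msk = idp.security_parameter(ue.user_id)                         # 410/412
    expected = digest_response(ue.user_id, msk or "", SP_REALM, nonce, METHOD, URI)
    if msk is None or not hmac.compare_digest(expected, response):  # 414
        return None
    return idp.share_data(idp.issue_artifact(ue.user_id), requested, ue)  # 416
```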
  • an embodiment of the present invention further provides a service providing server, where the service providing server includes:
  • the receiving module 70 is configured to receive an access of the user equipment (UE);
  • the obtaining module 71 is configured to obtain user-authorized user shared data directly or indirectly from the resource server (RS).
  • the service providing server may further include a service access authentication module 72, configured to directly or indirectly complete the service access authentication of the UE before the receiving module receives the access of the UE.
  • the service access authentication module 72 is configured to obtain a user security parameter from the identity providing server and complete service access authentication of the UE according to the user security parameter, or to obtain from the identity providing server the service authentication result of the identity providing server for the UE.
  • the user security parameter is obtained by the identity providing server according to the network's access authentication result for the UE; the service authentication result is completed by the identity providing server according to the network's access authentication result for the UE.
  • the obtaining module 71 is configured to acquire a token from the identity providing server and directly acquire user-authorized user shared data from the RS according to the token, or to obtain user-authorized user shared data through the identity providing server.
  • the service providing server can thus share the user data in the network that the user has authorized.
  • the specific implementation process can be seen in FIG. 4 to FIG. 6.
  • an embodiment of the present invention further provides an identity providing server, where the identity providing server includes:
  • the network access authentication module 80 is configured to authenticate the user equipment (UE) accessing the network and obtain user security parameters;
  • the service access authentication module 81 is configured to perform service access authentication for the UE according to the user security parameter obtained by the network access authentication module 80, and send the service access authentication result to the service providing server.
  • the user security parameter includes a session key.
  • the identity providing server may further include: a first sending module 82, configured to send the user security parameter obtained by the network access authentication module to the service providing server.
  • the identity providing server may further include a second sending module 83, configured to: after the service access authentication module 81 sends the service access authentication result or the first sending module 82 sends the user security parameter to the service providing server, receive a data request sent by the service providing server, obtain user-authorized user shared data from the resource server (RS) according to the data request, and send the user shared data to the service providing server.
  • the second sending module 83 is further configured to: after the service access authentication module 81 sends the service access authentication result or the first sending module 82 sends the user security parameter to the service providing server, receive a token request sent by the service providing server, and send a token to the service providing server according to the token request, so that the service providing server obtains user-authorized user shared data from the RS according to the token.
  • the identity providing server thus lays the foundation for the UE to access the service providing server; it also provides the user-authorized data to the service providing server, or provides a token to the service providing server so that the service providing server can obtain the user-authorized user shared data according to the token.
  • the present invention further provides a user equipment (UE), where the UE includes: an access module 90, configured to access a service providing server;
  • the data processing module 91 is configured to receive a user data authorization request sent by the identity providing server according to the data request sent by the service providing server, and to return the user-authorized user shared data to the identity providing server according to the user's authorization result for the user data carried in the user data authorization request.
  • the access module 92 is configured to access the service providing server after the UE has used its identifier to successfully access the network and obtained service access authentication from the service providing server.
  • after the UE successfully accesses the network and obtains service access authentication from the service providing server, it can access the service providing server and authorize which of its data in the network the service providing server may share; the service providing server can then share the user data in the network that the user has authorized.
  • the above method for sharing user data in the network, the service providing server, the identity providing server, and the user equipment enable the service providing server to securely share the user data of the telecommunications carrier.

Landscapes

  • Engineering & Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

A method for sharing user data in a network, a service providing server, an identity providing server and user equipment, wherein the network includes an identity providing server and a resource server (RS). The method includes: a service providing server receiving access from user equipment (UE); the service providing server directly or indirectly acquiring user shared data authorized by a user from the RS. The method for sharing user data in a network, service providing server, identity providing server and user equipment above enable the service providing server to securely share the user data of telecommunication operators.

Description

Method for sharing user data in a network and identity providing server
Technical field
The present invention relates to the field of communications and the Internet, and in particular to a method for sharing user data in a network, a service providing server, an identity providing server, and a user equipment.
Background
With the popularity of the Internet and the development of information technology, people increasingly conduct business activities in cyberspace, such as online shopping, Internet telephony, e-mail, blogs and instant messaging. Generally, telecom operators and service providers provide services to users. Telecom operators own the infrastructure of the communication network and provide users with a wide range of access methods, such as Asymmetric Digital Subscriber Line (ADSL) access, Third Generation (3G) mobile communication access, wireless local area network (WLAN) access and Ethernet access; service providers provide users with a wide range of services, such as traditional portal websites, e-commerce, Internet communications, online banking and social networking.
Service providers on the Internet vary in scale; some can provide innovative services, but their user base grows slowly, and the number of users often becomes a bottleneck for business development. In recent years, a class of providers of identity services has appeared on the Internet, called identity providers (Identity Provider). The identity providing server run by an identity provider usually has a large user base and can provide services such as authentication to other users or service providers. Telecom operators have a huge number of users and naturally have the capability to act as identity providing servers, but compared with the open Internet, the telecommunications network is relatively closed and offers few kinds of services. To strengthen their competitiveness, rather than merely providing a pipe for service providers, telecom operators need to become part of the service value chain: providing identity services as identity providing servers, sharing user information, providing trusted security services, providing mobile payment capabilities, and so on. Service providers can then reuse the capabilities provided by telecom operators and focus on the services of their core competence; users can enjoy a seamless service experience with improved security and personal privacy.
In the related art, an application server (AS) in the IP Multimedia Subsystem (IMS) can directly access the subscription data of users in the Home Subscriber Server (HSS). The user decides which data to share by modifying the subscription information. Service providers on the Internet are numerous, and new ones keep appearing, so it is difficult to define the subscription data in advance; this solution therefore has scalability problems. In addition, a third-party AS obtains user subscription data from the HSS on the basis of a trust relationship, but the access of an AS to user subscription data cannot currently be controlled flexibly.
Current identity management (IdM) involves three roles: the user, the service provider and the identity providing server. Current solutions mainly address single sign-on, such as OpenID, Liberty Alliance, CardSpace, the Generic Authentication Architecture (GAA) and the Kerberos model; these schemes do not define user identity uniformly, each being implemented independently. The diversity of identities is inconvenient for users of Internet services.
Open Authorization (OAuth) is a protocol for authorized access to user resource data on the Internet; it does not identify users in a unified way and does not define how it is used together with the resources of a telecom operator.
In current networks, the identity of the user is used to identify the user at the network layer, and can also be used by service providers to identify the user, providing the user with a unified identity. However, there is still no effective method for a service provider's service providing server to securely share the user data of a telecom operator, which also limits the development of new services.
Summary of the invention
The embodiments of the present invention provide a method for sharing user data in a network, a service providing server, an identity providing server and a user equipment, to solve the problem that a service providing server cannot securely share the user data of a telecom operator.
An embodiment of the present invention provides a method for sharing user data in a network, where the network includes an identity providing server and a resource server (RS), and the method includes:
a service providing server receiving access from a user equipment (UE);
the service providing server directly or indirectly acquiring user-authorized user shared data from the RS.
Preferably, before the service providing server receives the access of the UE, the method further includes: the service providing server directly or indirectly completing service access authentication of the UE.
Preferably, the service providing server directly completing service access authentication of the UE includes: the service providing server obtaining a user security parameter from the identity providing server, and completing service access authentication of the UE according to the user security parameter.
Preferably, the service providing server indirectly completing service access authentication of the UE includes: the service providing server obtaining from the identity providing server the service access authentication result of the identity providing server for the UE.
Preferably, the user security parameter is obtained by the identity providing server according to the access authentication result of the network for the UE.
Preferably, the service access authentication result is completed by the identity providing server according to the access authentication result of the network for the UE.
Preferably, the service providing server directly acquiring user-authorized user shared data from the RS includes:
the service providing server acquiring a token from the identity providing server, and directly acquiring user-authorized user shared data from the RS according to the token.
Preferably, the service providing server indirectly acquiring user-authorized user shared data from the RS includes:
the service providing server acquiring user-authorized user shared data through the identity providing server.
An embodiment of the present invention further provides a service providing server, including: a receiving module, configured to receive access from a user equipment (UE);
an obtaining module, configured to obtain user-authorized user shared data directly or indirectly from a resource server (RS).
Preferably, the service providing server further includes:
a service access authentication module, configured to directly or indirectly complete service access authentication of the UE before the receiving module receives the access of the UE.
Preferably, the service access authentication module is configured to obtain a user security parameter from the identity providing server and complete service access authentication of the UE according to the user security parameter; or to obtain from the identity providing server the service authentication result of the identity providing server for the UE.
Preferably, the user security parameter is obtained by the identity providing server according to the access authentication result of the network for the UE; or
the service authentication result is completed by the identity providing server according to the access authentication result of the network for the UE.
Preferably, the obtaining module is configured to acquire a token from the identity providing server and directly acquire user-authorized user shared data from the RS according to the token; or to acquire user-authorized user shared data through the identity providing server.
An embodiment of the present invention further provides an identity providing server, including: a network access authentication module, configured to authenticate a user equipment (UE) accessing the network and obtain a user security parameter;
a service access authentication module, configured to complete service access authentication of the UE according to the user security parameter obtained by the network access authentication module, and send the service access authentication result to the service providing server.
Preferably, the identity providing server further includes:
a first sending module, configured to send the user security parameter obtained by the network access authentication module to the service providing server.
Preferably, the user security parameter includes a session key.
Preferably, the identity providing server further includes:
a second sending module, configured to: after the service access authentication module sends the service access authentication result or the first sending module sends the user security parameter to the service providing server, receive a data request sent by the service providing server, obtain user-authorized user shared data from the resource server (RS) according to the data request, and send the user shared data to the service providing server.
Preferably, the second sending module is further configured to: after the service access authentication module sends the service access authentication result or the first sending module sends the user security parameter to the service providing server, receive a token request sent by the service providing server and send a token to the service providing server according to the token request, so that the service providing server obtains user-authorized user shared data from the RS according to the token.
An embodiment of the present invention further provides a user equipment (UE), including:
an access module, configured to access a service providing server;
a data processing module, configured to receive a user data authorization request sent by the identity providing server according to the data request sent by the service providing server, and to return user-authorized user shared data to the identity providing server according to the user's authorization result for the user data carried in the user data authorization request.
Preferably, the access module is configured to access the service providing server after the UE has used its identifier to successfully access the network and obtained service access authentication of the service providing server.
The above method for sharing user data in a network, service providing server, identity providing server and user equipment enable the service providing server to securely share the user data of a telecom operator.
Brief description of the drawings
图 1为本发明实施例的共享网络中用户数据的场景示意图;  1 is a schematic diagram of a scenario of user data in a shared network according to an embodiment of the present invention;
图 2为本发明共享网络中用户数据实施例一的架构示意图;  2 is a schematic structural diagram of Embodiment 1 of user data in a shared network according to the present invention;
图 3为本发明共享网络中用户数据实施例二的架构示意图;  3 is a schematic structural diagram of Embodiment 2 of user data in a shared network according to the present invention;
图 4为本发明共享网络中用户数据实施例一的信令流程图;  4 is a signaling flowchart of Embodiment 1 of user data in a shared network according to the present invention;
图 5为本发明共享网络中用户数据实施例二的信令流程图;  5 is a signaling flowchart of Embodiment 2 of user data in a shared network according to the present invention;
图 6为本发明共享网络中用户数据实施例三的信令流程图;  6 is a signaling flowchart of Embodiment 3 of user data in a shared network according to the present invention;
图 7为本发明实施例的业务提供服务器的结构示意图;  FIG. 7 is a schematic structural diagram of a service providing server according to an embodiment of the present invention;
图 8为本发明实施例的身份提供服务器的结构示意图;  FIG. 8 is a schematic structural diagram of an identity providing server according to an embodiment of the present invention;
图 9为本发明的用户设备的结构示意图。 本发明的较佳实施方式  FIG. 9 is a schematic structural diagram of a user equipment according to the present invention. Preferred embodiment of the invention
下文中将结合附图对本发明的实施例进行详细说明。 需要说明的是, 在 不冲突的情况下, 本申请中的实施例及实施例中的特征可以相互任意组合。 如图 1所示, 为本发明实施例共享网络中用户数据的场景示意图, 在该 实施例中, 社交网络安全地共享用户在网络中的数据, 如联系人列表, 该共 享过程包括: Embodiments of the present invention will be described in detail below with reference to the accompanying drawings. It should be noted that In the case of no conflict, the features in the embodiments and the embodiments in the present application may be arbitrarily combined with each other. As shown in FIG. 1 , a schematic diagram of a scenario for sharing user data in a network according to an embodiment of the present invention. In this embodiment, a social network securely shares data of a user in a network, such as a contact list, where the sharing process includes:
Step 10: The user 100 accesses the network 102 and passes the authentication of the network 102;
Step 12: The user 100 accesses the social networking website 104;
Step 14: The social networking website 104 does not have the identity information of the user 100; the social networking website 104 finds the network 102 according to configuration information or by using a dynamic discovery protocol;
Step 16: The network 102 contacts the user 100, and the user 100 authorizes the sharing of user data, such as a contact list;
Step 18: After the user 100 has authorized the user data to be shared, the network 102 continues with the subsequent processing;
Step 20: The network 102 returns the information shared by the user 100, such as the contact list, to the social network 104;
Step 22: When the user 106 accesses the social networking website 104 through the network 102, the user data shared by the user 100, such as the contact list, is used.
FIG. 2 is a schematic diagram of the architecture of Embodiment 1 of sharing user data in a network according to the present invention. The network completes the routing of data packets through an Access Serving Node (ASN); the user equipment (UE) 200 is identified by an ID. In the network, the user equipment 200 is authenticated by the identity providing server; the data shared by the user can be obtained directly from the Resource Server (RS) 206 or obtained through the identity providing server 204. The network includes, but is not limited to, a mobile communication network and an identifier network. The authentication between the UE 200 and the service providing server 208 is based on the result of the user's access authentication. In this architecture, the network does not pass the user's security credentials to the service providing server 208, so the service providing server 208 cannot authenticate the user equipment 200 directly; user authentication has to be completed through the interface between the UE 200 and the identity providing server 204.
The user equipment 200 refers to a user node, such as a mobile phone or a personal computer. The user equipment is pre-configured with, or obtains from the network, an identifier ID; the user equipment holds security credentials, either a root key pre-shared with the network or a configured digital certificate. In a mobile communication network, the ID of the user equipment may be an International Mobile Subscriber Identity (IMSI) or a Mobile Subscriber Integrated Services Digital Network number (MSISDN); in an identifier network, the ID of the user equipment is an Access Identifier (AID). The capabilities of the user equipment include, but are not limited to: support for the Hypertext Transfer Protocol (HTTP) Digest authentication protocol; support for the Session Initiation Protocol (SIP) Digest authentication protocol; support for the Extensible Authentication Protocol (EAP) and EAP authentication methods; and the ability to derive new key material.
The access service node 202 is located at the boundary of the network and is configured to provide access service for the user equipment 200, maintain the connection between the terminal and the network, implement routing and forwarding of data packets, and cooperate with the identity providing server 204 to complete the access authentication of the UE 200. In a mobile communication network, the access service node is a Serving GPRS Support Node (SGSN) and/or a Gateway GPRS Support Node (GGSN); in an identifier network, the access service node is an ASN.
The identity providing server 204 takes the user identity ID as its core in the network; it is responsible for creating, maintaining and managing the user's identity information and provides the user identity verification service. The capabilities of the identity providing server 204 include, but are not limited to: providing a network access authentication service; providing a service access authentication service; supporting the EAP functions; and being able to obtain user information from the RS. In a concrete implementation, the functions of the authentication center can be enhanced to implement the identity management functions, such as support for Web functions, HTTP (Hypertext Transfer Protocol), the HTTP Digest authentication protocol and the Security Assertion Markup Language (SAML).
The Resource Server (RS) 206 stores the user's security information and provides the user's attribute data and other data, such as a contact list, avatar, photos and videos.
The service providing server 208 provides services to the user node 200. These may be Web-type services, such as a portal website or an electronic mall, which usually use the Hypertext Markup Language (HTML) over HTTP; or non-Web-type services, such as e-mail or instant messaging, which are usually based on transport layer protocols such as the Transmission Control Protocol (TCP).
The interfaces in FIG. 2 are described below:
Interface A: located between the UE 200 and the ASN 202; provides mutual authentication between the UE 200 and the ASN 202, supporting, but not limited to, the EAP protocol;
Interface B: located between the ASN 202 and the identity providing server 204; transfers the master session key from the identity providing server 204 to the ASN 202, supporting, but not limited to, carrying the EAP payload over an Authentication, Authorization and Accounting (AAA) protocol;
Interface C: located between the identity providing server 204 and the RS 206; the identity providing server 204 obtains the user's security information and other user data through the C 214 interface. The protocols of this interface include, but are not limited to, the Diameter protocol.
Interface D: located between the UE 200 and the identity providing server 204; supports the user's single sign-on service and secure data sharing. The protocols of this interface include, but are not limited to: the HTTP Digest protocol; the SIP Digest protocol; the SAML protocol.
Interface E: located between the UE 200 and the service providing server 208; the UE 200 accesses the services provided by the service providing server 208 through this interface. The protocols of this interface include, but are not limited to: the HTTP protocol; transport layer protocols such as TCP; the SAML protocol; the Diameter protocol; the HTTPS protocol.
Interface F: located between the identity providing server 204 and the service providing server 208; provides the single sign-on service and supports secure data sharing. The protocols of this interface include, but are not limited to, the HTTP protocol and the AAA protocol.
Interface G: located between the service providing server 208 and the RS 206; the service providing server 208 obtains user-related data through this interface. The protocols of this interface include, but are not limited to, the Diameter protocol.
FIG. 3 is a schematic diagram of the architecture of Embodiment 2 of sharing user data in a network according to the present invention. The difference from the architecture shown in FIG. 2 is that, in the architecture of this embodiment, there is no interface between the UE and the identity providing server; instead, the network can pass the user's security information (such as the identifier, the master session key and the key lifetime) to the service providing server 208, so that the service providing server 208 can authenticate the user equipment 200 directly. The user security information used for the authentication between the UE 200 and the service providing server 208 is based on the result of the user's network access authentication.
FIG. 4 is a signaling flowchart of Embodiment 1 of sharing user data in a network according to the present invention. The flow is based on the architecture shown in FIG. 2. In this embodiment, the identity providing server 204 authenticates the UE 200; the service providing server 208 obtains a token from the identity providing server 204 and obtains the data shared by the user directly from the RS 206. The identity providing server 204 and the RS 206 have been pre-configured with a template for user data sharing, and the user authorizes which data is actually shared.
The prerequisite for this flow is that the link between the UE 200 and the ASN 202 has been established and the UE 200 has been pre-configured with the user's identity ID. The process of sharing user data in the network includes:
Step 220: The ASN 202 sends an identity request to the UE 200;
Step 222: The UE 200 sends a response to the ASN 202, carrying the user's identity ID in the response;
Step 224: The ASN 202 forwards the response message to the identity providing server 204, the message carrying the user identity ID;
Step 226: The identity providing server 204 sends a message carrying the ID to the RS 206 to request key material;
Step 228: The RS 206 returns the key material to the identity providing server 204;
Step 230: The UE 200 and the identity providing server 204 negotiate security parameters, including the security protocols supported by both parties and the session key;
Steps 220 to 230 above constitute the network's access authentication of the UE;
Step 232: The UE 200 accesses a service of the service providing server 208; the service providing server 208 finds the location of the identity providing server 204 by static configuration or dynamic discovery;
Step 234: The service providing server 208 sends a redirect message to the UE 200, and the UE 200 sends the message to the identity providing server 204 according to the address of the identity providing server in the redirect message header;
Step 236: The identity providing server 204 sends an unauthorized message to the UE 200;
Step 238: The UE 200 sends a digest authentication message to the identity providing server 204, using the ID as the username and the session key as the password;
Step 240: After receiving the digest authentication message, the identity providing server 204 verifies the user's identity;
Step 242: The identity providing server 204 requests the user data list from the RS 206, the request carrying the user's identity;
Step 244: The RS 206 returns the user data list to the identity providing server 204;
Step 246: The identity providing server 204 requests the user's authorization by sending the list of user data to the UE 200;
Step 248: The UE 200 returns the user's authorization result to the identity providing server 204;
Step 250: The identity providing server 204 sends a redirect message to the UE 200, and the UE 200 contacts the service providing server 208 according to the address in the message header; the message includes an index and an authorization code;
Step 252: The service providing server 208 requests an access token from the identity providing server 204, the request containing the index and the authorization code;
Step 254: The identity providing server 204 returns an access token to the service providing server 208; the token contains information such as a key and the key lifetime;
Step 256: The service providing server 208 obtains the shared user data in bulk from the RS 206; the RS 206 applies security protection to this data, such as confidentiality protection and integrity protection; after receiving the user data, the service providing server 208 uses the access token to read the protected data;
Step 258: The service providing server 208 returns a result message to the UE 200.
Taking the EAP, AAA, HTTP and SAML protocols as an example, the flow of securely sharing user data in the network shown in FIG. 4 is described below in the form of an application example:
Step 220a: The ASN 202 sends an EAP-Identity request to the UE 200;
Step 222a: The UE 200 sends an EAP-Identity response to the ASN 202, carrying the user's identity ID in the response, where the Type-Data of the EAP-Identity response is set to the ID;
Step 224a: The ASN 202 sends the EAP payload (EAP-Payload) to the identity providing server 204 over an AAA protocol. For the Diameter protocol, the EAP-Payload AVP (Attribute-Value Pair) of the Diameter-EAP-Request message is used to encapsulate the EAP-Identity payload; for the Remote Authentication Dial-In User Service (RADIUS) protocol, the EAP-Message attribute of the RADIUS Access-Request message is used to encapsulate the EAP-Identity payload;
Step 226a: The identity providing server 204 sends the ID to the RS 206 over the Diameter protocol to obtain key material; specifically, a Multimedia-Auth-Request (MAR) message may be used to carry the ID;
Step 228a: The RS 206 returns the key material to the identity providing server 204 over the Diameter protocol; specifically, a Multimedia-Auth-Answer (MAA) message may be used to carry the key material, where the ID is mapped to the User-Name attribute;
Step 230a: The UE 200 and the identity providing server 204 negotiate security parameters: (1) they negotiate an EAP method, such as EAP-Authentication and Key Agreement (EAP-AKA) or EAP-Transport Layer Security (EAP-TLS); for the Diameter protocol, the EAP-Payload AVP (Attribute-Value Pair) of the Diameter-EAP-Request message is used to encapsulate the EAP-AKA, EAP-TLS or other payloads, and for the RADIUS protocol, the RADIUS Access-Challenge and Access-Accept messages encapsulate the EAP-AKA, EAP-TLS or other payloads; (2) the UE 200 and the identity providing server 204 negotiate the MSK (Master Session Key); for the Diameter protocol, the EAP-Master-Session-Key AVP of the Diameter-EAP-Request message carries the key material, and for the RADIUS protocol, the MSK is carried in a VSA (Vendor-Specific Attribute) of the RADIUS Accept message;
Step 232a: The UE 200 sends an HTTP request to the service providing server 208 and selects, on the service providing server 208, to log in through the identity providing server 204. The header field of the HTTP request carries the URL (Uniform Resource Locator) address of the identity providing server; the service providing server 208 obtains the URL address of the identity providing server 204 by static configuration or dynamic discovery, and the request message carries <1 : AuthnRequest>;
Step 234a: The service providing server 208 sends an HTTP redirect message to the UE 200, and the UE 200 sends the message to the identity providing server 204 according to the URL address of the identity providing server in the HTTP redirect message header;
Step 236a: The identity providing server 204 sends an HTTP 401 Unauthorized message to the UE 200;
Step 238a: The UE 200 sends an HTTP request message to the identity providing server 204 and performs HTTP Digest authentication using the ID as the username and the MSK as the password;
Step 240a: After receiving the HTTP Digest authentication message, the identity providing server 204 looks up the local ID/MSK according to the ID and runs the same HTTP Digest authentication algorithm; when the calculated results match, the verification passes;
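The steps 236a to 240a exchange, written out as an added example (not code from the patent): the identity providing server issues the 401 challenge, the UE answers with HTTP Digest (RFC 2617, qop=auth) using its ID as the username and the MSK as the password, and the server recomputes the digest from its own ID/MSK copy. The realm, URI, IMSI-style ID, the CK/IK bytes and the convention of presenting the MSK as a hex-string password are constructed assumptions; the server also rejects replayed (nonce, nc) pairs, which the patent text does not spell out.

```python
import hashlib
import hmac
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def msk_from_aka(ck: bytes, ik: bytes) -> bytes:
    # 3G case stated in the text: after AKA, MSK = CK || IK
    return ck + ik


def digest_response(user_id: str, msk: bytes, method: str, uri: str,
                    realm: str, nonce: str, nc: str, cnonce: str) -> str:
    # RFC 2617 Digest with qop=auth; the MSK is presented as a hex-string password
    # (constructed convention: the patent does not say how MSK bytes become a password)
    ha1 = md5_hex(f"{user_id}:{realm}:{msk.hex()}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class IdentityProvidingServer:
    """Holds the ID/MSK pairs produced by access authentication (step 230)."""

    def __init__(self, realm: str):
        self.realm = realm
        self.msk_by_id = {}        # ID -> MSK
        self.live_nonces = set()   # nonces handed out in 401 challenges (step 236a)
        self.seen = set()          # (nonce, nc) pairs already accepted: replay check

    def register_msk(self, user_id: str, msk: bytes) -> None:
        self.msk_by_id[user_id] = msk

    def challenge(self) -> dict:
        # Step 236a: HTTP 401 Unauthorized carrying the WWW-Authenticate parameters
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, method: str, auth: dict) -> bool:
        # Step 240a: look up the local ID/MSK, recompute the digest, compare
        msk = self.msk_by_id.get(auth["username"])
        if msk is None or auth["nonce"] not in self.live_nonces:
            return False
        if (auth["nonce"], auth["nc"]) in self.seen:
            return False                       # replayed Authorization header
        expected = digest_response(auth["username"], msk, method, auth["uri"],
                                   self.realm, auth["nonce"], auth["nc"], auth["cnonce"])
        if not hmac.compare_digest(expected, auth["response"]):
            return False
        self.seen.add((auth["nonce"], auth["nc"]))
        return True


def ue_authorization(user_id: str, msk: bytes, method: str, uri: str,
                     chal: dict, nc: str = "00000001") -> dict:
    # Step 238a: the UE answers the challenge with ID as username and MSK as password
    cnonce = secrets.token_hex(8)
    return {"username": user_id, "realm": chal["realm"], "nonce": chal["nonce"],
            "uri": uri, "qop": "auth", "nc": nc, "cnonce": cnonce,
            "response": digest_response(user_id, msk, method, uri,
                                        chal["realm"], chal["nonce"], nc, cnonce)}


def run_flow(idp_msk: bytes, ue_msk: bytes, user_id: str = "460001234567890"):
    """Run steps 236a-240a once, then replay the same request.
    Returns (first_result, replay_result). user_id is a constructed IMSI-style ID."""
    idp = IdentityProvidingServer("idp.example")  # constructed realm
    idp.register_msk(user_id, idp_msk)
    chal = idp.challenge()
    auth = ue_authorization(user_id, ue_msk, "GET", "/sso/login", chal)
    return idp.verify("GET", auth), idp.verify("GET", auth)


if __name__ == "__main__":
    msk = msk_from_aka(bytes(range(16)), bytes(range(16, 32)))  # constructed CK, IK
    print(run_flow(msk, msk))           # (True, False): genuine UE, then a replay
    print(run_flow(msk, bytes(32)))     # (False, False): UE holding the wrong MSK
```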
Step 242a: The identity providing server 204 sends the ID to the RS 206 over the Diameter protocol to request the user data list; the User Data attribute of a Push-Profile-Request message is used to carry the list of user data, where the ID is mapped to the User-Name attribute;
Step 244a: The RS 206 returns the user data list to the identity providing server 204 over the Diameter protocol; the User Data attribute of a Push-Profile-Answer message is used to carry the list of user data, where the ID is mapped to the User-Name attribute;
Step 246a: The identity providing server 204 sends the list of user data to the UE 200 over HTTPS to request the user's authorization;
Step 248a: After the user has authorized, the UE 200 returns the list of user-authorized data to the identity providing server 204;
Step 250a: The identity providing server 204 generates a SAML Artifact and an authorization code and redirects the message to the UE 200 over HTTPS; the UE 200 contacts the service providing server 208 according to the URL in the message header. The SAML Artifact points to a structured data object of a SAML protocol message; it is relatively small and can be embedded in an HTTP message;
Step 252a: The service providing server 208 sends an HTTP GET request to the identity providing server 204 over HTTPS; the message contains the SAML Artifact and the authorization code;
Step 254a: The identity providing server 204 returns an access token to the service providing server 208 in an HTTPS response message; the token contains information such as a key and the key lifetime;
Step 256a: The service providing server 208 obtains the shared user data in bulk from the RS 206 over the Diameter protocol, using the User Data attribute of the Diameter Push-Profile-Request/Answer messages to obtain the user's shared data in bulk. The RS 206 applies security protection to this data, such as confidentiality protection and integrity protection; after receiving the user data, the service providing server 208 uses the access token to read the protected data;
Step 258a: The service providing server returns an HTTP 200 OK message to the UE 200.
The above flow applies to access technologies that support EAP authentication, such as ADSL, WLAN and Ethernet. For the 3G access procedure, the AKA authentication procedure is used, and after the authentication procedure ends, MSK = CK || IK is set.
An identity-location separation network is compatible with existing terminals and access technologies, that is, neither the terminal nor the access network is changed. In this case, the UE 200 accesses the network in the existing way; after it passes access authentication, the network assigns an access identifier ID to the user equipment, at which point the user equipment and the network share a session key. The subsequent processing flow is exactly the same.
FIG. 5 is a signaling flowchart of Embodiment 2 of sharing user data in a network according to the present invention. This embodiment is also based on the architecture shown in FIG. 2. In this embodiment, the identity providing server 204 authenticates the UE 200, and the service providing server 208 obtains the data shared by the user through the identity providing server 204; the user authorizes which data is actually shared, and the user's real identity information need not be disclosed to the service providing server.
The prerequisite for this flow is that the link between the UE 200 and the ASN 202 has been established and the UE 200 has been pre-configured with the user's identity ID, or the network has assigned an ID to the user. The process of sharing user data in the network includes:
Step 302: The UE 200 passes the network's access authentication; after the authentication ends, the UE 200 and the identity providing server 204 share a session key;
Step 302 may specifically include steps 220 to 230 in FIG. 4, which are not repeated here;
Step 304: The UE 200 accesses a service of the service providing server 208, and the service providing server 208 finds the location of the identity providing server 204 by static configuration or dynamic discovery;
Step 306: The service providing server 208 sends a redirect message to the UE 200, and the UE 200 sends the message to the identity providing server 204 according to the address of the identity providing server in the redirect message header;
Step 308: The identity providing server 204 sends an unauthorized message to the UE 200;
Step 310: The UE 200 sends a digest authentication message to the identity providing server 204, using the ID as the username and the session key as the password;
Step 312: After receiving the digest authentication message, the identity providing server 204 verifies the user's identity;
Step 314: The identity providing server 204 sends a redirect message to the service providing server 208, the message including an index;
Step 316: The service providing server 208 sends a request to the identity providing server 204 to authenticate the user's identity, the message including the index;
Step 318: The identity providing server 204 returns the authentication result to the service providing server 208;
Step 320: The service providing server 208 requests the user's shared data from the identity providing server 204, the message including the index;
Step 322: The identity providing server 204 requests user data from the RS 208, the request including the user ID;
Step 324: The RS 206 returns the user data to the identity providing server;
Step 326: The identity providing server 204 sends a request to the UE 200, requesting the user to authorize the data;
Step 328: The UE 200 returns the user-authorized data to the identity providing server 204;
Step 330: The identity providing server 204 returns the user-authorized data to the service providing server 208;
Step 332: The service providing server 208 returns a result message to the UE 200.
Taking the HTTP and SAML protocols as an example, the flow of securely sharing user data in the network shown in FIG. 5 is described below in the form of an application example:
Step 302a: The UE 200 passes the network's access authentication; after the authentication ends, the UE 200 and the identity providing server 204 share the session key MSK;
Step 304a: The UE 200 sends an HTTP request to the service providing server 208 and selects, on the service providing server 208, to log in through the identity providing server 204. The header field of the HTTP request carries the URL (Uniform Resource Locator) address of the identity providing server; the service providing server 208 obtains the URL address of the identity providing server 204 by static configuration or dynamic discovery, and the request carries <1 : AuthnRequest>;
Step 306a: The service providing server 208 sends an HTTP redirect message to the UE 200, and the UE 200 sends the message to the identity providing server 204 according to the URL address of the identity providing server in the HTTP redirect message header;
Step 308a: The identity providing server 204 sends an HTTP 401 Unauthorized message to the UE 200;
Step 310a: The UE 200 sends an HTTP request message to the identity providing server 204 and performs HTTP Digest authentication using the ID as the username and the MSK as the password;
Step 312a: After receiving the HTTP Digest authentication message, the identity providing server 204 looks up the local ID/MSK according to the ID and runs the same HTTP Digest authentication algorithm; when the calculated results match, the verification passes;
Step 314a: The identity providing server 204 generates a SAML Artifact and sends an HTTPS redirect message to the service providing server 208, the message carrying the SAML Artifact; the SAML Artifact points to a structured data object of a SAML protocol message, is relatively small and can be embedded in an HTTP message;
Step 316a: After receiving the SAML Artifact, the service providing server 208 sends an HTTPS request to the identity providing server 204, the message carrying the SAML Artifact; after receiving the message, the identity providing server 204 constructs a SAML assertion;
Step 318a: The identity providing server 204 returns the SAML assertion to the service providing server 208 over HTTPS;
Step 320a: After verifying the signature of the SAML assertion, the service providing server 208 sends an HTTPS request to the identity providing server 204 to request the shared user data, the message carrying the SAML Artifact;
Step 322a: The identity providing server 204 obtains the ID according to the SAML Artifact and requests the user's shared data from the RS 206 through a Diameter Push-Profile-Request;
Step 324a: The RS 206 returns the user's shared data to the identity providing server 204, carrying the user data in the User Data attribute of a Diameter Push-Profile-Answer message;
Step 326a: The identity providing server 204 sends an HTTPS request to the UE 200, requesting the user to authorize the shared data;
Step 328a: After the user has authorized the user data to be shared, the result is returned to the identity providing server 204;
Step 330a: After the user's authorization, the identity providing server 204 returns the user-authorized data to the service providing server 208;
Step 332a: The service providing server 208 returns an HTTP 200 OK message to the UE 200.
FIG. 6 is a signaling flowchart of Embodiment 3 of securely sharing user data in a network according to the present invention. The flow is based on the architecture shown in FIG. 3. In this embodiment, the identity providing server 204 performs access authentication for the UE 200, the service providing server 208 verifies the user's identity, and the process of securely sharing user data in the network is then carried out.
The precondition of this flow is that the link between the UE 200 and the ASN 202 has been established, and that the UE 200 has been pre-configured with the user's identity ID or the network has assigned an ID to the user. The process includes:
Step 402: The UE 200 passes the network's access authentication; once authentication ends, the UE 200 and the identity providing server 204 share a session key;
Step 404: The UE 200 accesses a service of the service providing server 208; the service providing server 208 learns the location of the identity providing server 204 through static configuration or dynamic discovery;
Step 406: The service providing server 208 sends an unauthorized message to the UE 200;
Step 408: The UE 200 sends a digest authentication message to the service providing server 208, using the ID as the username and the session key as the password;
Step 410: The service providing server 208 requests the user's security parameters from the identity providing server 204;
Step 412: The identity providing server 204 returns the user's security parameters to the service providing server 208;
Step 414: The service providing server 208 verifies the user's identity; the verification is based on the received digest authentication message and the user's security parameters;
Step 416: The service providing server 208, the RS 206, the identity providing server 204 and the UE 200 carry out the process of securely sharing user data in the network.
The secure data sharing process may be the same as steps 252-258 in FIG. 4 or the same as steps 320-332 in FIG. 5, and is not described again here.
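The following is an added illustration of Embodiment 3 (steps 402 to 416) and is not code from the patent: the service providing server verifies the UE's HTTP Digest message (ID as username, session key as password) using the security parameters it fetches from the identity providing server, and the identity providing server then returns only the profile fields the user authorized. The realm, the profile contents and the session-key derivation are constructed placeholders; the nonce bookkeeping in the service provider is an assumption about how a deployment would reject replayed digest messages.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List

REALM = "idp.example"  # constructed placeholder; the patent does not name a realm


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username: str, password: str, method: str, uri: str,
                    nonce: str, cnonce: str, nc: str = "00000001") -> str:
    """RFC 2617 Digest response with qop=auth. In step 408 the UE uses its
    ID as the username and the session key from step 402 as the password."""
    ha1 = _md5(f"{username}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class ResourceServer:
    """RS 206: holds the operator profile and returns it whole (Push-Profile-Answer)."""
    def __init__(self, profiles: Dict[str, Dict[str, str]]):
        self.profiles = profiles

    def push_profile(self, user_id: str) -> Dict[str, str]:
        return dict(self.profiles.get(user_id, {}))


class UserEquipment:
    """UE 200: holds ID and session key; share_policy is what the user agrees to share."""
    def __init__(self, user_id: str, session_key: str, share_policy: List[str]):
        self.user_id, self.session_key, self.share_policy = user_id, session_key, share_policy

    def digest_auth_message(self, nonce: str, method: str, uri: str) -> Dict[str, str]:
        cnonce = secrets.token_hex(8)
        return {"username": self.user_id, "uri": uri, "nonce": nonce, "cnonce": cnonce,
                "nc": "00000001",
                "response": digest_response(self.user_id, self.session_key, method, uri, nonce, cnonce)}

    def authorize(self, fields: List[str]) -> List[str]:
        # Step 328a: the user grants only the fields covered by the share policy
        return [f for f in fields if f in self.share_policy]


class IdentityProvider:
    """IdP 204: keeps the session key from network access auth and fronts the RS."""
    def __init__(self, rs: ResourceServer):
        self.rs, self.session_keys = rs, {}

    def network_access_auth(self, user_id: str) -> str:
        # Step 402: the key agreement itself is out of scope; a fresh random key stands in for it
        self.session_keys[user_id] = secrets.token_hex(16)
        return self.session_keys[user_id]

    def security_parameters(self, user_id: str) -> Dict[str, str]:
        # Step 412: hand the session key to the SP so it can verify the digest itself
        return {"session_key": self.session_keys[user_id]}

    def shared_data(self, user_id: str, requested: List[str], ue: UserEquipment) -> Dict[str, str]:
        # Steps 322a-330a: fetch from the RS, ask the user, return only what was granted
        profile = self.rs.push_profile(user_id)
        granted = ue.authorize([f for f in requested if f in profile])
        return {f: profile[f] for f in granted}


class ServiceProvider:
    """SP 208: issues the challenge (step 406) and verifies the digest (steps 410-414)."""
    def __init__(self, idp: IdentityProvider):
        self.idp, self.nonces = idp, set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        return nonce

    def verify(self, msg: Dict[str, str], method: str) -> bool:
        if msg["nonce"] not in self.nonces:      # unknown or already consumed nonce
            return False
        self.nonces.discard(msg["nonce"])        # single use, so a captured message cannot be replayed
        key = self.idp.security_parameters(msg["username"])["session_key"]
        expected = digest_response(msg["username"], key, method, msg["uri"],
                                   msg["nonce"], msg["cnonce"], msg["nc"])
        return hmac.compare_digest(expected, msg["response"])  # constant-time comparison


def run_flow(requested=("msisdn", "location", "billing")):
    """End-to-end run on constructed data; returns the data the SP finally receives."""
    rs = ResourceServer({"user-001": {"msisdn": "+10000000000", "location": "cell-42",
                                      "billing": "tier-2"}})
    idp = IdentityProvider(rs)
    ue = UserEquipment("user-001", idp.network_access_auth("user-001"), ["msisdn", "location"])
    sp = ServiceProvider(idp)
    msg = ue.digest_auth_message(sp.challenge(), "GET", "/service")
    if not sp.verify(msg, "GET"):
        return None
    return idp.shared_data("user-001", list(requested), ue)
```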
As shown in FIG. 7, an embodiment of the present invention further provides a service providing server, which includes:
a receiving module 70, configured to receive an access from a user equipment (UE); and
an obtaining module 71, configured to obtain user-authorized user shared data directly or indirectly from a resource server (RS).
In addition, the service providing server may further include: a service access authentication module 72, configured to directly or indirectly complete service access authentication of the UE before the receiving module receives the access of the UE.
Specifically, the service access authentication module 72 is configured to obtain user security parameters from the identity providing server and complete service access authentication of the UE according to the user security parameters; or to obtain from the identity providing server the identity providing server's service authentication result for the UE. The user security parameters are obtained by the identity providing server according to the network's access authentication result for the UE; the service authentication result is completed by the identity providing server according to the network's access authentication result for the UE.
Preferably, the obtaining module 71 is configured to obtain a token from the identity providing server and, according to the token, obtain user-authorized user shared data directly from the RS; or to obtain user-authorized user shared data through the identity providing server.
This service providing server can share user-authorized user shared data in the network; for the specific implementation, see FIG. 4 to FIG. 6, which are not described again here.
As shown in FIG. 8, an embodiment of the present invention further provides an identity providing server, which includes:
a network access authentication module 80, configured to authenticate a user equipment (UE) accessing the network and to obtain user security parameters; and
a service access authentication module 81, configured to complete service access authentication of the UE according to the user security parameters obtained by the network access authentication module 80 and to send the service access authentication result to the service providing server.
The user security parameters include a session key.
In addition, the identity providing server may further include: a first sending module 82, configured to send the user security parameters obtained by the network access authentication module to the service providing server.
Preferably, the identity providing server may further include: a second sending module 83, configured to, after the service access authentication module 81 has sent the service access authentication result or the first sending module 82 has sent the user security parameters to the service providing server, receive a data request sent by the service providing server, obtain user-authorized user shared data from the resource server (RS) according to the data request, and send the user shared data to the service providing server. The second sending module 83 is further configured to, after the service access authentication module 81 has sent the service access authentication result or the first sending module 82 has sent the user security parameters to the service providing server, receive a token request sent by the service providing server and send a token to the service providing server according to the token request, so that the service providing server can obtain user-authorized user shared data from the RS according to the token.
This identity providing server lays the foundation for the UE to access the service providing server, and also provides the service providing server with user-authorized user shared data, or provides the service providing server with a token so that the service providing server can obtain user-authorized user shared data according to the token.
As shown in FIG. 9, the present invention further provides a user equipment (UE), which includes: an access module 90, configured to access a service providing server; and
a data processing module 91, configured to receive a user data authorization request sent by the identity providing server according to a data request sent by the service providing server, and, according to the user's authorization decision on the user data carried in the user data authorization request, return user-authorized user shared data to the identity providing server.
Specifically, the access module 92 is configured to access the service providing server after the UE has successfully accessed the network using its identifier and obtained service access authentication from the service providing server.
This UE can access the service providing server after successfully accessing the network and obtaining service access authentication from the service providing server, and itself authorizes which data in the network the service providing server may share; the service providing server can then share the user's data in the network as authorized by the user through the UE. For the specific interaction, see FIG. 4 to FIG. 6.
Those of ordinary skill in the art will understand that all or some of the steps of the above methods may be carried out by a program instructing the relevant hardware, and that such a program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Optionally, all or some of the steps of the above embodiments may also be implemented using one or more integrated circuits. Correspondingly, each module/unit in the above embodiments may be implemented in the form of hardware or in the form of a software functional module. The present invention is not limited to any specific combination of hardware and software.
The above embodiments are intended only to illustrate, and not to limit, the technical solutions of the present invention, which has been described in detail with reference to preferred embodiments only. Those of ordinary skill in the art will understand that the technical solutions of the present invention may be modified or equivalently substituted without departing from their spirit and scope, and all such modifications fall within the scope of the claims of the present invention.
Industrial applicability
The above method for sharing user data in a network, service providing server, identity providing server and user equipment enable a service providing server to securely share a telecom operator's user data.

Claims

1. A method for sharing user data in a network, the network comprising an identity providing server and a resource server (RS), the method comprising:
a service providing server receiving an access from a user equipment (UE); and
the service providing server obtaining user-authorized user shared data directly or indirectly from the RS.
2. The method according to claim 1, wherein:
before the step of the service providing server receiving the access from the UE, the method further comprises: the service providing server directly or indirectly completing service access authentication of the UE.
3. The method according to claim 2, wherein:
the step of the service providing server directly completing service access authentication of the UE comprises: the service providing server obtaining user security parameters from the identity providing server and completing service access authentication of the UE according to the user security parameters.
4. The method according to claim 2, wherein:
the step of the service providing server indirectly completing service access authentication of the UE comprises: the service providing server obtaining, from the identity providing server, the identity providing server's service access authentication result for the UE.
5. The method according to claim 3, wherein:
the user security parameters are obtained by the identity providing server according to the network's access authentication result for the UE.
6. The method according to claim 4, wherein:
the service access authentication result is completed by the identity providing server according to the network's access authentication result for the UE.
7. The method according to any one of claims 1-6, wherein:
the step of the service providing server directly obtaining user-authorized user shared data from the RS comprises: the service providing server obtaining a token from the identity providing server and, according to the token, obtaining user-authorized user shared data directly from the RS.
8. The method according to any one of claims 1-6, wherein:
the step of the service providing server indirectly obtaining user-authorized user shared data from the RS comprises:
the service providing server obtaining user-authorized user shared data through the identity providing server.
9. A service providing server, comprising:
a receiving module, configured to: receive an access from a user equipment (UE); and
an obtaining module, configured to: obtain user-authorized user shared data directly or indirectly from a resource server (RS).
10. The service providing server according to claim 9, further comprising:
a service access authentication module, configured to: directly or indirectly complete service access authentication of the UE before the receiving module receives the access from the UE.
11. The service providing server according to claim 10, wherein:
the service access authentication module is configured to: obtain user security parameters from the identity providing server and complete service access authentication of the UE according to the user security parameters; or obtain from the identity providing server the identity providing server's service authentication result for the UE.
12. The service providing server according to claim 11, wherein:
the user security parameters are obtained by the identity providing server according to the network's access authentication result for the UE; or
the service authentication result is completed by the identity providing server according to the network's access authentication result for the UE.
13. The service providing server according to any one of claims 9-12, wherein: the obtaining module is configured to: obtain a token from the identity providing server and, according to the token, obtain user-authorized user shared data directly from the RS; or obtain user-authorized user shared data through the identity providing server.
14. An identity providing server, comprising:
a network access authentication module, configured to: authenticate a user equipment (UE) accessing the network and obtain user security parameters; and
a service access authentication module, configured to: complete service access authentication of the UE according to the user security parameters obtained by the network access authentication module, and send the service access authentication result to a service providing server.
15. The identity providing server according to claim 14, further comprising:
a first sending module, configured to: send the user security parameters obtained by the network access authentication module to the service providing server.
16. The identity providing server according to claim 14 or 15, wherein:
the user security parameters include a session key.
17. The identity providing server according to claim 15, further comprising:
a second sending module, configured to: after the service access authentication module has sent the service access authentication result or the first sending module has sent the user security parameters to the service providing server, receive a data request sent by the service providing server, obtain user-authorized user shared data from the resource server (RS) according to the data request, and send the user shared data to the service providing server.
18. The identity providing server according to claim 17, wherein:
the second sending module is further configured to: after the service access authentication module has sent the service access authentication result or the first sending module has sent the user security parameters to the service providing server, receive a token request sent by the service providing server and send a token to the service providing server according to the token request, so that the service providing server obtains user-authorized user shared data from the RS according to the token.
19. A user equipment (UE), comprising: an access module, configured to: access a service providing server; and
a data processing module, configured to: receive a user data authorization request sent by the identity providing server according to a data request sent by the service providing server, and, according to the user's authorization decision on the user data carried in the user data authorization request, return user-authorized user shared data to the identity providing server.
20. The UE according to claim 19, wherein:
the access module is configured to: access the service providing server after the UE has successfully accessed the network using its identifier and obtained service access authentication from the service providing server.
PCT/CN2012/076275 2011-08-15 2012-05-30 Method for sharing user data in network and identity providing server WO2013023475A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201110233110.9A CN102938757B (en) 2011-08-15 2011-08-15 The method and identity provider of user data in shared network
CN201110233110.9 2011-08-15

Publications (1)

Publication Number Publication Date
WO2013023475A1 true WO2013023475A1 (en) 2013-02-21

Also Published As

Publication number Publication date
CN102938757A (en) 2013-02-20
CN102938757B (en) 2017-12-08
