CN100563156C - Method for synchronising user information and authenticating a user terminal (Google Patents)


Info

Publication number: CN100563156C
Authority: CN (China)
Prior art keywords: bsf, user terminal, authentication, user profile, tid
Legal status: Expired - Fee Related
Application number: CNB2005100075136A
Other languages: Chinese (zh)
Other versions: CN1815954A
Inventors: 黄迎新, 张文林
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd

Application filed by Huawei Technologies Co Ltd
Priority to CNB2005100075136A
Priority to PCT/CN2006/000100 (WO2006081742A1)
Publication of CN1815954A
Application granted
Publication of CN100563156C
Legal status: Expired - Fee Related

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities

Abstract

The invention discloses a method for synchronising user information among a plurality of BSFs: even when a user terminal, on authenticating again, uses a second BSF different from the one used for its last authentication, the second BSF can obtain the user terminal's user information from the BSF that previously performed mutual authentication with that user terminal, so that the user information of the UE initiating the authentication request stays synchronised across the different BSFs. The invention also discloses an authentication method for the case of a plurality of BSFs which, on the basis of the synchronised user information, ensures that a normal UE always passes authentication. In addition, the invention assigns each BSF its own identifier and embeds that identifier in the domain name of the B-TID, so that the B-TID indicates which BSF allocated it; this makes lookup easier for the NAF, reduces traffic between BSFs, speeds up processing and saves network resources.

Description

Method for synchronising user information and authenticating a user terminal
Technical field
The present invention relates to the field of the generic authentication framework in third-generation wireless communication, and in particular to a method for synchronising user information and authenticating a user terminal when a single home network contains a plurality of BSFs.
Background technology
In the third-generation wireless communication standards, the generic authentication framework is a generic architecture used by a variety of application services to complete the verification of user identity; with it, the user of an application service can be checked and authenticated. The application services may be multicast/broadcast services, user certificate services, instant information provision services and so on, or proxy services.
Figure 1 shows the structure of the generic authentication framework. It consists of a user terminal (UE) 101, an entity that performs the initial check and verification of the UE identity (BSF) 102, a home subscriber server (HSS) 103 and a network application function (NAF) 104. The BSF 102 performs mutual identity verification with the user terminal 101 and at the same time generates a key shared between the BSF 102 and the user terminal 101. The HSS 103 stores a description file (Profile) describing the user information; the Profile contains all user-related description information, such as the user identity. The HSS 103 also has the function of generating authentication vector information.
When a user needs to use a service, if it knows that it must perform mutual authentication with the BSF, it interacts with the BSF directly to do so; otherwise the user first contacts the NAF corresponding to that service. If this NAF uses the generic authentication framework and requires the user to authenticate with the BSF, it notifies the user to authenticate using the generic authentication framework; otherwise other corresponding processing is performed.
The mutual authentication procedure between the UE and the BSF is as follows. The UE sends an authentication request to the BSF via the default domain name BSF.MCC.MNC.3GPPnetwork.org. On receiving the request, the BSF first obtains this UE's authentication information from the HSS, which returns one or more groups of authentication vectors to the BSF according to the UE's identity. Because each group of authentication vectors can be used only once, the HSS could return just one group to the BSF; but to save interface signalling resources the HSS usually returns several groups of authentication vectors for use in repeated authentications. When returning the authentication vectors to the BSF, the HSS also returns the user's description information. The BSF then performs mutual authentication with the UE using the obtained authentication vector information according to the Authentication and Key Agreement protocol (AKA). After success, the UE and the BSF have authenticated each other and have simultaneously generated the shared key Ks. The BSF then allocates a transaction identifier (B-TID) to the UE, of the form RAND@BSF_servers_domain_name; the B-TID is associated with Ks and has a validity period.
After receiving the B-TID, the UE sends a connection request carrying the B-TID to the NAF, and at the same time the UE side derives the key Ks_NAF from Ks. The NAF, finding no local record of the B-TID carried by the UE, queries the BSF. When the BSF finds the B-TID, it computes the derived key Ks_NAF from Ks with the same algorithm as the UE side and sends a success response to the NAF containing the B-TID the NAF asked for, the derived key Ks_NAF corresponding to it, the validity period the BSF set for this key and, if required, the user's description information. On receiving the success response from the BSF, the NAF regards this UE as a legitimate UE authenticated by the BSF, and the NAF and the UE now share the key Ks_NAF derived from Ks, with which they protect their subsequent communication.
When the UE finds that Ks or Ks_NAF is about to expire, or the NAF requires the UE to authenticate with the BSF again, the UE repeats the above steps to authenticate with the BSF again and obtain a new Ks and B-TID.
The above describes the case where the generic authentication framework contains only one BSF. The framework may also contain several BSFs, which avoids the bottleneck of a single overloaded BSF; having several BSFs in one generic authentication framework, that is, in one home network, is becoming a development trend.
With several BSFs in one generic authentication framework the procedure is essentially the same as with a single BSF; only the differences are described below.
The UE sends its authentication request to the BSF via the default domain name BSF.MCC.MNC.3GPPnetwork.org; in actual network operation the domain name is resolved to the address of a real BSF by a domain name server (DNS). With a single BSF, DNS returns that BSF's address to the UE, which connects to the BSF at that address and proceeds. With several BSFs, either DNS returns the addresses of several BSFs and the UE picks one at random, contacts it and proceeds, or DNS selects one of the BSF addresses according to a pre-configured policy and returns it, and the UE connects to that BSF and proceeds.
Thus, with several BSFs in one home network, the following situation can arise in practice:
Suppose the home network has three BSFs, BSF1, BSF2 and BSF3. If BSF1 has performed mutual authentication with a certain UE, BSF1 will usually have obtained several groups of authentication vectors for that UE, say authentication vectors 1, 2 and 3, because, to save interface signalling resources, the HSS usually returns several groups of authentication vectors to the BSF at once. The authentication between this UE and BSF1 will certainly have used authentication vector 1, because the order in which authentication vectors are used is constrained: they must be used in numerical order.
When this UE needs to authenticate again, if for some reason (for example, after contacting BSF1 it receives no response from BSF1 within a preset period) it interacts with BSF2 to perform mutual authentication, BSF2 will again obtain several groups of authentication vectors for this UE from the HSS, say authentication vectors 4, 5 and 6, and will certainly use authentication vector 4 for the mutual authentication. Because the UE monitors the numerical order of the authentication vectors used, it will detect that the number of the current authentication vector is not contiguous with the previous one, which causes the authentication to fail. The root cause of this failure is that the user information for this UE is not synchronised between BSF1 and BSF2. In other words, the network side itself can cause a normal UE to fail authentication and be unable to use the service, which is unreasonable.
Furthermore, because the B-TID has the form RAND@BSF_servers_domain_name, when the NAF queries the BSF for B-TID information after authentication, in the single-BSF case the NAF need only query the one BSF in the home network; in the multi-BSF case the NAF finds one BSF at random according to the domain name in the B-TID and requests the B-TID information from it. If that BSF determines that it does not hold the information the NAF is asking for, it sends query requests in turn to the other BSFs in the home network until the information the NAF needs is found, or until every BSF in the home network has been tried without success.
Because the several BSFs carry no distinguishing identifier, the domain name RAND@BSF_servers_domain_name of a given B-TID does not reveal which BSF allocated it, so the NAF cannot quickly find the correct BSF and network processing efficiency is low.
Summary of the invention
In view of this, one object of the present invention is to provide a method for synchronising user information among a plurality of BSFs, so that the user information of the UE initiating an authentication request stays synchronised across different BSFs.
Another object of the present invention is to provide an authentication method for the case of a plurality of BSFs, so as to ensure that a normal UE always passes authentication.
To achieve the above objects, the technical scheme of the present invention is as follows:
A method for synchronising user information among a plurality of BSFs, the BSFs belonging to the same home network, applied when a user terminal UE needs to perform mutual authentication with a BSF again, comprising the steps of:
a. The user terminal sends an authentication request to a first BSF that has previously performed mutual authentication with this user terminal. After the first BSF judges that it currently cannot handle the request, it either, according to prior configuration, returns no information to the user terminal, and step b is executed,
or sends a proxy authentication request message containing this user terminal's user information to a second BSF in the home network, and step c is executed;
b. After the user terminal determines that it has received no response message from the first BSF within a predetermined time, it reselects a second BSF and sends an authentication request to this reselected second BSF, the request containing information identifying the first BSF; according to the received authentication request, the second BSF obtains and stores this user terminal's user information from the first BSF; end;
c. After the second BSF confirms that it can handle the authentication request, it obtains and stores this UE's user information from the proxy authentication request message.
Preferably, in step b the second BSF obtains the user terminal's user information from the first BSF as follows:
the second BSF sends the first BSF a query request containing the IMPI of the user terminal to be queried; the first BSF looks up the user terminal's user information directly according to the stored correspondence between IMPI and user information and returns the user information found to the second BSF; or,
the second BSF sends the first BSF a query request containing the B-TID corresponding to the user terminal to be queried; the first BSF first looks up the user terminal's IMPI according to the stored correspondence between B-TID and IMPI, then looks up the user terminal's user information according to the stored correspondence between IMPI and user information, and returns the user information found to the second BSF.
Preferably, the method further comprises assigning identifiers in advance to the BSFs in the same home network, the identifier being a serial number, a number determined by the home network's coding rule, or a name recognisable by the home network.
Preferably, the user information is the authentication vectors, the B-TID, the information related to the B-TID and the user description information; or the user information is the B-TID, the information related to the B-TID and the user description information.
Preferably, if the user information stored by the first BSF includes authentication vectors, then after the second BSF has obtained the user information from the first BSF, the method further comprises: the first BSF deletes the authentication vectors in this user information that it stores.
An authentication method for the case of a plurality of BSFs, the BSFs belonging to the same home network, applied when a user terminal needs to perform mutual authentication with a BSF again, comprising the steps of:
A. The user terminal UE sends an authentication request to a first BSF that has previously performed mutual authentication with this user terminal. If the user terminal obtains no response message from the first BSF within a predetermined time, step B is executed; if within the predetermined time the user terminal receives from the first BSF a notification to authenticate with a second BSF, containing information identifying the second BSF, step C is executed;
B. The user terminal reselects a second BSF and sends it an authentication request containing information identifying the first BSF; according to the received authentication request, the second BSF obtains and stores this user terminal's user information from the first BSF; step D is then executed;
C. According to the information received, the user terminal sends an authentication request to the second BSF, which has already obtained the user terminal's user information from the first BSF;
D. From the user information of this user terminal obtained from the first BSF, the second BSF judges whether the locally stored user information of this user terminal contains an unused authentication vector; if so, it performs mutual authentication with the user terminal using that unused authentication vector; otherwise, the second BSF obtains this user terminal's authentication vectors from the HSS and then performs mutual authentication with the user terminal.
Preferably, the method further comprises assigning identifiers in advance to the BSFs in the same home network; after successful authentication, the BSF includes its own identifier in the domain name of the B-TID it allocates to the user terminal. The identifiers assigned in advance to the BSFs in the same home network are serial numbers, numbers determined by the home network's coding rule, or names recognisable by the home network.
Preferably, when a NAF in the network queries a BSF for the B-TID information of a certain user terminal, the method further comprises: according to the BSF identifier in the B-TID domain name, the NAF sends the B-TID query request directly to the BSF that allocated this B-TID.
Preferably, in step A, the process by which the user terminal receives from the first BSF within the predetermined time a notification to authenticate with a second BSF, containing information identifying the second BSF, comprises the steps of:
the first BSF receives the authentication request from the user terminal and, after judging that it cannot handle this authentication request, sends a proxy authentication request message containing this user terminal's user information to a second BSF in the network;
after confirming that it can handle this authentication request, the second BSF obtains and stores the user terminal's user information from the proxy authentication request and returns a success response to the first BSF;
after receiving the success response returned by the second BSF, the first BSF returns to the user terminal a notification to authenticate with the second BSF, containing information identifying the second BSF.
Preferably, the user information is the authentication vectors, the B-TID, the information related to the B-TID and the user description information; or the user information is the B-TID, the information related to the B-TID and the user description information.
With the method provided by the invention for synchronising user information among a plurality of BSFs, even when a user terminal, on authenticating again, uses a second BSF different from the one used for its last authentication, the second BSF can obtain the user terminal's user information from the BSF that previously performed mutual authentication with that user terminal, so that the user information of the UE initiating the authentication request stays synchronised across the different BSFs. The invention also provides an authentication method for the case of a plurality of BSFs which, on the basis of the synchronised user information, ensures that a normal UE always passes authentication. In addition, the invention assigns each BSF its own identifier and embeds that identifier in the domain name of the B-TID, so that the B-TID indicates which BSF allocated it; this makes lookup easier for the NAF, reduces traffic between BSFs, speeds up processing and saves network resources.
Description of drawings
Figure 1 is a schematic diagram of the structure of the generic authentication framework;
Figure 2 is a flow chart of the first embodiment of the invention;
Figure 3 is a flow chart of the second embodiment of the invention.
Embodiment
The present invention is described in further detail below with reference to the drawings and specific embodiments.
The idea of the invention is this: when a user terminal, on authenticating again, uses a second BSF different from the one used for its last authentication, the second BSF can obtain the user terminal's user information from the BSF that previously performed mutual authentication with that user terminal, so that the user information of the UE initiating the authentication request stays synchronised across the different BSFs. On the basis of the synchronised user information, the invention also provides an authentication method for the case of a plurality of BSFs that ensures a normal UE always passes authentication. Further, the invention assigns each BSF its own identifier and embeds the BSF identifier in the domain name of the B-TID, so that the B-TID indicates which BSF allocated it, making lookup easier for the NAF and improving network processing efficiency.
If the UE finds that the key it is using is about to expire, or receives information from the NAF requiring it to authenticate again, it performs the authentication operation again; that is, the conditions that trigger re-authentication are the same as in the prior art and are not described in detail here.
Figure 2 is a flow chart of the first embodiment of the invention. In this embodiment the same home network contains several BSFs, and the UE has previously performed mutual authentication successfully with one of them. For convenience, the BSF that previously performed mutual authentication with the user terminal is called the first BSF, written BSFo, and the new BSF, different from the first BSF and not having performed mutual authentication with this user terminal, is called the second BSF, written BSFn.
Step 201: when the UE performs mutual authentication again, it first sends an authentication request to BSFo. Because the UE stores information about the BSF with which it performed mutual authentication, it can find the BSFo with which it last successfully performed mutual authentication. In this embodiment, BSFo determines from its current state that it cannot handle the current request and, according to prior configuration, returns no response to the UE.
If the UE receives a success response from BSFo within the predetermined time, it proceeds with the subsequent operations according to the existing procedure and the process ends; if the UE obtains no response from BSFo, step 202 is executed.
Step 202: the UE selects a new BSF, different from the first BSF and not having performed mutual authentication with this user terminal, as BSFn, and sends an authentication request to this BSFn; the authentication request contains information identifying the BSFo with which the UE previously performed mutual authentication.
The UE selects BSFn as follows: the UE reselects an IP address from the IP addresses of the several BSFs it has stored, and the BSF at that IP address is BSFn; or the UE supplies the default BSF domain name, DNS returns BSF addresses, and either the UE picks one BSF address at random or uses the address DNS selected and returned, the BSF at that address being BSFn.
In this embodiment, if identifiers have been assigned in advance to the BSFs in the same home network, the information in the authentication request identifying the BSFo with which the UE previously performed mutual authentication is the IP address of BSFo or the identifier assigned to BSFo.
The identifier assigned to a BSF may be a simple serial number such as 1, 2, 3 and so on, a number determined by the home network's coding rule, or a name recognisable by the home network.
Step 203: after BSFn receives the authentication request from the UE containing the IP address or identifier of BSFo, it sends BSFo a query for the user information of the UE that sent the authentication request. If the received authentication request contains the user identity (IMPI), the query request also contains the IMPI; if the received authentication request contains the B-TID, the query request also contains the B-TID.
If BSFo holds unused authentication vectors for this UE, the user information comprises the authentication vectors, the B-TID, the information related to the B-TID and the user description information; if BSFo holds no unused authentication vectors for this UE, the user information comprises the B-TID, the information related to the B-TID and the user description information.
Step 204: after BSFo receives the query request from BSFn, if it judges that the query request contains an IMPI, it looks up this UE's user information directly according to the stored correspondence between IMPI and user information; if it judges that the query request contains a B-TID, it first looks up this UE's IMPI according to the stored correspondence between B-TID and IMPI, then looks up this UE's user information according to the stored correspondence between IMPI and user information. BSFo sends the user information obtained to BSFn.
If the user information contains authentication vectors, then after returning the user information to BSFn, BSFo immediately deletes the authentication vectors it stores for this UE, but may for the time being keep the other user information, such as the B-TID and the information related to the B-TID, so that the NAF can still query a B-TID that is still valid; when the validity period of the B-TID expires, BSFo deletes the B-TID and related information for this UE. Once all the B-TIDs the BSF stores for an IMPI, that is, for one UE, have been deleted, BSFo also deletes this UE's IMPI and user description information and no longer keeps any description information about this UE.
Step 205: after BSFn receives and stores the user information returned by BSFo, it judges whether this user information contains an unused authentication vector; if so, step 207 is executed, otherwise step 206.
Step 206: BSFn requests this UE's authentication vectors and user description information from the HSS. The user description information is requested in order to update description information that may have changed in the meantime.
Step 207: BSFn and the UE perform mutual authentication. After successful authentication, BSFn allocates a B-TID to the UE.
Thus, because BSFn can obtain this UE's user information from BSFo, the user information of the UE initiating the authentication request is synchronised across the different BSFs, and the situation in which a normal user cannot pass authentication is avoided.
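The procedure of steps 201 to 207 as a runnable model, added here as an illustration and not part of the patent: two BSFs share one HSS, the UE checks the authentication-vector numbering for continuity as the background section describes, and run() contrasts the synchronised hand-over with the prior-art behaviour in which BSFn goes straight to the HSS. The domain name, the IMPI and the token_hex stand-in for RAND are constructed values, and AKA itself is not modelled.

```python
"""Model of the multi-BSF user-information synchronisation in steps 201-207.
Constructed example (not the patent's code): AuthVector.seq stands for the
numbering the UE checks, and strict continuity is the failure condition."""
from dataclasses import dataclass, field
import secrets

DOMAIN = "bsf.home.example"   # constructed stand-in for BSF_servers_domain_name


@dataclass
class AuthVector:
    seq: int     # numbering order; the UE rejects a gap
    rand: str    # challenge; stands in for RAND/AUTN/XRES/CK/IK


@dataclass
class Profile:
    impi: str
    avs: list                                   # unused vectors, in numbering order
    btids: dict = field(default_factory=dict)   # B-TID -> seq of the vector behind it
    description: str = ""                       # user description information


class HSS:
    """Returns a contiguous batch of vectors per IMPI, to save interface signalling."""
    def __init__(self, batch=3):
        self.batch, self.next_seq = batch, {}

    def fetch(self, impi):
        start = self.next_seq.get(impi, 1)
        self.next_seq[impi] = start + self.batch
        avs = [AuthVector(s, secrets.token_hex(8)) for s in range(start, start + self.batch)]
        return avs, f"description-of-{impi}"


class BSF:
    def __init__(self, ident, hss, peers):
        self.ident, self.hss, self.peers = ident, hss, peers   # peers: ident -> BSF
        self.profiles, self.btid_index, self.available = {}, {}, True

    def challenge(self, impi, prev_bsf=None):
        """Steps 203-206: pull the profile from BSFo when it is named, else ask the HSS."""
        if not self.available:
            return None                           # BSFo stays silent (step 201)
        if prev_bsf is not None and impi not in self.profiles:
            prof = self.peers[prev_bsf].transfer(impi=impi)
            if prof is not None:
                self.profiles[impi] = prof
        prof = self.profiles.get(impi)
        if prof is None or not prof.avs:          # step 206: nothing unused left
            avs, desc = self.hss.fetch(impi)
            prof = self.profiles.setdefault(impi, Profile(impi, []))
            prof.avs, prof.description = avs, desc
        return prof.avs.pop(0)                    # vectors are consumed in order

    def issue_btid(self, impi, av):
        """Step 207: after success, bind a B-TID of the form RAND@domain to the user."""
        btid = f"{av.rand}@{DOMAIN}"
        self.profiles[impi].btids[btid] = av.seq
        self.btid_index[btid] = impi
        return btid

    def transfer(self, impi=None, btid=None):
        """Step 204: answer a query by IMPI or by B-TID; unused vectors move with it."""
        if impi is None:
            impi = self.btid_index.get(btid)
        prof = self.profiles.get(impi)
        if prof is None:
            return None
        copy = Profile(impi, list(prof.avs), dict(prof.btids), prof.description)
        prof.avs.clear()        # only one BSF may hold the unused vectors
        return copy


class UE:
    def __init__(self, impi):
        self.impi, self.last_seq, self.bsfo = impi, 0, None

    def bootstrap(self, bsf, prev=None):
        av = bsf.challenge(self.impi, prev)
        if av is None:
            return None                           # no response within the timeout
        if av.seq != self.last_seq + 1:
            return "FAIL"                         # discontinuous numbering
        self.last_seq, self.bsfo = av.seq, bsf.ident
        return bsf.issue_btid(self.impi, av)


def run(sync):
    """First bootstrap at BSF1; BSF1 then drops the re-bootstrap and the UE uses BSF2.
    Returns (first B-TID, second result, UE's last seq, vectors left at BSF1)."""
    hss, peers = HSS(), {}
    bsf1, bsf2 = BSF("1", hss, peers), BSF("2", hss, peers)
    peers.update({"1": bsf1, "2": bsf2})
    ue = UE("user@home.example")                  # constructed IMPI
    first = ue.bootstrap(bsf1)
    bsf1.available = False
    again = ue.bootstrap(bsf1)                    # step 201: BSFo first
    if again is None:                             # step 202: pick BSFn
        again = ue.bootstrap(bsf2, prev=ue.bsfo if sync else None)
    return first, again, ue.last_seq, len(bsf1.profiles[ue.impi].avs)


if __name__ == "__main__":
    print(run(True), run(False))
```

With sync the second bootstrap yields a B-TID and BSF1 is left holding no unused vectors; without it BSF2 presents vector 4 to a UE that last saw vector 1 and the result is "FAIL".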
Figure 3 shows that the schematic flow sheet of using embodiments of the invention two.In the present embodiment, in same home network, there are a plurality of BSF, and UE successfully carried out authentication operations mutually with certain BSF, below for sake of convenience, the former BSF that carried out mutual authentication operations with certain user terminal is called a BSF, note is made BSFo, and the new BSF that did not carry out mutual authentication operations with this user terminal that will be different from a BSF is called the 2nd BSF, and note is made BSFn.
Step 301, when UE carried out mutual authentication operations once more, it at first sent authentication request to BSFo.Because the information of preserving the BSF that carried out mutual authentication operations among the UE, so UE can find the last time successful execution to cross the BSFo of mutual authentication operations.
Step 302, after BSFo receives authentication request from UE, because certain reason, as the overload etc. of self, determine self can not handle this authentication request again, then basis configuration in advance, notice BSFn carries out authentication to UE, promptly send the request message of acting on behalf of authentication, comprised the user profile of this UE in this request message to BSFn.
If the untapped authentication vector at this UE is arranged among the BSFo, then comprise authentication vector in the user profile, B-TID, information relevant and user description information with B-TID; If not at the untapped authentication vector of this UE, then user profile comprises B-TID, information relevant with B-TID and user description information among the BSFo.
Step 303, BSFn receives the request message from BSFo, after confirming self can carry out this operation, preserves the request message information of terminal user, then the response message that returns success to BSFo.
Step 304, after BSFo receives success response message from BSFn, judge in this user profile that has sent to BSFn and whether comprise authentication vector, if, delete the authentication vector of self preserving at once, and other user profile can not deleted temporarily then as B-TID and the information relevant with B-TID at this UE, making things convenient for still effective B-TID of NAF inquiry, when the term of validity of B-TID is deleted B-TID and relevant information at this UE again to after date BSFo.When BSF preserve at an IMPI promptly all B-TID of a UE all deleted after, BSFo deletes IMPI and the user description information of this UE again, thoroughly any descriptor of no longer preserving this UE.
Afterwards, BSFo notice UE carries out mutual authentication operations to BSFn, has comprised the IP address of BSFn in this notification message.In the present embodiment, if in advance for a plurality of BSF in the same home network are provided with sign respectively, can comprise the IP address of BSFo in the so above-mentioned notice or the sign of the BSFo that has been provided with.The method of sign that BSF specifically is set is identical with method among the last embodiment, no longer is repeated in this description at this.
Step 305: The UE sends an authentication request to BSFn. The information carried in this authentication request is identical to that of an ordinary authentication request; nothing needs to be added.
Step 306: After BSFn receives the authentication request from the UE, it checks whether the locally saved user profile of this UE contains an unused authentication vector. If it does, step 308 is executed; otherwise step 307 is executed.
Step 307: BSFn requests the authentication vector and the user description information of this UE from the HSS. The user description information is requested as well so that description information that may have changed in the meantime is refreshed.
Step 308: BSFn and the UE perform mutual authentication. After the authentication succeeds, BSFn assigns a B-TID to the UE.
At this point, because BSFn can obtain the user profile of this UE from BSFo, the user profile of a UE that issues authentication requests to different BSFs has been synchronized, and the situation in which a legitimate user cannot be authenticated is avoided.
For both embodiments above, if BSF identifiers are set in advance, the BSF identifier can be embedded in the domain name of the B-TID; this makes it explicit which BSF assigned the B-TID and makes it easy for a NAF to locate that BSF. For example, suppose the identifier of the BSFn the UE connects to is 11; the B-TID that BSFn assigns to the UE is then expressed as RAND@11.BSF_servers_domain_name. In this way, a NAF can find the BSF that holds the required information directly from the domain name of the B-TID and no longer needs to query the BSFs in the network one by one when locating a BSF, which improves network processing efficiency.
The above are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its protection scope.
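The following is an added example, not code from the patent or from Huawei, modelling the proxy-authentication hand-off of steps 302 to 308 and the B-TID routing by BSF identifier described above. The class and field names, the HSS stub and all sample values (IMPI, RAND, identifiers, domain) are constructed assumptions; the AKA mutual authentication itself is out of scope and is represented only by consuming an authentication vector.

```python
# Added example (not from the patent): a small model of the BSFo -> BSFn
# proxy-authentication hand-off (steps 302 to 308) and of B-TID routing by
# the BSF identifier carried in the B-TID domain name. Class and field names,
# the HSS stub and the sample values are constructed assumptions.
import copy

class HSS:
    """Stub HSS: hands out fresh authentication vectors and the user's description."""
    def __init__(self, vectors):
        self.vectors = vectors  # IMPI -> list of constructed authentication vectors
    def fetch(self, impi):
        return copy.deepcopy(self.vectors[impi]), {"impi": impi, "version": 2}

class BSF:
    def __init__(self, ident, domain, hss, overloaded=False):
        self.ident, self.domain, self.hss = ident, domain, hss
        self.overloaded = overloaded
        self.profiles = {}  # IMPI -> {"avs": [...], "btids": [...], "desc": {...}}

    def proxy_authentication(self, impi, bsf_n):
        """BSFo side of steps 302 to 304: hand the UE's profile over to BSFn."""
        profile = self.profiles[impi]
        if not bsf_n.accept_proxy(impi, copy.deepcopy(profile)):
            return False  # BSFn declined: keep everything, nothing was handed over
        # Step 304: transferred vectors are deleted at once so no vector can be
        # used twice; B-TIDs are kept until expiry so NAF queries still resolve.
        profile["avs"].clear()
        return True

    def accept_proxy(self, impi, profile):
        """BSFn side of step 303: store the profile if able and answer success."""
        if self.overloaded:
            return False
        self.profiles[impi] = profile
        return True

    def authenticate(self, impi):
        """Steps 306 to 308: use an unused vector if one is held, else ask the HSS."""
        p = self.profiles.setdefault(impi, {"avs": [], "btids": [], "desc": {}})
        if not p["avs"]:
            p["avs"], p["desc"] = self.hss.fetch(impi)  # step 307 refreshes desc too
        av = p["avs"].pop(0)  # the vector is consumed by the (omitted) mutual auth
        btid = f"{av['rand']}@{self.ident}.{self.domain}"  # RAND@<bsf id>.<domain>
        p["btids"].append(btid)
        return btid

def bsf_ident_from_btid(btid):
    """NAF side: the assigning BSF is the first label of the B-TID's domain part."""
    return btid.split("@", 1)[1].split(".", 1)[0]
```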

Claims (10)

1. A method for synchronizing user profiles among a plurality of BSFs, the plurality of BSFs belonging to the same home network, characterized in that, when a user terminal UE needs to perform mutual authentication with a BSF again, the method comprises the following steps:
a. The user terminal sends an authentication request to a first BSF that has previously performed mutual authentication with this user terminal; after the first BSF determines that it currently cannot handle this request, it, according to its pre-configuration, either returns no information to the user terminal, after which step b is executed,
or sends to a second BSF in the home network a proxy authentication request message containing the user profile of this user terminal, after which step c is executed;
b. After the user terminal determines that it has not received a response message from the first BSF within a predetermined time, it reselects a second BSF and sends an authentication request to the reselected second BSF, the authentication request containing information identifying the first BSF; the second BSF, according to the received authentication request, obtains the user profile of this user terminal from the first BSF and saves it; end;
c. After the second BSF confirms that it can handle this authentication request, it obtains the user profile of this UE from the proxy authentication request message and saves it.
2. The method according to claim 1, characterized in that the way the second BSF obtains the user profile of this user terminal from the first BSF in step b is:
the second BSF sends to the first BSF a query request containing the IMPI of the user terminal to be queried; the first BSF, according to the pre-stored correspondence between IMPI and user profile, directly looks up the user profile of this user terminal and returns the user profile found to the second BSF; or,
the second BSF sends to the first BSF a query request containing the B-TID corresponding to the user terminal to be queried; the first BSF first looks up the IMPI of this user terminal according to the pre-stored correspondence between B-TID and IMPI, then looks up the user profile of this user terminal according to the pre-stored correspondence between IMPI and user profile, and returns the user profile found to the second BSF.
3. The method according to claim 1, characterized in that the method further comprises: setting an identifier in advance for each of the plurality of BSFs in the same home network, the identifier being a serial number, or a number determined by the coding rule of the home network, or a name that the home network can recognize.
4. The method according to claim 1, characterized in that the user profile consists of authentication vectors, the B-TID, the information related to the B-TID and the user description information, or the user profile consists of the B-TID, the information related to the B-TID and the user description information.
5. The method according to claim 4, characterized in that, if the user profile saved by the first BSF contains authentication vectors, then after the second BSF has obtained the user profile from the first BSF the method further comprises: the first BSF deleting the authentication vectors of this user profile that it holds.
6. A method for performing authentication where there is a plurality of BSFs, the plurality of BSFs belonging to the same home network, characterized in that, when a user terminal needs to perform mutual authentication with a BSF again, the method comprises the following steps:
A. The user terminal UE sends an authentication request to a first BSF that has previously performed mutual authentication with this user terminal; if the user terminal does not receive a response message from the first BSF within a predetermined time, step B is executed; if the user terminal receives within the predetermined time a notification returned by the first BSF that contains information identifying a second BSF and instructs it to authenticate with the second BSF, step C is executed;
B. The user terminal reselects a second BSF and sends to the second BSF an authentication request containing information identifying the first BSF; the second BSF, according to the received authentication request, obtains the user profile of this user terminal from the first BSF and saves it; then step D is executed;
C. The user terminal, according to the information received, sends an authentication request to the second BSF, which has already obtained the user profile of this user terminal from the first BSF;
D. The second BSF determines, from the user profile of this user terminal obtained from the first BSF, whether the locally saved user profile of this user terminal contains an unused authentication vector; if so, it uses this unused authentication vector to perform mutual authentication with the user terminal; otherwise the second BSF obtains the authentication vector of this user terminal from the HSS and then performs mutual authentication with the user terminal.
7. The method according to claim 6, characterized in that the method further comprises: setting an identifier in advance for each of the plurality of BSFs in the same home network, and, after successful authentication, the BSF including its own identifier in the domain name of the B-TID it assigns to the user terminal; the identifier set in advance for each of the plurality of BSFs in the same home network is a serial number, or a number determined by the coding rule of the home network, or a name that the home network can recognize.
8. The method according to claim 7, characterized in that, when a NAF in the network queries a BSF for the B-TID information of a user terminal, the method further comprises: according to the BSF identifier in the domain name of the B-TID, the NAF sends the B-TID query request directly to the BSF that assigned this B-TID.
9. The method according to claim 6, 7 or 8, characterized in that the process in step A by which the user terminal receives, within the predetermined time, a notification returned by the first BSF that contains information identifying the second BSF and instructs it to authenticate with the second BSF comprises the following steps:
the first BSF receives the authentication request from the user terminal and, after determining that it cannot handle this authentication request, sends to the second BSF in the network a proxy authentication request message containing the user profile of this user terminal;
the second BSF, after confirming that it can handle this authentication request, obtains the user profile of this user terminal from the proxy authentication request and saves it, and returns a success response to the first BSF;
the first BSF, after receiving the success response returned by the second BSF, returns to the user terminal a notification containing information identifying the second BSF and instructing it to authenticate with the second BSF.
10. The method according to claim 6, characterized in that the user profile consists of authentication vectors, the B-TID, the information related to the B-TID and the user description information, or the user profile consists of the B-TID, the information related to the B-TID and the user description information.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CNB2005100075136A CN100563156C (en) 2005-02-05 2005-02-05 Realize that user profile reaches the method to subscriber terminal authority synchronously
PCT/CN2006/000100 WO2006081742A1 (en) 2005-02-05 2006-01-20 A method for realizing the user information synchronization and authenticating the user end

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2005100075136A CN100563156C (en) 2005-02-05 2005-02-05 Realize that user profile reaches the method to subscriber terminal authority synchronously

Publications (2)

Publication Number Publication Date
CN1815954A CN1815954A (en) 2006-08-09
CN100563156C true CN100563156C (en) 2009-11-25

Family

ID=36776953

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2005100075136A Expired - Fee Related CN100563156C (en) 2005-02-05 2005-02-05 Realize that user profile reaches the method to subscriber terminal authority synchronously

Country Status (2)

Country Link
CN (1) CN100563156C (en)
WO (1) WO2006081742A1 (en)


Also Published As

Publication number Publication date
WO2006081742A1 (en) 2006-08-10
CN1815954A (en) 2006-08-09


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20091125

Termination date: 20130205