CN101009919A - Authentication method based on the end-to-end communication of the mobile network - Google Patents


Info

Publication number
CN101009919A
Authority
CN
China
Prior art keywords
authentication
service
entity
business
request
Legal status
Pending
Application number
CNA2006100333772A
Other languages
Chinese (zh)
Inventor
位继伟
范絮妍
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CNA2006100333772A (CN101009919A)
Priority to JP2008551629A (JP5123209B2)
Priority to CN2006800117305A (CN101156352B)
Priority to PCT/CN2006/003601 (WO2007085175A1)
Priority to KR1020087020544A (KR101009330B1)
Priority to AT07001329T (ATE442730T1)
Priority to DE602007002308T (DE602007002308D1)
Priority to EP07001329A (EP1811744B1)
Publication of CN101009919A
Priority to US11/848,092 (US7984298B2)
Priority to US13/160,152 (US8468353B2)
Priority to JP2012198258A (JP2012253817A)

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The authentication method, based on end-to-end communication in a mobile network, defines a general authentication framework applicable to different mobile network standards, within which entities of different types can establish mutual trust. It comprises the steps of negotiating an authentication mode, performing mutual authentication, and performing an authentication query. Further mutual authentication based on a derivative key, with a fresh session key generated for every session, adds flexibility and a security policy, and under some conditions the re-authentication procedure is simplified.

Description

Authentication method based on end-to-end communication in a mobile network
Technical field
The invention belongs to the technical field of network communication services, and in particular relates to an authentication method based on end-to-end communication in a mobile network.
Background art
Before providing a service to a mobile subscriber, most application servers must first establish a relationship of mutual trust with the user, for example between the mobile subscriber and an authentication proxy, between the mobile subscriber and a PKI (Public Key Infrastructure) certificate authority, or between the mobile subscriber and a content-providing server. In general, this trust relationship is established in a mutual authentication procedure between the mobile subscriber and the application server.
In the third-generation wireless communication standards, the Generic Authentication Architecture (GAA) is a general architecture, used by many kinds of application service entities, for completing the verification of user identity; with it an application service can check and verify the identity of the user who uses the service. The application services may be multicast/broadcast services, user certificate services, instant information provision services and so on, or proxy services.
Fig. 1 shows the structure of GAA. GAA is made up of the user 101, the Bootstrapping Server Function (BSF) 102 that performs the initial check of the user's identity, the Home Subscriber Server (HSS) 103 and the Network Application Function (NAF) 104. BSF 102 performs mutual authentication with user 101 and at the same time generates a key shared between BSF 102 and user 101; HSS 103 stores the profile that describes the user's information and also generates authentication information.
When the user needs to use a service and knows that the service requires a mutual authentication procedure with the BSF, the user performs mutual authentication with the BSF directly; otherwise the user first contacts the NAF corresponding to that service. If that NAF uses the generic authentication framework and the requesting user has not yet performed mutual authentication with the BSF, the NAF tells the requesting user to authenticate with the BSF.
The mutual authentication procedure between the user and the BSF is as follows. The user sends an authentication request to the BSF; the request message carries the user's permanent identity, the IMPI (IP Multimedia Private Identity), or an IMPI converted from the IMSI (International Mobile Subscriber Identity). After receiving the request, the BSF first obtains this user's authentication information from the HSS; the BSF's request to the HSS also carries the user's permanent identity. The HSS finds the user's attribute information by the permanent identity, generates an authentication vector and returns it to the BSF. The BSF then performs mutual authentication with the user by the Authentication and Key Agreement protocol (AKA), using the authentication information it obtained. After success, the user and the BSF have authenticated each other and have generated a shared key Ks. The BSF defines a validity period for Ks so that Ks is refreshed. The BSF then assigns a bootstrapping transaction identifier (B-TID) to the user; when the B-TID is sent to the user equipment (UE) it is accompanied by the validity period of Ks, and the B-TID is associated with Ks. The shared key Ks is used as a root key and never leaves the user's UE or the BSF; when the user communicates with a NAF, a key derived from Ks is used.
After receiving the B-TID, the user sends a connection request to the NAF carrying the B-TID, and at the same time the user side calculates the derivative key Ks_NAF from Ks. After receiving the request, the NAF first looks up locally whether it holds the B-TID carried by the user; if it does not, it queries the BSF, and the query message carries the NAF identifier and the B-TID. If the BSF cannot find the B-TID locally, it notifies the NAF that it has no information about this user, and the NAF then tells the user to authenticate with the BSF. If the BSF finds the B-TID, it computes the derivative key Ks_NAF from Ks with the same algorithm as the user side and returns a success response to the NAF containing the B-TID the NAF asked about, the derivative key Ks_NAF corresponding to that B-TID, and the validity period the BSF has set for this key. After receiving the success response, the NAF regards the user as a legitimate user authenticated by the BSF, and the NAF and the user now share the key Ks_NAF derived from Ks. In the subsequent communication, the NAF and the user protect their traffic with Ks_NAF.
When Ks is found to be about to expire, or when the NAF requires the user to authenticate with the BSF again, the user repeats the above steps to authenticate with the BSF again and obtain a new Ks and B-TID.
The deficiencies of the above authentication method are:
1. The NAF in the Generic Authentication Architecture (GAA) can only be a functional entity in the mobile network, not a functional entity in an open network, so the UE cannot make full use of the service resources in the network;
2. As the storage and processing capabilities of mobile terminals grow, terminals may themselves provide services in addition to using the services other entities provide, and GAA cannot support this; a mobile terminal therefore cannot upgrade its function and begin to provide services to others.
3. The UE and the BSF can only use one mutual authentication mechanism, the Authentication and Key Agreement protocol (AKA); a suitable mechanism cannot be selected according to the authentication modes a service entity supports and the security-level requirement of the service the entity uses or provides. Some service entities may not support this single AKA mode, or AKA may not meet the security-level requirement of the service, so mutual authentication fails or does not satisfy the security needs of the service.
4. The re-authentication request carries the private identity, which easily compromises the confidentiality of the UE's identity;
5. The mutual authentication procedure between the UE and the NAF is not specified in detail. If both sides use the derivative key directly for service communication, interworking may fail because the derivative keys are inconsistent, lowering the success rate of their communication.
Summary of the invention
In order to establish mutual trust between entities of different types, the invention defines a general authentication framework applicable to different mobile network standards. The invention proposes a general authentication framework in the true sense, in which the defined authentication mechanism can negotiate and select among multiple authentication mechanisms and authentication models, which increases the flexibility and versatility of the authentication mechanism.
The technical scheme of the invention is as follows:
An authentication method based on end-to-end communication in a mobile network, characterised in that an entity authentication centre takes part in completing the authentication procedure between service entities, comprising the following steps:
Step A: the service entity and the entity authentication centre determine an authentication mode by negotiation;
Step B: the service entity and the entity authentication centre perform mutual authentication using the authentication mode determined in step A, and obtain shared key material; and
Step C: an authentication query is carried out between the service entity and the entity authentication centre.
In the invention, the service entities comprise service providers, service subscribers, and entities that are both service subscriber and service provider.
Step A further comprises:
Step A1: the service entity sends an authentication request to the entity authentication centre; the request message carries the identity of the service entity and the security level of the authentication mode it has selected;
Step A2: after receiving the authentication request, the entity authentication centre searches the locally stored security-level list and finds the authentication protocols and encryption algorithms supported by the network that meet this security-level requirement;
Step A3: the entity authentication centre looks up, in the entity subscription database, the authentication protocols and encryption algorithms supported by the service entity;
Step A4: according to local policy, the entity authentication centre matches the authentication protocols and encryption algorithms supported by the network against those supported by the service entity, determines a protocol and algorithm that meet the security-level requirement and are supported by both sides, and returns the result to the service entity; if there is no protocol and algorithm that meet the security-level requirement and are supported by both sides, it returns an error indication to the service entity.
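The EAC side of steps A2 to A4 can be written as a small matching function. The following is an added example, not code from the patent: the security-level list, the entity subscription database (ESD) records, the protocol and cipher names and the policy orderings are all assumptions made for illustration.

```python
# Added illustration of steps A2-A4 on the EAC side; the security-level list,
# the ESD records and the policy orderings are assumptions, not the patent's.
from dataclasses import dataclass

# Step A2 input: for each security level, the (protocol, cipher) pairs the network accepts.
SECURITY_LEVEL_LIST = {
    "high":   {("HTTP-AKA", "AES-128"), ("TLS-cert", "AES-128")},
    "medium": {("HTTP-AKA", "AES-128"), ("TLS-PSK", "AES-128"), ("HTTP-Digest", "AES-128")},
    "low":    {("HTTP-Digest", "3DES"), ("HTTP-Digest", "AES-128"), ("TLS-PSK", "AES-128")},
}

# Step A3 input: entity subscription database (ESD), keyed by the entity's identity.
ESD = {
    "imsi-460001234567890": {"protocols": {"HTTP-AKA", "HTTP-Digest"}, "ciphers": {"AES-128"}},
    "as.example.com":       {"protocols": {"TLS-cert", "TLS-PSK"}, "ciphers": {"AES-128", "3DES"}},
    "legacy-handset":       {"protocols": {"HTTP-Digest"}, "ciphers": {"3DES"}},
}

# Step A4 local policy: preference order when more than one pair satisfies both sides.
POLICY_ORDER = ["TLS-cert", "HTTP-AKA", "TLS-PSK", "HTTP-Digest"]
CIPHER_ORDER = ["AES-128", "3DES"]


@dataclass(frozen=True)
class NegotiationResult:
    ok: bool
    protocol: str = ""
    cipher: str = ""
    error: str = ""


def negotiate(entity_id: str, requested_level: str) -> NegotiationResult:
    """EAC side of steps A2-A4 for one authentication request (entity identity, level)."""
    network_pairs = SECURITY_LEVEL_LIST.get(requested_level)
    if network_pairs is None:
        return NegotiationResult(False, error="unknown security level")
    sub = ESD.get(entity_id)
    if sub is None:
        return NegotiationResult(False, error="entity not subscribed")
    # Intersection: meets the level (network list) and is supported by the entity (ESD).
    candidates = {(p, c) for p, c in network_pairs
                  if p in sub["protocols"] and c in sub["ciphers"]}
    if not candidates:
        # Step A4 error indication: nothing satisfies the level and both sides.
        return NegotiationResult(False, error="no protocol/cipher satisfies level and both sides")
    protocol, cipher = min(candidates,
                           key=lambda pc: (POLICY_ORDER.index(pc[0]), CIPHER_ORDER.index(pc[1])))
    return NegotiationResult(True, protocol, cipher)
```

negotiate() returns either the agreed pair or the error indication of step A4. One caveat of this example rather than a step of the patent: the security level in the A1 request arrives before the entity is authenticated, so an EAC should also apply a per-service minimum level from its own policy instead of simply accepting whatever level the requester names.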
Step B further comprises: the entity authentication centre also assigns the service entity a temporary identity and its validity period; the temporary identity is the temporary service request identifier of a service subscriber or the temporary service query identifier of a service provider.
In the invention, both the entity authentication centre and the service entity store the shared key material in association with the corresponding security level.
Step C may further comprise:
Step C11: the service subscriber sends a service request to the service provider; the service request message carries the temporary service request identifier of the service subscriber and the public identity of the service provider;
Step C12: after receiving the service request, the service provider checks whether it has stored the service subscriber's temporary service request identifier locally, in order to identify the service subscriber;
If the identifier is stored, and a valid derivative key and the real identity of the user are associated with it, the two sides begin the service procedure using that derivative key;
If the identifier is not stored, the service provider sends a query request to the entity authentication centre; the query request message carries the temporary service request identifier, the provider's own temporary service query identifier, and the public identity of the service subscriber;
Step C13: after receiving the query request, the entity authentication centre checks the validity of identity or authority;
If the result of the check is legitimate, the entity authentication centre generates a derivative key for protecting service communication between the service subscriber and the service provider, encrypts it with the key material shared between the entity authentication centre and the service provider, and sends it to the service provider;
If the result of the check is illegitimate, the entity authentication centre sends an error message to the service entity concerned and instructs it to authenticate its identity with the entity authentication centre again;
Step C14: the service provider decrypts the message to obtain the derivative key, and stores locally, in association, the derivative key, the service subscriber's temporary service request identifier and the public identity of the service provider;
Step C15: the service subscriber calculates the same derivative key locally and stores it in association with the service provider's temporary service query identifier;
Step C16: the service subscriber and the service provider begin the service procedure between them using the derivative key.
The validity check of identity or authority in step C13 comprises the following steps:
the entity authentication centre judges whether the service subscriber's temporary service request identifier is valid, and looks up the entity subscription database by the service subscriber's real identity to judge whether the service subscriber has the right to use this service;
the entity authentication centre judges whether the temporary service query identifier provided by the service provider is valid, and judges whether the service provider has the right to provide this service.
As an improvement of the invention, step C may also comprise:
Step C21: when the service subscriber needs to obtain a service, it first checks whether it has stored locally a service permission ticket for this service; if so, it jumps to step C25; if not, it sends a service permission ticket request to the entity authentication centre, and the request message carries the subscriber's temporary service request identifier and the public identity of the provider of this service;
Step C22: after receiving the request, the entity authentication centre checks the validity of identity or authority;
If the result of the check is legitimate, the entity authentication centre generates a derivative key for protecting service communication between the service subscriber and the service provider; in addition, it generates a service permission ticket containing the derivative key, the service subscriber's identity information and the service provider's identity information, and encrypts the ticket with the key material it shares with the service provider;
If the result of the check is illegitimate, the entity authentication centre sends an error message to the service entity concerned and instructs it to authenticate its identity with the entity authentication centre again;
Step C23: the entity authentication centre sends the encrypted service permission ticket to the service subscriber;
Step C24: after receiving the service permission ticket, the service subscriber generates the same derivative key locally using the same parameters and algorithm as the entity authentication centre;
Step C25: the service subscriber sends a service request to the service provider, carrying the service permission ticket;
Step C26: the service provider decrypts the service permission ticket and obtains the derivative key;
Step C27: the service provider returns a service request success response to the service subscriber;
Step C28: the service subscriber and the service provider begin the service procedure between them using the derivative key.
The validity check of identity or authority in step C22 comprises the following steps:
the entity authentication centre judges whether the service subscriber's temporary service request identifier is valid, and looks up the entity subscription database by the service subscriber's real identity to judge whether the service subscriber has the right to use this service;
the entity authentication centre also obtains the service provider's temporary service query identifier from the provider's public identity, and judges from the validity of that identifier whether the service provider has the right to provide this service.
Alternatively, the entity authentication centre encrypts the derivative key with the key material it shares with the service subscriber and sends the encrypted derivative key to the service subscriber, so that the subscriber need not recompute the derivative key locally but obtains it by decryption.
As another improvement of the invention, step C may comprise:
Step C31: when the service subscriber needs to use a service of a service provider, it first sends a service request to the entity authentication centre; the request message carries the subscriber's temporary service request identifier and the public identity of the service provider;
Step C32: the entity authentication centre checks the validity of the subscriber's temporary service request identifier and the subscriber's subscription information, to determine whether the subscriber is entitled to request this service;
Step C33: if the service subscriber is legitimate, the entity authentication centre forwards the service request to the service provider on the subscriber's behalf;
If the service subscriber is illegitimate, the entity authentication centre sends an error message to the subscriber and tells it to authenticate its identity with the entity authentication centre again;
Step C34: the service provider returns a service request response carrying its own temporary service query identifier;
Step C35: the entity authentication centre checks the validity of that temporary service query identifier and the provider's subscription information, to determine whether the service provider has the right to provide this service;
If the service provider is legitimate, the entity authentication centre generates a derivative key for protecting service communication between the service subscriber and the service provider;
If the service provider is illegitimate, the entity authentication centre sends an error message to the provider and tells it to authenticate its identity with the entity authentication centre again;
Step C36: the entity authentication centre sends a service request success response to the service subscriber, and sends to the service provider the derivative key encrypted with the key material shared between the entity authentication centre and the service provider;
Step C37: after receiving the success response from the entity authentication centre, the service subscriber computes the derivative key using the same parameters and algorithm as the entity authentication centre;
Step C38: the service subscriber and the service provider begin the service procedure between them using the derivative key.
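The three authentication-query models of step C (the direct query of steps C11 to C16, the ticket model of steps C21 to C28, which the description of the drawings associates with the Kerberos model, and the mediation model of steps C31 to C38) can be simulated end to end in one script. This is an added example, not the patent's code: the key derivation function, the authenticated encryption standing in for "encrypt with the shared key material", the identifier formats and the subscription records are all assumptions, and the message exchanges are collapsed into function calls on one host.

```python
# Added simulation of the three step-C models; the KDF, the "seal" cipher,
# the identifiers and the ESD records below are assumptions, not the patent's.
import hashlib, hmac, json, os, time


def kdf(key: bytes, *labels) -> bytes:
    """Assumed derivation function: HMAC-SHA256 over the '|'-joined labels."""
    return hmac.new(key, "|".join(map(str, labels)).encode(), hashlib.sha256).digest()


def seal(key: bytes, data: bytes) -> bytes:
    """Stand-in for 'encrypt with the shared key material': HMAC-SHA256 keystream
    in counter mode, then an HMAC tag over nonce||ciphertext (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ks = b"".join(kdf(key, "ks", nonce.hex(), i) for i in range(len(data) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(data, ks))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    ks = b"".join(kdf(key, "ks", nonce.hex(), i) for i in range(len(ct) // 32 + 1))
    return bytes(a ^ b for a, b in zip(ct, ks))


class EAC:
    """Entity authentication centre holding the state that steps A and B leave behind."""
    def __init__(self):
        # Assumed ESD content: which services each private identity may use / provide.
        self.esd = {"ss-private-1": {"uses": {"video"}, "provides": set()},
                    "sp-private-9": {"uses": set(), "provides": {"video"}}}
        self.temp = {}      # temporary identity -> {private, key, exp}
        self.public = {}    # SP public identity -> its temporary service query identifier

    def register(self, private_id, public_id=None, ttl=3600):
        """Outcome of steps A/B: shared key material plus a temporary identity with validity."""
        key, temp_id = os.urandom(32), "tmp-" + os.urandom(4).hex()
        self.temp[temp_id] = {"private": private_id, "key": key, "exp": time.time() + ttl}
        if public_id:
            self.public[public_id] = temp_id
        return temp_id, key

    def _valid(self, temp_id):
        rec = self.temp.get(temp_id)
        return rec if rec and rec["exp"] > time.time() else None

    def check_subscriber(self, isr_id, service):
        """Request identifier valid, and the real identity subscribed to the service."""
        rec = self._valid(isr_id)
        return rec if rec and service in self.esd[rec["private"]]["uses"] else None

    def check_provider(self, isq_id, service):
        """Query identifier valid, and the provider entitled to offer the service."""
        rec = self._valid(isq_id)
        return rec if rec and service in self.esd[rec["private"]]["provides"] else None

    def derive(self, sub, isr_id, sp_public, service):
        """Derivative key Kd; the subscriber recomputes it from the same inputs (C15, C24, C37)."""
        return kdf(sub["key"], "Kd", isr_id, sp_public, service)


def ss_derive(ss_key, isr_id, sp_public, service):
    """Subscriber-side recomputation of Kd with the same parameters and algorithm."""
    return kdf(ss_key, "Kd", isr_id, sp_public, service)


def direct_query(eac, isr_id, ss_key, sp_public, sp_key, service):
    """C11-C16: the SP holds no record for the request identifier and queries the EAC."""
    sub = eac.check_subscriber(isr_id, service)
    prov = eac.check_provider(eac.public.get(sp_public), service)
    if not (sub and prov):
        return None                                       # C13: error, re-authenticate
    blob = seal(prov["key"], eac.derive(sub, isr_id, sp_public, service))      # to the SP
    return ss_derive(ss_key, isr_id, sp_public, service), unseal(sp_key, blob)  # C15, C14


def ticket_model(eac, isr_id, ss_key, sp_public, sp_key, service):
    """C21-C28: the EAC gives the subscriber a ticket that only the SP can open."""
    sub = eac.check_subscriber(isr_id, service)
    prov = eac.check_provider(eac.public.get(sp_public), service)   # C22, via public identity
    if not (sub and prov):
        return None
    kd = eac.derive(sub, isr_id, sp_public, service)
    ticket = seal(prov["key"], json.dumps({"kd": kd.hex(), "ss": isr_id, "sp": sp_public}).encode())
    body = json.loads(unseal(sp_key, ticket))             # C25/C26: SS forwards, SP decrypts
    return ss_derive(ss_key, isr_id, sp_public, service), bytes.fromhex(body["kd"])


def mediation_model(eac, isr_id, ss_key, sp_public, sp_key, service):
    """C31-C38: the request passes through the EAC; the SP's response carries its query identifier."""
    sub = eac.check_subscriber(isr_id, service)           # C32
    if not sub:
        return None
    prov = eac.check_provider(eac.public.get(sp_public), service)   # C34/C35
    if not prov:
        return None
    blob = seal(prov["key"], eac.derive(sub, isr_id, sp_public, service))      # C36
    return ss_derive(ss_key, isr_id, sp_public, service), unseal(sp_key, blob)  # C37


def demo(model, service="video"):
    """Run one model with a freshly bootstrapped subscriber and provider (constructed data)."""
    eac = EAC()
    isr_id, ss_key = eac.register("ss-private-1")
    _isq_id, sp_key = eac.register("sp-private-9", public_id="sp.example.net")
    return model(eac, isr_id, ss_key, "sp.example.net", sp_key, service)
```

In all three models the provider only ever receives Kd under the key material it shares with the EAC, while the subscriber recomputes Kd from inputs it already holds; a failed identity or authority check on either side yields no key at all (the None return), which is the point at which the patent sends the error message and demands re-authentication. The ticket model additionally binds both identities inside the sealed ticket, so a ticket presented to a different provider cannot be opened.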
In the invention, after the service subscriber and the service provider have obtained the shared derivative key, before each service communication begins the two sides first perform mutual authentication using the derivative key and further generate a session key that protects this communication, and then protect the service communication with that session key.
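The mutual authentication on the derivative key Kd and the per-session key described above can be shown as a three-message exchange. This is an added example, not the patent's code: the message layout (a nonce from each side, keyed proofs carrying a role label) and the HMAC-SHA256 derivation are assumptions.

```python
# Added example: mutual authentication on Kd, then a fresh session key per session.
# The message layout and the derivation are assumptions, not the patent's.
import hashlib, hmac, os


def kdf(key: bytes, *parts: bytes) -> bytes:
    """Assumed derivation: HMAC-SHA256 over the '|'-joined parts."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def proof(kd: bytes, role: bytes, n_ss: bytes, n_sp: bytes) -> bytes:
    """Keyed proof of possession of Kd, bound to both nonces and to the prover's role
    so that a proof cannot be reflected back to the side that produced it."""
    return hmac.new(kd, role + n_ss + n_sp, hashlib.sha256).digest()


def session_key(kd: bytes, n_ss: bytes, n_sp: bytes) -> bytes:
    """One session key per session: both nonces enter, so Kd is never used directly."""
    return kdf(kd, b"session", n_ss, n_sp)


def ss_start() -> bytes:
    """Message 1 (SS -> SP): a fresh subscriber nonce."""
    return os.urandom(16)


def sp_answer(kd_sp: bytes, n_ss: bytes):
    """Message 2 (SP -> SS): provider nonce plus the provider's proof."""
    n_sp = os.urandom(16)
    return n_sp, proof(kd_sp, b"sp", n_ss, n_sp)


def ss_finish(kd_ss: bytes, n_ss: bytes, n_sp: bytes, sp_proof: bytes):
    """SS verifies the SP; on success returns message 3 and its session key."""
    if not hmac.compare_digest(sp_proof, proof(kd_ss, b"sp", n_ss, n_sp)):
        return None, None
    return proof(kd_ss, b"ss", n_ss, n_sp), session_key(kd_ss, n_ss, n_sp)


def sp_finish(kd_sp: bytes, n_ss: bytes, n_sp: bytes, ss_proof: bytes):
    """SP verifies the SS and derives the same session key, or None."""
    if not hmac.compare_digest(ss_proof, proof(kd_sp, b"ss", n_ss, n_sp)):
        return None
    return session_key(kd_sp, n_ss, n_sp)


def run_session(kd_ss: bytes, kd_sp: bytes):
    """Whole exchange; returns (ss_session_key, sp_session_key) or None if a side rejects."""
    n_ss = ss_start()
    n_sp, sp_proof = sp_answer(kd_sp, n_ss)
    ss_proof, k_ss = ss_finish(kd_ss, n_ss, n_sp, sp_proof)
    if ss_proof is None:
        return None
    k_sp = sp_finish(kd_sp, n_ss, n_sp, ss_proof)
    return None if k_sp is None else (k_ss, k_sp)
```

Two runs with the same Kd give two different session keys, which is the one-time property the patent claims for the session key, while a mismatched Kd (the inconsistency listed as deficiency 5 of the prior art) is detected before any service traffic is sent instead of surfacing as a failed decryption later.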
In addition, the key material shared between the service entity and the entity authentication centre has a validity period.
In the invention, when the entity authentication centre finds that the key material shared between the service entity and the centre, or the temporary identity of the service entity, is about to expire, the centre instructs the service entity to initiate a re-authentication request and indicates the reason for re-authentication.
After receiving the re-authentication indication and learning the reason, the service entity initiates a re-authentication request to the entity authentication centre, carrying its temporary identity in the request;
After receiving the re-authentication request, the entity authentication centre, identifying the service entity by its temporary identity, performs mutual authentication directly with the authentication mode originally used between them, without negotiating the authentication mode again.
In the invention, when the entity authentication centre finds that the key material shared between the service entity and the centre, or the temporary identity of the service entity, has been revoked or destroyed, or when the centre cannot find the related identity and key information from the temporary identity, the EAC instructs the service entity to initiate a re-authentication request and indicates the reason for re-authentication.
After receiving the re-authentication indication and learning the reason, the service entity initiates a re-authentication request to the entity authentication centre, carrying its private identity in the request;
After receiving the re-authentication request, the entity authentication centre negotiates the authentication mode with the service entity again.
In addition, the derivative key has a validity period.
In the invention, when the service provider finds that the derivative key is about to expire, the service provider instructs the service subscriber to initiate a re-authentication request and indicates the reason for re-authentication.
After receiving the re-authentication indication and learning the reason, the service subscriber initiates a re-authentication request to the entity authentication centre, carrying its temporary identity in the request;
After receiving the re-authentication request, the entity authentication centre, identifying the service subscriber by its temporary identity, performs mutual authentication directly with the authentication mode originally used between them, without negotiating the authentication mode again.
In the invention, when the service provider finds that the derivative key has been revoked or destroyed, or when the service provider cannot find the related identity and key information from the temporary identity, the service provider instructs the service subscriber to initiate a re-authentication request and indicates the reason for re-authentication.
After receiving the re-authentication indication and learning the reason, the service subscriber initiates a re-authentication request to the entity authentication centre, carrying its private identity in the request;
After receiving the re-authentication request, the entity authentication centre negotiates the authentication mode with the service subscriber again.
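The re-authentication rules above reduce to a small state classification at the EAC: key material or a temporary identity that is merely about to expire allows a fast path (temporary identity on the wire, original authentication mode reused), whereas revoked, destroyed or unknown material forces the private identity and a fresh negotiation. The following is an added example, not the patent's code; the record layout, the near-expiry window, the request shape and the injected clock are assumptions. The provider-side rules for the derivative key follow the same pattern and are not repeated here.

```python
# Added illustration of the re-authentication decision logic at the EAC.
# Record layout, near-expiry window and request shape are assumptions.
from dataclasses import dataclass

NEAR_EXPIRY_WINDOW = 300   # assumed: seconds before expiry at which "about to expire" begins


@dataclass
class EntityRecord:
    private_id: str
    auth_mode: str           # mode negotiated in step A, reused on the fast path
    expires_at: float        # validity of the shared key material / temporary identity
    revoked: bool = False


class EAC:
    def __init__(self):
        self.records = {}    # temporary identity -> EntityRecord

    def state(self, temp_id: str, now: float) -> str:
        rec = self.records.get(temp_id)
        if rec is None:
            return "unknown"           # no identity/key information for this temporary identity
        if rec.revoked:
            return "revoked"
        if rec.expires_at <= now:
            return "expired"           # handled like destroyed material: full re-authentication
        if rec.expires_at - now <= NEAR_EXPIRY_WINDOW:
            return "near-expiry"
        return "active"

    def reauth_indication(self, temp_id: str, now: float):
        """What the EAC tells the entity: the reason, and which identity to carry."""
        s = self.state(temp_id, now)
        if s == "active":
            return None
        if s == "near-expiry":
            return {"reason": s, "carry": "temporary identity"}
        return {"reason": s, "carry": "private identity"}

    def handle_reauth(self, request: dict, now: float) -> dict:
        """Request is {'temp_id': ...} (fast path) or {'private_id': ...} (renegotiate)."""
        if "temp_id" in request:
            s = self.state(request["temp_id"], now)
            if s not in ("active", "near-expiry"):
                # A revoked, expired or unknown temporary identity must not unlock the
                # fast path; the entity has to come back with its private identity.
                return {"action": "reject", "reason": s, "carry": "private identity"}
            rec = self.records[request["temp_id"]]
            return {"action": "authenticate", "mode": rec.auth_mode}
        if "private_id" in request:
            return {"action": "negotiate"}   # step A runs again with the private identity
        return {"action": "reject", "reason": "no identity", "carry": "private identity"}
```

The private identity therefore appears on the wire only when the temporary identity can no longer be resolved, which is the identity-confidentiality benefit listed as effect 5; the rejection branch matters because a forged or stale temporary identity must not be allowed to skip negotiation.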
The beneficial effects of the technical scheme of the invention are:
1. The service provider can be an application server in the mobile network, an application server in an open network, or a capable mobile terminal, so the service resources available to a service subscriber are richer.
2. The authentication scheme supports a mobile terminal being upgraded to a service provider, which meets the need of capable mobile terminals to provide services.
3. Mutual authentication between a service entity and the entity authentication centre can negotiate the authentication mode according to the modes the entity supports and the security-level requirement of the service; the mode adopted is supported by both the entity and the network and meets the security-level requirement, so mutual authentication proceeds more smoothly and with higher security assurance.
4. The service subscriber and the service provider further authenticate each other on the basis of the derivative key and generate a session key with a one-time property, which makes the authentication mechanism more secure and reliable and guarantees the success rate of service communication.
5. In most cases the re-authentication request carries the entity's temporary identity, which helps protect the confidentiality of the entity's identity.
Description of drawings
Fig. 1 is a structural diagram of the Generic Authentication Architecture (GAA);
Fig. 2 is a schematic diagram of the end-to-end communication authentication framework of the invention based on a mobile network;
Fig. 3 is a flow diagram of the authentication-mode negotiation and mutual authentication procedure between a service entity and the entity authentication centre;
Fig. 4 is a flow diagram of the authentication query procedure between a service entity and the entity authentication centre;
Fig. 5 is a schematic diagram of the end-to-end authentication model combined with the Kerberos model;
Fig. 6 is a flow diagram of the authentication query procedure combined with the Kerberos model;
Fig. 7 is a schematic diagram of the end-to-end authentication model combined with the Mediation model;
Fig. 8 is a flow diagram of the authentication query procedure combined with the Mediation model.
Embodiment
The invention is further described below with reference to the drawings and embodiments, which do not limit the invention.
Fig. 2 shows the end-to-end communication authentication framework of the invention based on a mobile network. The framework applies to different mobile network standards, its role is to establish mutual trust between service entities of different types, and it is a general authentication framework in the true sense. Besides the three kinds of service entity, namely the service subscriber (Service Subscriber, SS) 201, the entity that is both service subscriber and service provider (Service Subscriber and Provider, SSP) 202, and the service provider (Service Provider, SP) 203, the network elements involved include, in the operator network, an entity authentication centre (Entity Authentication Center, EAC) 204 and an entity subscription database (Entity Subscription Database, ESD) 205.
Before providing a service to a mobile subscriber, most application servers must first establish a relationship of mutual trust with the user (for example between the mobile subscriber and an authentication proxy, between the mobile subscriber and a PKI certificate authority, between the mobile subscriber and a content-providing server, and so on). In general, this trust relationship is established in a mutual authentication procedure between the mobile subscriber and the application server. As the mobile network develops, service types become more and more diverse: the service provider is no longer simply the operator network itself, but may also be a third-party content provider outside the operator network, or even a mobile subscriber. Some mobile subscribers not only use the application services the network provides but can also provide some services to other users in the network.
In the invention there are three kinds of service provider, the operator's application server (AS), a third-party AS and a mobile subscriber, and two kinds of service subscriber, an ordinary mobile subscriber or a third-party AS. A mobile subscriber can thus be both a service subscriber and a service provider, and a third-party AS can likewise be both a service subscriber and a service provider. Network entities are therefore no longer simply divided into users and service providers, but into three kinds:
SS (Service Subscriber): a pure service subscriber, which can only request services (generally an ordinary mobile subscriber);
SSP (Service Subscriber and Provider): both a service subscriber and a service provider (an ordinary mobile subscriber or a third-party AS);
SP (Service Provider): a pure service provider (an AS of the operator network or an SP of an external network).
In addition, the EAC completes the authentication-mode negotiation and authentication procedure with the service entities, performs the legitimacy check on the identities of the end-to-end communicating entities and on the entities' requests to use or provide services, and also generates derivative keys. The ESD stores the subscription information of entities; the subscription information comprises the service types the entity has subscribed to, or the service types the entity provides, or both, together with the authentication modes the entity supports and its authentication data. An entity's subscription information is stored under the entity's private identity.
A service provider that provides services to other entities, or a service subscriber that requests services from other entities, should first have a subscription relationship with the network, with its subscription information stored in the ESD.
Before a service subscriber communicates with other entities in the network, it should first negotiate the authentication mode with the EAC and complete the mutual identity authentication procedure.
In the invention, the authentication-mode negotiation and mutual authentication between a service entity and the EAC are initiated by the service entity, as shown in Fig. 3:
Step 301: first, the service entity automatically selects the security-level requirement corresponding to the service it requests or provides (for example a high security level for a video conference service);
Step 302: the service entity sends an authentication request to the EAC; the request message carries the entity's identity and related information such as the selected security level of the authentication mode;
Step 303: after receiving the authentication request message, the EAC searches the locally stored security-level list and finds the authentication protocols and encryption algorithms supported by the network that meet this security-level requirement. For example, HTTP AKA is a mutual authentication protocol between the network and the terminal in a wireless network; running it lets the two communicating parties authenticate each other's identity and generates the same key on both sides.
Step 304:EAC is according to identify label this Business Entity authentication information of inquiry in the CAMEL-Subscription-Information of ESD storage of Business Entity, i.e. authentication protocol, cryptographic algorithm and other relevant parameter of Business Entity support;
Step 305:ESD returns authentication protocol, cryptographic algorithm and other relevant parameter that this Business Entity is supported to EAC;
Authentication protocol and cryptographic algorithm that step 306:EAC supports according to local policy matching network and Business Entity, determine and meet the safe class demand and authentication protocol and cryptographic algorithm that both sides support, if do not meet the safe class demand and authentication protocol and cryptographic algorithm that both sides support, then return wrong indication to Business Entity;
Step 307:EAC comprises authentication protocol and cryptographic algorithm with selected authentication mode, returns to Business Entity;
Step 308: after Business Entity is received information, authentication mode is confirmed;
Step 309: next, Business Entity and EAC use selected authentication protocol and cryptographic algorithm is recognized each other card, and behind authentication success, both sides obtain to share key material.
If Business Entity is a portable terminal, sharing key material so just can be to share key (Ks), if Business Entity is the application server (AS) in a mobile core network territory, Business Entity and the entity authentication center EAC shared key material that may negotiate in recognizing each other the card process is SA (key and the key algorithm information of the secure communication that the Business Entity both sides consult in Security Association, i.e. security association---IPSec (the Internet Protocol Security) agreement) so;
Step 310:EAC is to the success response of Business Entity return authentication, and the distribution service entity temporary identity sign and the corresponding term of validity: 1) if the Business Entity that sends authentication request to EAC is service subscriber (SS/SSP), then EAC will distribute an intermediary service request mark ISR-ID to it, to use when other entity requests is professional.2) if the Business Entity that sends authentication request to EAC is service supplier (SP/SSP), then EAC will distribute an intermediary service inquiry sign IAC-ID to it, using when EAC inquires about the authentication scenario of SS;
Step 311:EAC will share key material and the corresponding related preservation of safe class with the Business Entity side.
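The security-level matching of steps 303 to 306, as an added Python example (not code from the patent): the EAC intersects the protocols and algorithms the network allows at the requested level with those the ESD records for the entity, and returns the error indication when the intersection is empty. The level names, protocol and algorithm identifiers, the subscription records and the preference order are all constructed for the example.

```python
"""Authentication-mode negotiation at the EAC (steps 303 to 306 of Fig. 3).

Added example; level names, protocol/algorithm identifiers, ESD records and the
preference order are constructed for illustration, not taken from the patent."""
from dataclasses import dataclass
from typing import Optional

# Constructed: the EAC's locally stored security level list (step 303).
NETWORK_SECURITY_LEVELS = {
    "high":   {"protocols": {"HTTP-AKA", "TLS-PSK"},     "algorithms": {"AES-256"}},
    "medium": {"protocols": {"HTTP-AKA", "HTTP-Digest"}, "algorithms": {"AES-256", "AES-128", "3DES"}},
    "low":    {"protocols": {"HTTP-AKA", "HTTP-Digest"}, "algorithms": {"AES-128", "3DES", "DES"}},
}

# Constructed: ESD subscription records keyed by private identity (steps 304/305).
ESD = {
    "entity-A": {"protocols": {"HTTP-AKA", "HTTP-Digest"}, "algorithms": {"AES-256", "AES-128"}},
    "entity-B": {"protocols": {"HTTP-Digest"},            "algorithms": {"DES"}},
}

# Constructed local policy (step 306): when several candidates match, prefer the
# strongest; this ordering is an assumption of the example.
PROTOCOL_PREFERENCE = ["HTTP-AKA", "TLS-PSK", "HTTP-Digest"]
ALGORITHM_PREFERENCE = ["AES-256", "AES-128", "3DES", "DES"]


@dataclass(frozen=True)
class AuthMode:
    protocol: str
    algorithm: str


def negotiate(private_id: str, requested_level: str,
              levels=NETWORK_SECURITY_LEVELS, esd=ESD) -> Optional[AuthMode]:
    """Select the authentication mode the EAC returns in step 307.

    Returns None where the text says an error indication is returned: unknown
    entity or level, or no protocol/algorithm supported both by the network at
    the requested level and by the entity.  The intersection is taken only
    inside the requested level, so an entity that offers weaker algorithms
    cannot pull the result below the level it asked for.
    """
    network = levels.get(requested_level)
    subscription = esd.get(private_id)
    if network is None or subscription is None:
        return None
    protocols = [p for p in PROTOCOL_PREFERENCE
                 if p in network["protocols"] and p in subscription["protocols"]]
    algorithms = [a for a in ALGORITHM_PREFERENCE
                  if a in network["algorithms"] and a in subscription["algorithms"]]
    if not protocols or not algorithms:
        return None
    return AuthMode(protocols[0], algorithms[0])


if __name__ == "__main__":
    print(negotiate("entity-A", "high"))   # AuthMode(protocol='HTTP-AKA', algorithm='AES-256')
    print(negotiate("entity-B", "high"))   # None: DES is not acceptable at the high level
    print(negotiate("entity-B", "low"))    # AuthMode(protocol='HTTP-Digest', algorithm='DES')
```

The point worth keeping from this model is the order of operations: the requested level filters the network's list first, and only then is the entity's list intersected, so the entity's own capabilities never widen the set of acceptable algorithms.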
After mutual authentication is completed, an authentication query process is carried out between the Business Entity and the Entity Authentication Center. As shown in Fig. 4, one specific implementation of the authentication query process is as follows:
Step 401: the SS (or an SSP) sends a service request to the SP (or another SSP) that can provide the service. The service request contains the interim service request identifier (ISR-ID) the SS obtained in its earlier authentication, and the public identity (UID) of the SP. The UID is the identity used for contact with other Business Entities; different services provided by the same Business Entity should correspond to different UIDs, i.e. the UID distinguishes different services;
Step 402: after receiving the service request, the SP checks whether it holds the ISR-ID of the SS locally, in order to recognize the SS. If the identifier is stored together with a valid derivative key, the true identity of the Business Entity and the like associated with it, both sides begin to use the derivative key for the service process; if the SP finds that the derivative key or the temporary identity is in the secondary working state, or has been revoked or destroyed, the SP instructs the SS to initiate a re-authentication request (the specific method of initiating re-authentication is described below); if the identifier is not stored, the SP sends a query request to the EAC, carrying the ISR-ID of the SS, its own IAC-ID and the UID of the requested service in the query request message, and step 403 is executed;
Step 403: after receiving the authentication query request message, the EAC first checks whether the IAC-ID is valid and whether the SP is entitled to provide this service, and then checks whether the ISR-ID is valid and whether the SS is entitled to request this service. If the checks pass, the EAC generates a derivative key for the two;
Step 404: the EAC responds to the authentication query.
If the authentication query succeeds, the newly derived key, encrypted with the key material shared between the SP and the EAC, is sent to the SP in the response message. Otherwise, if the authentication query fails, an error message is returned and the EAC notifies the corresponding Business Entity to re-authenticate with the EAC; the specific method of initiating re-authentication is described below;
Step 405: the SP decrypts and obtains the derivative key, and stores the derivative key, the validity period, the ISR-ID of the SS and the UID of the SP in association;
Step 406: the SP returns a service request response to the SS;
Step 407: the SS computes the identical derivative key locally using the same parameters and key algorithm; the key algorithm may be DES (Data Encryption Standard), 3-DES (Triple DES), AES (Advanced Encryption Standard) 256, AES 1024, etc., where 256 and 1024 are key lengths;
Step 408: the SS and the SP use the derivative key to begin the service process between them.
After the SS and the SP have obtained the shared derivative key, before each service communication begins they may also first perform mutual authentication with the derivative key, further generate a session key Kr-SS-SP that protects the security of this communication, and then use that session key to protect this service communication.
The trust relationship established by authentication between a Business Entity and the EAC has a validity period (the shared key material has a validity period, the derivative key has a validity period, and the temporary identity has a validity period). When the validity period is about to expire or has expired, the Business Entity needs to carry out a re-authentication process with the EAC to establish a new trust relationship.
Depending on the situation of the shared key material or the temporary identity, a Business Entity may be in one of the following states:
Secondary working state: the shared key material, derivative key or temporary identity is about to expire; at this point the shared key material can no longer be used for encryption, but it can still be used for decryption and for verifying the entity's identity.
Revoked state: the shared key material, derivative key or temporary identity has expired, and the correspondence between the shared key material or temporary identity and the true identity of the entity has been removed.
Destroyed state: the records relating to the shared key material, derivative key or temporary identity have been deleted.
A re-authentication process needs to be initiated when one of the following situations is met:
1. The EAC finds, according to its local policy, that the key material shared between the Business Entity and the EAC, or the temporary identity, is in the secondary working state; the EAC instructs the entity to initiate a re-authentication request.
2. The EAC finds, according to its local policy, that the shared key material or the temporary identity is in the revoked or destroyed state; the EAC instructs the entity to initiate a re-authentication request.
3. The EAC cannot find the relevant identity information and key information by the temporary identity (destroyed state); the EAC instructs the entity to initiate a re-authentication request.
4. The SP finds, according to its local policy, that the derivative key is in the secondary working state; the SP instructs the SS to initiate a re-authentication request.
5. The SP finds, according to its local policy, that the derivative key is in the revoked or destroyed state; the SP instructs the SS to initiate a re-authentication request.
6. The SP cannot find the corresponding identity information and key information by the temporary identity (destroyed state); the SP instructs the SS to initiate a re-authentication request.
The re-authentication indication sent by the EAC indicates the reason for re-authentication. If the reason is that the shared key material or the temporary identity is in the secondary working state, the Business Entity identifies itself with the temporary identity in the re-authentication request; after the EAC receives the request, it does not need to negotiate the authentication mode again and directly performs mutual authentication with the originally used authentication mode, found by the temporary identity. If the reason is that the shared key material or the temporary identity is in the revoked or destroyed state, or the key material cannot be found by the temporary identity when it is needed, the Business Entity identifies itself with its private identity in the re-authentication request; the authentication mode must be negotiated again, and the re-authentication process is identical to the initial authentication process.
Likewise, the re-authentication indication sent by the SP indicates the reason for re-authentication. If the reason is that the shared key material or the temporary identity is in the secondary working state, the SS identifies itself with the temporary identity in the re-authentication request; after the EAC receives the request, it does not need to negotiate the authentication mode again and directly performs mutual authentication with the originally used authentication mode, found by the temporary identity. If the reason is that the shared key material or the temporary identity is in the revoked or destroyed state, or the key material cannot be found by the temporary identity when it is needed, the SS identifies itself with its private identity in the re-authentication request; the authentication mode must be negotiated again, and the re-authentication process is identical to the initial authentication process.
The validity period and the secondary working state are illustrated as follows, taking the validity period of the shared key material as an example: suppose the validity period of the shared key material is 48 hours, and the range of 44 to 48 hours is set as the secondary working state; when the shared key material has existed for 45 hours, it can be judged that the shared key material is in the secondary working state of its life cycle.
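The life-cycle states and the re-authentication rules above, as an added Python model that is not part of the patent: a record per temporary identity, the 48-hour validity period with the 44-to-48-hour secondary window, the "encrypt versus decrypt/verify" distinction of the secondary state, and the decision of which identity the entity presents when it re-authenticates. The record layout, the fixed clock and the return tuple are this example's assumptions.

```python
"""Life-cycle states of shared key material / temporary identities and the
re-authentication path each state triggers (48 h lifetime, 44..48 h secondary).

Added example, not code from the patent; record layout and return values are
assumptions of this example."""
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, Optional


class State(Enum):
    ACTIVE = "active"          # may encrypt, decrypt and verify
    SECONDARY = "secondary"    # about to expire: decrypt/verify only, no new encryption
    REVOKED = "revoked"        # expired; link to the entity's true identity removed
    DESTROYED = "destroyed"    # record deleted, so lookup by temporary identity fails


class KeyRecord:
    """What the EAC (or an SP, for a derivative key) keeps per temporary identity."""

    def __init__(self, true_identity: str, issued_at: datetime,
                 lifetime: timedelta = timedelta(hours=48),
                 secondary_window: timedelta = timedelta(hours=4)):
        self.true_identity: Optional[str] = true_identity
        self.issued_at = issued_at
        self.lifetime = lifetime                  # 48 h in the text's example
        self.secondary_window = secondary_window  # 44..48 h is the secondary state

    def state(self, now: datetime) -> State:
        age = now - self.issued_at
        if age >= self.lifetime:
            return State.REVOKED
        if age >= self.lifetime - self.secondary_window:
            return State.SECONDARY
        return State.ACTIVE


def lookup_state(table: Dict[str, KeyRecord], temp_id: str, now: datetime) -> State:
    """A missing record is the destroyed state (situations 3 and 6 in the text)."""
    rec = table.get(temp_id)
    return State.DESTROYED if rec is None else rec.state(now)


def may_encrypt(table, temp_id, now) -> bool:
    return lookup_state(table, temp_id, now) is State.ACTIVE


def may_decrypt_or_verify(table, temp_id, now) -> bool:
    return lookup_state(table, temp_id, now) in (State.ACTIVE, State.SECONDARY)


def revoke_expired(table: Dict[str, KeyRecord], now: datetime) -> int:
    """Revoked state: drop the true-identity mapping of expired records; returns how many."""
    n = 0
    for rec in table.values():
        if rec.state(now) is State.REVOKED and rec.true_identity is not None:
            rec.true_identity = None
            n += 1
    return n


def reauth_decision(table, temp_id, now):
    """(needs_reauth, identity_to_present, renegotiate_mode) per the re-authentication indication.

    ACTIVE                -> nothing to do
    SECONDARY             -> present the temporary identity, reuse the old authentication mode
    REVOKED or DESTROYED  -> present the private identity, negotiate the mode again
    """
    s = lookup_state(table, temp_id, now)
    if s is State.ACTIVE:
        return (False, None, False)
    if s is State.SECONDARY:
        return (True, "temporary", False)
    return (True, "private", True)


# Constructed sample table: one ISR-ID issued at a fixed time.
T0 = datetime(2006, 1, 1, 0, 0)
TABLE = {"isr-0001": KeyRecord("entity-A", T0)}


def hours(h: float) -> datetime:
    """Clock helper for the example: T0 plus h hours."""
    return T0 + timedelta(hours=h)
```

Run against the text's own numbers, `hours(45)` lands in the secondary state (decrypt and verify allowed, encrypt refused, re-authenticate with the temporary identity), `hours(48)` is revoked, and an unknown identifier is treated as destroyed, so both of the latter force the private identity and a fresh negotiation.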
As shown in Fig. 5 and Fig. 6, when the Entity Authentication Center EAC has the function of a Kerberos server, an authentication query mode combined with the Kerberos model may be adopted. The specific steps are as follows:
Step 601: when the service subscriber SS needs to obtain a certain service, it first checks whether it has locally stored a service-granting ticket corresponding to this service; if so, it jumps to step 605; if not, it sends a service-granting ticket request to the Entity Authentication Center EAC, carrying in the request message the interim service request identifier ISR-ID of the service subscriber SS and the public identity UID of the service provider SP of this service;
Step 602: after receiving the request, the Entity Authentication Center EAC checks the validity of identity and authority. It first checks whether the ISR-ID is valid and whether the service subscriber SS is entitled to use this service, then obtains the temporary identity IAC-ID of the service provider SP from the UID of the service provider SP, and checks by the IAC-ID whether it is valid and whether the service provider SP is entitled to provide this service;
If the above check result is legal, the Entity Authentication Center EAC computes, from the identity information of the service subscriber SS and the service provider SP and the key material shared between the service subscriber SS and the Entity Authentication Center EAC, a derivative key K-SSP/SP used to protect the service communication between the service subscriber SS and the service provider SP; the Entity Authentication Center EAC also produces a service-granting ticket SGT containing the derivative key, the identity information of the service subscriber SS and the identity information of the service provider SP, and encrypts the service-granting ticket SGT with the key material shared between itself and the service provider SP;
If the check result is illegal, an error message is sent and the Entity Authentication Center EAC notifies the corresponding entity to re-authenticate its identity with the Entity Authentication Center;
Step 603: the Entity Authentication Center EAC sends the encrypted service-granting ticket to the service subscriber SS;
Step 604: after receiving the service-granting ticket SGT, the service subscriber SS locally produces an identical derivative key using the same parameters and algorithm as the Entity Authentication Center EAC;
Step 605: the service subscriber SS sends a service request to the service provider SP, carrying the service-granting ticket SGT;
Step 606: the service provider SP decrypts the service-granting ticket SGT and obtains the derivative key;
Step 607: the service provider SP returns a service request success response to the service subscriber SS;
Step 608: the service subscriber SS and the service provider SP use the derivative key to begin the service process between them.
Besides the above steps, the Entity Authentication Center EAC may also encrypt the derivative key with the key material shared between itself and the service subscriber SS and send the encrypted derivative key to the service subscriber SS, so that the service subscriber SS need not recompute the derivative key locally but obtains it by decryption.
Likewise, after the SS and the SP have obtained the shared derivative key, before each service communication begins they may also first perform mutual authentication with the derivative key, further generate a session key Kr-SS-SP that protects the security of this communication, and then use that session key to protect this service communication.
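The EAC side of both the Fig. 4 authentication query (steps 403 to 407) and the Fig. 6 service-granting ticket (steps 602 to 606), as one added Python example that is not the patent's code. The text says only that the derivative key is computed from the two identities and the key material shared between the SS and the EAC, so this example assumes an HMAC-SHA256 over those inputs (which lets the SS recompute it locally, as in steps 407 and 604); the "encryption with shared key material" is a toy HMAC-keystream encrypt-then-MAC construction standing in for the AES/DES modes the text names, so the example runs with the standard library only. The identifiers, key material and service UID are constructed.

```python
"""EAC-side authentication query (Fig. 4) and service-granting ticket (Fig. 6).

Added example, not the patent's code.  Assumptions: derivative key = HMAC-SHA256
over the SS's shared key material and both identities; protect()/unprotect() is
a toy HMAC-keystream cipher standing in for AES/DES (illustration only)."""
import hashlib
import hmac
import json
import os
from typing import Dict, Optional, Set, Tuple


def derive_key(ss_shared_key: bytes, isr_id: str, uid: str) -> bytes:
    """K-SS-SP: the EAC and the SS both hold every input, so both can compute it."""
    label = b"derivative-key|" + isr_id.encode() + b"|" + uid.encode()
    return hmac.new(ss_shared_key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def protect(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC under shared key material: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unprotect(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class EAC:
    def __init__(self):
        # temporary identity -> (shared key material, services the entity may request/provide)
        self.subscribers: Dict[str, Tuple[bytes, Set[str]]] = {}
        self.providers: Dict[str, Tuple[bytes, Set[str]]] = {}
        self.uid_to_iac: Dict[str, str] = {}  # public identity -> IAC-ID (Fig. 6 lookup)

    def register_ss(self, isr_id: str, ks: bytes, allowed_uids):
        self.subscribers[isr_id] = (ks, set(allowed_uids))

    def register_sp(self, iac_id: str, ks: bytes, provided_uids):
        self.providers[iac_id] = (ks, set(provided_uids))
        for uid in provided_uids:
            self.uid_to_iac[uid] = iac_id

    def _checks(self, iac_id, isr_id, uid):
        """Step 403 / 602: SP valid and entitled to provide uid; SS valid and entitled to request it."""
        sp = self.providers.get(iac_id)
        ss = self.subscribers.get(isr_id)
        if sp is None or uid not in sp[1] or ss is None or uid not in ss[1]:
            return None
        return sp[0], ss[0]

    def authentication_query(self, iac_id: str, isr_id: str, uid: str) -> Optional[bytes]:
        """Fig. 4: derivative key encrypted for the SP, or None (error, re-authenticate)."""
        keys = self._checks(iac_id, isr_id, uid)
        if keys is None:
            return None
        sp_ks, ss_ks = keys
        return protect(sp_ks, derive_key(ss_ks, isr_id, uid))

    def issue_sgt(self, isr_id: str, uid: str) -> Optional[bytes]:
        """Fig. 6: ticket holding the derivative key and both identities, encrypted for the SP."""
        keys = self._checks(self.uid_to_iac.get(uid), isr_id, uid)
        if keys is None:
            return None
        sp_ks, ss_ks = keys
        ticket = {"key": derive_key(ss_ks, isr_id, uid).hex(), "ss": isr_id, "sp": uid}
        return protect(sp_ks, json.dumps(ticket).encode())


def sp_open_sgt(sp_ks: bytes, sgt: bytes) -> Tuple[bytes, str, str]:
    """Step 606: the SP decrypts the ticket and takes the derivative key out of it."""
    t = json.loads(unprotect(sp_ks, sgt))
    return bytes.fromhex(t["key"]), t["ss"], t["sp"]


# Constructed sample deployment: one SS, one SP, one service UID the SS may use.
SS_KS = b"ss-shared-key-material-example!"
SP_KS = b"sp-shared-key-material-example!"
eac = EAC()
eac.register_ss("isr-0001", SS_KS, {"uid:video-conf"})
eac.register_sp("iac-0001", SP_KS, {"uid:video-conf", "uid:chat"})
```

Two properties of the text are visible in the model: the SP never learns the SS's shared key material (it only receives the derivative key under its own key), and a request for a service the SS is not subscribed to (`uid:chat` here) fails at the EAC's entitlement check before any key is derived.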
As shown in Fig. 7 and Fig. 8, when the Entity Authentication Center EAC has the function of a TTP acting as an arbitrator, an authentication query mode combined with the Mediation model may also be adopted. The specific steps are as follows:
Step 801: when the service subscriber SS needs to use a certain service of the service provider SP, it first sends a service request to the Entity Authentication Center EAC, carrying in the request message the interim service request identifier ISR-ID of the service subscriber SS and the public identity UID of the service provider SP;
Step 802: the Entity Authentication Center EAC checks the validity of the interim service request identifier ISR-ID of the service subscriber SS and the subscription information of the service subscriber SS, to determine whether the service subscriber SS is entitled to request this service;
Step 803: if the service subscriber SS is legal, the Entity Authentication Center EAC forwards the service request on its behalf to the service provider SP;
If the service subscriber SS is illegal, the Entity Authentication Center EAC sends an error message to the service subscriber SS and notifies the service subscriber SS to re-authenticate its identity with the Entity Authentication Center EAC;
Step 804: the service provider SP returns a service request response carrying its own interim service query identifier IAC-ID;
Step 805: the Entity Authentication Center EAC checks the validity of the interim service query identifier IAC-ID and the subscription information of the service provider SP, to determine whether it is entitled to provide this service;
If the service provider SP is legal, the Entity Authentication Center EAC computes, from the identity information of the service subscriber SS and the service provider SP and the key material shared between the service subscriber SS and the Entity Authentication Center EAC, a derivative key used to protect the service communication between the service subscriber SS and the service provider SP;
If the service provider SP is illegal, the Entity Authentication Center EAC sends an error message to the service provider SP and notifies the service provider SP to re-authenticate its identity with the Entity Authentication Center EAC;
Step 806: the Entity Authentication Center EAC sends a service request success response to the service subscriber SS, and sends to the service provider SP the derivative key encrypted with the key material shared between the Entity Authentication Center EAC and the service provider SP;
Step 807: after receiving the service request success response sent by the Entity Authentication Center EAC, the service subscriber SS computes the derivative key using the same parameters and algorithm as the Entity Authentication Center EAC;
Step 808: the service subscriber and the service provider use the derivative key to begin the service process between them.
Likewise, after the SS and the SP have obtained the shared derivative key, before each service communication begins they may also first perform mutual authentication with the derivative key, further generate a session key Kr-SS-SP that protects the security of this communication, and then use that session key to protect this service communication.
The above describes the preferred typical embodiments of the present invention. In other similar situations, such as when an SSP acts as the Business Entity, its role in the communication can change: when it is requesting a service it is handled in the same way as the SS above, and when it is providing a service it is handled in the same way as the SP above. Therefore, ordinary variations and substitutions made by those skilled in the art within the scope of the present invention should all fall within the protection scope of the invention.

Claims (22)

1. the authentication method based on mobile network P communication is characterized in that, this method utilizes the entity authentication center to participate in finishing verification process between Business Entity, may further comprise the steps:
Steps A: authentication mode is determined at Business Entity and entity authentication center through consultation;
Step B: described Business Entity and described entity authentication center utilize the authentication mode of determining in the steps A to recognize each other card, obtain shared key material; And
Step C: carry out authentication challenge between described Business Entity and the described entity authentication center.
2. the authentication method based on mobile network P communication according to claim 1 is characterized in that described Business Entity comprises service supplier, service subscriber, and be service subscriber be again service supplier.
3. the authentication method based on mobile network P communication according to claim 1 is characterized in that described steps A further comprises:
Steps A 1: Business Entity sends authentication request to the entity authentication center, the identify label of carrying this Business Entity in the request message with and selected authentication mode safe class;
Steps A 2: after authentication request message is received at described entity authentication center, search local safe class tabulation of preserving, find authentication protocol, the cryptographic algorithm of the network support that meets this safe class demand;
Steps A 3: authentication protocol, the cryptographic algorithm that described Business Entity is supported found at described entity authentication center in entity CAMEL-Subscription-Information database;
Steps A 4: authentication protocol and cryptographic algorithm that described entity authentication center is supported according to local policy matching network and Business Entity, determine and meet the safe class demand and authentication protocol and cryptographic algorithm that both sides support, and the result is returned to Business Entity; If do not meet the safe class demand and authentication protocol and cryptographic algorithm that both sides support, then return wrong indication to Business Entity.
4. the authentication method based on mobile network P communication according to claim 1, it is characterized in that, described step B also comprises: the temporary identity sign and the corresponding term of validity thereof are also distributed to described Business Entity in described entity authentication center, the intermediary service inquiry sign of intermediary service request mark that described temporary identity sign is a service subscriber or service supplier.
5. the authentication method based on mobile network P communication according to claim 4 is characterized in that: key material and the corresponding related preservation of safe class all will be shared with the Business Entity side in described entity authentication center.
6. the authentication method based on mobile network P communication according to claim 1 is characterized in that described step C further comprises:
Step C11: service subscriber sends service request to service supplier, carries the open identify label of the intermediary service request mark and the service supplier of service subscriber in the described business request information;
Step C12: after service supplier is received service request, search the local intermediary service request mark of whether preserving service subscriber, to discern described service subscriber;
If preserve described sign, and have effective derivative key and the user real identification that is associated with this sign, both sides utilize this derivative key to begin business procedure;
If do not preserve described sign, then send query requests, and in inquiry request message, carry intermediary service request mark and the intermediary service of self the inquiry sign and the open identify label of service subscriber to the entity authentication center;
Step C13: after above-mentioned query requests is received at the entity authentication center, carry out the validity checking of identity or authority;
If check result is legal, then described entity authentication center produces a derivative key that is used to protect service communication between described service subscriber and the service supplier, and sends to service supplier after utilizing the shared key material encryption of entity authentication center and described service supplier;
If check result is illegal, mind-set corresponding business entity is sent out error message in the then described entity authentication, and indication corresponding business entity arrives entity authentication center authenticating identity again;
Step C14: described service supplier deciphering obtains derivative key, and the intermediary service request mark of derivative key, service subscriber and the open identify label association of service supplier are kept at this locality;
Step C15: service subscriber calculates identical derivative key in this locality, and identifies the related this locality that is kept at the intermediary service inquiry of service supplier;
Step C16: service subscriber and service supplier use derivative key begin the business procedure between them.
7. the authentication method based on mobile network P communication according to claim 6 is characterized in that the validity checking of identity described in the step C13 or authority specifically may further comprise the steps:
Described entity authentication center judges whether the intermediary service request mark of described service subscriber is effective, and searches entity CAMEL-Subscription-Information database according to the true identity sign of service subscriber and judge whether described service subscriber has the right to use this business;
Described entity authentication center judges whether the intermediary service inquiry sign that described service supplier provides is effective, and judges whether it has the right to provide this business.
8. the authentication method based on mobile network P communication according to claim 1 is characterized in that described step C further comprises:
Step C21: when service subscriber need obtain a certain business, at first check local professional permission ticket of whether having preserved corresponding to this business, if have, then leap to step C25, if do not have, then send professional permission ticket request, carry the intermediary service request mark of described service subscriber in the described request message to the entity authentication center, and the open identify label of the service supplier of this business;
Step C22: after above-mentioned query requests is received at described entity authentication center, carry out the validity checking of identity or authority;
If check result is legal, then described entity authentication center produces a derivative key that is used to protect service communication between described service subscriber and the service supplier, in addition, the entity authentication center also produces a professional permission ticket that comprises derivative key, service subscriber identity information and service supplier identity information, utilizes the shared key material of itself and described service supplier to encrypt described professional permission ticket;
If check result is illegal, mind-set corresponding business entity is sent out error message in the then described entity authentication, and indication corresponding business entity arrives entity authentication center authenticating identity again;
Step C23: the described service subscriber of mind-set sends the professional permission ticket after the described encryption in the described entity authentication;
Step C24: after service subscriber is received described professional permission ticket, adopt the parameter identical to produce an identical derivative key in this locality with algorithm with the entity authentication center;
Step C25: service subscriber sends service request to described service supplier, and carries described professional permission ticket;
Step C26: service supplier is deciphered described professional permission ticket, obtains derivative key;
Step C27: service supplier returns the service request success response to service subscriber;
Step C28: service subscriber and service supplier use derivative key begin the business procedure between them.
9. the authentication method based on mobile network P communication according to claim 8 is characterized in that the validity checking of identity described in the step C22 or authority specifically may further comprise the steps:
Described entity authentication center judges whether the intermediary service request mark of described service subscriber is effective, and searches entity CAMEL-Subscription-Information database according to the true identity sign of service subscriber and judge whether described service subscriber has the right to use this business;
Described entity authentication center also obtains the intermediary service inquiry sign of service supplier according to the open identify label of service supplier, and whether judges effectively according to intermediary service inquiry sign whether this service supplier has the right to provide this business.
10. the authentication method based on mobile network P communication according to claim 8, it is characterized in that, utilize the shared key material of itself and described service subscriber to encrypt described derivative key by the entity authentication center, and the derivative key after will encrypting sends to service subscriber, thereby service subscriber needn't be recomputated in this locality draw derivative key, but obtain derivative key by deciphering.
11. The authentication method based on mobile network P2P communication according to claim 1, characterized in that step C further comprises:
Step C31: when the service subscriber needs to use a service of the service provider, it first sends a service request to the entity authentication center, the request message carrying the interim service request identifier of the service subscriber and the public identity identifier of the service provider;
Step C32: the entity authentication center checks the validity of the interim service request identifier of the service subscriber and the subscription information of the service subscriber, to determine whether the service subscriber has the authority to request this service;
Step C33: if the service subscriber is legitimate, the entity authentication center forwards the service request to the service provider on its behalf;
If the service subscriber is illegitimate, the entity authentication center sends an error message to the service subscriber and informs the service subscriber to authenticate its identity with the entity authentication center again;
Step C34: the service provider returns a service request response, carrying its own interim service query identifier in the response;
Step C35: the entity authentication center checks the validity of the interim service query identifier and the subscription information of the service provider, to determine whether the service subscriber has the right to provide this service;
If the service provider is legitimate, the entity authentication center generates a derived key for protecting the service communication between the service subscriber and the service provider;
If the service provider is illegitimate, the entity authentication center sends an error message to the service provider and informs the service provider to authenticate its identity with the entity authentication center again;
Step C36: the entity authentication center sends a service request success response to the service subscriber, and sends to the service provider the derived key encrypted with the shared key material between the entity authentication center and the service provider;
Step C37: after receiving the service request success response sent by the entity authentication center, the service subscriber computes the derived key using the same parameters and algorithm as the entity authentication center;
Step C38: the service subscriber and the service provider use the derived key to begin the service procedure between them.
12. The authentication method based on mobile network P2P communication according to claim 6, 8 or 11, characterized in that, after the service subscriber and the service provider obtain the shared derived key, and before each service communication begins, the two parties first perform mutual authentication using the derived key and further generate a session key for protecting the security of this communication, and then use the session key to protect this service communication.
13. The authentication method based on mobile network P2P communication according to any one of claims 1 to 11, characterized in that the shared key material between the service entity and the entity authentication center has a validity period.
14. The authentication method based on mobile network P2P communication according to claim 13, characterized in that, when the entity authentication center finds that the shared key material between the service entity and the entity authentication center, or the temporary identity identifier of the service entity, is in a sub-active state, the entity authentication center instructs the service entity to initiate a re-authentication request and indicates the reason for re-authentication.
15. The authentication method based on mobile network P2P communication according to claim 14, characterized in that:
After receiving the re-authentication indication and learning the reason for re-authentication, the service entity initiates a re-authentication request to the entity authentication center, carrying the temporary identity identifier in the re-authentication request;
After receiving the re-authentication request, the entity authentication center, based on the temporary identity identifier of the service entity, need not negotiate an authentication mode, and directly performs mutual authentication using the authentication mode originally used between them.
16. The authentication method based on mobile network P2P communication according to claim 13, characterized in that, when the entity authentication center finds that the shared key material between the service entity and the entity authentication center, or the temporary identity identifier of the service entity, is in a revoked or destroyed state, or when the entity authentication center cannot find the relevant identity information and key information according to the temporary identity identifier, the entity authentication center (EAC) instructs the service entity to initiate a re-authentication request and indicates the reason for re-authentication.
17. The authentication method based on mobile network P2P communication according to claim 16, characterized in that:
After receiving the re-authentication indication and learning the reason for re-authentication, the service entity initiates a re-authentication request to the entity authentication center, carrying the private identity identifier in the re-authentication request;
After receiving the re-authentication request, the entity authentication center negotiates the authentication mode again with the service entity.
18. The authentication method based on mobile network P2P communication according to any one of claims 6 to 11, characterized in that the derived key has a validity period.
19. The authentication method based on mobile network P2P communication according to claim 18, characterized in that, when the service provider finds that the derived key is in a sub-active state, the service provider instructs the service subscriber to initiate a re-authentication request and indicates the reason for re-authentication.
20. The authentication method based on mobile network P2P communication according to claim 19, characterized in that:
After receiving the re-authentication indication and learning the reason for re-authentication, the service subscriber initiates a re-authentication request to the entity authentication center, carrying the temporary identity identifier in the re-authentication request;
After receiving the re-authentication request, the entity authentication center, based on the temporary identity identifier of the service subscriber, need not negotiate an authentication mode, and directly performs mutual authentication using the authentication mode originally used between them.
21. The authentication method based on mobile network P2P communication according to claim 18, characterized in that, when the service provider finds that the derived key is in a revoked or destroyed state, or when the service provider cannot find the relevant identity information and key information according to the temporary identity identifier, the service provider instructs the service subscriber to initiate a re-authentication request and indicates the reason for re-authentication.
22. The authentication method based on mobile network P2P communication according to claim 21, characterized in that:
After receiving the re-authentication indication and learning the reason for re-authentication, the service subscriber initiates a re-authentication request to the entity authentication center, carrying the private identity identifier in the re-authentication request;
After receiving the re-authentication request, the entity authentication center negotiates the authentication mode again with the service subscriber.
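The service request flow of claim 11 (steps C31 to C38) and the two re-authentication triggers of claims 14 and 16, worked through as an added Python simulation that is not part of the patent. The entity names, keys, identifiers and validity window are constructed, and HMAC-SHA256 stands in for the key-derivation and key-wrapping algorithms, which the claims leave unspecified.

```python
# Added simulation; HMAC-SHA256 is a placeholder for the unspecified derivation
# and wrapping algorithms, and every key, identity and identifier is constructed.
import hashlib
import hmac
import os

def derive_key(shared: bytes, isr_id: bytes, prov_id: bytes, nonce: bytes) -> bytes:
    # Step C37: the subscriber recomputes this with the same parameters and algorithm as the EAC.
    return hmac.new(shared, b"|".join([b"dk", isr_id, prov_id, nonce]), hashlib.sha256).digest()

def wrap(kek: bytes, key: bytes) -> bytes:
    # Step C36: placeholder encrypt-then-MAC wrap under the EAC/provider shared key material.
    iv = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(key, hmac.new(kek, b"enc" + iv, hashlib.sha256).digest()))
    return iv + ct + hmac.new(kek, b"mac" + iv + ct, hashlib.sha256).digest()

def unwrap(kek: bytes, blob: bytes) -> bytes:
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, b"mac" + iv + ct, hashlib.sha256).digest()):
        raise ValueError("wrapped derived key failed integrity check")
    return bytes(c ^ s for c, s in zip(ct, hmac.new(kek, b"enc" + iv, hashlib.sha256).digest()))

def reauth_mode(expires_at: float, now: float, soft_window: float = 300.0):
    # Claims 14-17: near expiry (sub-active) the entity re-authenticates with its temporary identity
    # and the old mode; once expired (revoked) it presents its private identity and renegotiates.
    if now >= expires_at:
        return "private-identity, renegotiate mode"
    return "temporary-identity, same mode" if now >= expires_at - soft_window else None

class EAC:
    def __init__(self, subscribers: dict, providers: dict):
        self.subscribers, self.providers = subscribers, providers  # registries keyed by identity

    def service_request(self, true_id, isr_id, prov_id, service, forward, now):
        sub = self.subscribers.get(true_id)
        mode = reauth_mode(sub["expires_at"], now) if sub else "private-identity, renegotiate mode"
        if mode:  # shared key material no longer usable: tell the subscriber how to re-authenticate
            return {"error": "subscriber re-authentication required", "mode": mode}
        if sub["isr_id"] != isr_id or service not in sub["services"]:  # step C32
            return {"error": "subscriber not authorised"}               # step C33, failure branch
        prov = self.providers.get(prov_id)
        query_id = forward(prov_id, service)  # steps C33/C34: forward the request, provider answers
        if prov is None or query_id != prov["query_id"] or service not in prov["services"]:  # C35
            return {"error": "provider not authorised"}
        nonce = os.urandom(16)
        dk = derive_key(sub["key"], isr_id, prov_id.encode(), nonce)
        return {"subscriber": (isr_id, prov_id.encode(), nonce), "provider": wrap(prov["key"], dk)}

# Constructed sample entities; in the patent the keys come from the earlier authentication phase.
K_SUB, K_PROV = os.urandom(32), os.urandom(32)
PROVIDER = {"key": K_PROV, "query_id": b"q-7", "services": {"chat"}}
eac = EAC({"alice": {"key": K_SUB, "isr_id": b"isr-42", "expires_at": 1000.0, "services": {"chat"}}},
          {"chat-svc": PROVIDER})

def run_flow(service="chat", now=100.0, isr_id=b"isr-42", query_id=b"q-7"):
    # Returns the derived key as seen by each side (equal on success) or the EAC's error reply.
    reply = eac.service_request("alice", isr_id, "chat-svc", service,
                                forward=lambda pid, s: query_id, now=now)
    if "error" in reply:
        return reply
    dk_sub = derive_key(K_SUB, *reply["subscriber"])  # step C37, local recomputation
    dk_prov = unwrap(K_PROV, reply["provider"])       # provider decrypts the wrapped key
    return dk_sub, dk_prov
```

On success both sides hold the same 32-byte derived key without it ever travelling to the subscriber; the error replies show which party the EAC sends back for re-authentication and, for the lifecycle cases, which identity it must present.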
CNA2006100333772A 2006-01-24 2006-01-24 Authentication method based on the end-to-end communication of the mobile network Pending CN101009919A (en)

Priority Applications (11)

Application Number Priority Date Filing Date Title
CNA2006100333772A CN101009919A (en) 2006-01-24 2006-01-24 Authentication method based on the end-to-end communication of the mobile network
JP2008551629A JP5123209B2 (en) 2006-01-24 2006-12-26 Method, system, and authentication center for authentication in end-to-end communication based on a mobile network
CN2006800117305A CN101156352B (en) 2006-01-24 2006-12-26 Authentication method, system and authentication center based on mobile network P2P communication
PCT/CN2006/003601 WO2007085175A1 (en) 2006-01-24 2006-12-26 Authentication method, system and authentication center based on end to end communication in the mobile network
KR1020087020544A KR101009330B1 (en) 2006-01-24 2006-12-26 Method, system and authentication centre for authenticating in end-to-end communications based on a mobile network
AT07001329T ATE442730T1 (en) 2006-01-24 2007-01-22 METHOD, SYSTEM AND CENTER FOR AUTHENTICATION IN END-TO-END COMMUNICATIONS BASED ON MOBILE NETWORK
DE602007002308T DE602007002308D1 (en) 2006-01-24 2007-01-22 Method, system and center for authentication in end-to-end mobile network communications
EP07001329A EP1811744B1 (en) 2006-01-24 2007-01-22 Method, system and centre for authenticating in End-to-End communications based on a mobile network
US11/848,092 US7984298B2 (en) 2006-01-24 2007-08-30 Method, system and authentication centre for authenticating in end-to-end communications based on a mobile network
US13/160,152 US8468353B2 (en) 2006-01-24 2011-06-14 Method, system and authentication centre for authenticating in end-to-end communications based on a mobile network
JP2012198258A JP2012253817A (en) 2006-01-24 2012-09-10 Authentication method and system in mobile-network-based end-to-end communication, and authentication center

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA2006100333772A CN101009919A (en) 2006-01-24 2006-01-24 Authentication method based on the end-to-end communication of the mobile network

Publications (1)

Publication Number Publication Date
CN101009919A true CN101009919A (en) 2007-08-01

Family

ID=38697973

Family Applications (2)

Application Number Title Priority Date Filing Date
CNA2006100333772A Pending CN101009919A (en) 2006-01-24 2006-01-24 Authentication method based on the end-to-end communication of the mobile network
CN2006800117305A Active CN101156352B (en) 2006-01-24 2006-12-26 Authentication method, system and authentication center based on mobile network P2P communication

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN2006800117305A Active CN101156352B (en) 2006-01-24 2006-12-26 Authentication method, system and authentication center based on mobile network P2P communication

Country Status (1)

Country Link
CN (2) CN101009919A (en)


Also Published As

Publication number Publication date
CN101156352B (en) 2010-11-17
CN101156352A (en) 2008-04-02


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Open date: 20070801