CN102045173A - Authentication method, device and system of user equipment - Google Patents


Info

Publication number
CN102045173A
Authority
CN
China
Prior art keywords
user equipment
target network
information
requestor
authentication
Prior art date
Legal status
Pending
Application number
CN200910206162XA
Other languages
Chinese (zh)
Inventor
杨永利
丁志明
树贵明
Current Assignee
Huawei Device Co Ltd
Original Assignee
Huawei Device Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Device Co Ltd
Priority to CN200910206162XA
Publication of CN102045173A


Abstract

The invention discloses an authentication method, device and system for user equipment. It relates to the field of communications and solves the problem of communication interruption caused by the user equipment and the authentication server overwriting their stored authentication information with the authentication information acquired during authentication. The technical solution provided by the invention comprises the following steps: acquiring target network information; initiating authentication to the authenticator of the target network through the supplicant (requestor) instance corresponding to the target network information and acquiring the authentication information of the user equipment; and storing the authentication information of the user equipment, through that supplicant instance, in the storage region corresponding to the supplicant instance, where the storage region corresponding to this supplicant instance and the storage regions corresponding to other supplicant instances are mutually independent. The embodiments can be applied in the network switching process.

Description

Authentication method, device and system for user equipment
Technical field
The present invention relates to the field of communications, and in particular to an authentication method, device and system for user equipment.
Background technology
Before user equipment (UE) switches from a source network to a target network, it needs to perform pre-authentication with the target network. At present the Extensible Authentication Protocol (EAP) is a very widely used authentication protocol: the UE can exchange EAP messages with the authenticator of the target network and complete pre-authentication with the target network through the authentication server of the core network.
During pre-authentication, both the UE and the authentication server temporarily store the pre-authentication information obtained for the target network in a local buffer area. If authentication succeeds, the UE and the authentication server use the authentication information stored in the buffer to replace the authentication information of the source network; if authentication fails, the UE and the authentication server delete the authentication information in the buffer and continue to use the authentication information of the source network.
In summary, in the prior art the UE and the authentication server overwrite stored authentication information with newly obtained authentication information. After the UE has pre-authenticated successfully with the target network, if it does not switch to that target network immediately, the authentication information of the source network has already been overwritten, so the UE cannot continue to communicate over the source network and communication is interrupted. When the UE needs to switch back from the target network to the source network, because the authentication information of the source network has been overwritten, the UE must pre-authenticate with the source network again through the authentication server, which wastes network resources and lengthens the network handover delay.
Summary of the invention
In view of this, embodiments of the invention provide an authentication method and device for user equipment that can hold multiple sets of authentication information at the same time.
Embodiments of the invention adopt the following technical solution:
An authentication method for user equipment comprises: obtaining target network information; initiating authentication to the authenticator of the target network through the supplicant (requestor) instance corresponding to the target network information, and obtaining the authentication information of the user equipment; and saving, through that supplicant instance, the authentication information of the user equipment in the storage area corresponding to that supplicant instance, where the storage area of the supplicant instance corresponding to the target network information is independent of the storage areas corresponding to other supplicant instances.
A user equipment comprises:
a first acquiring unit, configured to obtain target network information;
a second acquiring unit, configured to initiate authentication to the authenticator of the target network through the supplicant instance corresponding to the target network information obtained by the first acquiring unit, and to obtain the authentication information of the user equipment;
a storage unit, configured to save, through the supplicant instance corresponding to the target network information obtained by the first acquiring unit, the authentication information obtained by the second acquiring unit in the storage area corresponding to that supplicant instance, where the storage area of the supplicant instance corresponding to the target network information is independent of the storage areas corresponding to other supplicant instances.
With the authentication method and device for user equipment provided by the embodiments of the invention, the authentication information produced between the user equipment and the target network during authentication is obtained and saved by the supplicant instance corresponding to the target network information, so the technical solution can hold multiple sets of authentication information at the same time. Communication is therefore unaffected when the user equipment does not switch to the target network immediately after authentication completes, which solves the prior-art problem that the authentication server overwrites the authentication information it has obtained, so that communication is interrupted unless the switch happens immediately after authentication. Because multiple sets of authentication information can be held at the same time, the user equipment does not need to perform a complete authentication again when switching between these networks, which saves the network resources that authentication occupies, increases the network switching speed and reduces the network handover delay.
Embodiments of the invention also provide an authentication method, device and system for user equipment that can hold multiple sets of authentication information at the same time.
Embodiments of the invention adopt the following technical solution:
An authentication method for user equipment comprises: interacting with the authenticator of the target network, authenticating the user equipment through the interaction established between the authenticator and the supplicant instance of the user equipment, and obtaining the authentication information of the user equipment, where the supplicant instance corresponds to the target network; and saving the authentication information of the user equipment in an entry corresponding to the user equipment and the target network.
An authentication server comprises:
an acquiring unit, configured to interact with the authenticator of the target network, authenticate the user equipment through the interaction established between the authenticator and the supplicant instance of the user equipment, and obtain the authentication information of the user equipment, where the supplicant instance corresponds to the target network;
a storage unit, configured to save the authentication information obtained by the acquiring unit in an entry corresponding to the user equipment and the target network.
A communication system comprises:
an authentication server, configured to interact with the authenticator of the target network to authenticate the user equipment, obtain the authentication information of the user equipment, and save the authentication information in an entry corresponding to the user equipment and the target network.
With the authentication method, device and system for user equipment provided by the embodiments of the invention, the authentication server stores the authentication information obtained while authenticating the user equipment in an entry corresponding to that user equipment and the target network, so the authentication server can hold multiple sets of authentication information for the user equipment at the same time. This solves the prior-art problem that the authentication server overwrites the authentication information it has obtained, so that communication is interrupted unless the switch happens immediately after authentication. Holding multiple sets of key information at the same time also means that the user equipment does not need to authenticate again when switching between networks with which it has already authenticated, which saves network resources and speeds up network switching.
Description of drawings
To explain the technical solutions of the embodiments of the invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative work.
Fig. 1 is a flowchart of the authentication method for user equipment provided by an embodiment of the invention;
Fig. 2 is a flowchart of the authentication method for user equipment provided by another embodiment of the invention;
Fig. 3 is a sequence diagram of the authentication method for user equipment provided by a further embodiment of the invention;
Fig. 4 is a sequence diagram of the authentication method for user equipment provided by yet another embodiment of the invention;
Fig. 5 is a first schematic diagram of the structure of the user equipment provided by an embodiment of the invention;
Fig. 6 is a second schematic diagram of the structure of the user equipment provided by an embodiment of the invention;
Fig. 7 is a schematic diagram of the structure of the authentication server provided by an embodiment of the invention;
Fig. 8 is a schematic diagram of the structure of the storage unit in the authentication server shown in Fig. 7.
Embodiments
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative work fall within the protection scope of the invention.
To solve the problem that the user equipment and the authentication server overwrite the authentication information obtained during authentication, causing communication interruption, the embodiments of the invention provide an authentication method, device and system for user equipment.
As shown in Fig. 1, the authentication method for user equipment provided by an embodiment of the invention comprises:
Step 101: the UE obtains target network information.
The UE may keep only one set of authentication information for a given network type, or it may keep a separate set of authentication information for each of several different networks of that type. If only one set is kept per network type, the target network information the UE obtains need only be the network type; if several sets are kept for several networks of one type, the target network information must include both the network type and the identification information of each network.
In this embodiment the target network types include a Wireless Fidelity access network (WiFi AN) and a Worldwide Interoperability for Microwave Access access service network (WiMAX ASN), among others.
When the target network is a WiFi AN, its identification information can be the Service Set Identifier (SSID) or the Mobile Domain Identification (MDID); when the target network is a WiMAX ASN, its identification information can be the Operator ID.
In this embodiment, when the target network information is the type of the target network, the UE can determine the type from the radio it uses to communicate with the target network. For example, when the UE communicates with the target network over the WiFi AN radio, it determines that the target network type is WiFi AN and obtains WiFi AN as the type information; when the UE communicates with the target network over the WiMAX ASN radio, it determines that the type is WiMAX ASN and obtains WiMAX ASN as the type information.
When the target network information consists of both the type and the identification information of the target network, and the type is WiFi AN, the UE can obtain the SSID (or MDID) of the target network from the beacon frame broadcast by the target AP. Instead of scanning itself, the UE can also query an information server to obtain the BSSID of the target AP and the SSID (or MDID) of that AP's network.
When the target network information consists of both the type and the identification information of the target network, and the type is WiMAX ASN, the UE can obtain base station information (specifically the base station identifier, BSID) by local scanning or from an information server. The BSID is 48 bits long; its high 24 bits are the network identifier, also called the Operator ID.
Of course, in practice the UE can also obtain the identification information of the target network in other ways, which are not described one by one here.
Further, in step 101, when the target network is a WiFi AN, the UE can also establish the correspondence between the BSSID of the target AP and the SSID (or MDID) of the target network, in either of two ways:
In one method, the UE obtains the SSID (or MDID) of the target network and the BSSID of the target AP from the beacon frame of the target AP it has found, and records the correspondence between the BSSID of the target AP and the SSID (or MDID) of the target network.
In the other method, the UE queries an information server to obtain the BSSID of the target AP and the SSID (or MDID) of that AP's network, and records the correspondence between the BSSID of the target AP and the SSID (or MDID) of the target network.
Optionally, step 102: the UE establishes a supplicant instance corresponding to the target network information obtained in step 101.
Specifically, in step 102 the UE can check whether a supplicant instance corresponding to the target network information obtained in step 101 already exists locally. If none is found, the UE creates a supplicant instance corresponding to that target network information; if one is found, there is no need to create the supplicant instance again.
In this embodiment, when the user equipment keeps only one set of authentication information for a given network type, the UE creates one supplicant instance for that network type. When the user equipment keeps multiple sets of authentication information for several different networks of one type, the UE creates a supplicant instance for each combination of network type and identification information (that is, one supplicant instance per target network), and stores the correspondence between each supplicant instance and the combination of type and identification information of its target network in a mapping table as shown in Table 1.
Table 1: mapping between supplicant instances and the combination of target network type and identification information (reproduced as an image in the original and not shown here).
Step 103: the UE initiates authentication to the authenticator of the target network through the supplicant instance corresponding to the target network information obtained in step 101, and obtains the authentication information of the UE.
In this embodiment the authentication information of the UE is key information, including the MSK, EMSK, MIP keys and SPI, among others.
During authentication between the several supplicant instances of the UE and the authentication server, the same credential is used by all of the supplicant instances.
Taking a WiFi AN target network, with the UE creating a supplicant instance corresponding to the identification information of the target network, as an example, step 103 works as follows. On the downlink, when the UE has created only one supplicant instance for WiFi, the WiFi MAC layer hands a received authentication message directly to that supplicant instance. When the UE has created several supplicant instances for WiFi, on receiving a message sent by the authenticator the UE uses the source BSSID in the MAC frame and the correspondence between the BSSID of the target AP and the SSID (or MDID) of the target network established in step 101 to obtain the identification information (SSID or MDID) of the target network corresponding to that BSSID, and then delivers the received message to the corresponding supplicant instance according to that identification information. On the uplink, the UE sends messages through the AP of the target network corresponding to the supplicant instance.
Step 104: through the supplicant instance corresponding to the target network information, the UE saves the authentication information of the UE in the storage area corresponding to that supplicant instance.
In this embodiment each supplicant instance of the UE has its own independent storage area, and the authentication information obtained by each supplicant instance is stored in the storage area that instance manages.
It should be noted that in this embodiment, if the supplicant instance has already stored authentication information, the authentication information of the UE obtained in step 103 may overwrite the information already stored by that supplicant instance. For example, when a supplicant instance corresponds to the type of the target network and it has saved authentication information between the UE and another network of the same type, then after the supplicant instance obtains authentication information between the UE and the target network, the UE uses that information to overwrite the saved authentication information between the UE and the other network of the same type. As another example, when a supplicant instance corresponds to both the type and the identification information of the target network and it has saved authentication information between the UE and that target network, then after the UE re-authenticates with the target network through the supplicant instance in step 103 and obtains new authentication information, the supplicant instance uses the new authentication information to overwrite the previously saved authentication information between the UE and that target network.
Optionally, in order to use the hardware resources of the UE sensibly and avoid wasting them, the authentication method for user equipment provided by this embodiment can further comprise: when the authentication information saved by the supplicant instance reaches a preset aging time, deleting the supplicant instance and the authentication information.
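As an added illustration of steps 101 to 104 and the optional aging rule (example code written for this page, not the patent's own), the following Python model keeps one supplicant instance per target network with an independent storage area, routes downlink EAP messages by source BSSID, and shows that re-authentication with one network overwrites only that network's information while aging deletes an instance together with its stored keys. The class and method names, the BSSID/SSID values and the key strings are all constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SupplicantInstance:
    """One supplicant (requestor) instance with its own private storage area."""
    network_type: str                  # "WiFi" or "WiMAX"
    net_id: Optional[str]              # SSID/MDID or Operator ID; None when one set per type
    auth_info: dict = field(default_factory=dict)   # MSK, EMSK, ... (step 104)
    stored_at: Optional[float] = None  # time the current authentication info was saved


class UserEquipment:
    def __init__(self, aging_time: float) -> None:
        self.aging_time = aging_time
        self.instances = {}        # Table 1: (network type, identification) -> instance
        self.bssid_to_ssid = {}    # step 101 (WiFi): BSSID of target AP -> SSID/MDID

    def learn_ap(self, bssid: str, ssid: str) -> None:
        """Step 101: record the BSSID -> SSID (or MDID) correspondence."""
        self.bssid_to_ssid[bssid] = ssid

    def get_or_create_instance(self, network_type: str,
                               net_id: Optional[str] = None) -> SupplicantInstance:
        """Step 102: reuse the instance if it already exists, otherwise create it."""
        key = (network_type, net_id)
        if key not in self.instances:
            self.instances[key] = SupplicantInstance(network_type, net_id)
        return self.instances[key]

    def dispatch_downlink(self, src_bssid: str) -> Optional[SupplicantInstance]:
        """Step 103, downlink: route a received EAP message to the right WiFi instance."""
        wifi = [i for i in self.instances.values() if i.network_type == "WiFi"]
        if len(wifi) == 1:
            return wifi[0]                 # only one WiFi instance: hand it over directly
        ssid = self.bssid_to_ssid.get(src_bssid)
        if ssid is None:
            return None                    # unknown AP: no instance can claim the message
        return self.instances.get(("WiFi", ssid))

    def store_auth_info(self, network_type: str, net_id: Optional[str],
                        auth_info: dict, now: float) -> None:
        """Step 104: save into this instance's own area; other instances stay untouched."""
        inst = self.get_or_create_instance(network_type, net_id)
        inst.auth_info = dict(auth_info)   # overwrites only this instance's earlier info
        inst.stored_at = now

    def age_out(self, now: float) -> list:
        """Delete every instance whose saved information has reached the aging time."""
        expired = [k for k, i in self.instances.items()
                   if i.stored_at is not None and now - i.stored_at >= self.aging_time]
        for k in expired:
            del self.instances[k]
        return expired


def demo() -> dict:
    """Constructed walk-through; all BSSIDs, SSIDs and key values are made up."""
    ue = UserEquipment(aging_time=3600)
    ue.learn_ap("00:11:22:33:44:55", "corp-wifi")
    ue.learn_ap("66:77:88:99:aa:bb", "cafe-wifi")
    ue.get_or_create_instance("WiFi", "corp-wifi")
    ue.get_or_create_instance("WiFi", "cafe-wifi")
    # Pre-authenticate with two different networks: each result lands in its own area.
    ue.store_auth_info("WiFi", "corp-wifi", {"MSK": "msk-corp-1"}, now=0)
    ue.store_auth_info("WiMAX", "op-0x0A1B2C", {"MSK": "msk-wimax-1"}, now=10)
    # Re-authenticate with the same WiFi network: only that instance is overwritten.
    ue.store_auth_info("WiFi", "corp-wifi", {"MSK": "msk-corp-2"}, now=20)
    target = ue.dispatch_downlink("66:77:88:99:aa:bb")   # frame from the cafe AP
    return {
        "instances": sorted(ue.instances),
        "corp_msk": ue.instances[("WiFi", "corp-wifi")].auth_info["MSK"],
        "wimax_msk": ue.instances[("WiMAX", "op-0x0A1B2C")].auth_info["MSK"],
        "dispatched_to": target.net_id if target else None,
        "aged_out": ue.age_out(now=3615),   # only the WiMAX info (saved at t=10) has aged
    }
```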
With the authentication method for user equipment provided by this embodiment, the authentication information produced between the user equipment and the target network during authentication is saved by the supplicant instance corresponding to the target network information, so multiple sets of authentication information can be held at the same time. Communication is therefore unaffected when the user equipment does not switch to the target network immediately after authentication completes, which solves the prior-art problem that the authentication server overwrites the authentication information it has obtained, so that communication is interrupted unless the switch happens immediately after authentication. Because multiple sets of authentication information are held at the same time, the user equipment does not need to perform a complete authentication again when switching between these networks, which saves the network resources that authentication occupies, increases the network switching speed and reduces the network handover delay.
As shown in Fig. 2, an embodiment of the invention also provides an authentication method for user equipment, comprising:
Step 201: the authentication server interacts with the authenticator of the target network, authenticates the UE through the interaction established between the authenticator and the supplicant instance of the UE, and obtains the authentication information of the UE, where the supplicant instance corresponds to the target network;
Step 202: the authentication server saves the authentication information of the UE in the entry corresponding to the UE and the target network.
In this embodiment the authentication server can look up, according to the credential of the UE and the target network information obtained beforehand, the entry corresponding to the combination of that credential and target network information. If such an entry is found, the authentication information between the UE and the target network is stored in it; if no such entry is found, the authentication server creates an entry corresponding to the combination of the UE's credential and the target network information and stores the authentication information between the UE and the target network in the newly created entry.
In the first step of the EAP authentication process the authentication server obtains the Network Access Identifier (NAI) of the UE; the decoration part of the NAI can carry the identification information of the target network. The NAI includes the identification of the user, from which the authentication server can find the credential of the corresponding user equipment; the authentication server then treats the credential of the user equipment together with the target network information as one combination. The target network information can also be obtained in other ways: for example, the authentication server can identify the authenticator it is interacting with by its IP address or an authenticator identifier and query an information server for information about the target network where that authenticator is located.
In this embodiment the target network information can be the type and identification information of the target network, or only the type of the target network, where the target network types include WiFi AN and WiMAX ASN, among others.
When the target network is a WiFi AN, its identification information can be the SSID or MDID; when the target network is a WiMAX ASN, its identification information can be the Operator ID.
With the authentication method for user equipment provided by this embodiment, the authentication server stores the authentication information obtained while authenticating the user equipment with the target network in an entry corresponding to that user equipment and target network, so the authentication server can hold multiple sets of authentication information for the user equipment at the same time. This solves the prior-art problem that the authentication server overwrites the authentication information it has obtained, so that communication is interrupted unless the switch happens immediately after authentication. Holding multiple sets of key information at the same time also means that the user equipment does not need to authenticate again when switching between networks with which it has already authenticated, which saves network resources and speeds up network switching.
To make the technical solutions provided by the embodiments of the invention clearer to those skilled in the art, the authentication method for user equipment is described in detail below through specific embodiments.
In another embodiment provided by the invention, the user equipment is operating on the WiMAX radio and authenticates with a WiFi AN network. The user equipment creates a supplicant instance corresponding to the identification information of the WiFi AN network and saves the authentication information obtained during authentication through that supplicant instance; the authentication server saves the authentication information obtained during authentication in the entry corresponding to the combination of the user's credential and the identification information of the WiFi AN network.
As shown in Fig. 3, the authentication method for user equipment provided by a further embodiment of the invention comprises:
Step 301: the user equipment scans the WiFi AN, obtains the identification information (SSID or MDID) of the WiFi AN and the BSSID of the target AP, and establishes the mapping between the BSSID and the SSID (or MDID) inside the user equipment. The specific implementation is described under step 101 of Fig. 1 and is not repeated here.
Step 302: the user equipment creates a supplicant instance corresponding to the identification information of the WiFi AN obtained in step 301.
Specifically, in step 302 the UE can check whether a supplicant instance corresponding to the identification information of the WiFi AN obtained in step 301 already exists locally. If none is found, the UE creates a supplicant instance corresponding to the identification information of that WiFi AN; if one is found, there is no need to create the supplicant instance again.
Step 303: the user equipment authenticates with the WiFi AN, producing authentication information such as the MSK and EMSK.
Specifically, step 303 can comprise:
The authenticator of the WiFi AN sends a request message (EAP Request) to the user equipment, asking it to report its NAI. The EAP Request is encapsulated in a MAC frame on the WiFi air interface when the AP sends it to the user equipment.
After the user equipment receives the MAC frame containing the EAP Request, it looks up the BSSID-to-SSID (or MDID) mapping table using the BSSID in the header of that MAC frame, obtains the SSID (or MDID), finds the corresponding EAP supplicant instance according to the SSID (or MDID), and then, in the usual manner of a protocol stack, strips the MAC layer information and delivers the EAP Request to the EAP supplicant instance it found.
After the EAP supplicant instance corresponding to this WiFi AN in the user equipment receives the EAP Request, it replies with an EAP Response message that carries the NAI, where the decoration part of the NAI contains information about the access network. In this embodiment the decorated NAI can take the form <routing realms>{networktype=WiFi|netID=SSID}<username>@<realm>, where {networktype=WiFi|netID=SSID} is the decoration part, which expresses the network type and network identity of the user equipment's location in the form of parameters.
After the EAP supplicant instance produces the EAP Response, it passes the message to the WiFi MAC processing layer of the user equipment, which adds the MAC header and transmits it.
After the authenticator receives the EAP Response containing the NAI, it sends an Access Request message to the authentication server; the RADIUS (Remote Authentication Dial-In User Service) protocol can be used between the authenticator and the authentication server, and the Access Request contains the NAI.
After the authentication server receives the Access Request, it extracts the NAI and finds the credential corresponding to the user name in the NAI; this credential is the same for the user equipment whether WiMAX or WiFi access is used. The authentication server then checks whether an entry corresponding to the combination of the user equipment's credential and the identification information of the WiFi AN exists: if such an entry is found, it is not created again; if none is found, an entry corresponding to the combination of the user equipment's credential and the identification information of the WiFi AN is created. In this embodiment the credential in that combination can be the user name or a credential identifier.
The authentication server uses the credential corresponding to the NAI and a chosen EAP method (such as EAP-AKA or EAP-TLS) to authenticate with the EAP supplicant instance of the user equipment.
After authentication succeeds, the user equipment and the authentication server generate a common MSK and EMSK on the basis of the authentication method (such as EAP-AKA or EAP-TLS). Further, to ensure the security of mobile IP, a series of mobile keys can be derived from the EMSK, and corresponding Security Parameter Indexes (SPI) are generated so that mobile IP devices and the entities of the mobile IP protocol, such as the foreign agent and the home agent, can look up and use these keys.
Step 304a, the EAP requestor example of subscriber equipment is preserved authentication informations such as MSK and EMSK, and the derivative key that is obtained by MSK and EMSK, and promptly the described mobile cryptographic key of step 303 also has authorization key, the safe key etc. of eating dishes without rice or wine of being derived by MSK.
Step 304b, certificate server is stored in authentication informations such as MSK and EMSK in the clauses and subclauses of combination correspondence of identification information of the credential of subscriber equipment and WiFi AN, by the derivative key that EMSK obtains, promptly the described mobile cryptographic key of step 303 also is stored in these clauses and subclauses.
UE is operated in the WiFi radio frequency, and the process that the authentication method of the subscriber equipment that the employing present embodiment provides authenticates to the WiMAXASN network is operated in the WiMAX radio frequency with above-mentioned UE, and is basic identical to the process that WiFi AN network authenticates, and repeats no more herein.
The authentication method of the subscriber equipment that the embodiment of the invention provides, subscriber equipment can be preserved the authentication information of this subscriber equipment and WiFi AN generation by the requestor example corresponding with WiFi AN, certificate server can be saved in the authentication information that described subscriber equipment and WiFi AN produce the corresponding clauses and subclauses of combination of the identification information of the credential of subscriber equipment and WiFiAN, conversely, when subscriber equipment is handled when the WiMAX network switches too from the WiFi network, make subscriber equipment and certificate server all can preserve many cover authentication informations simultaneously, solved in the prior art certificate server and subscriber equipment same credential has only been preserved a cover authentication information, the authentication information that obtains is covered preservation, make when heterogeneous network switches, to authenticate the problem that causes communication interruption time long in advance; Preserve many cover key informations simultaneously and also make subscriber equipment switching between a plurality of networks of once doing authentication need not repeat to do authentication, thereby accelerated the network switch speed.
In another embodiment provided by the invention, the user equipment operates on the WiMAX radio and authenticates to a WiFi AN network without distinguishing between different WiFi ANs: the user equipment creates a supplicant instance corresponding to the WiFi AN network type and saves the authentication information obtained during authentication in that supplicant instance, and the authentication server keeps the authentication information obtained during authentication in the entry corresponding to the combination of the user's credential and the WiFi AN network type.
As shown in Figure 4, the authentication method of the user equipment provided by this further embodiment comprises:
Step 401: the user equipment scans WiFi ANs and obtains an available target AP.
Because different WiFi ANs are not distinguished, only one set of authentication information is kept for WiFi ANs at any time, so there is no need to establish a mapping between the identification information (SSID or MDID) of the WiFi AN and the BSSID of the target AP.
Step 402: the user equipment creates the EAP supplicant instance corresponding to the WiFi AN network type.
Specifically, if no EAP supplicant instance corresponding to the WiFi AN network type exists on the user equipment yet, the EAP supplicant instance corresponding to this network type is created; if such an EAP supplicant instance has already been created on the user equipment, it is used directly.
Step 403: the user equipment and the WiFi AN authenticate, producing authentication information such as the MSK and EMSK.
Specifically, step 403 can comprise:
The authenticator of the WiFi AN sends a request message (EAP Request) to the user equipment asking it to report its NAI. When the AP sends the EAP Request to the user equipment, it is encapsulated in a MAC frame of the WiFi air interface.
After the user equipment receives the MAC frame containing the EAP Request, because the frame arrived on the WiFi interface, the WiFi MAC processing layer of the user equipment strips the MAC-layer information and delivers the EAP Request to the EAP supplicant instance corresponding to the WiFi AN network type.
After the EAP supplicant instance corresponding to the WiFi AN network type receives the EAP Request, it replies with an EAP Response message carrying the NAI, whose decoration part contains the access network type. In this embodiment the decorated NAI can take the form `<routing realms>{networktype=WiFi}<username>@<realm>`, where `{networktype=WiFi}` is the decoration part; it expresses, in the form of a parameter, the network type of the network the user equipment is on.
After the EAP supplicant instance generates the EAP Response, it passes it to the WiFi MAC processing layer of the user equipment, which adds the MAC header and transmits it.
After the authenticator receives the EAP Response containing the NAI, it sends an access request message (Access Request) to the authentication server; the RADIUS (Remote Authentication Dial In User Service) protocol can be used between the authenticator and the authentication server, and the Access Request carries the NAI.
After the authentication server receives the Access Request, it extracts the NAI and finds the credential corresponding to the username in that NAI; this credential is the same for the user equipment whether WiMAX or WiFi access is used. The authentication server then checks whether an entry corresponding to the combination of this user equipment's credential and the WiFi AN network type exists. If such an entry is found, it is not created again; if none is found, an entry corresponding to the combination of the user equipment's credential and the WiFi AN network type is created. In this embodiment, the credential in the combination can be a username or a credential identifier.
The authentication server uses the credential corresponding to the NAI and a chosen authentication method (such as EAP-AKA or EAP-TLS) to authenticate the EAP supplicant instance of the user equipment.
After authentication succeeds, the user equipment and the authentication server produce a common MSK and EMSK on the basis of the authentication method (such as EAP-AKA or EAP-TLS). Further, to secure Mobile IP, a series of mobility keys can be derived from the EMSK, together with corresponding SPIs, so that the mobile node and Mobile IP entities such as the foreign agent and home agent can look up and use these keys.
Step 404a: the EAP supplicant instance of the user equipment saves authentication information such as the MSK and EMSK together with the keys derived from them: the mobility keys described in step 403, and also the authorization key, the air-interface security keys and so on derived from the MSK.
Step 404b: the authentication server stores authentication information such as the MSK and EMSK in the entry corresponding to the combination of the user equipment's credential and the WiFi network type information; the keys derived from the EMSK, that is, the mobility keys described in step 403, are also stored in that entry.
The process by which a UE operating on the WiFi radio uses the authentication method of this embodiment to authenticate to a WiMAX ASN network is essentially the same as the process above in which a UE operating on the WiMAX radio authenticates to a WiFi AN network, and is not repeated here.
With the authentication method provided by this embodiment, the user equipment saves the authentication information it produces with a WiFi AN through the supplicant instance corresponding to the WiFi AN network type, and the authentication server saves the authentication information produced by the user equipment and the WiFi AN in the entry corresponding to the combination of the user equipment's credential and the WiFi AN network type; the same handling applies when the user equipment switches from a WiFi network to a WiMAX network. Both the user equipment and the authentication server can therefore hold one set of authentication information for each network type at the same time. This solves the prior-art problem that the authentication server and the user equipment keep only one set of authentication information per credential and so cannot support authenticating to a heterogeneous network in advance, which makes the communication interruption during a heterogeneous handover long. Holding several sets of key information at once also means the user equipment need not repeat authentication when switching between heterogeneous networks it has already authenticated to, which speeds up network switching.
As shown in Figure 5, an embodiment of the invention also provides a user equipment, comprising:
a first acquiring unit 501, for obtaining target network information;
The UE may keep only one set of authentication information for a given network type, or keep authentication information separately for several different networks of that type. If only one set of authentication information is kept for a network type, the target network information the UE obtains needs only the network type; if several sets are kept for different networks of one type, the target network information needs the identification information of each network as well as the network type. In this embodiment, the target network types include WiFi AN and WiMAX ASN.
When the target network is a WiFi AN, its identification information can be an SSID or MDID; when the target network is a WiMAX ASN, its identification information can be an Operator ID.
a second acquiring unit 502, for initiating authentication to the authenticator of the target network through the supplicant instance corresponding to the target network information obtained by the first acquiring unit 501, and obtaining the authentication information of the user equipment;
a storage unit 503, for saving, through the supplicant instance corresponding to the target network information obtained by the first acquiring unit 501, the authentication information of the user equipment obtained by the second acquiring unit 502 in the storage area corresponding to this supplicant instance, wherein the storage area corresponding to the supplicant instance of the target network information and the storage areas corresponding to other supplicant instances are independent of one another.
Further, as shown in Figure 6, the user equipment can also comprise:
a query unit 504, for querying whether a supplicant instance corresponding to the target network information obtained by the first acquiring unit 501 exists;
a creating unit 505, for creating the supplicant instance corresponding to the target network information obtained by the first acquiring unit 501 when the query unit 504 does not find such a supplicant instance.
Further, as shown in Figure 6, the user equipment can also comprise:
a deletion unit 506, for deleting the supplicant instance and the authentication information of the user equipment when the authentication information of the user equipment saved by that supplicant instance reaches a preset ageing time.
For the specific implementation of the user equipment provided by this embodiment of the invention, see the description of the authentication method of the user equipment provided by the embodiments above; it is not repeated here.
The user equipment provided by this embodiment of the invention can save the authentication information it produces with a target network during authentication through the supplicant instance corresponding to the target network information, so that the technical scheme of the embodiment can hold several sets of authentication information at once. Communication is therefore unaffected when the user equipment does not switch to the target network immediately after authentication completes, which solves the prior-art problem that the authentication server overwrites the authentication information it obtains and communication is interrupted unless the switch happens immediately after authentication. Because several sets of authentication information can be held at once, the user equipment need not perform a complete authentication again when switching between these networks, which saves the network resources authentication consumes, increases network switching speed and reduces handover delay.
As shown in Figure 7, an embodiment of the invention also provides an authentication server, comprising:
an acquiring unit 701, for interacting with the authenticator of the target network, authenticating the user equipment through the exchange established between the authenticator and the supplicant instance of the user equipment, and obtaining the authentication information of the user equipment, wherein the supplicant instance corresponds to the target network;
a storage unit 702, for saving the authentication information of the user equipment obtained by the acquiring unit 701 in the entry corresponding to the user equipment and the target network.
Further, as shown in Figure 8, the storage unit 702 can comprise:
a lookup subunit 7021, for looking up, according to the combination of the previously obtained credential of the user equipment and the identification information of the target network, the entry corresponding to the combination of this user equipment's credential and the target network information;
a first storing subunit 7022, for storing the authentication information of the user equipment in the entry corresponding to the combination of the user equipment's credential and the target network information if the lookup subunit 7021 finds that entry;
a second storing subunit 7023, for creating the entry corresponding to the combination of the user equipment's credential and the target network information if the lookup subunit 7021 does not find it, and storing the authentication information of the user equipment in the newly created entry.
Here the target network information can be the type information and identification information of the target network, or only the type information of the target network. In this embodiment, the target network types include WiFi AN and WiMAX ASN.
When the target network is a WiFi AN, its identification information can be an SSID or MDID; when the target network is a WiMAX ASN, its identification information can be an Operator ID.
For the specific implementation of the authentication server provided by this embodiment of the invention, see the description of the authentication method of the user equipment provided by the embodiments above; it is not repeated here.
The authentication server provided by this embodiment of the invention can store the authentication information obtained when the user equipment authenticates to a target network in the entry corresponding to that user equipment and target network, so that the authentication server can hold several sets of authentication information for the user equipment at once. This solves the prior-art problem that the authentication server overwrites the authentication information it obtains and communication is interrupted unless the switch happens immediately after authentication. Holding several sets of key information at once also means the user equipment need not repeat authentication when switching between networks it has already authenticated to, which saves network resources and speeds up network switching.
An embodiment of the invention also provides a communication system, comprising:
an authentication server, for interacting with the authenticator of the target network, authenticating the user equipment through the exchange established between the authenticator and the supplicant instance of the user equipment, obtaining the authentication information of the user equipment, and saving the authentication information in the entry corresponding to the user equipment and the target network.
For the specific implementation of the communication system provided by this embodiment of the invention, see the description of the authentication method of the user equipment provided by the embodiments above; it is not repeated here.
In the communication system provided by this embodiment of the invention, the authentication server can save the authentication information produced by the user equipment and the target network in the entry corresponding to that user equipment and target network, so that the authentication server can hold several sets of authentication information at once. This solves the prior-art problem that the authentication server overwrites the authentication information it obtains and communication is interrupted unless the switch happens immediately after authentication. Holding several sets of key information at once also means the user equipment need not repeat authentication when switching between networks it has already authenticated to, which saves network resources and speeds up network switching.
The authentication method, device and system of the user equipment provided by the embodiments of the invention can be applied in the network switching process.
Those of ordinary skill in the art will appreciate that all or part of the steps of the methods in the embodiments above can be carried out by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc.
The above are only specific embodiments of the invention, but the scope of protection of the invention is not limited to them; any change or substitution that a person skilled in the art can readily think of within the technical scope disclosed by the invention shall fall within the scope of protection of the invention. The scope of protection of the invention should therefore be determined by the scope of the claims.
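The two method embodiments above (one supplicant instance per WiFi AN keyed by SSID/MDID, or one per network type) and the user-equipment and authentication-server units described after them share one data model: the UE keeps an isolated key store per supplicant instance, the server keeps one entry per (credential, target network) combination, and authenticating to a new network never overwrites another network's keys. The Python below is an added example modelling that behaviour; it is not code from the patent or from Huawei. It assumes the page's decorated-NAI syntax `{networktype=WiFi|netID=SSID}username@realm`, abstracts the EAP method run and the RADIUS transport into a single `access_request` call, and uses a hypothetical HMAC-based `derive_msk_emsk` as a stand-in for the MSK/EMSK export of EAP-AKA or EAP-TLS. The `per_network` flag selects between the two embodiments, and `expire` plays the role of the deletion unit with its ageing time.

```python
# Added example, not the patent's code. Models the UE supplicant-instance stores and the
# server's per-(credential, network) entries; EAP/RADIUS are abstracted and the key
# derivation is a hypothetical HMAC stand-in for the EAP method's MSK/EMSK export.
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass

# Decorated NAI as written on the page: {networktype=WiFi|netID=SSID}username@realm
NAI_RE = re.compile(r"^\{(?P<deco>[^}]*)\}(?P<user>[^@]+)@(?P<realm>.+)$")


def build_nai(username, realm, networktype, netid=None):
    """netID is carried only when the UE distinguishes individual networks of a type."""
    deco = f"networktype={networktype}" + (f"|netID={netid}" if netid else "")
    return "{" + deco + "}" + f"{username}@{realm}"


def parse_nai(nai):
    """Split a decorated NAI into (username, realm, decoration parameters)."""
    m = NAI_RE.match(nai)
    if not m:
        raise ValueError("NAI carries no decoration part")
    deco = dict(kv.split("=", 1) for kv in m["deco"].split("|"))
    return m["user"], m["realm"], deco


def network_key(networktype, netid=None):
    """Instance/entry key: (type, id) when networks are distinguished, else (type,)."""
    return (networktype, netid) if netid else (networktype,)


def derive_msk_emsk(credential, nai, nonce):
    """Hypothetical stand-in for the EAP method's MSK/EMSK export (HMAC over a nonce)."""
    msk = hmac.new(credential, b"MSK|" + nai.encode() + nonce, hashlib.sha256).digest()
    emsk = hmac.new(credential, b"EMSK|" + nai.encode() + nonce, hashlib.sha256).digest()
    return msk, emsk


@dataclass
class KeySet:
    msk: bytes
    emsk: bytes
    created: float


class AuthServer:
    def __init__(self, credentials):
        self.credentials = credentials  # username -> credential shared by WiFi and WiMAX access
        self.entries = {}               # (username, network_key) -> KeySet

    def access_request(self, nai):
        """Handle the Access Request carrying the NAI; returns the nonce the UE needs."""
        user, _realm, deco = parse_nai(nai)
        cred = self.credentials[user]                      # same credential for both accesses
        key = (user, network_key(deco["networktype"], deco.get("netID")))
        nonce = os.urandom(16)
        msk, emsk = derive_msk_emsk(cred, nai, nonce)
        self.entries[key] = KeySet(msk, emsk, time.time())  # only this entry is (re)written
        return nonce


class UE:
    def __init__(self, username, realm, credential, per_network=True, ageing=3600.0):
        self.username, self.realm, self.credential = username, realm, credential
        self.per_network, self.ageing = per_network, ageing
        self.bssid_to_ssid = {}  # step 301 mapping table: target AP BSSID -> SSID/MDID
        self.instances = {}      # network_key -> KeySet, one supplicant instance each

    def learn_ap(self, bssid, ssid):
        self.bssid_to_ssid[bssid] = ssid

    def authenticate(self, server, networktype, bssid=None, netid=None):
        """Run the exchange through the instance for the target network and keep its keys."""
        if bssid is not None:
            netid = self.bssid_to_ssid[bssid]  # step 303: BSSID in the frame header -> SSID
        netid = netid if self.per_network else None
        nai = build_nai(self.username, self.realm, networktype, netid)
        nonce = server.access_request(nai)     # EAP Request/Response and RADIUS, abstracted
        msk, emsk = derive_msk_emsk(self.credential, nai, nonce)
        self.instances[network_key(networktype, netid)] = KeySet(msk, emsk, time.time())
        return nai

    def expire(self, now=None):
        """Deletion unit: drop instances whose keys reached the preset ageing time."""
        now = time.time() if now is None else now
        stale = [k for k, ks in self.instances.items() if now - ks.created >= self.ageing]
        for k in stale:
            del self.instances[k]
        return stale


def demo(per_network=True):
    """Authenticate to two WiFi ANs and a WiMAX ASN; earlier keys survive later runs."""
    server = AuthServer({"alice": b"shared-credential"})   # constructed sample data
    ue = UE("alice", "example.net", b"shared-credential", per_network=per_network)
    ue.learn_ap("00:11:22:33:44:55", "ssid-A")
    ue.learn_ap("66:77:88:99:aa:bb", "ssid-B")
    ue.authenticate(server, "WiFi", bssid="00:11:22:33:44:55")
    ue.authenticate(server, "WiFi", bssid="66:77:88:99:aa:bb")
    ue.authenticate(server, "WiMAX", netid="operator-1")
    return ue, server
```

With `per_network=True` the UE ends up with three instances (`("WiFi", "ssid-A")`, `("WiFi", "ssid-B")`, `("WiMAX", "operator-1")`) whose MSK/EMSK match the server's three entries; with `per_network=False` the second WiFi run overwrites the first in the single `("WiFi",)` instance, as in claim 2, while the WiMAX keys are untouched. The server keys its entries on the NAI decoration, so a UE that omits `netID` and a UE that carries it land in different entries even for the same SSID; in a deployment the two sides must agree on which mode they use.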

Claims (15)

1. the authentication method of a subscriber equipment is characterized in that, comprising:
Obtain objective network information;
Requestor's example by described objective network information correspondence is initiated authentication to the authenticator of objective network, obtains the authentication information of subscriber equipment;
Requestor's example by described objective network information correspondence is kept at the authentication information of described subscriber equipment in the storage area of this requestor's example correspondence, wherein, the storage area that the storage area of requestor's example correspondence of described objective network information correspondence is corresponding with other requestor's examples is separate.
2. method according to claim 1 is characterized in that, described requestor's example by described objective network information correspondence is kept at the authentication information of described subscriber equipment in this requestor's example corresponding memory space and comprises:
When described request person's example corresponding memory space had stored authentication information, described request person's example adopted the authentication information of described subscriber equipment to cover the described authentication information of having stored.
3. method according to claim 1 is characterized in that,, also comprises before the authenticator of objective network is initiated authentication at described requestor's example by described objective network information correspondence:
Whether inquiry exists the requestor example corresponding with described objective network information;
When not inquiring the requestor example corresponding, set up the requestor example corresponding with described objective network information with described objective network information.
4. method according to claim 1 is characterized in that, also comprises:
When the authentication information of the subscriber equipment of preserving when described request person's example arrives the ageing time that sets in advance, the authentication information of deletion described request person's example and described subscriber equipment.
5. method according to claim 1 is characterized in that, a plurality of requestor's examples of subscriber equipment and the verification process between the same certificate server use same credential.
6. according to any described method among the claim 1-5, it is characterized in that described objective network information comprises: the type information of objective network and identification information, the perhaps type information of objective network.
7. the authentication method of a subscriber equipment is characterized in that, comprising:
Carry out alternately with the authenticator of objective network, by alternately described subscriber equipment is authenticated between requestor's example of described authenticator and subscriber equipment foundation, obtain the authentication information of the user of institute equipment, wherein, described request person's example is corresponding with described objective network;
The authentication information of described subscriber equipment is kept in the clauses and subclauses corresponding with described subscriber equipment and objective network.
8. method according to claim 7 is characterized in that, described pre-authentication information with described subscriber equipment is kept in the clauses and subclauses corresponding with described subscriber equipment and objective network and comprises:
According to the credential and the objective network information of the subscriber equipment that obtains in advance, search and the credential of this subscriber equipment and the corresponding clauses and subclauses of combination of objective network information;
If find and described customer equipment identification and the corresponding clauses and subclauses of objective network information, the authentication information of described subscriber equipment is stored in these clauses and subclauses;
If do not find and the credential of described subscriber equipment and the corresponding clauses and subclauses of combination of objective network information, create and the credential of described subscriber equipment and the corresponding clauses and subclauses of combination of objective network information, the authentication information of described subscriber equipment is stored in the clauses and subclauses of this establishment.
9. method according to claim 8 is characterized in that, described objective network information comprises: the type information of objective network and identification information, the perhaps type information of objective network.
10. a subscriber equipment is characterized in that, comprising:
First acquiring unit is used to obtain objective network information;
Second acquisition unit, the requestor's example that is used for the objective network information correspondence obtained by described first acquiring unit is initiated authentication to the authenticator of objective network, obtains the authentication information of subscriber equipment;
Memory cell, the requestor's example that is used for the objective network information correspondence obtained by described first acquiring unit is kept at the authentication information of the subscriber equipment that described second acquisition unit obtains in the storage area of this requestor's example correspondence, wherein, the storage area that the storage area of requestor's example correspondence of described objective network information correspondence is corresponding with other requestor's examples is separate.
11. subscriber equipment according to claim 10 is characterized in that, also comprises:
Query unit is used to inquire about whether have a corresponding requestor's example of objective network information that obtains with described first acquiring unit;
Set up the unit, be used for when described query unit does not inquire the corresponding requestor's example of the objective network information obtained with described first acquiring unit, setting up the corresponding requestor's example of objective network information that obtains with described first acquiring unit.
12. subscriber equipment according to claim 10 is characterized in that, also comprises:
A deletion unit, configured to delete the requestor instance and the authentication information of the user equipment when the authentication information of the user equipment kept by the requestor instance reaches a preset ageing time.
13. An authentication server, characterized by comprising:
An acquiring unit, configured to interact with the authenticator of the target network and, through the interaction between the authenticator and a requestor instance established on the user equipment, authenticate the user equipment and obtain the authentication information of the user equipment, wherein the requestor instance corresponds to the target network;
A storage unit, configured to keep the authentication information of the user equipment obtained by the acquiring unit in an entry corresponding to the user equipment and the target network.
14. The authentication server according to claim 13, characterized in that the storage unit comprises:
A searching subunit, configured to search, according to the credential of the user equipment and the target network information obtained in advance, for the entry corresponding to the combination of the credential of this user equipment and the target network information;
A first storing subunit, configured to store the authentication information of the user equipment in the found entry if the searching subunit finds the entry corresponding to the combination of the credential of the user equipment and the target network information;
A second storing subunit, configured to, if the searching subunit does not find an entry corresponding to the combination of the credential of the user equipment and the target network information, create an entry corresponding to that combination and store the authentication information of the user equipment in the created entry.
15. A communication system, characterized by comprising:
An authentication server, configured to interact with the authenticator of the target network, authenticate the user equipment through the interaction between the authenticator and a requestor instance established on the user equipment, obtain the authentication information of the user equipment, and keep the authentication information in an entry corresponding to the user equipment and the target network.
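As an added illustration (not code from the patent) of the storage scheme in claims 12 to 15: a store keyed by the combination of user credential and target network, with find-or-create on store and ageing-based deletion, beside the single-slot-per-user store whose overwrite on handover the abstract describes. The class and method names, the "MSK" values and the network names are assumptions.

```python
class LegacyAuthStore:
    """One slot per user: a handover overwrites the previous network's info."""
    def __init__(self):
        self.entries = {}

    def store(self, credential, network, auth_info, now=0):
        self.entries[credential] = (network, auth_info)

    def lookup(self, credential, network):
        stored = self.entries.get(credential)
        return stored[1] if stored and stored[0] == network else None


class PerNetworkAuthStore:
    """Entry keyed by (credential, target network), as in claims 13 and 14."""
    def __init__(self, ageing_seconds):
        self.ageing = ageing_seconds
        self.entries = {}  # (credential, network) -> {"info": ..., "ts": ...}

    def store(self, credential, network, auth_info, now=0):
        key = (credential, network)
        entry = self.entries.get(key)          # searching subunit
        if entry is None:                      # second storing subunit: create
            entry = self.entries[key] = {}
        entry["info"] = auth_info              # first storing subunit: update
        entry["ts"] = now

    def lookup(self, credential, network):
        entry = self.entries.get((credential, network))
        return entry["info"] if entry else None

    def expire(self, now):
        """Deletion unit: drop entries that reached the preset ageing time."""
        stale = [k for k, e in self.entries.items() if now - e["ts"] >= self.ageing]
        for k in stale:
            del self.entries[k]
        return len(stale)


def handover_keeps_both(store):
    """Constructed scenario: the same UE authenticates to a WLAN, then hands
    over to a WiMAX network; both networks' keys should stay retrievable."""
    store.store("ue-cred-1", "wlan", "MSK-wlan", now=0)
    store.store("ue-cred-1", "wimax", "MSK-wimax", now=5)
    return (store.lookup("ue-cred-1", "wlan") == "MSK-wlan"
            and store.lookup("ue-cred-1", "wimax") == "MSK-wimax")
```

With the legacy store the WLAN key is lost after the handover, which is the communication interruption the abstract describes; the per-network store keeps both until the ageing time elapses.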
CN200910206162XA 2009-10-12 2009-10-12 Authentication method, device and system of user equipment Pending CN102045173A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200910206162XA CN102045173A (en) 2009-10-12 2009-10-12 Authentication method, device and system of user equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200910206162XA CN102045173A (en) 2009-10-12 2009-10-12 Authentication method, device and system of user equipment

Publications (1)

Publication Number Publication Date
CN102045173A true CN102045173A (en) 2011-05-04

Family

ID=43910992

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200910206162XA Pending CN102045173A (en) 2009-10-12 2009-10-12 Authentication method, device and system of user equipment

Country Status (1)

Country Link
CN (1) CN102045173A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104184782A (en) * 2013-05-28 2014-12-03 腾讯科技(深圳)有限公司 Method and device for realizing socialization of third party application
CN108540493A (en) * 2018-04-28 2018-09-14 北京佰才邦技术有限公司 Authentication method, user equipment, network entity and business side server
CN109691157A (en) * 2016-09-19 2019-04-26 高通股份有限公司 The technology of the security key of cellular network is derived based on the execution of Extensible Authentication Protocol (EAP) process

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002071177A2 (en) * 2001-03-03 2002-09-12 Moneyhive.Com Pte Ltd Method and system for substantially secure electronic transactions
CN101426202A (en) * 2007-11-02 2009-05-06 华为技术有限公司 Method, device and system for network switching implementation
CN101471777A (en) * 2007-12-29 2009-07-01 中国科学院计算技术研究所 Access control system and method between domains based on domain name

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104184782A (en) * 2013-05-28 2014-12-03 腾讯科技(深圳)有限公司 Method and device for realizing socialization of third party application
CN104184782B (en) * 2013-05-28 2015-09-30 腾讯科技(深圳)有限公司 A kind of method and device, system realizing third-party application social
CN109691157A (en) * 2016-09-19 2019-04-26 高通股份有限公司 The technology of the security key of cellular network is derived based on the execution of Extensible Authentication Protocol (EAP) process
CN109691157B (en) * 2016-09-19 2022-05-03 高通股份有限公司 Method, apparatus, and non-transitory computer-readable medium for wireless communication
CN114727283A (en) * 2016-09-19 2022-07-08 高通股份有限公司 Method, apparatus, and non-transitory computer-readable medium for wireless communication
US11463871B2 (en) 2016-09-19 2022-10-04 Qualcomm Incorporated Techniques for deriving security keys for a cellular network based on performance of an extensible authentication protocol (EAP) procedure
CN108540493A (en) * 2018-04-28 2018-09-14 北京佰才邦技术有限公司 Authentication method, user equipment, network entity and business side server

Similar Documents

Publication Publication Date Title
US11856621B2 (en) Station and method for receiving a frame comprising a configuration change counter corresponding to another access point
US8199720B2 (en) Method for handover between heterogenous radio access networks
CA2663168C (en) Security authentication and key management within an infrastructure-based wireless multi-hop network
US8385549B2 (en) Fast authentication between heterogeneous wireless networks
JP6022596B2 (en) Method and device for authentication in an integrated wireless network
US10715999B2 (en) Selective key caching for fast roaming of wireless stations in communication networks
US8549293B2 (en) Method of establishing fast security association for handover between heterogeneous radio access networks
JP3869392B2 (en) User authentication method in public wireless LAN service system and recording medium storing program for causing computer to execute the method
US20120284785A1 (en) Method for facilitating access to a first access nework of a wireless communication system, wireless communication device, and wireless communication system
EP1414262A1 (en) Authentication method for fast handover in a wireless local area network
CN1969568A (en) Mobility architecture using pre-authentication, pre-configuration and/or virtual soft-handoff
KR20090039593A (en) Method of establishing security association in inter-rat handover
US20110047592A1 (en) Pre-registration security support in multi-technology interworking
CN103391543A (en) Method and device for achieving roaming switch
CN101888630A (en) Authentication Method, system and device for switching access networks
CN101888631B (en) Method, system and equipment for switching access network
CN101945390A (en) Admission control method and device
CN102026190A (en) Rapid and safe heterogeneous wireless network switching method
CN102045173A (en) Authentication method, device and system of user equipment
CN101990207A (en) Access control method, home base station (HBS) and HBS authorization server
Chen et al. A seamless handoff mechanism for DHCP-based IEEE 802.11 WLANs
WO2016065847A1 (en) Wifi offload method, device and system
CN114765827A (en) Safety protection method, device and system
CN101394664B (en) Mobile node, method and system for implementing media irrelevant switching

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20110504