CN102065425A - System and method for preauthenticating terminal switched among different management domains - Google Patents
- Publication number: CN102065425A (application CN200910210960XA)
- Authority: CN (China)
- Prior art keywords: authentication, management domain, terminal, certificate server, former
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
The invention discloses a system and a method for pre-authenticating a terminal that switches between different management domains, which reduce the handover delay of such a terminal. The method comprises the following steps: after receiving a pre-authentication start message sent by the original management domain or the destination management domain, the terminal sends a pre-authentication request to the home authentication server; the home authentication server and the terminal carry out the pre-authentication interaction; and after the pre-authentication succeeds, the home authentication server sends a pre-authentication success message to the terminal and to the destination management domain. With this system and method, once a user has been pre-authenticated successfully, the authentication procedure run after the terminal switches to the destination management domain is reduced, the delay is reduced and service continuity is improved.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a pre-authentication system and method for a terminal that switches between different management domains.
Background technology
In a mobile network, a terminal can switch between different access points. If two access points belong to different management domains, then when the terminal switches between them a complete authentication procedure has to be carried out between the original management domain and the destination management domain.
The complete authentication that the prior art performs when a terminal switches between two management domains has at least the following technical deficiencies:
1) Compared with the physical handover itself, the complete authentication procedure needs a long delay.
2) When the terminal switches while roaming, the user is authenticated through the visited domain's authentication server back to the home authentication server; compared with authenticating within the home domain, this has a much larger delay.
3) Different management domains are likely to use different access types, and different access types may require different authentication procedures.
Summary of the invention
The technical problem solved by the present invention is to provide a pre-authentication system and method that reduce the handover delay when a terminal switches between different management domains.
To solve the above technical problem, the present invention first provides a pre-authentication method for a terminal switching between different management domains, used for the switching of the terminal between an original management domain and a destination management domain, comprising:
after receiving a pre-authentication start message sent by the original management domain or the destination management domain, the terminal sends a pre-authentication request to the home authentication server;
the home authentication server and the terminal carry out the pre-authentication interaction;
after the pre-authentication succeeds, the home authentication server sends a pre-authentication success message to the terminal and to the destination management domain.
Preferably, the method further comprises:
the terminal switches to the destination management domain according to the pre-authentication success message.
Preferably, the pre-authentication start message is sent to the terminal by the authenticator in the original management domain or by the authenticator in the destination management domain.
Preferably, the step in which the terminal sends the pre-authentication request to the home authentication server comprises:
the terminal sends the pre-authentication request to the home authentication server through the original management domain and/or the destination management domain.
Preferably, the step in which the home authentication server and the terminal carry out the pre-authentication interaction comprises:
the home authentication server and the terminal carry out the pre-authentication interaction through the original management domain and/or the destination management domain.
Preferably, the pre-authentication start message and the pre-authentication success message are extensions of the Extensible Authentication Protocol (EAP), and the pre-authentication interaction is carried out based on EAP.
Preferably, the pre-authentication start message and the pre-authentication interaction are extensions of the EAP-Initiate message, and the pre-authentication success message is an extension of the EAP-Finish message.
To solve the above technical problem, the present invention also provides a pre-authentication system for a terminal switching between different management domains, used for the switching of the terminal between an original management domain and a destination management domain, characterized in that the system further comprises a home authentication server, wherein:
the terminal is configured to send a pre-authentication request to the home authentication server after receiving a pre-authentication start message sent by the original management domain or the destination management domain;
the home authentication server is configured to carry out the pre-authentication interaction with the terminal and, after the pre-authentication succeeds, to send a pre-authentication success message to the terminal and to the destination management domain.
Preferably, the original management domain comprises an original authenticator and the destination management domain comprises a destination authenticator; the pre-authentication start message is sent to the terminal by the original authenticator or by the destination authenticator.
Preferably, the original management domain and/or the destination management domain are configured to forward the pre-authentication request sent by the terminal to the home authentication server, and also to take part in the pre-authentication interaction.
The present invention implements the switching of a terminal between management domains through EAP-based pre-authentication, thereby reducing the handover delay.
Pre-authentication means that, before the terminal begins to switch, the pre-authentication procedure with the destination management domain is carried out in advance, and the switch takes place only after the pre-authentication succeeds. This guarantees that after the switch the user is one who has already been pre-authenticated successfully, which reduces the authentication procedure after switching to the destination management domain, reduces the delay and improves service continuity.
The pre-authentication technique provided by the invention is an enhancement to the Extensible Authentication Protocol (EAP) that lets the EAP authentication protocol better support a pre-authentication mode. In addition, the authentication procedure of the technical solution is independent of the existing authentication procedure and has no influence on it.
Other features and advantages of the present invention will be set forth in the following description, and partly become apparent from the specification or are understood by implementing the invention. The objects and other advantages of the invention can be realized and obtained by the structure specifically pointed out in the specification, the claims and the drawings.
Description of drawings
The drawings are provided to give a further understanding of the present invention and form part of the specification; together with the embodiments of the invention they serve to explain the invention and are not to be construed as limiting it. In the drawings:
Fig. 1 is a schematic diagram of the composition of the system embodiment of the present invention;
Fig. 2 is a schematic flow chart of the first embodiment of the method of the present invention;
Fig. 3 is a schematic flow chart of the second embodiment of the method of the present invention;
Fig. 4 is a schematic flow chart of the third embodiment of the method of the present invention.
Embodiment
Embodiments of the present invention are described in detail below with reference to the drawings and examples, so that how the invention applies technical means to solve the technical problem and achieves the technical effect can be fully understood and implemented accordingly.
It should be noted that, as long as there is no conflict, the embodiments of the invention and the features in the embodiments may be combined with one another, all within the protection scope of the invention. In addition, the steps shown in the flow charts of the drawings may be carried out in a computer system as a set of computer-executable instructions, and although a logical order is shown in the flow charts, in some cases the steps shown or described may be carried out in an order different from the one given here.
ERP (EAP Extensions for EAP Re-authentication Protocol) is an EAP-based re-authentication protocol for use within a single management domain. When a terminal switches within a single management domain, the key material produced by the full authentication may not yet have expired; performing a full authentication again at handover would increase the handover delay, since the still-valid key material could be reused instead. The protocol extends EAP so that the Extended Master Session Key (EMSK) from the full authentication is used for key derivation, letting the terminal and the authentication server re-authenticate and so reducing the terminal's handover delay.
In the technical solution of the present invention, the EAP-Initiate and EAP-Finish messages are each extended, as follows:
The EAP-Initiate message of the Extensible Authentication Protocol is extended with a Pre-auth-start type. The pre-authentication start (EAP-Initiate/Pre-auth-start) message is sent by the authenticator in the original management domain or in the destination management domain and indicates that this authenticator supports the EAP pre-authentication mode.
The EAP-Initiate message is further extended with a Pre-auth type. When the terminal receives an EAP-Initiate message containing the pre-authentication start (Pre-auth-start) type, that is, an EAP-Initiate/Pre-auth-start message, it sends an EAP-Initiate message of the Pre-auth type, that is, a pre-authentication request (EAP-Initiate/Pre-auth) message, which begins the pre-authentication procedure.
The EAP-Finish message of the Extensible Authentication Protocol is extended with a Pre-auth type. After the pre-authentication procedure finishes, the authenticator in the destination management domain sends an EAP-Finish/Pre-auth message to the terminal. This EAP-Finish/Pre-auth message may be delivered to the authenticator of the destination management domain by the EAP server of the destination management domain.
Fig. 1 is a schematic diagram of the composition of the system embodiment of the present invention. As shown in Fig. 1, the system embodiment mainly comprises a terminal 110; the authenticator (called the original authenticator 120) and the authentication server (called the original authentication server 130) in the original management domain; the authenticator (called the destination authenticator 140) and the authentication server (called the destination authentication server 150) in the destination management domain; and a home authentication server 160, wherein:
the destination authenticator 140 has a layer-2 connection with the terminal 110 and is connected to the destination authentication server 150; it is configured to send the pre-authentication start message to the terminal 110, to forward the pre-authentication request message sent by the terminal 110 to the destination authentication server 150, and to forward the pre-authentication success message sent by the destination authentication server 150 to the terminal 110;
the pre-authentication interaction between the terminal 110 and the home authentication server may pass through the destination authenticator 140, the destination authentication server 150, the original authenticator 120 and the original authentication server 130. The destination authenticator 140 may obtain the pre-authentication success message that it sends to the terminal 110 from a device with EAP server capability; this EAP server may be the destination authentication server 150 or, for example, the home authentication server 160.
How the system embodiment shown in Fig. 1 implements the pre-authentication procedure of the invention is further explained with reference to the method embodiments shown in Figs. 2 to 4.
Fig. 2 is a schematic flow chart of the first embodiment of the method of the present invention. In this embodiment, the original management domain and the destination management domain have a trust relationship; the original management domain includes an original authenticator and an original authentication server, and the destination management domain includes a destination authenticator and a destination authentication server. As shown in Fig. 2, this embodiment mainly comprises the following steps:
Step S210: the destination authenticator sends a pre-authentication start (EAP-Initiate/Pre-auth-start) message to the terminal;
Step S220: after receiving this EAP-Initiate/Pre-auth-start message, the terminal sends a pre-authentication request (EAP-Initiate/Pre-auth) message to the destination authenticator;
Step S230: after receiving this EAP-Initiate/Pre-auth message, the destination authenticator sends a pre-authentication request to the destination authentication server;
Step S240: after receiving the pre-authentication request, the destination authentication server sends a pre-authentication request to the home authentication server;
Step S250: after receiving the pre-authentication request sent by the destination authentication server, the home authentication server carries out the pre-authentication interaction with the terminal; in this step the destination authenticator and the destination authentication server may take part in the pre-authentication interaction;
Step S260: after the pre-authentication of the terminal succeeds, the home authentication server sends a pre-authentication success message to the destination authentication server;
Step S270: after receiving the pre-authentication success message, the destination authentication server sends a pre-authentication success message to the destination authenticator;
Step S280: after receiving the pre-authentication success message, the destination authenticator sends a pre-authentication finish (EAP-Finish/Pre-auth) message to the terminal, and the pre-authentication ends.
The subsequent handover procedure can proceed according to this pre-authentication result: if the pre-authentication succeeded, the terminal can switch directly from the original management domain to the destination management domain at handover time without running the authentication procedure again.
In the embodiment shown in Fig. 2, the destination authentication server and the home authentication server may also have EAP server capability.
Fig. 3 is a schematic flow chart of the second embodiment of the method of the present invention. In this embodiment, the original management domain and the destination management domain have a trust relationship; the original management domain includes an original authenticator and an original authentication server, and the destination management domain includes a destination authenticator and a destination authentication server. As shown in Fig. 3, this embodiment mainly comprises the following steps:
Step S310: the original authenticator sends an EAP-Initiate/Pre-auth-start message to the terminal;
Step S320: after receiving this EAP-Initiate/Pre-auth-start message, the terminal sends a pre-authentication request (EAP-Initiate/Pre-auth) message to the original authenticator;
Step S330: after receiving this EAP-Initiate/Pre-auth message, the original authenticator sends a pre-authentication request to the destination authenticator;
Step S340: after receiving the pre-authentication request, the destination authenticator sends a pre-authentication request to the destination authentication server;
Step S350: after receiving the pre-authentication request, the destination authentication server sends a pre-authentication request to the home authentication server;
Step S360: the home authentication server and the terminal carry out the pre-authentication interaction; in this step the original authenticator, the destination authenticator and the destination authentication server may take part in the pre-authentication interaction;
Step S370: after the pre-authentication of the terminal succeeds, the home authentication server sends a pre-authentication success message to the destination authentication server;
Step S380: after receiving the pre-authentication success message, the destination authentication server sends a pre-authentication success message to the destination authenticator;
Step S390: after receiving the pre-authentication success message, the destination authenticator sends a pre-authentication success message to the original authenticator;
Step S395: after receiving the pre-authentication success message, the original authenticator sends an EAP-Finish/Pre-auth message to the terminal.
In the first embodiment shown in Fig. 2 the pre-authentication procedure is initiated by the destination authenticator, so it can be called the direct pre-authentication mode. In the second embodiment shown in Fig. 3 the pre-authentication procedure is initiated by the original authenticator, so it can be called the indirect pre-authentication mode.
Fig. 4 is a schematic flow chart of the third embodiment of the method of the present invention. In this embodiment, the original management domain and the destination management domain do not have a trust relationship; the original management domain includes an original authenticator and an original authentication server, and the destination management domain includes a destination authenticator and a destination authentication server. As shown in Fig. 4, this embodiment mainly comprises the following steps:
Step S410: the original authenticator sends an EAP-Initiate/Pre-auth-start message to the terminal;
Step S420: after receiving this EAP-Initiate/Pre-auth-start message, the terminal sends a pre-authentication request (EAP-Initiate/Pre-auth) message to the original authenticator;
Step S430: after receiving this EAP-Initiate/Pre-auth message, the original authenticator sends a pre-authentication request to the home authentication server;
Step S440: the home authentication server and the terminal carry out the pre-authentication interaction; in this step the destination authentication server also takes part in the pre-authentication interaction;
Step S450: after the pre-authentication of the terminal succeeds, the home authentication server sends a pre-authentication success message to the destination authentication server;
Step S460: the destination authentication server sends a pre-authentication success message to the destination authenticator;
Step S470: after the pre-authentication of the terminal succeeds, the home authentication server sends a pre-authentication success message to the original authenticator. It should be noted that there is no strict ordering between the home authentication server sending the pre-authentication success message to the original authenticator and sending it to the destination authenticator after the pre-authentication of the terminal succeeds;
Step S480: after receiving the pre-authentication success message, the original authenticator sends an EAP-Finish/Pre-auth message to the terminal.
It should be noted that the pre-authentication messages in the above embodiments of the invention, including the pre-authentication start message, the pre-authentication request message and the pre-authentication finish message, are all extensions based on the EAP authentication protocol. The technical solution of the invention can in fact also be implemented with other messages.
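The three flows of Figs. 2 to 4 as a runnable simulation. This is an added example written for this page, not code from the patent or from any implementation: the entity names OA/DA/DAS/HAS, the HMAC challenge-response that stands in for the pre-authentication interaction, the server-to-server message name `Pre-auth-success` and the terminal's per-domain bookkeeping are this example's own assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Message names taken from the page (extensions of EAP-Initiate / EAP-Finish).
PRE_AUTH_START = "EAP-Initiate/Pre-auth-start"
PRE_AUTH_REQUEST = "EAP-Initiate/Pre-auth"
PRE_AUTH_FINISH = "EAP-Finish/Pre-auth"
PRE_AUTH_SUCCESS = "Pre-auth-success"  # server-to-server notification; name assumed

# Hop sequences of the three embodiments (this example's reading of Figs. 2-4).
# OA/DA: original/destination authenticator, DAS: destination authentication
# server, HAS: home authentication server.
FLOWS = {
    "direct": {                      # Fig. 2: destination authenticator initiates
        "initiator": "DA", "request": ["DA", "DAS", "HAS"],
        "success": ["DAS", "DA"], "finisher": "DA"},
    "indirect": {                    # Fig. 3: original authenticator initiates
        "initiator": "OA", "request": ["OA", "DA", "DAS", "HAS"],
        "success": ["DAS", "DA", "OA"], "finisher": "OA"},
    "no_trust": {                    # Fig. 4: the two domains do not trust each other
        "initiator": "OA", "request": ["OA", "HAS"],
        "success": ["OA"], "finisher": "OA"},
}


@dataclass
class Terminal:
    identity: str
    secret: bytes                                   # key shared with the home server
    preauth_ok: set = field(default_factory=set)    # domains pre-authenticated for

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()


@dataclass
class HomeAuthServer:
    secrets_by_id: dict

    def pre_authenticate(self, identity: str, respond) -> bool:
        """Stand-in for the EAP pre-auth interaction: one HMAC challenge-response."""
        key = self.secrets_by_id.get(identity)
        if key is None:
            return False
        challenge = secrets.token_bytes(16)
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, respond(challenge))


def run_preauth(mode, terminal, has, dest_domain="domain-B"):
    """Run one pre-authentication flow; return the trace as (src, message, dst)."""
    flow = FLOWS[mode]
    trace = [(flow["initiator"], PRE_AUTH_START, "terminal")]
    hops = ["terminal"] + flow["request"]              # request travels hop by hop to HAS
    trace += [(s, PRE_AUTH_REQUEST, d) for s, d in zip(hops, hops[1:])]
    ok = has.pre_authenticate(terminal.identity, terminal.respond)
    trace.append(("HAS", "pre-auth interaction " + ("ok" if ok else "failed"), "terminal"))
    if not ok:
        return trace                                    # no success message, no finish
    hops = ["HAS"] + flow["success"]                   # success notification fans out
    trace += [(s, PRE_AUTH_SUCCESS, d) for s, d in zip(hops, hops[1:])]
    if mode == "no_trust":   # Fig. 4: HAS also notifies the destination domain itself
        trace += [("HAS", PRE_AUTH_SUCCESS, "DAS"), ("DAS", PRE_AUTH_SUCCESS, "DA")]
    trace.append((flow["finisher"], PRE_AUTH_FINISH, "terminal"))
    terminal.preauth_ok.add(dest_domain)               # remember which domain it covers
    return trace


def handover_authentication(terminal, target_domain):
    """Page's rule: a pre-authenticated terminal switches without the full procedure."""
    return "skip" if target_domain in terminal.preauth_ok else "full-authentication"


if __name__ == "__main__":
    has = HomeAuthServer({"alice@home": b"constructed-shared-key"})   # constructed data
    alice = Terminal("alice@home", b"constructed-shared-key")
    for src, msg, dst in run_preauth("indirect", alice, has):
        print(f"{src:>8} --{msg}--> {dst}")
    print("handover to domain-B:", handover_authentication(alice, "domain-B"))
```

The handover decision only skips authentication for the domain the success message covered; a switch to any other domain, or after a failed pre-authentication, still runs the full procedure.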
Obviously, those skilled in the art will understand that the modules or steps of the present invention described above can be implemented with general-purpose computing devices; they can be concentrated on a single computing device or distributed over a network formed by several computing devices; optionally they can be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; or they can each be made into separate integrated circuit modules, or several of the modules or steps can be made into a single integrated circuit module. The invention is therefore not restricted to any specific combination of hardware and software.
Although the embodiments of the present invention are disclosed above, the content described is adopted only to make the invention easier to understand and is not intended to limit it. Any person skilled in the technical field of the invention may make any modification or variation in the form and details of the implementation without departing from the spirit and scope disclosed by the invention, but the scope of patent protection of the invention is still defined by the appended claims.
Claims (10)
1. A pre-authentication method for a terminal switching between different management domains, used for the switching of the terminal between an original management domain and a destination management domain, characterized in that it comprises:
after receiving a pre-authentication start message sent by the original management domain or the destination management domain, the terminal sends a pre-authentication request to a home authentication server;
the home authentication server and the terminal carry out a pre-authentication interaction;
after the pre-authentication succeeds, the home authentication server sends a pre-authentication success message to the terminal and to the destination management domain.
2. The method of claim 1, characterized in that the method further comprises:
the terminal switches to the destination management domain according to the pre-authentication success message.
3. The method of claim 1, characterized in that:
the pre-authentication start message is sent to the terminal by the authenticator in the original management domain or by the authenticator in the destination management domain.
4. The method of claim 1, characterized in that the step in which the terminal sends the pre-authentication request to the home authentication server comprises:
the terminal sends the pre-authentication request to the home authentication server through the original management domain and/or the destination management domain.
5. The method of claim 1, characterized in that the step in which the home authentication server and the terminal carry out the pre-authentication interaction comprises:
the home authentication server and the terminal carry out the pre-authentication interaction through the original management domain and/or the destination management domain.
6. The method of claim 1, characterized in that:
the pre-authentication start message and the pre-authentication success message are extensions of the Extensible Authentication Protocol;
the pre-authentication interaction is carried out based on the Extensible Authentication Protocol.
7. The method of claim 6, characterized in that:
the pre-authentication start message and the pre-authentication interaction are extensions of the EAP-Initiate message;
the pre-authentication success message is an extension of the EAP-Finish message.
8. A pre-authentication system for a terminal switching between different management domains, used for the switching of the terminal between an original management domain and a destination management domain, characterized in that the system further comprises a home authentication server, wherein:
the terminal is configured to send a pre-authentication request to the home authentication server after receiving a pre-authentication start message sent by the original management domain or the destination management domain;
the home authentication server is configured to carry out a pre-authentication interaction with the terminal and, after the pre-authentication succeeds, to send a pre-authentication success message to the terminal and to the destination management domain.
9. The system of claim 8, characterized in that:
the original management domain comprises an original authenticator and the destination management domain comprises a destination authenticator;
the pre-authentication start message is sent to the terminal by the original authenticator or by the destination authenticator.
10. The system of claim 8, characterized in that:
the original management domain and/or the destination management domain are configured to forward the pre-authentication request sent by the terminal to the home authentication server, and also to take part in the pre-authentication interaction.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200910210960.XA CN102065425B (en) | 2009-11-12 | 2009-11-12 | System and method for preauthenticating terminal switched among different management domains |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102065425A true CN102065425A (en) | 2011-05-18 |
CN102065425B CN102065425B (en) | 2014-06-11 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20140611; Termination date: 20201112 |