CN102065425B - System and method for preauthenticating terminal switched among different management domains - Google Patents


Info

Publication number
CN102065425B
Authority
CN
China
Prior art keywords
authentication
management domain
certificate server
terminal
authenticator
Legal status
Expired - Fee Related
Application number
CN200910210960.XA
Other languages
Chinese (zh)
Other versions
CN102065425A (en)
Inventor
王鸿彦
韦银星
Current Assignee
ZTE Corp
Original Assignee
ZTE Corp
Application filed by ZTE Corp
Priority to CN200910210960.XA
Publication of CN102065425A
Application granted
Publication of CN102065425B


Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a system and a method for pre-authenticating a terminal that is handed over between different management domains, which reduce the handover delay of such a terminal. The method comprises the following steps: after receiving a pre-authentication start message sent by the source management domain or the destination management domain, the terminal sends a pre-authentication request to its home authentication server; the home authentication server and the terminal carry out the pre-authentication interaction; and after the pre-authentication succeeds, the home authentication server sends a pre-authentication success message to the terminal and to the destination management domain. With this system and method, a user whose terminal has been pre-authenticated successfully no longer has to run the authentication procedure in the destination management domain after the handover, so the handover delay is reduced and service continuity is improved.

Description

Pre-authentication system and method for a terminal handed over between different management domains
Technical field
The present invention relates to the field of communication technology, and in particular to a pre-authentication system and method for a terminal that is handed over between different management domains.
Background technology
In a mobile network, a terminal may be handed over between different access points. If the two access points belong to different management domains, a complete authentication procedure has to be run when the terminal is handed over from the source management domain to the destination management domain.
In the prior art, the complete authentication that a terminal performs when it is handed over between two management domains has at least the following drawbacks:
1) Compared with the physical handover itself, a complete authentication procedure needs a much longer time.
2) When a terminal is handed over in a roaming network, the user is authenticated against the authentication server of the home domain through the authentication server of the visited domain, and the delay of this is much larger than that of a user who is authenticated directly in the home domain.
3) Different management domains may use different access technologies, and different access technologies may require different authentication procedures.
Summary of the invention
The technical problem to be solved by the present invention is to provide a pre-authentication system and method that reduce the handover delay when a terminal is handed over between different management domains.
To solve the above technical problem, the present invention first provides a pre-authentication method for a terminal handed over between different management domains, used for the handover of the terminal between a source management domain and a destination management domain, comprising:
after receiving a pre-authentication start message sent by the source management domain or the destination management domain, the terminal sends a pre-authentication request to a home authentication server;
the home authentication server and the terminal carry out the pre-authentication interaction;
after the pre-authentication succeeds, the home authentication server sends a pre-authentication success message to the terminal and to the destination management domain.
Preferably, the method further comprises:
the terminal is handed over to the destination management domain according to the pre-authentication success message.
Preferably, the pre-authentication start message is sent to the terminal by the authenticator in the source management domain or by the authenticator in the destination management domain.
Preferably, the step in which the terminal sends the pre-authentication request to the home authentication server comprises:
the terminal sends the pre-authentication request to the home authentication server through the source management domain and/or the destination management domain.
Preferably, the step in which the home authentication server and the terminal carry out the pre-authentication interaction comprises:
the home authentication server and the terminal carry out the pre-authentication interaction through the source management domain and/or the destination management domain.
Preferably, the pre-authentication start message and the pre-authentication success message are extensions of the Extensible Authentication Protocol (EAP), and the pre-authentication interaction is carried out on the basis of EAP.
Preferably, the pre-authentication start message and the pre-authentication interaction are extensions of the EAP-Initiate message, and the pre-authentication success message is an extension of the EAP-Finish message.
To solve the above technical problem, the present invention also provides a pre-authentication system for a terminal handed over between different management domains, used for the handover of the terminal between a source management domain and a destination management domain, characterized in that the system further comprises a home authentication server, wherein:
the terminal is configured to send a pre-authentication request to the home authentication server after receiving a pre-authentication start message sent by the source management domain or the destination management domain;
the home authentication server is configured to carry out the pre-authentication interaction with the terminal and, after the pre-authentication succeeds, to send a pre-authentication success message to the terminal and to the destination management domain.
Preferably, the source management domain comprises a source authenticator and the destination management domain comprises a destination authenticator; the pre-authentication start message is sent to the terminal by the source authenticator or by the destination authenticator.
Preferably, the source management domain and/or the destination management domain are configured to forward the pre-authentication request sent by the terminal to the home authentication server and to take part in the pre-authentication interaction.
Through pre-authentication based on the Extensible Authentication Protocol, the present invention achieves the handover of a terminal between management domains with a reduced handover delay.
Pre-authentication means that, before the terminal starts the handover, the pre-authentication procedure with the destination management domain is run in advance, and the handover is performed only after the pre-authentication has succeeded. In this way a user who has been pre-authenticated successfully does not have to run the authentication procedure after being handed over to the destination management domain, which reduces the delay and improves service continuity.
The pre-authentication technique provided by the invention is an enhancement of the Extensible Authentication Protocol (EAP) that makes EAP better support a pre-authentication mode. In addition, the authentication procedure of the present technical solution is independent of the existing authentication procedures and has no impact on them.
Other features and advantages of the invention will be set forth in the following description, and will in part become apparent from the description or be learned by practising the invention. The objects and other advantages of the invention can be realised and obtained by the structures particularly pointed out in the description, the claims and the accompanying drawings.
Brief description of the drawings
The accompanying drawings are provided to give a further understanding of the invention and form a part of the description; together with the embodiments they serve to explain the invention and are not to be construed as limiting it. In the drawings:
Fig. 1 is a schematic diagram of the composition of the system embodiment of the invention;
Fig. 2 is a schematic flow chart of the first method embodiment of the invention;
Fig. 3 is a schematic flow chart of the second method embodiment of the invention;
Fig. 4 is a schematic flow chart of the third method embodiment of the invention.
Detailed description of the embodiments
The embodiments of the invention are described in detail below with reference to the drawings and examples, so that how the invention applies technical means to solve the technical problem, and the process by which the technical effect is achieved, can be fully understood and implemented accordingly.
It should be noted that, provided they do not conflict, the features of the embodiments and examples of the invention can be combined with one another, and all such combinations fall within the scope of protection of the invention. In addition, the steps shown in the flow charts of the drawings can be executed in a computer system such as a set of computer-executable instructions, and although a logical order is shown in the flow charts, in some cases the steps shown or described can be executed in an order different from the one given here.
ERP (EAP Extensions for EAP Re-authentication Protocol) is a re-authentication protocol, based on the Extensible Authentication Protocol (EAP), for handover within a single management domain. When a terminal is handed over within one management domain, the key material produced by the earlier full authentication may not yet have expired; running a full authentication again at handover then increases the handover delay needlessly, because the unexpired key material could have been used instead. ERP extends EAP so that the terminal and the authentication server derive keys from the Extended Master Session Key (EMSK) produced by the full authentication and use them to re-authenticate, which reduces the handover delay of the terminal.
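To make the ERP key derivation referred to in this paragraph concrete, the following is an added example (not code from the patent) that derives the ERP key hierarchy of RFC 6696 from an EMSK using the KDF of RFC 5295: the rRK is derived once from the EMSK, and the rIK and a per-handover rMSK are derived from the rRK, which is what lets a terminal re-authenticate without a full EAP exchange while the EMSK is still valid. The EMSK value is constructed test input; the rRK length of 64 octets and the rIK length of 32 octets are assumptions made here for the HMAC-SHA256 cryptosuite.

```python
import hashlib
import hmac
import struct


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """PRF+ of RFC 5295 section 3.1.2 with HMAC-SHA-256 as the PRF:
    T1 = PRF(K, S | 0x01), Tn = PRF(K, T(n-1) | S | n); output is T1 | T2 | ... truncated."""
    out, block, n = b"", b"", 1
    while len(out) < length:
        block = hmac.new(key, block + seed + bytes([n]), hashlib.sha256).digest()
        out += block
        n += 1
    return out[:length]


def kdf(key: bytes, label: bytes, optional_data: bytes, length: int) -> bytes:
    """KDF(K, S) with S = label | "\\0" | optional data | length, where length is a
    2-octet big-endian count of output octets (RFC 5295, reused by RFC 6696)."""
    seed = label + b"\x00" + optional_data + struct.pack("!H", length)
    return prf_plus(key, seed, length)


def erp_keys(emsk: bytes, seq: int, cryptosuite: int = 1) -> dict:
    """Derive the ERP hierarchy of RFC 6696 section 4: rRK from the EMSK, then rIK
    and rMSK from the rRK. The rMSK is bound to the 16-bit sequence number SEQ, so
    each re-authentication yields a fresh rMSK while rRK and rIK stay fixed for the
    lifetime of the EMSK."""
    if len(emsk) < 64:
        raise ValueError("EMSK is at least 64 octets (RFC 3748 section 7.10)")
    if not 0 <= seq <= 0xFFFF:
        raise ValueError("SEQ is a 16-bit counter")
    # rRK length: 64 octets assumed here (the EMSK length).
    rrk = kdf(emsk, b"EAP Re-authentication Root Key@ietf.org", b"", 64)
    # rIK length depends on the cryptosuite; 32 octets assumed for HMAC-SHA256 suites.
    rik = kdf(rrk, b"Re-authentication Integrity Key@ietf.org", bytes([cryptosuite]), 32)
    rmsk = kdf(rrk, b"Re-authentication Master Session Key@ietf.org", struct.pack("!H", seq), 64)
    return {"rRK": rrk, "rIK": rik, "rMSK": rmsk}


def accept_seq(last_seq: int, seq: int) -> bool:
    """Replay guard on the server side: an EAP-Initiate/Re-auth is accepted only if
    its SEQ is greater than the last SEQ seen for this rRK."""
    return seq > last_seq


if __name__ == "__main__":
    # Constructed EMSK for a stand-alone run; a real one is exported by the full EAP method.
    emsk = bytes(range(64))
    first, second = erp_keys(emsk, 1), erp_keys(emsk, 2)
    print("rRK stable across re-authentications:", first["rRK"] == second["rRK"])
    print("rMSK differs per SEQ:", first["rMSK"] != second["rMSK"])
```

Both the terminal and the server can compute this hierarchy from the EMSK they already share, which is why no round trip to the home server is needed for a re-authentication inside one domain; the sequence check is what stops a captured EAP-Initiate/Re-auth from being replayed to obtain the same rMSK twice.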
In the technical solution of the present invention the EAP-Initiate message and the EAP-Finish message are each extended, specifically as follows:
The EAP-Initiate message of the Extensible Authentication Protocol is extended with a Pre-auth-start type. The pre-authentication start (EAP-Initiate/Pre-auth-start) message is sent by the authenticator in the source management domain or in the destination management domain and indicates that this authenticator supports the EAP pre-authentication mode.
The EAP-Initiate message is further extended with a Pre-auth type. When the terminal receives an EAP-Initiate message carrying the pre-authentication start (Pre-auth-start) type, i.e. an EAP-Initiate/Pre-auth-start message, it sends an EAP-Initiate message of the Pre-auth type, i.e. a pre-authentication request (EAP-Initiate/Pre-auth) message, which starts the pre-authentication procedure.
The EAP-Finish message of the Extensible Authentication Protocol is extended with a Pre-auth type. After the pre-authentication procedure has finished, the authenticator in the destination management domain sends an EAP-Finish/Pre-auth message to the terminal. This EAP-Finish/Pre-auth message may be delivered to the authenticator of the destination management domain by the EAP server of the destination management domain.
Fig. 1 is a schematic diagram of the composition of the system embodiment of the invention. As shown in Fig. 1, the system embodiment mainly comprises a terminal 110; the authenticator (called the source authenticator 120) and the authentication server (called the source authentication server 130) in the source management domain; the authenticator (called the destination authenticator 140) and the authentication server (called the destination authentication server 150) in the destination management domain; and a home authentication server 160, wherein:
the source authenticator 120 is connected to the terminal 110 and to the source authentication server 130, and is configured to send the pre-authentication start message to the terminal 110, to forward the pre-authentication request message sent by the terminal 110 to the source authentication server 130, and to forward the pre-authentication success message sent by the source authentication server 130 to the terminal 110;
the destination authenticator 140 has a layer-2 connection with the terminal 110 and is connected to the destination authentication server 150, and is configured to send the pre-authentication start message to the terminal 110, to forward the pre-authentication request message sent by the terminal 110 to the destination authentication server 150, and to forward the pre-authentication success message sent by the destination authentication server 150 to the terminal 110;
the terminal 110 is connected to the source authenticator 120 and the destination authenticator 140, and is configured to send a pre-authentication request message to the source authenticator 120 or the destination authenticator 140 after receiving the pre-authentication start message sent by one of them, and to receive the pre-authentication success message sent by the source authenticator 120 or the destination authenticator 140;
the source authentication server 130 is connected to the source authenticator 120 and the home authentication server 160, and is configured to forward the pre-authentication request message sent by the source authenticator 120 to the home authentication server 160, and to forward the pre-authentication success message sent by the home authentication server 160 after a successful pre-authentication to the source authenticator 120;
the destination authentication server 150 is connected to the destination authenticator 140 and the home authentication server 160, and is configured to forward the pre-authentication request message sent by the destination authenticator 140 to the home authentication server 160, and to forward the pre-authentication success message sent by the home authentication server 160 after a successful pre-authentication to the destination authenticator 140;
the home authentication server 160 is connected to the source authentication server 130 and the destination authentication server 150, and is configured, after receiving the pre-authentication request sent by the source authentication server 130 or the destination authentication server 150, to send a pre-authentication success message to the source authentication server 130 or the destination authentication server 150 indicating that the pre-authentication has succeeded.
The pre-authentication interaction between the terminal 110 and the home authentication server 160 may pass through the destination authenticator 140, the destination authentication server 150, the source authenticator 120 and the source authentication server 130. The pre-authentication success message that the destination authenticator 140 sends to the terminal 110 may be obtained from any device with EAP server capability; this EAP server may be, for example, the home authentication server 160, or it may be the destination authentication server 150.
For how the system embodiment shown in Fig. 1 carries out the pre-authentication procedure of the invention, please refer further to the method embodiments shown in Fig. 2 to Fig. 4.
Fig. 2 is a schematic flow chart of the first method embodiment of the invention. In this embodiment the source management domain and the destination management domain have a trust relationship; the source management domain comprises a source authenticator and a source authentication server, and the destination management domain comprises a destination authenticator and a destination authentication server. As shown in Fig. 2, this embodiment mainly comprises the following steps:
Step S210: the destination authenticator sends a pre-authentication start (EAP-Initiate/Pre-auth-start) message to the terminal;
Step S220: after receiving the EAP-Initiate/Pre-auth-start message, the terminal sends a pre-authentication request (EAP-Initiate/Pre-auth) message to the destination authenticator;
Step S230: after receiving the EAP-Initiate/Pre-auth message, the destination authenticator sends a pre-authentication request to the destination authentication server;
Step S240: after receiving the pre-authentication request, the destination authentication server sends a pre-authentication request to the home authentication server;
Step S250: after receiving the pre-authentication request sent by the destination authentication server, the home authentication server carries out the pre-authentication interaction with the terminal; in this step the destination authenticator and the destination authentication server may take part in the pre-authentication interaction;
Step S260: after the terminal has been pre-authenticated successfully, the home authentication server sends a pre-authentication success message to the destination authentication server;
Step S270: after receiving the pre-authentication success message, the destination authentication server sends a pre-authentication success message to the destination authenticator;
Step S280: after receiving the pre-authentication success message, the destination authenticator sends a pre-authentication finish (EAP-Finish/Pre-auth) message to the terminal, and the pre-authentication ends.
The subsequent handover procedure can then proceed according to the pre-authentication result: if the pre-authentication succeeded, the terminal can be handed over directly from the source management domain to the destination management domain without running the authentication procedure again.
In the embodiment shown in Fig. 2, the destination authentication server and the home authentication server may also have EAP server capability.
Fig. 3 is a schematic flow chart of the second method embodiment of the invention. In this embodiment the source management domain and the destination management domain have a trust relationship; the source management domain comprises a source authenticator and a source authentication server, and the destination management domain comprises a destination authenticator and a destination authentication server. As shown in Fig. 3, this embodiment mainly comprises the following steps:
Step S310: the source authenticator sends an EAP-Initiate/Pre-auth-start message to the terminal;
Step S320: after receiving the EAP-Initiate/Pre-auth-start message, the terminal sends a pre-authentication request (EAP-Initiate/Pre-auth) message to the source authenticator;
Step S330: after receiving the EAP-Initiate/Pre-auth message, the source authenticator sends a pre-authentication request to the destination authenticator;
Step S340: after receiving the pre-authentication request, the destination authenticator sends a pre-authentication request to the destination authentication server;
Step S350: after receiving the pre-authentication request, the destination authentication server sends a pre-authentication request to the home authentication server;
Step S360: the home authentication server carries out the pre-authentication interaction with the terminal; in this step the source authenticator, the destination authenticator and the destination authentication server may take part in the pre-authentication interaction;
Step S370: after the terminal has been pre-authenticated successfully, the home authentication server sends a pre-authentication success message to the destination authentication server;
Step S380: after receiving the pre-authentication success message, the destination authentication server sends a pre-authentication success message to the destination authenticator;
Step S390: after receiving the pre-authentication success message, the destination authenticator sends a pre-authentication success message to the source authenticator;
Step S395: after receiving the pre-authentication success message, the source authenticator sends an EAP-Finish/Pre-auth message to the terminal.
In the first embodiment shown in Fig. 2 the pre-authentication procedure is initiated by the destination authenticator, so it may be called the direct pre-authentication mode. In the second embodiment shown in Fig. 3 the pre-authentication procedure is initiated by the source authenticator, so it may be called the indirect pre-authentication mode.
Fig. 4 is a schematic flow chart of the third method embodiment of the invention. In this embodiment the source management domain and the destination management domain have no trust relationship; the source management domain comprises a source authenticator and a source authentication server, and the destination management domain comprises a destination authenticator and a destination authentication server. As shown in Fig. 4, this embodiment mainly comprises the following steps:
Step S410: the source authenticator sends an EAP-Initiate/Pre-auth-start message to the terminal;
Step S420: after receiving the EAP-Initiate/Pre-auth-start message, the terminal sends a pre-authentication request (EAP-Initiate/Pre-auth) message to the source authenticator;
Step S430: after receiving the EAP-Initiate/Pre-auth message, the source authenticator sends a pre-authentication request to the home authentication server;
Step S440: the home authentication server carries out the pre-authentication interaction with the terminal; in this step the destination authentication server also takes part in the pre-authentication interaction;
Step S450: after the terminal has been pre-authenticated successfully, the home authentication server sends a pre-authentication success message to the destination authentication server;
Step S460: the destination authentication server sends a pre-authentication success message to the destination authenticator;
Step S470: after the terminal has been pre-authenticated successfully, the home authentication server sends a pre-authentication success message to the source authenticator; it should be noted that there is no strict order between the success messages that the home authentication server sends to the source authenticator and to the destination authenticator after the pre-authentication has succeeded;
Step S480: after receiving the pre-authentication success message, the source authenticator sends an EAP-Finish/Pre-auth message to the terminal.
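As an added example that is not part of the patent, the following Python code simulates the three flows above (Fig. 2 direct, Fig. 3 indirect, Fig. 4 without a trust relationship) together with the EAP-Initiate/EAP-Finish extensions they rely on, so that the hop order and the point at which the destination domain obtains its success record can be checked. Assumptions: the EAP Code values 5 (Initiate) and 6 (Finish) are the ones ERP defines in RFC 6696; the numeric Type values for Pre-auth-start and Pre-auth are hypothetical placeholders, since the patent assigns none; the home server's pre-authentication interaction is modelled as a keyed challenge-response over a constructed shared key, standing in for whatever EAP method the home server really runs, and it is relayed over the same path as the request; the entity names (src_auth, dest_auth, dest_aaa, home_aaa) are mine.

```python
import hashlib
import hmac
import secrets
import struct

# EAP Codes Initiate (5) and Finish (6) are those of ERP, RFC 6696. The patent adds
# Pre-auth-start and Pre-auth Types to them but assigns no numeric values; the two
# values below are hypothetical placeholders, not registered code points.
EAP_INITIATE, EAP_FINISH = 5, 6
TYPE_PREAUTH_START, TYPE_PREAUTH = 200, 201

# Constructed credential shared between the terminal and its home server; it stands
# in for the EAP method the home server actually runs, which the patent leaves open.
HOME_KEYS = {b"user@home.example": b"constructed-home-key"}

# Who relays the pre-authentication request to the home server in each embodiment.
REQUEST_PATH = {
    "direct":    ["dest_auth", "dest_aaa", "home_aaa"],              # Fig. 2
    "indirect":  ["src_auth", "dest_auth", "dest_aaa", "home_aaa"],  # Fig. 3
    "untrusted": ["src_auth", "home_aaa"],                           # Fig. 4
}


def eap_encode(code: int, ident: int, etype: int, data: bytes = b"") -> bytes:
    """EAP header of RFC 3748: Code, Identifier, Length (whole packet), Type, data."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), etype) + data


def eap_decode(pkt: bytes):
    """Parse an EAP packet; rejects a Length field that disagrees with the packet."""
    if len(pkt) < 5:
        raise ValueError("truncated EAP packet")
    code, ident, length, etype = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match the packet")
    return code, ident, etype, pkt[5:]


def run_preauth(mode: str, nai: bytes = b"user@home.example", terminal_key: bytes = None) -> dict:
    """Run one embodiment end to end. Returns the hop trace and whether the
    destination domain ends up holding a pre-authentication success record."""
    path = REQUEST_PATH[mode]
    starter = path[0]                       # authenticator that sent Pre-auth-start
    back = path[::-1]                       # same path, home server towards authenticator
    key = HOME_KEYS.get(nai, b"") if terminal_key is None else terminal_key
    trace = []

    def hop(src, dst, what):
        trace.append((src, dst, what))

    # Start, request, relay to the home server (S210-S240 / S310-S350 / S410-S430).
    hop(starter, "terminal", "EAP-Initiate/Pre-auth-start")
    req = eap_encode(EAP_INITIATE, 1, TYPE_PREAUTH, nai)
    hop("terminal", starter, "EAP-Initiate/Pre-auth")
    for src, dst in zip(path, path[1:]):
        hop(src, dst, "pre-auth request")

    # Home server: validate the request, then run a challenge-response with the
    # terminal over the same path (hypothetical stand-in for the EAP method).
    code, _, etype, peer = eap_decode(req)
    if (code, etype) != (EAP_INITIATE, TYPE_PREAUTH) or peer not in HOME_KEYS:
        return {"ok": False, "trace": trace, "dest_has_record": False}
    nonce = secrets.token_bytes(16)
    for src, dst in zip(back, back[1:]):
        hop(src, dst, "challenge")
    hop(starter, "terminal", "challenge")
    response = hmac.new(key, nonce, hashlib.sha256).digest()      # computed by the terminal
    hop("terminal", starter, "response")
    for src, dst in zip(path, path[1:]):
        hop(src, dst, "response")
    expected = hmac.new(HOME_KEYS[peer], nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(response, expected):
        return {"ok": False, "trace": trace, "dest_has_record": False}

    # Success distribution (S260-S280 / S370-S395 / S450-S480): the destination domain
    # always receives the record; the EAP-Finish reaches the terminal through the
    # authenticator that started the exchange.
    hop("home_aaa", "dest_aaa", "pre-auth success")
    hop("dest_aaa", "dest_auth", "pre-auth success")
    if mode == "indirect":
        hop("dest_auth", "src_auth", "pre-auth success")
    elif mode == "untrusted":
        hop("home_aaa", "src_auth", "pre-auth success")
    finish = eap_encode(EAP_FINISH, 1, TYPE_PREAUTH, peer)
    hop(starter, "terminal", "EAP-Finish/Pre-auth")
    return {"ok": True, "trace": trace, "dest_has_record": True, "finish": finish}


def handover_needs_full_auth(result: dict) -> bool:
    """At handover time the destination domain skips the full EAP exchange only if it
    holds the pre-authentication success record for this terminal."""
    return not result["dest_has_record"]
```

Calling run_preauth("direct"), run_preauth("indirect") and run_preauth("untrusted") reproduces the hop order of Fig. 2, Fig. 3 and Fig. 4 respectively. The property worth checking is the last function: handover_needs_full_auth is false only when the home server has actually pushed a success record into the destination domain, so a failed or missing pre-authentication (wrong key, unknown identity, malformed packet) falls back to the full authentication rather than being skipped.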
It should be noted that the pre-authentication messages in the above embodiments of the invention, including the pre-authentication start message, the pre-authentication request message and the pre-authentication finish message, are all extensions of the EAP authentication protocol. The technical solution of the invention can in fact also be realised with other messages.
Obviously, those skilled in the art will understand that each of the modules or steps of the invention described above can be implemented with general-purpose computing devices; they can be concentrated on a single computing device or distributed over a network formed by several computing devices; optionally, they can be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by a computing device; or they can be made into individual integrated circuit modules, or several of the modules or steps can be made into a single integrated circuit module. Thus the invention is not restricted to any particular combination of hardware and software.
Although the embodiments of the invention are disclosed above, the content described is adopted only to facilitate understanding of the invention and is not intended to limit it. Any person skilled in the technical field of the invention can make modifications and variations in the form and details of the implementation without departing from the spirit and scope disclosed by the invention, but the scope of patent protection of the invention shall still be defined by the appended claims.

Claims (5)

1. A pre-authentication method for a terminal handed over between different management domains, used for the handover of the terminal between a source management domain and a destination management domain, characterized in that it comprises:
after receiving a pre-authentication start message sent by the source management domain or the destination management domain, the terminal sends a pre-authentication request to a home authentication server;
the pre-authentication start message and the pre-authentication success message are extensions of the Extensible Authentication Protocol;
the pre-authentication interaction is carried out on the basis of the Extensible Authentication Protocol;
the home authentication server and the terminal carry out the pre-authentication interaction, and a destination authentication server takes part in the pre-authentication interaction;
the destination authentication server forwards the pre-authentication request message sent by a destination authenticator to the home authentication server, and forwards the pre-authentication success message sent by the home authentication server after a successful pre-authentication to the destination authenticator;
the step in which the terminal sends the pre-authentication request to the home authentication server comprises:
the terminal sends the pre-authentication request to the home authentication server through the source management domain and/or the destination management domain;
the step in which the home authentication server and the terminal carry out the pre-authentication interaction comprises:
the home authentication server and the terminal carry out the pre-authentication interaction through the source management domain and/or the destination management domain;
after the pre-authentication succeeds, the home authentication server sends a pre-authentication success message to the terminal and to the destination management domain.
2. The method of claim 1, characterized in that it further comprises:
the terminal is handed over to the destination management domain according to the pre-authentication success message.
3. The method of claim 1, characterized in that:
the pre-authentication start message is sent to the terminal by the authenticator in the source management domain or by the authenticator in the destination management domain.
4. The method of claim 1, characterized in that:
the pre-authentication start message and the pre-authentication interaction are extensions of the EAP-Initiate message;
the pre-authentication success message is an extension of the EAP-Finish message.
5. A pre-authentication system for a terminal handed over between different management domains, used for the handover of the terminal between a source management domain and a destination management domain, characterized in that the system further comprises a destination authentication server and a home authentication server, wherein:
the terminal is configured to send a pre-authentication request to the home authentication server after receiving a pre-authentication start message sent by the source management domain or the destination management domain;
the destination authentication server is configured to take part in the pre-authentication interaction;
the home authentication server is configured to carry out the pre-authentication interaction with the terminal and, after the pre-authentication succeeds, to send a pre-authentication success message to the terminal and to the destination management domain;
the source management domain comprises a source authenticator, and the destination management domain comprises a destination authenticator;
the pre-authentication start message is sent to the terminal by the source authenticator or by the destination authenticator;
the source management domain and/or the destination management domain are configured to forward the pre-authentication request sent by the terminal to the home authentication server and to take part in the pre-authentication interaction.
CN200910210960.XA 2009-11-12 2009-11-12 System and method for preauthenticating terminal switched among different management domains Expired - Fee Related CN102065425B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200910210960.XA CN102065425B (en) 2009-11-12 2009-11-12 System and method for preauthenticating terminal switched among different management domains

Publications (2)

Publication Number Publication Date
CN102065425A CN102065425A (en) 2011-05-18
CN102065425B (en) 2014-06-11

Family

ID=44000476

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200910210960.XA Expired - Fee Related CN102065425B (en) 2009-11-12 2009-11-12 System and method for preauthenticating terminal switched among different management domains

Country Status (1)

Country Link
CN (1) CN102065425B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102833747B (en) * 2012-09-17 2015-02-25 北京交通大学 Method for distributing secret keys realizing authentication for access in separation mechanism mobility management system
CN102869000B (en) * 2012-09-17 2015-05-20 北京交通大学 Certificate authorization method of separation-mechanism mobile management system
CN108881131B (en) * 2017-06-23 2021-01-08 中国人民解放军理工大学 Efficient transfer mechanism of host identity authentication information in SDN multi-domain mobile network environment

Citations (1)

Publication number Priority date Publication date Assignee Title
CN101212798A (en) * 2006-12-26 2008-07-02 中兴通讯股份有限公司 Pre-authentication process that supports quick switching

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US8446875B2 (en) * 2007-02-23 2013-05-21 Toshiba America Research, Inc. Media independent pre-authentication supporting fast-handoff in proxy MIPv6 environment

Also Published As

Publication number Publication date
CN102065425A (en) 2011-05-18

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 2014-06-11

Termination date: 2020-11-12