CN102694779A - Combination authentication system and authentication method - Google Patents

Combination authentication system and authentication method

Info

Publication number: CN102694779A
Authority: CN (China)
Prior art keywords: authentication, idp, framework, openid, sso
Legal status: Granted
Application number: CN2011100724635A
Other languages: Chinese (zh)
Other versions: CN102694779B (en)
Inventors: 张孟旺, 田甜
Current assignee: ZTE Corp
Original assignee: ZTE Corp

Events:
    • Application filed by ZTE Corp
    • Priority to CN201110072463.5A (granted as CN102694779B)
    • Priority to PCT/CN2012/071198 (published as WO2012126299A1)
    • Publication of CN102694779A
    • Application granted
    • Publication of CN102694779B
    • Current legal status: Expired - Fee Related
    • Anticipated expiration

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815: Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L2209/00: Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80: Wireless

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Disclosed in the invention is a combination authentication system comprising a single sign-on (SSO) architecture and an OpenID architecture. Fusion and interworking between the SSO architecture and the OpenID architecture are realized by sharing the application server (AS) of the SSO architecture and the OpenID provider (OP) of the OpenID architecture as one entity. The invention also discloses an authentication method applied to this authentication system. After a relying party (RP) receives a service request from user equipment (UE), it redirects the UE to the OP carrying an OpenID authentication request; after the OP receives an HTTP GET request from the UE, it returns an unauthorized response requiring the UE to authenticate with the session initiation protocol (SIP) Digest mechanism of the SSO architecture; if the UE has not yet completed SIP Digest authentication, it completes it through the SSO architecture; after SIP Digest authentication the OP obtains the UE's authorization information, completes OpenID authentication of the UE according to that information, generates an authentication assertion from the authentication result, and sends the assertion to the RP. The invention extends the application scenarios of a UE in an SSO architecture so that existing diverse Web services can be used.

Description

Combination authentication system and authentication method
Technical field
The present invention relates to technology for integrating a single sign-on (SSO, Single Sign On) framework with an OpenID framework, and in particular to a fused SSO/OpenID system and to an authentication method applied in that fused system.
Background technology
The third generation partnership project (3GPP, 3rd Generation Partnership Project) has proposed that a unified IMS terminal in a non-Universal Integrated Circuit Card (UICC, Universal Integrated Circuit Card) environment use the session initiation protocol (SIP, Session Initiation Protocol) Digest authentication mechanism to achieve SSO when accessing an application server (AS, Application Server); this function can be realized through the SSO framework designed in SSO_APS. The SSO framework normally consists of the unified IP Multimedia Subsystem (IMS, IP Multimedia Subsystem) user, the home subscriber server (HSS, Home Subscriber Server), the AS, and an identity provider entity (IdP). The user equipment (UE, User Equipment) is connected to the IdP over the SSOb interface, the UE is connected to the AS over the SSOa interface, and the IdP is connected to the HSS over the SSOh interface. The IdP uses SIP Digest to perform mutual authentication with the UE and also authenticates the AS; the key shared between the IdP and the user is K0. The HSS stores the subscription data describing the user profile and also has the function of generating authentication information. The AS provides network services to the UE.
The SSO framework of SSO_APS addresses the situation in which the operator has not deployed GBA and the IMS terminal has no UICC. The SIP Digest authentication mechanism is used to authenticate the UE and realize the SSO function of such an IMS terminal towards the AS, as follows:
The IMS terminal (UE) sends an HTTP service request to the AS. The AS responds to the UE with a 401 Unauthorized HTTPS response requiring the UE to go to the authentication center for authentication; this response also carries the AS identity information encrypted with the key shared between the AS and the authentication center (IdP). The UE sends an HTTP request to the IdP asking it to authenticate the UE; this message carries the UE's identity identifier together with the encrypted AS identity information. The IdP authenticates the AS using the private AS identifier it recovers and stores the authentication result. At the same time it checks whether a K0 for this UE already exists: if it does, the UE has already been authenticated with this key, SIP Digest authentication need not be run again, and the IdP skips it and goes straight to the subsequent steps. If the IdP finds no K0 for this UE, it obtains the SIP Digest authentication vector and the UE's information from the HSS based on the IMS identity information; the IdP generates a random number nonce and stores this nonce together with the hash value H(A1) downloaded from the HSS; the IdP sends a 401 authentication challenge to the UE using the SIP Digest mechanism; the UE generates a random number cnonce and H(A1), derives the key K0 from them, and computes the response from the challenge parameters; the UE sends the response to the IdP, and the IdP completes authentication of the UE and derives the shared key K0. The IdP then generates another random number nonce1, derives the shared encryption key K1 from nonce1 and K0, encrypts nonce1 and related information with K0, and encrypts K1 and the UE authentication result with the key shared between the IdP and the AS. The IdP sends a 200 OK message to the UE containing the K0-encrypted nonce1 and related information, indicating that UE authentication succeeded; at the same time the IdP redirects the UE to the AS carrying K1 and the authentication result encrypted with the key shared between the AS and the IdP. The UE decrypts to obtain nonce1 and derives the shared key K1; the AS decrypts to obtain the UE's authentication result and the key K1. The UE and the AS now share the key K1 and can use it to encrypt their subsequent communication, securing the channel between them.
OpenID also defines its own framework and specification for accessing Web services. Its framework mainly comprises three entities: the UE, the OpenID provider (OP, OpenID Provider), and the relying party (RP).
The OpenID framework relies on each end user having a user identifier assigned at registration with the OpenID Provider. When the UE accesses an RP that supports OpenID, it only needs to enter this user identifier; the RP normalizes the identifier and then uses the discovery mechanism to obtain the OP endpoint URL (URL, Uniform/Universal Resource Locator) from it. An association may be established between the RP and the OP so that they share a key; this key lets the OP sign subsequent messages and lets the RP verify them. The association step is optional, but when the OP and the RP are in the networks of different mobile network operators (MNO, Mobile Network Operator) the shared key produced by this step is important for the secure transport of messages. The RP asks the OP to authenticate the UE; the OP determines from the UE's authorization information whether the UE is authorized to perform OpenID authentication and whether it is authorized for the intended use, completes authentication of the OpenID user according to that authorization information, generates an authentication assertion according to the authentication result, and returns it to the RP. The RP verifies the assertion and decides whether to provide service to the UE.
In the SSO framework of SSO_APS the AS ultimately obtains a shared key and the terminal's authentication and authorization result, while the OpenID framework supports Web services and provides a unique identifier for each UE. If interworking between these two frameworks can be realized, the original security is not reduced, terminal operation becomes simpler, and the terminal's application scenarios are extended so that existing diverse Web services can be used.
3GPP specification 33.924 currently defines a scenario in which the GBA framework and the OpenID framework interwork, with the network application function (NAF, Network Application Function) and the OP being one entity. The Ub and Zn interface functions of the original GBA framework remain essentially unchanged, while the OP of the OpenID framework and the UE must add GBA functionality. Each time the UE accesses an RP it must first authenticate at the OP/NAF, and to authenticate at the OP/NAF a bootstrapping procedure must be run between the UE and the bootstrapping server function (BSF, Bootstrapping Server Function).
A unified IMS terminal in a non-UICC environment cannot use the GBA framework for authentication. For such IMS terminals, SSO_APS has designed a framework that realizes the SSO function with the SIP Digest mechanism, and the problem that remains to be solved is that the SSO framework and the OpenID framework currently cannot be fused to interwork. Solving it would let such IMS terminals support the OpenID mechanism and thereby obtain diverse Web services.
Summary of the invention
In view of this, the main object of the present invention is to provide a combination authentication system and authentication method that fuse the SSO framework with the OpenID framework so as to provide richer Web services to the UE.
To achieve the above object, the technical solution of the present invention is as follows:
A combination authentication system comprises an SSO framework and an OpenID framework, wherein fusion and interworking between the SSO framework and the OpenID framework are realized by sharing the application server (AS) in the SSO framework and the OpenID provider (OP) in the OpenID framework as one entity.
Preferably, the OpenID framework further comprises a relying party (RP), wherein:
the RP is configured to, after receiving a service request from IP Multimedia Subsystem (IMS) user equipment (UE), redirect the UE to the OP carrying an OpenID authentication request;
the OP is configured to, after receiving an HTTP GET request from the UE, return an unauthorized response to the UE requiring the UE to authenticate with the SIP Digest mechanism of the SSO framework;
the UE is configured to, when it has not yet completed SIP Digest authentication, perform SIP Digest authentication through the SSO framework;
the OP is further configured to obtain the authorization information of the UE after SIP Digest authentication, complete OpenID authentication of the UE according to that authorization information, generate an authentication assertion according to the authentication result, and send the assertion to the RP;
the RP is further configured to provide service to the UE when it confirms that the assertion is correct.
Preferably, the RP is further configured to, after receiving the UE's service request, obtain the address information of the OP and discover the OP endpoint URL based on the UE identification information carried in the service request, and complete authentication of the UE through that URL.
Preferably, before the RP and the OP exchange information, they further negotiate a key for protecting the security of their communication.
Preferably, the SSO framework further comprises a home subscriber server (HSS) and an identity provider entity (IdP), wherein:
the AS is configured to request the UE to authenticate with the IdP, the request authentication information flow carrying the identification information of the UE and of the AS;
the IdP is configured to authenticate the AS based on the AS identification information and store the AS authentication result, and, on determining that the UE has not passed SIP Digest authentication, to obtain the SIP Digest authentication vector and the UE's information from the HSS, generate a random number nonce, and send an authentication challenge to the UE;
the UE is configured to generate a random number cnonce and the hash value, derive the shared key K0 from them, and reply to the IdP with a response;
the IdP is configured to complete authentication of the UE after receiving the UE's response and generate K0; to generate another random number nonce1, derive the key K1 from nonce1 and K0, encrypt nonce1 and related information with K0, and encrypt K1 and the UE authentication result with the key shared between the AS and the IdP; to send a 200 OK message to the UE containing the K0-encrypted nonce1 and related information, indicating that UE authentication succeeded; and at the same time to redirect the information encrypted with the key shared between the AS and the IdP to the AS;
the UE is further configured to generate K1 after obtaining the 200 OK message, so that the UE and the AS share the key K1.
An authentication method is applied in a system in which an SSO framework and an OpenID framework are fused, fusion and interworking between the SSO framework and the OpenID framework being realized by sharing the AS in the SSO framework and the OP in the OpenID framework as one entity; the method comprises:
the RP, after receiving a service request from IMS UE, redirects the UE to the OP carrying an OpenID authentication request;
the OP, after receiving an HTTP GET request from the UE, returns an unauthorized response to the UE requiring the UE to authenticate with the SIP Digest mechanism of the SSO framework;
the UE, when it has not yet completed SIP Digest authentication, performs SIP Digest authentication through the SSO framework;
the OP obtains the authorization information of the UE after SIP Digest authentication, completes OpenID authentication of the UE according to that authorization information, generates an authentication assertion according to the authentication result, and sends the assertion to the RP;
the RP provides service to the UE when it confirms that the assertion is correct.
Preferably, the method further comprises:
the RP, after receiving the UE's service request, obtains the address information of the OP and discovers the OP endpoint URL based on the UE identification information carried in the service request, and completes authentication of the UE through that URL.
Preferably, the method further comprises:
before the RP and the OP exchange information, negotiating a key for protecting the security of their communication.
Preferably, the UE performing SIP Digest authentication through the SSO framework when it has not yet completed SIP Digest authentication comprises:
the AS requests the UE to authenticate with the authentication center IdP, the request authentication information flow carrying the identification information of the UE and of the AS;
the IdP authenticates the AS based on the AS identification information and stores the AS authentication result, and, on determining that the UE has not passed SIP Digest authentication, obtains the SIP Digest authentication vector, the UE's information and the hash value from the HSS, generates a random number nonce, and sends an authentication challenge to the UE;
the UE generates a random number cnonce and the hash value, derives the shared key K0 from them, and replies to the IdP with a response;
the IdP completes authentication of the UE after receiving the UE's response and generates K0; it generates another random number nonce1, derives the key K1 from nonce1 and K0, encrypts nonce1 and related information with K0, and encrypts K1 and the UE authentication result with the key shared between the AS and the IdP; the IdP sends a 200 OK message to the UE containing the K0-encrypted nonce1 and related information, indicating that UE authentication succeeded; at the same time the IdP redirects the information encrypted with K0 and with the key shared between the AS and the IdP to the AS;
the UE generates K1 after obtaining the 200 OK message, so that the UE and the AS share the key K1.
In the present invention, fusion between the SSO framework and the OpenID framework is realized by sharing the AS in the SSO framework and the OP in the OpenID framework. Thus, when the UE initiates a service request to the OpenID framework, the OpenID framework triggers the UE to initiate SIP Digest authentication towards the SSO framework. This strengthens supervision of the UE user while also providing richer Web services to users under the SSO framework.
Description of drawings
Fig. 1 is a schematic diagram of the composition of the fused SSO/OpenID system of the present invention;
Fig. 2 is the flow chart of the authentication method applied to the system shown in Fig. 1.
Embodiment
The basic idea of the present invention is to realize fusion between the SSO framework and the OpenID framework by sharing the AS in the SSO framework and the OP in the OpenID framework. Thus, when the UE initiates a service request to the OpenID framework, the OpenID framework triggers the UE to initiate SIP Digest authentication towards the SSO framework. This strengthens supervision of the UE user while also providing richer Web services to users under the SSO framework.
To make the objects, technical solution and advantages of the invention clearer, the invention is further explained below through embodiments and with reference to the accompanying drawings.
Fig. 1 is a schematic diagram of the composition of the fused SSO/OpenID system of the present invention. As shown in Fig. 1, the invention proposes a combined authentication architecture that realizes interworking between the SSO framework of SSO_APS and the OpenID framework, so that a unified IMS terminal in a UICC-less environment can use this combined architecture to achieve the SSO function towards application servers. Here the UE is the IMS terminal; the OpenID provider entity (OP) and the application server entity of the SSO framework in SSO_APS are one entity, denoted OP/AS; the RP corresponds to the final OpenID application server that the IMS terminal wants to access in the fused system; and the IdP is the user authentication center that completes authentication of the UE in the SSO framework of SSO_APS. In the present invention each network element of the SSO framework and of the OpenID framework largely keeps its original function and structure; the larger change is the merging of the OP and the AS. Because the functions these network elements implement are prior art, their functions and concrete structure are not repeated here. The invention only describes how the UE is authenticated in the fused system.
Fig. 2 is the flow chart of the authentication method applied to the system shown in Fig. 1. As shown in Fig. 2, the authentication method of the invention specifically comprises the following steps:
Step 1. The user sends a User-Supplied Identifier to the RP through the browser of the UE, initiating a service request.
Step 2. The RP normalizes the User-Supplied Identifier, obtains the address of the OP based on it, and discovers the OP endpoint URL (Uniform/Universal Resource Locator); the UE expects to complete authentication using this URL.
Step 3. The RP and the OP establish a shared key using the Diffie-Hellman key exchange. The purpose of this shared key is to let the OP protect its subsequent messages and let the RP verify the messages it receives (this key is an optional attribute and not a necessary operation for interworking). If the OP and the RP are in the control domains of different mobile network operators (MNO, Mobile Network Operator), this key negotiation is necessary.
Step 4. The RP redirects the browser of the UE to the OP carrying an OpenID authentication request. The RP inserts the User-Supplied Identifier of step 1 into the openid.claimed_id and openid.identity fields of the OpenID authentication request message.
Step 5. Following this redirect, the UE sends an HTTP GET request to the OP.
Step 6. The OP/AS initiates UE authentication and responds with a 401 Unauthorized HTTPS response. This HTTPS response contains an authentication header carrying the challenge information, and the UE authenticates with the server using the SIP Digest mechanism. The response also carries the OP/AS identity (OP/AS_credential) encrypted with the key shared between the OP/AS and the IdP, i.e. E_{K_{O,i}}(OP/AS_credential). A shared key K_{O,i} exists between the OP/AS and the IdP by current mechanisms; since obtaining K_{O,i} is prior art, the details of how it is obtained are not repeated here.
Step 7. If the UE has no valid key K0 available, the UE sends an HTTP request message to the IdP to carry out UE authentication; this HTTP request carries the UE's identity (U_credential) and E_{K_{O,i}}(OP/AS_credential).
Step 8. The IdP decrypts E_{K_{O,i}}(OP/AS_credential) to obtain the OP/AS identity, authenticates the OP/AS on that basis, and generates and stores the OP/AS authentication result OP/AS_Auth. At the same time, based on the received UE identifier U_credential, the IdP first checks whether a key K0 shared between this UE and the IdP exists; if K0 exists it jumps directly to step 15, otherwise it executes step 9.
Step 9. The IdP sends an authentication request to the HSS and, based on U_credential, looks up and downloads the corresponding SIP Digest authentication vector (SD-AV) and user configuration information from the HSS. The SD-AV contains U_credential, the realm, the quality of protection (qop), the authentication algorithm (algorithm), and H(A1), where H(A1) is the hash value computed over U_credential, realm and password. In a multi-HSS environment the IdP can query the subscription locator function (SLF, Subscription Locator Function) for the address of the HSS that stores the user's information and so find the corresponding HSS.
Step 10. The IdP generates a random number nonce and stores it together with the H(A1) of this U_credential downloaded from the HSS.
Step 11. The IdP sends a 401 unauthenticated challenge message to the UE containing U_credential, realm, qop, algorithm and nonce.
Step 12. On receiving the 401 challenge message, the UE generates a random number cnonce and H(A1), then derives the key K0 shared between the UE and the IdP from cnonce, H(A1) and other parameters, and computes the response value with a one-way hash function F: response = F(H(A1), cnonce, nonce, qop, nonce-count). The UE uses cnonce to authenticate the network and to avoid chosen-plaintext attacks. nonce-count is a counter: each time the user computes a response with the same nonce, nonce-count is incremented by 1; including nonce-count in the response computation reduces the possibility of replay attacks.
Step 13. The UE sends a response to the challenge message of step 11 to the IdP; this response message contains cnonce, nonce, response, realm, U_credential, qop, algorithm, Digest-url and nonce-count.
Step 14. On receiving the response message of step 13, the IdP checks the nonce value in the response against the nonce value it stored. If the check passes, the IdP computes Xresponse from the cnonce, nonce-count, qop and other parameters in the received response together with the nonce and H(A1) it stored earlier, and compares the computed Xresponse with the received response value: if the two are identical the UE is authenticated, otherwise UE authentication fails. The IdP stores the UE authentication result UE_Auth. If UE authentication succeeded, the IdP derives the shared key K0 from H(A1), cnonce and other parameters.
Step 15. The IdP generates another random number nonce1, then derives the key K1 from K0, nonce1 and other parameters. It encrypts nonce1 and related information with the shared key K0, producing E_{K0}(nonce1), and encrypts K1 together with UE_Auth with the key K_{O,i} shared between the OP/AS and the IdP, producing E_{K_{O,i}}(K1, UE_Auth).
Step 16. The IdP sends a 200 OK message to the UE containing the K0-encrypted nonce1 and related information, indicating that UE authentication succeeded; at the same time the IdP redirects the UE to the OP/AS, the redirect message carrying E_{K_{O,i}}(K1, UE_Auth).
Step 17. The UE decrypts E_{K0}(nonce1) to obtain nonce1 and derives the key K1 from K0, nonce1 and other parameters.
Step 18. The message sent by the IdP is redirected to the OP/AS; this redirect message carries E_{K_{O,i}}(K1, UE_Auth).
Step 19. After receiving the redirect message, the OP/AS decrypts E_{K_{O,i}}(K1, UE_Auth) with the shared key to obtain K1 and UE_Auth. From UE_Auth the OP/AS learns the UE's authorization information and determines whether this UE is authorized to perform OpenID authentication and is authorized for the intended use; it may also learn from UE_Auth which types of information may be shared with the RP. According to the UE's authorization information, the OP/AS completes the OpenID user authentication over the SSOa interface protected by the key K1 shared between the UE and the OP/AS, and generates an authentication assertion according to the authentication result.
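Steps 15 to 19 form a small key hierarchy: K0 is agreed by the UE and the IdP during digest authentication, K1 is derived from K0 and nonce1, nonce1 is handed to the UE under K0, and K1 plus UE_Auth are handed to the OP/AS under K_{O,i}. The Go program below, added here and not part of the patent or of ZTE's implementation, plays that exchange end to end. The patent does not fix the key-generation method or the cipher behind E_K(.), so the example assumes HMAC-SHA256 with a label for derivation and AES-256-GCM for the wrappers; H(A1), cnonce, nonce, K_{O,i} and UE_Auth are constructed values, and derive, seal, unseal and Establish are names chosen for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// derive stands in for the key-generation function the patent leaves open:
// HMAC-SHA256 keyed by the parent secret over a label and the mixed-in values.
// The label keeps K0 and K1 from colliding even though the same PRF is used.
func derive(secret []byte, label string, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(label))
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil) // 32 bytes, used directly as an AES-256 key
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal is the E_K(.) wrapper of steps 15 and 16 (assumed AES-256-GCM); the
// random IV is prefixed to the ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	return g.Seal(iv, iv, plaintext, nil), nil
}

// unseal reverses seal; GCM rejects any modified byte, which is what the
// OP/AS decryption of step 19 relies on.
func unseal(key, box []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(box) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext shorter than IV")
	}
	return g.Open(nil, box[:g.NonceSize()], box[g.NonceSize():], nil)
}

// Establish plays steps 14 to 19 with constructed inputs. It reports whether
// the UE and the OP/AS end up with the same K1 and returns the UE_Auth the
// OP/AS recovered.
func Establish() (bool, string, error) {
	// Constructed values that steps 9 to 13 would have produced.
	ha1 := []byte("939e7578ed9e3c518a452acee763bce9") // H(A1) from the SD-AV
	cnonce := []byte("0a4f113b")
	nonce := []byte("dcd98b7102dd2f0e8b11d0f600bfb0c093")
	kOi := bytes.Repeat([]byte{0x42}, 32) // K_{O,i}: pre-shared OP/AS <-> IdP key
	ueAuth := "UE_Auth:alice@ims.example:authenticated"

	// Step 12 (UE) and step 14 (IdP): both derive K0 from H(A1), cnonce, nonce.
	k0IdP := derive(ha1, "K0", cnonce, nonce)
	k0UE := derive(ha1, "K0", cnonce, nonce)

	// Step 15: IdP picks nonce1, derives K1, wraps nonce1 for the UE under K0
	// and (K1, UE_Auth) for the OP/AS under K_{O,i}.
	nonce1 := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, nonce1); err != nil {
		return false, "", err
	}
	k1IdP := derive(k0IdP, "K1", nonce1)
	eK0, err := seal(k0IdP, nonce1)
	if err != nil {
		return false, "", err
	}
	eKOi, err := seal(kOi, append(append([]byte{}, k1IdP...), ueAuth...))
	if err != nil {
		return false, "", err
	}

	// Step 17: the UE recovers nonce1 from the 200 OK and derives K1 itself.
	n1, err := unseal(k0UE, eK0)
	if err != nil {
		return false, "", err
	}
	k1UE := derive(k0UE, "K1", n1)

	// Step 19: the OP/AS opens the redirected blob and splits K1 from UE_Auth.
	pt, err := unseal(kOi, eKOi)
	if err != nil {
		return false, "", err
	}
	if len(pt) < sha256.Size {
		return false, "", fmt.Errorf("payload too short")
	}
	k1OP, auth := pt[:sha256.Size], string(pt[sha256.Size:])
	return hmac.Equal(k1UE, k1OP), auth, nil
}

func main() {
	same, auth, err := Establish()
	fmt.Printf("UE and OP/AS share K1: %v, UE_Auth=%q, err=%v\n", same, auth, err)
}
```

Because the wrapper is authenticated, the OP/AS in step 19 detects any modification of the redirected blob instead of deriving a wrong K1, and a UE that cannot open E_{K0}(nonce1) learns immediately that the 200 OK did not come from the IdP holding its K0.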
Step 20. The OP/AS redirects the browser to the OpenID return address, i.e. the OP/AS redirects the browser of the UE back to the RP; the redirect response carries either an assertion that authentication was approved or an assertion that authentication failed. The header of this redirect response contains a series of fields defining the assertion information, and these fields may be protected with the key shared between the OP/AS and the RP. This key protection mechanism is especially important when the OP/AS and the RP are in different MNO networks.
Step 21. The RP verifies the received assertion, i.e. checks whether authentication was approved. The authenticated identity of the UE is carried in the response message delivered to the RP. If the OP/AS and the RP established a shared key in step 3, that key is now used to verify the message from the OP/AS. If the assertion is positive and the information verifies successfully, the UE obtains the service of the RP.
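Steps 3, 20 and 21 turn on the association key between the OP/AS and the RP: the OP/AS protects the assertion fields with it and the RP checks them before serving the UE. The Go program below is an added example, not the patent's or OpenID's own code. OpenID 2.0 does carry the signature in openid.sig, lists the covered fields in openid.signed, and uses openid.mode=id_res for a positive and cancel for a negative assertion; the canonical form that is MACed here (sorted key:value lines under HMAC-SHA256), the association key value, and the names Assertion, Sign and Verify are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// Assertion is the set of openid.* fields the OP/AS places in the step 20 redirect.
type Assertion map[string]string

// canonical joins the covered fields as sorted "key:value" lines so that the
// OP/AS and the RP compute the MAC over exactly the same bytes.
func canonical(a Assertion, signed []string) string {
	keys := append([]string(nil), signed...)
	sort.Strings(keys)
	var b strings.Builder
	for _, k := range keys {
		b.WriteString(k + ":" + a[k] + "\n")
	}
	return b.String()
}

// Sign is the OP/AS side: MAC the listed fields with the association key of
// step 3 and attach openid.signed and openid.sig.
func Sign(a Assertion, assocKey []byte, signed []string) Assertion {
	out := Assertion{}
	for k, v := range a {
		out[k] = v
	}
	out["openid.signed"] = strings.Join(signed, ",")
	m := hmac.New(sha256.New, assocKey)
	m.Write([]byte(canonical(out, signed)))
	out["openid.sig"] = base64.StdEncoding.EncodeToString(m.Sum(nil))
	return out
}

// Verify is the RP side of step 21. It returns the authenticated identity for
// a positive assertion whose MAC checks, and an error for a negative assertion,
// for a field the RP acts on that is outside the signed set, or for a bad MAC.
func Verify(a Assertion, assocKey []byte) (string, error) {
	if a["openid.mode"] != "id_res" {
		return "", fmt.Errorf("negative assertion (mode=%q): no service", a["openid.mode"])
	}
	signed := strings.Split(a["openid.signed"], ",")
	covered := map[string]bool{}
	for _, k := range signed {
		covered[k] = true
	}
	for _, must := range []string{"openid.mode", "openid.claimed_id", "openid.identity", "openid.return_to"} {
		if !covered[must] {
			return "", fmt.Errorf("field %s is not covered by the signature", must)
		}
	}
	m := hmac.New(sha256.New, assocKey)
	m.Write([]byte(canonical(a, signed)))
	want := base64.StdEncoding.EncodeToString(m.Sum(nil))
	if !hmac.Equal([]byte(want), []byte(a["openid.sig"])) {
		return "", fmt.Errorf("signature mismatch")
	}
	return a["openid.claimed_id"], nil
}

func main() {
	key := []byte("constructed-association-key") // from the step 3 exchange
	signed := []string{"openid.mode", "openid.claimed_id", "openid.identity", "openid.return_to"}
	a := Sign(Assertion{"openid.mode": "id_res", "openid.claimed_id": "https://op.example/alice",
		"openid.identity": "https://op.example/alice", "openid.return_to": "https://rp.example/return"}, key, signed)
	id, err := Verify(a, key)
	fmt.Printf("identity=%q err=%v\n", id, err)
	_, err = Verify(Assertion{"openid.mode": "cancel"}, key)
	fmt.Printf("negative assertion: %v\n", err)
}
```

The RP refuses a positive assertion unless every field it will act on (mode, claimed_id, identity, return_to) is inside the signed set; otherwise a field could be removed from the signature's coverage and altered without the MAC failing. A negative assertion carries no signature and simply results in no service.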
Note that if any of steps 1 to 21 fails, the whole process stops.
If an unexpected interruption occurs while the UE is accessing the RP application server: if the UE has not yet completed the service access procedure with the RP, the UE must restart the service request after the network recovers; if the UE has already completed the service access procedure and the lifetimes of the cookie and the shared key have not expired when the network recovers, the UE and the RP can continue to use that shared key and cookie to obtain the application service after recovery, otherwise the shared key must be generated again. If, after the UE has accessed the RP application server, the user actively logs out, the UE is powered off, or a similar special circumstance occurs, the user must execute the whole flow again.
In the present invention the keys above can be generated by any existing key generation method; the invention does not restrict the key generation method used.
The above is only a preferred embodiment of the present invention and is not intended to limit its scope of protection.

Claims (9)

1. A combination authentication system comprising a single sign-on (SSO) framework and an OpenID framework, characterized in that fusion and interworking between said SSO framework and said OpenID framework are realized by sharing the application server (AS) in the SSO framework and the OpenID identity provider entity (OP) in the OpenID framework.
2. The system according to claim 1, characterized in that said OpenID framework further comprises a relying party (RP) of the service; wherein,
said RP is used for, after receiving a service request from an IP Multimedia Subsystem (IMS) user equipment (UE), redirecting said UE to said OP carrying an OpenID authentication request;
said OP is used for, after receiving a Hypertext Transfer Protocol (HTTP) GET request from said UE, returning an unauthorized response to said UE, requiring said UE to authenticate using the Session Initiation Protocol Digest (SIP Digest) mechanism in said SSO framework;
said UE is used for, when SIP Digest authentication has not yet been performed, performing SIP Digest authentication through said SSO framework;
said OP is further used for obtaining the authorization information of said UE after SIP Digest authentication, completing OpenID authentication of said UE according to the authorization information of said UE, and generating an authentication assertion according to the authentication result; and sending said authentication assertion to said RP;
said RP is further used for providing the service to said UE upon confirming that said assertion is correct.
3. The system according to claim 2, characterized in that said RP is further used for, after receiving the service request of said UE, obtaining the address information of said OP based on the identification information of said UE carried in said service request, discovering the endpoint uniform resource locator (URL) of said OP, and completing authentication of said UE through said URL.
4. The system according to claim 2, characterized in that, before said RP and said OP exchange information, they further negotiate a key used for protecting the security of their communication.
5. The system according to claim 1, characterized in that said SSO framework further comprises a home subscriber server (HSS) and an identity authentication provider entity (IdP); wherein,
said AS is used for requesting said UE to authenticate to said IdP, the authentication request information flow comprising the identification information of the UE and of the AS;
said IdP is used for authenticating this AS according to the identification information of said AS and storing the AS authentication result; and, when it determines that said UE has not passed SIP Digest authentication, obtaining the SIP Digest authentication vector and the information content of said UE from the HSS, generating a random number nonce, and sending an authentication challenge to said UE;
said UE is used for generating a random number cnonce and computing the hash function value, then generating the shared key K0, and returning a response to said IdP;
said IdP is used for, after receiving the response of said UE, completing authentication of said UE and generating K0; further generating a random number nonce1, generating the key K1 from nonce1 and K0, encrypting nonce1 with K0, and, after encrypting K1 and the authentication result of the UE with the key shared between the AS and the IdP, sending a 200 OK message to said UE, said 200 OK message containing the nonce1 information encrypted with K0; and redirecting the information encrypted with the key shared between the AS and the IdP to said AS;
said UE is further used for, after obtaining said 200 OK message, generating K1, so that the shared key K1 exists between said UE and said AS.
6. An authentication method, characterized in that it is applied to a system in which an SSO framework and an OpenID framework are fused, wherein fusion and interworking between said SSO framework and said OpenID framework are realized by sharing the AS in the SSO framework and the OP in the OpenID framework; said method further comprises:
said RP, after receiving a service request from an IMS UE, redirecting said UE to said OP carrying an OpenID authentication request;
said OP, after receiving the HTTP GET request of said UE, returning an unauthorized response to said UE, requiring said UE to authenticate using the Session Initiation Protocol Digest (SIP Digest) mechanism in said SSO framework;
said UE, when SIP Digest authentication has not yet been performed, performing SIP Digest authentication through said SSO framework;
said OP obtaining the authorization information of said UE after SIP Digest authentication, completing OpenID authentication of said UE according to the authorization information of said UE, and generating an authentication assertion according to the authentication result; and sending said authentication assertion to said RP;
said RP providing the service to said UE upon confirming that said assertion is correct.
7. The method according to claim 6, characterized in that said method further comprises:
said RP, after receiving the service request of said UE, obtaining the address information of said OP based on the identification information of said UE carried in said service request, discovering the endpoint URL of said OP, and completing authentication of said UE through said URL.
8. The method according to claim 6, characterized in that said method further comprises:
before said RP and said OP exchange information, negotiating a key used for protecting the security of their communication.
9. The method according to claim 6, characterized in that said UE performing SIP Digest authentication through said SSO framework when SIP Digest authentication has not yet been performed comprises:
said AS requesting said UE to authenticate to said IdP, the authentication request information flow comprising the identification information of the UE and of the AS;
said IdP authenticating this AS according to the identification information of said AS and storing the AS authentication result, and, when it determines that said UE has not passed SIP Digest authentication, obtaining the SIP Digest authentication vector and the information content of said UE from the HSS, generating a random number nonce, and sending an authentication challenge to said UE;
said UE generating a random number cnonce and computing the hash function value, then generating the shared key K0, and returning a response to said IdP;
said IdP, after receiving the response of said UE, completing authentication of said UE and generating K0; further generating a random number nonce1, generating the key K1 from nonce1 and K0, encrypting the random number nonce1 with K0, and, after encrypting K1 and the authentication result of the UE with the key shared between the AS and the IdP, sending a 200 OK message to said UE, said 200 OK message containing the nonce1 information encrypted with K0; and redirecting the information encrypted with the key shared between the AS and the IdP to said AS;
said UE, after obtaining said 200 OK message, generating K1, so that the shared key K1 exists between said UE and said AS.
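As an added illustration (not code from the patent, which provides none), the following Python sketch runs the key agreement of claims 5 and 9 and the step 19 decryption at OP/AS end to end: the UE and the IdP derive K0 from the SIP Digest exchange, the IdP sends E_K0(nonce1) to the UE and E_{AS-IdP}(K1, UE_Auth) to the AS, and both sides end up holding the same K1. The SHA-256 digest for K0, the HMAC derivation of K1 and the toy encrypt-then-MAC cipher are assumptions; the patent states that any key generation method may be used.

```python
import hashlib
import hmac
import os

# Constructed walk-through of the key agreement in claims 5 and 9 and its use in
# step 19. The hash, KDF and cipher below are assumptions; the patent leaves them open.

def sip_digest_k0(password: str, nonce: str, cnonce: str) -> bytes:
    """K0 from the SIP Digest secret and both nonces (assumed construction)."""
    return hashlib.sha256(f"{password}:{nonce}:{cnonce}".encode()).digest()

def derive_k1(k0: bytes, nonce1: bytes) -> bytes:
    """K1 = HMAC(K0, nonce1); IdP and UE compute it independently once both hold nonce1."""
    return hmac.new(k0, b"K1|" + nonce1, hashlib.sha256).digest()

def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, pt: bytes) -> bytes:
    """Toy encrypt-then-MAC (HMAC keystream + HMAC tag), standing in for any real cipher."""
    iv = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, iv, len(pt))))
    return iv + ct + hmac.new(key, b"tag|" + iv + ct, hashlib.sha256).digest()

def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting: a wrong key or a modified blob is rejected."""
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag|" + iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct))))

def run_flow(password: str, k_as_idp: bytes, ue_auth: bytes):
    """One run: returns (K1 held by UE, K1 held by AS, UE_Auth as decrypted by OP/AS)."""
    nonce = os.urandom(16).hex()                       # IdP: authentication challenge
    cnonce = os.urandom(16).hex()                      # UE: cnonce, hash value, K0, response
    k0_ue = sip_digest_k0(password, nonce, cnonce)
    k0_idp = sip_digest_k0(password, nonce, cnonce)    # IdP: checks response via HSS vector, gets K0
    nonce1 = os.urandom(16)                            # IdP: fresh nonce1 and K1
    k1_idp = derive_k1(k0_idp, nonce1)
    msg_200ok = seal(k0_idp, nonce1)                   # E_K0(nonce1) carried in the 200 OK
    to_as = seal(k_as_idp, k1_idp + ue_auth)           # E_{AS-IdP}(K1, UE_Auth), redirected to AS
    k1_ue = derive_k1(k0_ue, open_sealed(k0_ue, msg_200ok))   # UE recovers nonce1, derives K1
    plain = open_sealed(k_as_idp, to_as)               # step 19: OP/AS decrypts with the shared key
    return k1_ue, plain[:32], plain[32:]

if __name__ == "__main__":
    k1_ue, k1_as, auth = run_flow("ims-secret", os.urandom(32), b"openid:allowed;share:email")
    print(k1_ue == k1_as, auth)
```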
CN201110072463.5A 2011-03-24 2011-03-24 Combination attestation system and authentication method Expired - Fee Related CN102694779B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201110072463.5A CN102694779B (en) 2011-03-24 2011-03-24 Combination attestation system and authentication method
PCT/CN2012/071198 WO2012126299A1 (en) 2011-03-24 2012-02-16 Combined authentication system and authentication method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110072463.5A CN102694779B (en) 2011-03-24 2011-03-24 Combination attestation system and authentication method

Publications (2)

Publication Number Publication Date
CN102694779A true CN102694779A (en) 2012-09-26
CN102694779B CN102694779B (en) 2017-03-29

Family

ID=46860066

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110072463.5A Expired - Fee Related CN102694779B (en) 2011-03-24 2011-03-24 Combination attestation system and authentication method

Country Status (2)

Country Link
CN (1) CN102694779B (en)
WO (1) WO2012126299A1 (en)

Also Published As

Publication number Publication date
WO2012126299A1 (en) 2012-09-27
CN102694779B (en) 2017-03-29

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20170329

Termination date: 20210324
