CN102694779B - Combination attestation system and authentication method - Google Patents
Combination attestation system and authentication method
- Publication number: CN102694779B (application CN201110072463.5A)
- Authority: CN (China)
- Prior art keywords: frameworks, openid, idp, authentication, sso
- Legal status (as listed by Google Patents; the status is an assumption and not a legal conclusion): Expired - Fee Related
Classifications
- H04L9/321: Cryptographic mechanisms or network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving a third party or a trusted authority
- H04L63/0815: Network architectures or protocols for network security, for authentication of entities, providing single-sign-on or federations
- H04L2209/80: Additional information relating to cryptographic mechanisms (H04L9/00); Wireless
Abstract
The invention discloses a combined authentication system comprising an SSO framework and an OpenID framework, in which the application server (AS) of the SSO framework and the OpenID provider (OP) of the OpenID framework are shared as one entity, so that the two frameworks are merged and interoperate. The invention also discloses an authentication method applied to this system: after receiving a service request from the UE, the RP redirects the UE to the OP carrying an OpenID authentication request; after receiving the UE's HTTP GET request, the OP returns an unauthorized response requiring the UE to authenticate with the SIP Digest mechanism of the SSO framework; if the UE has not yet completed SIP Digest authentication, it does so through the SSO framework; after SIP Digest authentication the OP obtains the UE's authorization information, completes OpenID authentication of the UE on that basis, generates an authentication assertion from the result and sends the assertion to the RP. The invention extends the application scenarios available to a UE in the SSO framework, so that it can use the richer existing Web services.
Description
Technical field
The present invention relates to the integration of single sign-on (SSO, Single Sign On) frameworks with OpenID frameworks, and in particular to a system merging an SSO framework with an OpenID framework, and to an authentication method applied in that merged system.
Background technology
The Third Generation Partnership Project (3GPP) currently proposes that a common IMS terminal in a non-UICC (Universal Integrated Circuit Card) environment use the Session Initiation Protocol (SIP) Digest authentication mechanism to obtain single sign-on of the IMS terminal to an application server (AS, Application Server); the SSO framework designed in SSO_APS can provide this function. An SSO framework generally comprises the IP Multimedia Subsystem (IMS) user, the home subscriber server (HSS, Home Subscriber Server), the AS and an identity authentication provider entity (IdP). The user equipment (UE, User Equipment) connects to the IdP over the SSOb interface; the UE and the AS connect over the SSOa interface; the IdP connects to the HSS over the SSOh interface. The IdP interacts with the UE using SIP Digest to verify its identity, and also authenticates the AS; the key shared between the IdP and the user is K0. The HSS stores the subscription profile describing the user and also generates authentication information. The AS provides network services to the UE.
The SSO_APS implementation of the SSO framework targets the case where the operator has not deployed GBA and the IMS terminal has no UICC; the UE is authenticated with the SIP Digest mechanism, and single sign-on of the IMS terminal to the AS is achieved as follows:
The IMS terminal (UE) sends an HTTP service request to the AS. The AS answers the UE with a 401 Unauthorized HTTPS response requiring the UE to go to the authentication center (IdP) for identity authentication; the response also carries the AS identity encrypted under the key shared between the AS and the IdP. The UE sends an HTTP request to the IdP asking the IdP to authenticate it; this message carries the UE identity and the encrypted AS identity. The IdP authenticates the AS on the basis of the AS private identifier it obtains and stores the authentication result; at the same time it checks whether a K0 already exists for this UE. If the key exists, the UE has already been authenticated and the SIP Digest mechanism need not be run again; the authentication is skipped and the subsequent steps are executed directly. If the IdP finds no K0 for this UE, it obtains the SIP Digest authentication vector and the UE's user information from the HSS on the basis of the IMS identity; the IdP generates a random nonce and stores it together with the hash value H(A1) downloaded from the HSS; the IdP sends a 401 authentication challenge to the UE using the SIP Digest mechanism. The UE generates a random cnonce and H(A1), then produces the key K0 and computes the response value from these parameters; the UE sends its response to the challenge to the IdP. The IdP completes authentication of the UE and produces the shared key K0. The IdP then generates a further random number nonce1 and uses nonce1 and K0 to produce the shared key K1; it encrypts nonce1 and related information under K0, and encrypts K1 together with the UE authentication result under the key shared between the IdP and the AS. The IdP sends a 200 OK message to the UE containing nonce1 and related information encrypted under K0, indicating that UE authentication succeeded; at the same time the IdP redirects K1 and the authentication result, encrypted under the AS-IdP shared key, to the AS via the UE. The UE decrypts to obtain nonce1 and derives the shared key K1; the AS decrypts its information to obtain the UE authentication result and K1. The UE and the AS now hold a shared key K1, so that their subsequent communication can be encrypted under K1 and secured.
OpenID likewise defines its own infrastructure and specification for access to Web services. Its framework comprises three main entities: the UE, the OpenID identity provider entity (OP, OpenID Provider), and the relying party (RP). In the OpenID framework each end user registers with an OpenID Provider and receives a user identifier. When the UE accesses an RP that supports OpenID, it only needs to enter this identifier; the RP normalizes the identifier and then uses the discovery mechanism to obtain the OP endpoint URL (Uniform/Universal Resource Locator) from it. The RP and the OP may associate so that a shared key is established between them; this key lets the OP sign its subsequent messages so that the RP can recognize them. The association is optional, but when the OP and the RP sit in the networks of different mobile network operators (MNO, Mobile Network Operator) the shared key produced by this process is important for secure transport of messages. The RP requests the OP to authenticate the UE. The OP determines from the UE's authorization information whether the UE is authorized to perform OpenID authentication and wishes to be authorized; on that basis the OP completes the authentication of the OpenID user and generates an authentication assertion from the result, which it returns to the RP. The RP verifies the assertion and decides whether to provide the service to the UE.
In the SSO framework of SSO_APS, the AS ultimately obtains a shared key together with the terminal authentication result and authorization information, while the OpenID framework supports Web services and provides a unique identifier for each UE. If the two frameworks could interoperate, the original security would not be reduced, terminal operation would become simpler, and the application scenarios of the terminal would be extended so that it could enjoy the existing diverse Web services.
3GPP specification 33.924 currently defines a scenario in which the GBA framework and the OpenID framework interoperate, namely the network application function (NAF, Network Application Function) and the OP are one entity. Its characteristic is that the Ub and Zn interface functions of the original GBA framework are essentially unchanged, while the OP and the UE of the OpenID framework must add GBA functions. Whenever the UE accesses an RP it must first be authenticated on the OP/NAF, and passing authentication on the OP/NAF requires a bootstrapping procedure between the UE and the bootstrapping server function (BSF, Bootstrapping Server Function).
A common IMS terminal in a non-UICC environment cannot use the GBA framework for authentication. For such IMS terminals, SSO_APS designed a framework that provides SSO functions using the SIP Digest mechanism. The problem that urgently needs solving is that this SSO framework and the OpenID framework cannot be merged and interoperate, so that such IMS terminals cannot support the OpenID mechanism and obtain diverse Web services.
The content of the invention
In view of this, the main object of the present invention is to provide a combined authentication system and authentication method that merge the SSO framework and the OpenID framework so as to provide the UE with richer Web services.
To achieve this object, the technical solution of the invention is realized as follows:
A combined authentication system comprises an SSO framework and an OpenID framework; the SSO framework and the OpenID framework are merged and interoperate by sharing the application server AS of the SSO framework and the OpenID identity provider entity OP of the OpenID framework.
Preferably, the OpenID framework further includes a relying party RP; wherein:
the RP is configured to redirect the UE to the OP carrying an OpenID authentication request after receiving a service request from the IP Multimedia Subsystem (IMS) user equipment (UE);
the OP is configured to return an unauthorized response to the UE after receiving the UE's Hypertext Transfer Protocol (HTTP) GET request, requiring the UE to authenticate with the Session Initiation Protocol Digest (SIP Digest) mechanism of the SSO framework;
the UE is configured to perform SIP Digest authentication through the SSO framework when it has not yet completed SIP Digest authentication;
the OP is further configured to obtain the UE's authorization information after SIP Digest authentication, complete OpenID authentication of the UE on the basis of that authorization information, generate an authentication assertion from the authentication result, and send the authentication assertion to the RP;
the RP is further configured to provide the service to the UE when it confirms that the assertion is correct.
Preferably, the RP is further configured, after receiving the UE's service request, to obtain the address of the OP from the UE identification information carried in the service request and to discover the OP endpoint URL, through which authentication of the UE is completed.
Preferably, before the RP and the OP exchange information, they further negotiate a key for protecting the security of their communication.
Preferably, the SSO framework further includes a home subscriber server HSS and an identity authentication provider entity IdP; wherein:
the AS is configured to request the UE to authenticate with the IdP, the request authentication information flow carrying the identification information of the UE and the AS;
the IdP is configured to authenticate the AS on the basis of the AS identification information and store the AS authentication result, and, on confirming that the UE has not undergone SIP Digest authentication, to obtain the SIP Digest authentication vector and the UE's information content from the HSS, generate a random nonce, and send an authentication challenge to the UE;
the UE is configured to generate a random cnonce and a hash value, derive the shared key K0 from them, and reply with a response to the IdP;
the IdP is configured to complete authentication of the UE on receiving the UE's response and to generate K0; and further to generate a random number nonce1, derive key K1 from nonce1 and K0, encrypt nonce1 and related information under K0, and encrypt K1 and the UE authentication result under the key shared between the AS and the IdP; the IdP then sends a 200 OK message to the UE containing nonce1 and related information encrypted under K0, indicating that UE authentication succeeded, and at the same time redirects the information encrypted under the AS-IdP shared key to the AS;
the UE is further configured to generate K1 after receiving the 200 OK message, so that the UE and the AS possess the shared key K1.
An authentication method is applied in a system merging an SSO framework and an OpenID framework, wherein the SSO framework and the OpenID framework are merged and interoperate by sharing the AS of the SSO framework and the OP of the OpenID framework; the method further comprises:
the RP, after receiving a service request from the IMS UE, redirects the UE to the OP carrying an OpenID authentication request;
the OP, after receiving the UE's HTTP GET request, returns an unauthorized response to the UE requiring the UE to authenticate with the SIP Digest mechanism of the SSO framework;
the UE, when it has not yet completed SIP Digest authentication, performs SIP Digest authentication through the SSO framework;
the OP obtains the UE's authorization information after SIP Digest authentication, completes OpenID authentication of the UE on the basis of that authorization information, generates an authentication assertion from the authentication result, and sends the authentication assertion to the RP;
the RP provides the service to the UE when it confirms that the assertion is correct.
Preferably, the method further comprises:
the RP, after receiving the UE's service request, obtains the address of the OP from the UE identification information carried in the service request and discovers the OP endpoint URL, through which authentication of the UE is completed.
Preferably, the method further comprises:
before the RP and the OP exchange information, negotiating a key for protecting the security of their communication.
Preferably, the UE performing SIP Digest authentication through the SSO framework when it has not yet completed SIP Digest authentication comprises:
the AS requests the UE to authenticate with the authentication center IdP, the request authentication information flow carrying the identification information of the UE and the AS;
the IdP authenticates the AS on the basis of the AS identification information and stores the AS authentication result, and, on confirming that the UE has not undergone SIP Digest authentication, obtains the SIP Digest authentication vector, the UE's information content and the hash value from the HSS, generates a random nonce, and sends an authentication challenge to the UE;
the UE generates a random cnonce and a hash value, derives the shared key K0 from them, and replies with a response to the IdP;
the IdP completes authentication of the UE on receiving the UE's response and generates K0; it further generates a random number nonce1, derives key K1 from nonce1 and K0, encrypts nonce1 and related information under K0, and encrypts K1 and the UE authentication result under the key shared between the AS and the IdP; the IdP then sends a 200 OK message to the UE containing nonce1 and related information encrypted under K0, indicating that UE authentication succeeded, and at the same time redirects the information encrypted under K0 and under the shared key between the AS and the IdP to the AS;
the UE generates K1 after receiving the 200 OK message, so that the UE and the AS possess the shared key K1.
In the present invention the SSO framework and the OpenID framework are merged by sharing the AS of the SSO framework and the OP of the OpenID framework. Thus, when the UE initiates a service request to the OpenID framework, the OpenID framework triggers the UE to initiate SIP Digest authentication with the SSO framework; this strengthens the supervision of UE users and at the same time provides richer Web services for users of the SSO framework.
Description of the drawings
Fig. 1 is a structural diagram of the system merging the SSO framework and the OpenID framework according to the invention;
Fig. 2 is a flow chart of the authentication method applied to the system shown in Fig. 1.
Specific embodiment
The basic idea of the present invention is that the SSO framework and the OpenID framework are merged by sharing the AS of the SSO framework and the OP of the OpenID framework as one entity. Thus, when the UE initiates a service request to the OpenID framework, the OpenID framework triggers the UE to initiate SIP Digest authentication with the SSO framework; this strengthens the supervision of UE users and at the same time provides richer Web services for users of the SSO framework.
To make the objects, technical solutions and advantages of the invention clearer, it is further described below by way of embodiments and with reference to the drawings.
Fig. 1 is a structural diagram of the system merging the SSO framework and the OpenID framework according to the invention. As shown in Fig. 1, the invention proposes a combined authentication architecture that realizes interworking of the SSO framework of SSO_APS with the OpenID framework, so that a common IMS terminal in a UICC-less environment can use the combined architecture to obtain single sign-on to application servers. Here the UE is the IMS terminal; the OpenID provider entity (OP) and the application server entity of the SSO framework in SSO_APS are one entity, OP/AS; the RP corresponds to the final application server that the IMS terminal of the merged system wishes to access through OpenID; and the IdP is the user authentication center that completes authentication of the UE within the SSO framework of SSO_APS. In the present invention every network element of the SSO framework and the OpenID framework essentially keeps its original function and structure; the larger change is that the OP and the AS are merged. Since the functions of these network elements are prior art, their functions and concrete structure are not repeated here; the present invention only describes how the UE is authenticated in the merged system.
Fig. 2 is a flow chart of the authentication method applied to the system shown in Fig. 1. As shown in Fig. 2, the authentication method of the invention comprises the following steps:
Step 1. The user sends the User-Supplied Identifier to the RP through the browser of the UE, initiating a service request.
Step 2. The RP normalizes the User-Supplied Identifier, obtains the address of the OP from it and discovers the OP endpoint URL (Uniform/Universal Resource Locator); the UE will use this URL to complete authentication.
Step 3. The RP and the OP establish a shared key using Diffie-Hellman key exchange. The purpose of this key is to let the OP sign subsequent messages and the RP confirm the messages it receives (the key is optional and is not a necessary operation for interworking). If the OP and the RP are located in the control domains of different mobile network operators (MNO, Mobile Network Operator), then the key agreement is necessary.
Step 4. The RP redirects the browser of the UE to the OP carrying an OpenID authentication request. The RP inserts the User-Supplied Identifier of step 1 into the openid.claimed_id and openid.identity fields of the OpenID authentication request message.
Step 5. Following the redirect, the UE sends an HTTP GET request to the OP.
Step 6. The OP/AS initiates UE authentication and answers with a 401 Unauthorized HTTPS response. The response carries an authentication header with the challenge information so that the UE authenticates to the server using the SIP Digest mechanism; it also carries the OP/AS identity (OP/AS_credential) encrypted under the key shared between the OP/AS and the IdP, i.e. EKO,i(OP/AS_credential). The OP/AS and the IdP possess the shared key KO,i established by existing mechanisms; since obtaining KO,i is prior art, its details are not repeated here.
Step 7. If the UE has no valid key K0 available, the UE sends an HTTP request message to the IdP to carry out UE authentication; the HTTP request carries the UE identity (U_credential) and EKO,i(OP/AS_credential).
Step 8. The IdP decrypts EKO,i(OP/AS_credential) to obtain the OP/AS identity, authenticates the OP/AS on the basis of that identity, and produces and stores the OP/AS authentication result OP/AS_Auth. At the same time, using the received UE identifier U_credential, the IdP first checks whether a UE-IdP shared key K0 already exists; if K0 exists the IdP jumps directly to step 15, otherwise it executes step 9.
Step 9. The IdP sends an authentication request to the HSS; on the basis of U_credential the IdP looks up and downloads from the HSS the corresponding SIP Digest authentication vector (SD-AV) and user configuration information. The SD-AV contains U_credential, realm, quality of protection (qop), the authentication algorithm (algorithm) and H(A1), where H(A1) is the hash value formed from U_credential, realm and password. In a multi-HSS environment the IdP can find the HSS that stores the user's profile by querying the Subscription Locator Function (SLF) for its address.
Step 10. The IdP generates a random nonce and stores it together with the H(A1) downloaded from the HSS for this U_credential.
Step 11. The IdP sends a 401 Unauthorized challenge message to the UE; the challenge message contains U_credential, realm, qop, algorithm and nonce.
Step 12. On receiving the 401 challenge message the UE generates a random cnonce and H(A1); it then uses cnonce, H(A1) and related values to produce the UE-IdP shared key K0. The response value is computed with the one-way hash function F: response = F(H(A1), cnonce, nonce, qop, nonce-count). The UE's cnonce provides authentication of the network and protects against chosen-plaintext attacks. nonce-count is a counter: each time the user computes a response with the same nonce, nonce-count increases by 1; including nonce-count in the response computation reduces the probability of a replay attack.
Step 13. The UE sends its response to the challenge message of step 11 to the IdP; the response message contains cnonce, nonce, response, realm, U_credential, qop, algorithm, Digest-url and nonce-count.
Step 14. On receiving the response message the IdP checks the nonce value in the message against the stored nonce value. If the check passes, the IdP uses the parameters cnonce, nonce-count, qop and so on from the received response message together with the nonce and H(A1) originally stored in the IdP to compute Xresponse, and compares the computed Xresponse with the received response value; if the two are identical the UE is authenticated, otherwise UE authentication fails. The IdP stores the UE authentication result information UE_Auth. If UE authentication succeeded, the IdP produces the shared key K0 from H(A1), cnonce and related values.
Step 15. The IdP generates another random number nonce1, then produces the key K1 from K0, nonce1 and related values; it encrypts nonce1 and related information under the shared key K0 to produce EK0(nonce1), and encrypts K1 and UE_Auth under the OP/AS-IdP shared key KO,i to produce EKO,i(K1, UE_Auth).
Step 16. The IdP sends a 200 OK message to the UE containing nonce1 and related information encrypted under K0, indicating that UE authentication succeeded; at the same time the IdP redirects the UE to the OP/AS, the redirect message carrying EKO,i(K1, UE_Auth).
Step 17. The UE decrypts EK0(nonce1) to obtain the value nonce1 and likewise produces the key K1 from K0, nonce1 and related values.
Step 18. The message sent by the IdP is redirected to the OP/AS; the redirect message carries EKO,i(K1, UE_Auth).
Step 19. On receiving the redirect message the OP/AS decrypts EKO,i(K1, UE_Auth) with the shared key and obtains K1 and UE_Auth. From UE_Auth the OP/AS learns the UE's authorization information and determines from it whether the UE is authorized to perform OpenID authentication and wishes to be authorized; it may also learn from UE_Auth which information types are allowed to be shared with the RP. Using the UE's authorization information and the key K1 now shared between the UE and the OP/AS over the SSOa interface, the OP/AS completes the authentication of the OpenID user and generates an authentication assertion from the authentication result.
Step 20. The OP/AS redirects the browser to the OpenID return address, i.e. it redirects the browser of the UE back to the RP; the redirect response message carries either an approved authentication assertion or an assertion of authentication failure. The header of the redirect response contains a series of fields defining the authentication assertion information; these fields may be protected by encryption under the key between the OP/AS and the RP. This key protection mechanism is especially important when the OP/AS and the RP are located in different MNO networks.
Step 21. The RP confirms the received assertion and checks whether authentication was approved. The authenticated identity of the UE is provided in the response message sent to the RP. If the OP/AS and the RP established a shared key in step 3, that key is now used to confirm that the message came from the OP/AS. If the assertion and the information verification both succeed, the UE obtains the service of the RP.
It should be noted that if any of steps 1 to 21 fails, the whole procedure stops.
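As an added illustration (not the patent's own code), the following Python sketch runs steps 9 to 17 of the flow above between a UE and an IdP: the IdP takes H(A1) from a stand-in HSS, issues the nonce challenge, verifies the Digest response and the nonce-count, derives K0, and both sides derive K1 from nonce1. The patent leaves F and the key derivations abstract; here F is instantiated with the RFC 2617 qop=auth Digest formula and K0/K1 with HMAC-SHA256 (both assumptions), all sample values are constructed, and the encryption of nonce1 under K0 and of K1 under KO,i is not modelled.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for this illustration (assumptions, not values from the patent).
REALM, QOP, ALGORITHM = "ims.example.net", "auth", "MD5"
UE_ID, UE_PASSWORD = "user@ims.example.net", "correct-horse-battery"   # U_credential, password

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def h_a1(u_credential: str, realm: str, password: str) -> str:
    """H(A1): hash over U_credential, realm and password, as held by the HSS (step 9)."""
    return md5_hex(f"{u_credential}:{realm}:{password}")

def digest_response(ha1, nonce, nonce_count, cnonce, qop, method, digest_uri) -> str:
    """F(H(A1), cnonce, nonce, qop, nonce-count) of step 12, instantiated here with the
    RFC 2617 qop=auth formula (assumption: the patent leaves F abstract)."""
    ha2 = md5_hex(f"{method}:{digest_uri}")
    return md5_hex(f"{ha1}:{nonce}:{nonce_count:08x}:{cnonce}:{qop}:{ha2}")

def derive_k0(ha1: str, cnonce: str, nonce: str) -> bytes:
    """K0 shared by UE and IdP from H(A1), cnonce and nonce (steps 12/14); KDF assumed."""
    return hmac.new(bytes.fromhex(ha1), f"K0|{nonce}|{cnonce}".encode(), hashlib.sha256).digest()

def derive_k1(k0: bytes, nonce1: bytes) -> bytes:
    """K1 for UE<->OP/AS from K0 and nonce1 (steps 15/17); KDF assumed."""
    return hmac.new(k0, b"K1|" + nonce1, hashlib.sha256).digest()

class IdP:
    """Authentication center side: steps 9-11, 14 and 15."""

    def __init__(self, hss: dict):
        self.hss = hss        # U_credential -> H(A1); stands in for the HSS/SLF lookup
        self.pending = {}     # nonce -> [U_credential, H(A1), highest nonce-count accepted]
        self.k0 = {}          # U_credential -> K0

    def challenge(self, u_credential: str) -> dict:
        nonce = secrets.token_hex(16)                            # step 10: nonce stored with H(A1)
        self.pending[nonce] = [u_credential, self.hss[u_credential], 0]
        return {"U_credential": u_credential, "realm": REALM, "qop": QOP,
                "algorithm": ALGORITHM, "nonce": nonce}          # step 11: 401 challenge fields

    def verify(self, resp: dict) -> bool:
        entry = self.pending.get(resp["nonce"])                  # step 14: a nonce we issued?
        if entry is None or entry[0] != resp["U_credential"]:
            return False
        u, ha1, last_nc = entry
        if resp["nonce-count"] <= last_nc:                       # replayed response
            return False
        xresponse = digest_response(ha1, resp["nonce"], resp["nonce-count"], resp["cnonce"],
                                    resp["qop"], "GET", resp["Digest-url"])
        if not hmac.compare_digest(xresponse, resp["response"]):
            return False                                         # UE_Auth: failed
        entry[2] = resp["nonce-count"]
        self.k0[u] = derive_k0(ha1, resp["cnonce"], resp["nonce"])
        return True                                              # UE_Auth: success

    def issue_nonce1(self, u_credential: str):
        nonce1 = secrets.token_bytes(16)                         # step 15; EK0(nonce1) not modelled
        return nonce1, derive_k1(self.k0[u_credential], nonce1)

class UE:
    """IMS terminal side: steps 12, 13 and 17."""

    def __init__(self, u_credential: str, password: str):
        self.u, self.password, self.k0 = u_credential, password, None

    def answer(self, chal: dict, nonce_count: int = 1) -> dict:
        cnonce, uri = secrets.token_hex(8), "/openid/login"      # Digest-url path assumed
        ha1 = h_a1(self.u, chal["realm"], self.password)
        self.k0 = derive_k0(ha1, cnonce, chal["nonce"])          # step 12: K0 before answering
        return {"U_credential": self.u, "realm": chal["realm"], "nonce": chal["nonce"],
                "cnonce": cnonce, "qop": chal["qop"], "algorithm": chal["algorithm"],
                "Digest-url": uri, "nonce-count": nonce_count,   # step 13 response message
                "response": digest_response(ha1, chal["nonce"], nonce_count, cnonce,
                                            chal["qop"], "GET", uri)}

    def accept_nonce1(self, nonce1: bytes) -> bytes:
        return derive_k1(self.k0, nonce1)                        # step 17

def run_flow(password_at_ue: str = UE_PASSWORD) -> tuple:
    """Run steps 9-17 once: returns (UE authenticated?, UE and IdP agree on K1?)."""
    idp = IdP({UE_ID: h_a1(UE_ID, REALM, UE_PASSWORD)})
    ue = UE(UE_ID, password_at_ue)
    if not idp.verify(ue.answer(idp.challenge(UE_ID))):
        return (False, False)
    nonce1, k1_idp = idp.issue_nonce1(UE_ID)
    return (True, hmac.compare_digest(k1_idp, ue.accept_nonce1(nonce1)))

def replay_rejected() -> bool:
    """A captured step-13 message re-sent with the same nonce-count must fail at the IdP."""
    idp = IdP({UE_ID: h_a1(UE_ID, REALM, UE_PASSWORD)})
    resp = UE(UE_ID, UE_PASSWORD).answer(idp.challenge(UE_ID))
    return idp.verify(resp) and not idp.verify(resp)
```

A wrong password at the UE makes Xresponse differ from response, so the IdP stores a failed UE_Auth and no K0 or K1 is produced.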
While the UE is accessing the RP application server, if it unexpectedly goes offline before the access procedure between the UE and the RP has completed, then after the network recovers the UE must restart the service request procedure in order to access the application server. If the UE had already completed the access procedure and the network recovers before the lifetime of the cookie and the shared key has expired, the UE and the RP can continue to use that shared key and cookie to obtain the application service after recovery; otherwise the shared key must be produced again. After the UE has accessed the RP application server, if the user actively logs off, the UE is powered off, or a similar special situation occurs, the user must perform the whole procedure again.
In the present invention any existing key generation method may be used for the key generation described above; the invention does not restrict the key generation method adopted.
The above is only a preferred embodiment of the present invention and is not intended to limit its scope of protection.
Claims (7)
1. A combined authentication system comprising a single sign-on SSO framework and an OpenID framework, characterized in that the SSO framework and the OpenID framework are merged and interoperate by sharing the application server AS of the SSO framework and the OpenID identity provider entity OP of the OpenID framework;
a shared key is established between the OP and the relying party RP using Diffie-Hellman key exchange;
the SSO framework further comprises a home subscriber server HSS and an identity authentication provider entity IdP; wherein:
the AS is configured to request the UE to authenticate with the IdP, the request authentication information flow carrying the identification information of the UE and the AS;
the IdP is configured to authenticate the AS on the basis of the AS identification information and store the AS authentication result, and, on confirming that the UE has not undergone SIP Digest authentication, to obtain the SIP Digest authentication vector and the UE's information content from the HSS, generate a random nonce, and send an authentication challenge to the UE;
the UE is configured to generate a random cnonce and a hash value, derive the shared key K0 from them, and reply with a response to the IdP;
the IdP is configured to complete authentication of the UE on receiving the UE's response and to generate K0; and further to generate a random number nonce1, derive key K1 from nonce1 and K0, encrypt nonce1 under K0, encrypt K1 and the UE authentication result under the key shared between the AS and the IdP, send a 200 OK message to the UE containing nonce1 encrypted under K0, and redirect the information encrypted under the shared key between the AS and the IdP to the AS;
the UE is further configured to generate K1 after receiving the 200 OK message, so that the UE and the AS possess the shared key K1.
2. The system according to claim 1, characterized in that the OpenID framework further comprises the relying party (RP); wherein
the RP is configured, after receiving a service request from an IP Multimedia Subsystem (IMS) user equipment (UE), to redirect the UE to the OP carrying an OpenID authentication request;
the OP is configured, after receiving a Hypertext Transfer Protocol (HTTP) GET request from the UE, to return an unauthorized response to the UE, requiring the UE to authenticate using the Session Initiation Protocol (SIP) Digest mechanism of the SSO framework;
the UE is configured, when SIP Digest authentication has not yet been performed, to perform SIP Digest authentication via the SSO framework;
the OP is further configured to obtain the authorization information of the UE after SIP Digest authentication, complete OpenID authentication of the UE according to that authorization information, generate an authentication assertion according to the authentication result, and send the authentication assertion to the RP;
the RP is further configured to provide service to the UE on confirming that the assertion is correct.
3. The system according to claim 2, characterized in that the RP is further configured, after receiving the service request of the UE, to obtain the address information of the OP based on the identification information of the UE carried in the service request, discover the OP endpoint uniform resource locator (URL), and complete authentication of the UE via that URL.
4. The system according to claim 2, characterized in that, before the RP and the OP exchange information, they further negotiate a key for protecting the security of the communication.
5. An authentication method, characterized in that it is applied in a system in which an SSO framework and an OpenID framework are converged, wherein the SSO framework and the OpenID framework achieve converged interworking by the AS in the SSO framework sharing the OP in the OpenID framework;
a shared key is established between the OP and the relying party (RP) using the Diffie-Hellman key exchange protocol;
the method further comprises:
the RP, after receiving a service request from an IMS UE, redirects the UE to the OP carrying an OpenID authentication request;
the OP, after receiving the HTTP GET request of the UE, returns an unauthorized response to the UE, requiring the UE to authenticate using the SIP Digest mechanism of the SSO framework;
the UE, when SIP Digest authentication has not yet been performed, performs SIP Digest authentication via the SSO framework;
the OP obtains the authorization information of the UE after SIP Digest authentication, completes OpenID authentication of the UE according to that authorization information, generates an authentication assertion according to the authentication result, and sends the authentication assertion to the RP;
the RP provides service to the UE on confirming that the assertion is correct;
wherein the UE performing SIP Digest authentication via the SSO framework when SIP Digest authentication has not yet been performed comprises:
the AS requests the IdP to authenticate the UE, the request authentication information flow carrying identification information of the UE and of the AS;
the IdP authenticates the AS according to the identification information of the AS and stores the AS authentication result, and, on confirming that the UE has not undergone SIP Digest authentication, obtains the SIP Digest authentication vector and the information content of the UE from the HSS, generates a random number nonce, and sends an authentication challenge to the UE;
the UE generates a random number cnonce and a hash function value, thereby generating the shared key K0, and returns a response to the IdP;
the IdP, after receiving the response of the UE, completes authentication of the UE and generates K0; generates a further random number nonce1, generates key K1 from nonce1 and K0, encrypts nonce1 with K0, encrypts K1 and the UE authentication result with the shared key between the AS and the IdP, and then sends a 200 OK message to the UE, the 200 OK message containing nonce1 encrypted with K0; and redirects the information encrypted with the shared key between the AS and the IdP to the AS;
the UE, after obtaining the 200 OK message, generates K1, so that the UE and the AS possess the shared key K1.
6. The method according to claim 5, characterized in that the method further comprises:
the RP, after receiving the service request of the UE, obtains the address information of the OP based on the identification information of the UE carried in the service request, discovers the OP endpoint URL, and completes authentication of the UE via that URL.
7. The method according to claim 5, characterized in that the method further comprises:
before the RP and the OP exchange information, negotiating a key for protecting the security of the communication.
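Worked example for the SIP Digest based SSO key agreement of claims 1 and 5, added here as an illustration and not taken from the patent or its applicant: the UE, IdP, HSS and AS are simulated in one Python process. The patent leaves the key generation method open, so the derivations below are assumptions of this example: K0 = HMAC-SHA256(H(A1), nonce || cnonce), K1 = HMAC-SHA256(K0, nonce1), and a SHA-256 counter-mode keystream with an HMAC tag standing in for a real AEAD cipher (the standard library has no AES). The SIP Digest challenge/response itself follows the RFC 2617/3261 MD5 computation. All identities, realms, passwords and the AS-IdP shared key are constructed.

```python
import hashlib
import hmac
import secrets

# --- primitives; every choice here is an assumption of this example, not the patent's ---

def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def kdf(key: bytes, *parts: bytes) -> bytes:
    """Stand-in KDF: HMAC-SHA256 over the concatenated parts."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy keystream cipher (SHA-256 in counter mode); stands in for a real AEAD."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC with separate enc/mac subkeys derived from key."""
    ct = stream_xor(kdf(key, b"enc"), data)
    return ct + hmac.new(kdf(key, b"mac"), ct, hashlib.sha256).digest()

def open_(key: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kdf(key, b"mac"), ct, hashlib.sha256).digest()):
        raise ValueError("MAC check failed")
    return stream_xor(kdf(key, b"enc"), ct)

def digest_response(ha1: str, nonce: str, nc: str, cnonce: str, method: str, uri: str) -> str:
    """RFC 2617 Digest response with qop=auth, as used by SIP Digest (RFC 3261)."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

# --- the four entities of the claim ---

class HSS:
    def __init__(self, realm: str, users: dict):          # users: {impi: password}
        self.realm = realm
        self.ha1 = {u: md5hex(f"{u}:{realm}:{pw}") for u, pw in users.items()}
    def sd_av(self, impi: str):
        """SIP Digest authentication vector: realm plus H(A1) for the subscriber."""
        return self.realm, self.ha1[impi]

class IdP:
    def __init__(self, hss: HSS, as_keys: dict):          # as_keys: {as_id: AS-IdP shared key}
        self.hss, self.as_keys, self.sessions, self.as_results = hss, as_keys, {}, {}
    def auth_request(self, as_id: str, impi: str) -> dict:
        """AS asks the IdP to authenticate the UE; the IdP authenticates the AS first."""
        if as_id not in self.as_keys:
            raise PermissionError("unknown AS")
        self.as_results[as_id] = "authenticated"               # stored AS authentication result
        realm, ha1 = self.hss.sd_av(impi)
        nonce = secrets.token_hex(16)
        self.sessions[impi] = (as_id, realm, ha1, nonce)
        return {"realm": realm, "nonce": nonce, "qop": "auth"} # the challenge sent to the UE
    def response(self, impi: str, resp: dict):
        """Verify the UE's Digest response; derive K0, nonce1, K1; build 200 OK and AS redirect."""
        as_id, realm, ha1, nonce = self.sessions.pop(impi)
        expected = digest_response(ha1, nonce, resp["nc"], resp["cnonce"], "REGISTER", resp["uri"])
        if not hmac.compare_digest(expected, resp["response"]):
            return None, None                                   # no 200 OK, nothing for the AS
        k0 = kdf(bytes.fromhex(ha1), nonce.encode(), resp["cnonce"].encode())
        nonce1 = secrets.token_bytes(16)
        k1 = kdf(k0, nonce1)
        ok200 = {"enc_nonce1": seal(k0, nonce1)}                # nonce1 encrypted under K0
        to_as = seal(self.as_keys[as_id], k1 + b"UE-authenticated")  # K1 + result under AS-IdP key
        return ok200, to_as

class UE:
    def __init__(self, impi: str, password: str, uri: str = "sip:ims.example.invalid"):
        self.impi, self.password, self.uri, self.k0, self.k1 = impi, password, uri, None, None
    def respond(self, challenge: dict) -> dict:
        ha1 = md5hex(f"{self.impi}:{challenge['realm']}:{self.password}")
        cnonce, nc = secrets.token_hex(8), "00000001"
        self.k0 = kdf(bytes.fromhex(ha1), challenge["nonce"].encode(), cnonce.encode())
        return {"nc": nc, "cnonce": cnonce, "uri": self.uri,
                "response": digest_response(ha1, challenge["nonce"], nc, cnonce, "REGISTER", self.uri)}
    def on_200ok(self, ok200: dict) -> bytes:
        nonce1 = open_(self.k0, ok200["enc_nonce1"])            # fails closed on a bad tag
        self.k1 = kdf(self.k0, nonce1)
        return self.k1

class AS:
    def __init__(self, as_id: str, key: bytes):
        self.as_id, self.key, self.k1, self.result = as_id, key, None, None
    def on_redirect(self, blob: bytes) -> bytes:
        plain = open_(self.key, blob)                           # MAC verified before use
        self.k1, self.result = plain[:32], plain[32:].decode()
        return self.k1

def run_flow(password: str = "s3cret-constructed", ue_password: str = None):
    """Run the whole exchange; returns (UE-side K1, AS-side K1, result seen by the AS)."""
    hss = HSS("ims.example.invalid", {"alice@ims.example.invalid": password})
    as_key = secrets.token_bytes(32)                            # constructed AS-IdP shared key
    idp, app = IdP(hss, {"as1": as_key}), AS("as1", as_key)
    ue = UE("alice@ims.example.invalid", ue_password or password)
    challenge = idp.auth_request(app.as_id, ue.impi)
    ok200, to_as = idp.response(ue.impi, ue.respond(challenge))
    if ok200 is None:
        return None, None, "UE authentication failed"
    ue.on_200ok(ok200)
    app.on_redirect(to_as)
    return ue.k1, app.k1, app.result

if __name__ == "__main__":
    print(run_flow())
```

run_flow() returns the UE-side K1, the AS-side K1 and the result the AS recovered from the IdP's redirect; the two keys match only when the UE's Digest response verified, and a UE with a wrong password never receives a 200 OK. Two checks worth keeping in any real implementation are visible here: the IdP compares the Digest response with hmac.compare_digest rather than ==, and both the UE and the AS reject the encrypted material when its tag does not verify, so a tampered nonce1 or redirect cannot silently yield a mismatched K1.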
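Worked example for the OP-RP side of claims 2, 4, 6 and 7, added here as an illustration and not taken from the patent: the RP establishes a shared MAC key with the OP through a Diffie-Hellman association in the style of OpenID 2.0 (the OP encrypts the MAC key by XOR with the hash of the DH secret), the OP signs the authentication assertion with HMAC-SHA256 over the listed signed fields, and the RP verifies the signature, the return_to binding and the response nonce before providing service. The DH group (p = 2^255 - 19, g = 2), the endpoint URLs and the identifiers are assumptions of this example; a real deployment uses a standard group such as those in RFC 3526. Standard library only.

```python
import hashlib
import hmac
import secrets
import time

# Demonstration group (assumption of this example): the prime 2^255 - 19 with generator 2.
# OpenID 2.0 ships its own 1024-bit default modulus; production code should use an
# RFC 3526 / RFC 7919 group.
P = 2**255 - 19
G = 2

def btwoc(n: int) -> bytes:
    """Big-endian two's-complement encoding of a non-negative integer (OpenID 2.0 style)."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")   # extra byte keeps the sign bit clear

def kv_encode(fields: dict) -> bytes:
    """Key-value form over which OpenID 2.0 signatures are computed."""
    return "".join(f"{k}:{v}\n" for k, v in fields.items()).encode()

REQUIRED_SIGNED = {"op_endpoint", "claimed_id", "return_to", "assoc_handle", "response_nonce"}

class OP:
    endpoint = "https://op.example.invalid/"                    # constructed
    def __init__(self):
        self.assocs = {}                                        # assoc_handle -> MAC key
    def associate(self, rp_public: int) -> dict:
        """DH association: derive the shared secret, return g^y and the XOR-encrypted MAC key."""
        y = secrets.randbelow(P - 2) + 1
        shared = pow(rp_public, y, P)
        mac_key = secrets.token_bytes(32)
        handle = secrets.token_hex(8)
        self.assocs[handle] = mac_key
        enc = bytes(a ^ b for a, b in zip(hashlib.sha256(btwoc(shared)).digest(), mac_key))
        return {"assoc_handle": handle, "dh_server_public": pow(G, y, P), "enc_mac_key": enc}
    def issue_assertion(self, handle: str, claimed_id: str, return_to: str) -> dict:
        """Positive assertion for a UE that has completed authentication at the OP."""
        fields = {"op_endpoint": self.endpoint, "claimed_id": claimed_id, "return_to": return_to,
                  "assoc_handle": handle,
                  "response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_hex(4)}
        fields["signed"] = ",".join(list(fields) + ["signed"])
        to_sign = {k: fields[k] for k in fields["signed"].split(",")}
        fields["sig"] = hmac.new(self.assocs[handle], kv_encode(to_sign), hashlib.sha256).hexdigest()
        return fields

class RP:
    def __init__(self, op: OP, return_to: str):
        self.op, self.return_to = op, return_to
        self.mac_key, self.handle, self.seen_nonces = None, None, set()
    def associate(self) -> str:
        """Negotiate the assertion-protection key with the OP before any assertion is accepted."""
        x = secrets.randbelow(P - 2) + 1
        resp = self.op.associate(pow(G, x, P))
        shared = pow(resp["dh_server_public"], x, P)
        self.mac_key = bytes(a ^ b for a, b in zip(hashlib.sha256(btwoc(shared)).digest(), resp["enc_mac_key"]))
        self.handle = resp["assoc_handle"]
        return self.handle
    def verify(self, assertion: dict) -> bool:
        """Accept the assertion only if it is bound to this RP, fresh and correctly signed."""
        if assertion.get("assoc_handle") != self.handle or assertion.get("return_to") != self.return_to:
            return False
        signed = assertion.get("signed", "").split(",")
        if not REQUIRED_SIGNED <= set(signed):                  # a partial signature is worthless
            return False
        nonce = assertion.get("response_nonce")
        if nonce in self.seen_nonces:                           # replayed assertion
            return False
        expected = hmac.new(self.mac_key, kv_encode({k: assertion[k] for k in signed}), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion.get("sig", "")):
            return False
        self.seen_nonces.add(nonce)
        return True

def demo() -> bool:
    """Associate, issue one assertion for a constructed user and verify it at the RP."""
    op = OP()
    rp = RP(op, "https://rp.example.invalid/return")
    handle = rp.associate()
    assertion = op.issue_assertion(handle, "https://alice.example.invalid/", rp.return_to)
    return rp.verify(assertion)

if __name__ == "__main__":
    print("assertion accepted:", demo())
```

Beyond the happy path, the verifier rejects three things a relying party is commonly caught by: an assertion replayed with the same response_nonce, an assertion whose return_to belongs to another site, and an assertion in which a field such as claimed_id was altered after signing. The association key never travels in clear between OP and RP, which is what claim 4's key negotiation before information exchange buys.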
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201110072463.5A CN102694779B (en) | 2011-03-24 | 2011-03-24 | Combination attestation system and authentication method |
PCT/CN2012/071198 WO2012126299A1 (en) | 2011-03-24 | 2012-02-16 | Combined authentication system and authentication method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201110072463.5A CN102694779B (en) | 2011-03-24 | 2011-03-24 | Combination attestation system and authentication method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102694779A CN102694779A (en) | 2012-09-26 |
CN102694779B true CN102694779B (en) | 2017-03-29 |
Family
ID=46860066
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201110072463.5A Expired - Fee Related CN102694779B (en) | 2011-03-24 | 2011-03-24 | Combination attestation system and authentication method |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN102694779B (en) |
WO (1) | WO2012126299A1 (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107548051A (en) * | 2016-06-29 | 2018-01-05 | 中兴通讯股份有限公司 | Method for processing business, network application function entity and generic authentication architecture system |
CN110035035B (en) * | 2018-01-12 | 2021-09-17 | 北京新媒传信科技有限公司 | Secondary authentication method and system for single sign-on |
CN108664803B (en) * | 2018-04-04 | 2022-03-22 | 中国电子科技集团公司第三十研究所 | Password-based document content fine-grained access control system |
CN110021086B (en) * | 2018-10-29 | 2021-09-28 | 深圳市微开互联科技有限公司 | Openid-based temporary authorization access control method |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101552673A (en) * | 2009-04-30 | 2009-10-07 | 用友软件股份有限公司 | An approach to log in single sign-on system by using OpenID account |
WO2010028691A1 (en) * | 2008-09-12 | 2010-03-18 | Nokia Siemens Networks Oy | Methods, apparatuses and computer program product for obtaining user credentials for an application from an identity management system |
CN101771676A (en) * | 2008-12-31 | 2010-07-07 | 华为技术有限公司 | Setting and authentication method for cross-domain authorization and relevant device and system |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8613058B2 (en) * | 2007-05-31 | 2013-12-17 | At&T Intellectual Property I, L.P. | Systems, methods and computer program products for providing additional authentication beyond user equipment authentication in an IMS network |
- 2011-03-24: CN CN201110072463.5A patent/CN102694779B/en, not active (Expired - Fee Related)
- 2012-02-16: WO PCT/CN2012/071198 patent/WO2012126299A1/en, active (Application Filing)
Non-Patent Citations (1)
Title |
---|
Update of the solution of implementing SSO_APS based on SIP Digest; ZTE Corporation, et al.; 3GPP TSG-SA3 (Security) Meeting #62; 2011-01-28; page 6, paragraph 1 to page 7, last paragraph * |
Also Published As
Publication number | Publication date |
---|---|
CN102694779A (en) | 2012-09-26 |
WO2012126299A1 (en) | 2012-09-27 |
Similar Documents
Publication | Title |
---|---|
JP4643657B2 (en) | User authentication and authorization in communication systems |
JP5490874B2 (en) | Identity management services provided by network operators |
US10411884B2 (en) | Secure bootstrapping architecture method based on password-based digest authentication |
KR101485230B1 (en) | Secure multi-uim authentication and key exchange |
CN101455053B (en) | Authenticating an application |
CN101569217B (en) | Method and arrangement for integration of different authentication infrastructures |
CN101039311B (en) | Identification web page service network system and its authentication method |
CN104145465B (en) | The method and apparatus of bootstrapping based on group in machine type communication |
CN101621801A (en) | Method, system, server and terminal for authenticating wireless local area network |
KR20070032805A (en) | System and method for managing user authentication and authorization to realize single-sign-on for accessing multiple networks |
CN109121135A (en) | Client registers and key sharing method, apparatus and system based on GBA |
Sharma et al. | Improved IP multimedia subsystem authentication mechanism for 3G-WLAN networks |
CN102694779B (en) | Combination attestation system and authentication method |
CN103067345A (en) | Method and system for varied GBA guiding |
CN102869010A (en) | Method and system for single sign-on |
WO2011131002A1 (en) | Method and system for identity management |
CN101990771B (en) | Service reporting |
US9485654B2 (en) | Method and apparatus for supporting single sign-on in a mobile communication system |
Cheng et al. | Analysis and improvement of the Internet-Draft IKEv3 protocol |
CN103297969A (en) | IMS single sign-on combination authentication method and system |
CN103428694A (en) | Split terminal single sign-on combined authentication method and system |
CN103095649A (en) | Combination authentication method and system of internet protocol multimedia subsystem (IMS) single sign on |
Sharma et al. | Design and Analysis of Authentication in IoT-based Smart Homes |
CN102469102B (en) | Single-point logging method and system |
CN117915322A (en) | Slice secondary authentication method and system based on key integrity detection |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20170329; Termination date: 20210324 |