CN102694779B - Combination attestation system and authentication method - Google Patents


Info

Publication number
CN102694779B
CN102694779B (application CN201110072463.5A)
Authority
CN
China
Prior art keywords
frameworks
openid
idp
authentication
sso
Prior art date
Legal status
Expired - Fee Related
Application number
CN201110072463.5A
Other languages
Chinese (zh)
Other versions
CN102694779A (en)
Inventor
张孟旺
田甜
Current Assignee
ZTE Corp
Original Assignee
ZTE Corp
Application filed by ZTE Corp
Priority to CN201110072463.5A
Priority to PCT/CN2012/071198 (WO2012126299A1)
Publication of CN102694779A
Application granted
Publication of CN102694779B
Legal status: Expired - Fee Related (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80 Wireless

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a combined authentication system comprising an SSO framework and an OpenID framework, in which interworking between the two frameworks is achieved by sharing the application server (AS) of the SSO framework and the OpenID Provider (OP) of the OpenID framework as one entity. The invention further discloses an authentication method for this system: after receiving a service request from the UE, the RP redirects the UE to the OP carrying an OpenID authentication request; after receiving the UE's HTTP GET request, the OP returns an unauthorized response requiring the UE to authenticate with the Session Initiation Protocol Digest (SIP Digest) mechanism of the SSO framework; if the UE has not yet completed SIP Digest authentication, it does so through the SSO framework; after SIP Digest authentication the OP obtains the UE's authorization information, completes OpenID authentication of the UE on that basis, generates an authentication assertion from the result and sends the assertion to the RP. The invention extends the application scenarios of a UE in the SSO framework so that it can use the richer existing Web services.

Description

Combination attestation system and authentication method
Technical field
The present invention relates to technology for integrating a single sign-on (SSO, Single Sign On) framework with an OpenID framework, and in particular to a fused SSO/OpenID system and an authentication method applied in that fused system.
Background technology
The 3rd Generation Partnership Project (3GPP) currently proposes that a common IMS terminal in a non-UICC (Universal Integrated Circuit Card) environment use the Session Initiation Protocol (SIP) Digest authentication mechanism to achieve single sign-on from the IMS terminal to an application server (AS, Application Server); the SSO framework designed in SSO_APS realizes this function. The SSO framework generally consists of an IP Multimedia Subsystem (IMS) user, a home subscriber server (HSS, Home Subscriber Server), the AS and an identity provider entity (IdP). The user equipment (UE, User Equipment) connects to the IdP over the SSOb interface; UE and AS connect over the SSOa interface; the IdP connects to the HSS over the SSOh interface. The IdP interacts with the UE using SIP Digest to verify its identity and also authenticates the AS; the key shared between the IdP and the user is K0. The HSS stores the subscription profile describing the user and also generates authentication information. The AS provides network services to the UE.
In the SSO_APS implementation of the SSO framework, for the case where the operator has not deployed GBA and the IMS terminal in that scenario has no UICC, the UE is authenticated with the SIP Digest mechanism to provide SSO from the IMS terminal to the AS, as follows:
The IMS terminal (UE) sends an HTTP service request to the AS. The AS responds to the UE with a 401 Unauthorized HTTPS response asking the UE to go to the authentication center for authentication; the response also contains the AS identity information encrypted with the key shared between the AS and the authentication center IdP. The UE sends an HTTP request to the IdP asking it to authenticate the UE; the message carries the UE's identity and the encrypted AS identity information. The IdP authenticates the AS on the basis of the AS's private identity identifier it has obtained and stores the authentication result, and at the same time checks whether a K0 for this UE exists: if the key exists, the UE has already been authenticated, SIP Digest need not be run again, and this authentication is skipped, continuing directly with the subsequent steps; if the IdP finds no K0 for this UE, it obtains the SIP Digest authentication vector and the UE's information from the HSS on the basis of the IMS identity. The IdP generates a random number nonce and stores it together with the hash value H(A1) downloaded from the HSS; the IdP sends a 401 authentication challenge to the UE using the SIP Digest mechanism; the UE generates a random number cnonce and H(A1), from these derives the key K0, and computes the response value from the parameters; the UE sends the challenge response to the IdP, which completes the authentication of the UE and generates the shared key K0. The IdP then generates a further random number nonce1 and uses nonce1 and K0 to produce the shared key K1; it encrypts nonce1 and related information with K0, and encrypts K1 and the UE authentication result with the key shared between IdP and AS; the IdP sends a 200 OK message to the UE containing nonce1 and related information encrypted under K0, indicating that UE authentication succeeded, and at the same time redirects K1 and the authentication result, encrypted under the key shared between AS and IdP, to the AS via the UE. The UE decrypts to obtain nonce1 and derives the shared key K1; the AS decrypts its information to obtain the UE authentication result and the key K1. UE and AS now share the key K1, so their subsequent communication can be encrypted with K1 to secure it.
In addition, OpenID defines its own infrastructure and specification for accessing Web services. Its framework mainly comprises three entities: the UE, the OpenID identity provider entity (OP, OpenID Provider) and the service relying party (RP).
In the OpenID framework each end user uses the user identifier assigned on registration with the OpenID Provider. When the UE accesses a service relying party (RP) that supports OpenID, it only needs to enter the identifier; the RP normalizes the identifier and then uses the discovery mechanism to obtain the OP endpoint URL (Uniform/Universal Resource Locator) from it. An association is established between RP and OP so that the two share a key, with which the OP signs subsequent messages and the RP verifies them; this association is optional, but when OP and RP sit in different Mobile Network Operator (MNO, Mobile Network Operator) networks, the shared key it produces is very important for the secure transmission of messages. The RP requests the OP to authenticate the UE. The OP establishes from the UE's authorization information whether the UE is authorized to perform OpenID authentication and wishes to be authorized, completes the authentication of the OpenID user on the basis of that authorization information, generates an authentication assertion from the result and returns it to the RP. The RP confirms the assertion and decides whether to provide the service to the UE.
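The RP-side normalization, the OpenID authentication request, the OP's signed assertion and the RP's confirmation described in this paragraph (the same exchange appears as steps 2, 4, 20 and 21 of the embodiment below), as an added example in Python that is not part of the patent. It assumes the association key has already been agreed between RP and OP (the page says by Diffie-Hellman; that exchange is not shown), uses HMAC-SHA256 over the OpenID 2.0 key-value form as the signature, and the endpoint URLs, association handle, identifier and timestamp are constructed sample values.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Constructed sample values (not from the patent). ASSOC_KEY stands for the key the RP and
# OP would agree by Diffie-Hellman; the DH exchange itself is not shown here.
OP_ENDPOINT = "https://op.example.net/openid"
ASSOC_HANDLE = "assoc-0001"
ASSOC_KEY = secrets.token_bytes(32)
RP_RETURN_TO = "https://rp.example.org/openid/return"
RP_REALM = "https://rp.example.org/"
OPENID_NS = "http://specs.openid.net/auth/2.0"
# Fields the OP must cover with its signature in a positive assertion
SIGNED_FIELDS = ["op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"]


def normalize_identifier(user_supplied):
    """RP-side normalization of the User-Supplied Identifier (simplified): add a scheme
    if missing, lower-case the host, drop any fragment."""
    ident = user_supplied.strip()
    if "://" not in ident:
        ident = "http://" + ident
    scheme, rest = ident.split("://", 1)
    host, _, path = rest.partition("/")
    return f"{scheme}://{host.lower()}/{path.split('#', 1)[0]}"


def rp_build_checkid_request(user_supplied):
    """RP redirect to the OP with the identifier in openid.claimed_id and openid.identity."""
    claimed = normalize_identifier(user_supplied)
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed,
        "openid.identity": claimed,
        "openid.return_to": RP_RETURN_TO,
        "openid.realm": RP_REALM,
        "openid.assoc_handle": ASSOC_HANDLE,
    }
    return OP_ENDPOINT + "?" + urlencode(params), params


def kv_form(fields, signed):
    """OpenID key-value form over the signed fields: the input to the signature MAC."""
    return "".join(f"{name}:{fields.get('openid.' + name, '')}\n" for name in signed)


def op_positive_assertion(request, assoc_key):
    """OP builds the id_res fields and signs them with the association key."""
    fields = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": request["openid.claimed_id"],
        "openid.identity": request["openid.identity"],
        "openid.return_to": request["openid.return_to"],
        "openid.response_nonce": "2011-03-24T00:00:00Z" + secrets.token_hex(4),  # constructed
        "openid.assoc_handle": request["openid.assoc_handle"],
        "openid.signed": ",".join(SIGNED_FIELDS),
    }
    mac = hmac.new(assoc_key, kv_form(fields, SIGNED_FIELDS).encode(), hashlib.sha256).digest()
    fields["openid.sig"] = base64.b64encode(mac).decode()
    return fields


def rp_verify_assertion(fields, assoc_key, seen_nonces):
    """RP confirmation of the assertion: mode, return_to, association handle, signed-field
    coverage, signature (constant-time compare) and a response-nonce cache against replay."""
    if fields.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    if fields.get("openid.return_to") != RP_RETURN_TO:
        return False, "return_to mismatch"
    if fields.get("openid.assoc_handle") != ASSOC_HANDLE:
        return False, "unknown association"
    signed = fields.get("openid.signed", "").split(",")
    if not set(SIGNED_FIELDS) <= set(signed):
        return False, "required field not covered by signature"
    expected = hmac.new(assoc_key, kv_form(fields, signed).encode(), hashlib.sha256).digest()
    try:
        given = base64.b64decode(fields.get("openid.sig", ""))
    except ValueError:
        return False, "malformed signature"
    if not hmac.compare_digest(expected, given):
        return False, "bad signature"
    nonce = fields.get("openid.response_nonce", "")
    if nonce in seen_nonces:
        return False, "replayed assertion"
    seen_nonces.add(nonce)
    return True, fields["openid.claimed_id"]
```

The RP-side checks are what make the assertion binding: return_to and assoc_handle tie the response to this RP and this association, the signed-field check prevents an assertion whose signature covers only harmless fields from being accepted, and the nonce cache stops a captured positive assertion from being presented twice. This is also why the paragraph stresses the association key when OP and RP are in different MNO networks: without it the RP has nothing with which to verify the signature.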
In SSO_APS, the AS of the SSO framework ultimately obtains the shared key and the terminal authentication result and authorization information, while the OpenID framework supports Web services and provides a unique identifier for each UE. If interworking between the two frameworks could be achieved, the original security would not be reduced, terminal operation would become simpler, and the terminal's application scenarios would be extended to the existing diverse Web services.
3GPP specification 33.924 currently defines an interworking scenario between the GBA framework and the OpenID framework, in which the Network Application Function (NAF, Network Application Function) and the OP are one entity. Its characteristic is that the Ub and Zn interfaces of the original GBA framework are essentially unchanged, while the OP and the UE of the OpenID framework must add GBA functions. Whenever the UE accesses an RP it first authenticates at OP/NAF, and authentication at OP/NAF requires a bootstrapping procedure between the UE and the Bootstrapping Server Function (BSF, Bootstrapping Server Function).
A common IMS terminal in a non-UICC environment cannot authenticate using the GBA framework; for such IMS terminals, SSO_APS designs a framework that realizes SSO with the SIP Digest mechanism. The problem that urgently needs solving is that the SSO framework and the OpenID framework cannot interwork, so that such IMS terminals cannot support the OpenID mechanism and obtain the diverse Web services.
Content of the invention
In view of this, the main object of the present invention is to provide a combined authentication system and authentication method that fuse the SSO framework with the OpenID framework and so provide richer Web services to the UE.
To achieve the above object, the technical scheme of the invention is realized as follows:
A combined authentication system comprising an SSO framework and an OpenID framework, in which interworking between the SSO framework and the OpenID framework is achieved by sharing the application server AS of the SSO framework and the OpenID identity provider entity OP of the OpenID framework.
Preferably, the OpenID framework also includes a service relying party RP; wherein
the RP is configured to redirect the UE to the OP with an OpenID authentication request after receiving a service request from the IP Multimedia Subsystem (IMS) user equipment (UE);
the OP is configured to return an unauthorized response to the UE after receiving the UE's HTTP (Hypertext Transfer Protocol) GET request, requiring the UE to authenticate with the Session Initiation Protocol Digest (SIP Digest) mechanism of the SSO framework;
the UE is configured to perform SIP Digest authentication through the SSO framework when it has not yet done so;
the OP is further configured to obtain the UE's authorization information after SIP Digest authentication, complete OpenID authentication of the UE on the basis of that authorization information, generate an authentication assertion from the result and send the assertion to the RP;
the RP is further configured to provide the service to the UE when it confirms that the assertion is correct.
Preferably, the RP is further configured, after receiving the UE's service request, to obtain the address of the OP from the UE identification information carried in the service request and to discover the OP endpoint URL, through which the authentication of the UE is completed.
Preferably, before the RP and the OP exchange information, they further negotiate a key for protecting the security of their communication.
Preferably, the SSO framework also includes a home subscriber server HSS and an identity provider entity IdP; wherein
the AS is configured to ask the UE to authenticate to the IdP, the request authentication information flow including the identification information of the UE and the AS;
the IdP is configured to authenticate the AS on the basis of the AS's identification information and store the AS authentication result, and, when it confirms that the UE has not undergone SIP Digest authentication, to obtain the SIP Digest authentication vector and the UE's information from the HSS, generate a random number nonce and send an authentication challenge to the UE;
the UE is configured to generate a random number cnonce and a hash value, derive the shared key K0 from them and reply with a response to the IdP;
the IdP is configured to complete the authentication of the UE after receiving its response and generate K0; and to generate a further random number nonce1, derive the key K1 from nonce1 and K0, encrypt nonce1 and related information with K0, encrypt K1 and the UE authentication result with the key shared between AS and IdP, and then send a 200 OK message to the UE containing nonce1 and related information encrypted under K0, indicating that UE authentication succeeded, while redirecting the information encrypted under the key shared between AS and IdP to the AS;
the UE is further configured to generate K1 after obtaining the 200 OK message, so that the UE and the AS share the key K1.
An authentication method, applied in a fused system of an SSO framework and an OpenID framework in which interworking between the two is achieved by sharing the AS of the SSO framework and the OP of the OpenID framework; the method further includes:
after receiving a service request from the IMS UE, the RP redirects the UE to the OP carrying an OpenID authentication request;
after receiving the UE's HTTP GET request, the OP returns an unauthorized response to the UE requiring it to authenticate with the Session Initiation Protocol Digest (SIP Digest) mechanism of the SSO framework;
if the UE has not yet completed SIP Digest authentication, it does so through the SSO framework;
after SIP Digest authentication the OP obtains the UE's authorization information, completes OpenID authentication of the UE on that basis, generates an authentication assertion from the result and sends the assertion to the RP;
the RP provides the service to the UE when it confirms that the assertion is correct.
Preferably, the method also includes:
after receiving the UE's service request, the RP obtains the address of the OP from the UE identification information carried in the service request and discovers the OP endpoint URL, through which it completes the authentication of the UE.
Preferably, the method also includes:
before the RP and the OP exchange information, negotiating a key for protecting the security of their communication.
Preferably, the UE performing SIP Digest authentication through the SSO framework when it has not yet done so consists of:
the AS asks the UE to authenticate to the authentication center IdP, the request authentication information flow including the identification information of the UE and the AS;
the IdP authenticates the AS on the basis of the AS's identification information and stores the AS authentication result, and, when it confirms that the UE has not undergone SIP Digest authentication, obtains the SIP Digest authentication vector, the UE's information and the hash value from the HSS, generates a random number nonce and sends an authentication challenge to the UE;
the UE generates a random number cnonce and a hash value, derives the shared key K0 from them and replies with a response to the IdP;
the IdP completes the authentication of the UE after receiving its response and generates K0; it then generates a further random number nonce1, derives the key K1 from nonce1 and K0, encrypts nonce1 and related information with K0, encrypts K1 and the UE authentication result with the key shared between AS and IdP, and sends a 200 OK message to the UE containing nonce1 and related information encrypted under K0, indicating that UE authentication succeeded, while redirecting the information encrypted with K0 and with the key shared between AS and IdP to the AS;
the UE generates K1 after obtaining the 200 OK message, so that the UE and the AS share the key K1.
In the present invention the SSO framework and the OpenID framework are fused by sharing the AS of the SSO framework and the OP of the OpenID framework, so that when the UE initiates a service request towards the OpenID framework, the OpenID framework triggers the UE to initiate SIP Digest authentication with the SSO framework. This strengthens supervision of the UE user while providing richer Web services to the users of the SSO framework.
Description of the drawings
Fig. 1 is a schematic diagram of the structure of the fused SSO/OpenID system of the present invention;
Fig. 2 is a flow chart of the authentication method applied to the system shown in Fig. 1.
Specific embodiment
The basic idea of the present invention is to fuse the SSO framework and the OpenID framework by sharing the AS of the SSO framework and the OP of the OpenID framework, so that when the UE initiates a service request towards the OpenID framework, the OpenID framework triggers the UE to initiate SIP Digest authentication with the SSO framework; this strengthens supervision of the UE user while providing richer Web services to the users of the SSO framework.
To make the objects, technical solutions and advantages of the present invention clearer, the invention is further described below by way of embodiments and with reference to the drawings.
Fig. 1 is a schematic diagram of the structure of the fused SSO/OpenID system of the present invention. As shown in Fig. 1, the invention proposes a combined authentication architecture to achieve interworking of the SSO framework and the OpenID framework in SSO_APS, so that a common IMS terminal in a UICC-less environment can realize SSO to application servers using this combined architecture. Here the UE is the IMS terminal; the OpenID provider entity (OP) and the application server entity of the SSO framework in SSO_APS are one entity, OP/AS; the RP corresponds to the final application server that the IMS terminal of the fused system wants to access through OpenID; and the IdP is the user authentication center that completes the SSO-framework authentication of the UE in SSO_APS. In the present invention each network element of the SSO framework and the OpenID framework essentially keeps its original function and structure; the larger change is that OP and AS are merged. Since the functions realized by these network elements are prior art, their functions and concrete structure are not repeated here; the invention only describes how the UE is authenticated in the fused system.
Fig. 2 is a flow chart of the authentication method applied to the system shown in Fig. 1. As shown in Fig. 2, the authentication method of the present invention comprises the following steps:
Step 1. The user sends the User-Supplied Identifier through the UE's browser to the RP, initiating the service request.
Step 2. The RP normalizes the User-Supplied Identifier, obtains the address of the OP on the basis of it and discovers the OP endpoint URL (Uniform/Universal Resource Locator); the authentication of the UE is to be completed through this URL.
Step 3. The RP and the OP establish a shared key using the Diffie-Hellman key exchange. The purpose of the key is to let the OP encrypt subsequent messages so that the RP can confirm the messages it receives (the key is optional and not a necessary operation for interworking). If the OP and the RP are located in the control domains of different Mobile Network Operators (MNO, Mobile Network Operator), the key agreement is necessary.
Step 4. The RP redirects the UE's browser to the OP carrying the OpenID authentication request. The RP inserts the User-Supplied Identifier of step 1 into the openid.claimed_id and openid.identity fields of the OpenID authentication request message.
Step 5. Following the redirect, the UE sends an HTTP GET request to the OP.
Step 6. OP/AS initiates UE authentication and responds with a 401 Unauthorized HTTPS response whose authentication header carries the challenge information; the UE authenticates with the server using the SIP Digest mechanism. The response message also carries the OP/AS identity (OP/AS_credential) encrypted with the key shared between OP/AS and IdP, i.e. E_{K_{O,i}}(OP/AS_credential). OP/AS and IdP already share the key K_{O,i} through existing mechanisms; since obtaining K_{O,i} is prior art, the details of how it is obtained are not repeated here.
Step 7. If the UE has no valid key K0 available, it sends an HTTP request to the IdP to carry out the UE authentication procedure; the HTTP request carries the UE identity (U_credential) and E_{K_{O,i}}(OP/AS_credential).
Step 8. The IdP decrypts E_{K_{O,i}}(OP/AS_credential) to obtain the OP/AS identity, authenticates OP/AS on its basis, and generates and stores the OP/AS authentication result OP/AS_Auth. At the same time, from the received UE identifier U_credential, the IdP first checks whether a key K0 shared between this UE and the IdP exists: if K0 exists it jumps directly to step 15, otherwise it executes step 9.
Step 9. The IdP sends an authentication request to the HSS; based on U_credential the IdP looks up and downloads from the HSS the corresponding SIP Digest authentication vector (SD-AV) and user configuration information. The SD-AV contains U_credential, the realm, the quality of protection (qop), the authentication algorithm (algorithm) and H(A1), where H(A1) is the hash value formed from U_credential, realm and password. In a multi-HSS environment the IdP can obtain the address of the HSS storing the user's profile by querying the Subscription Locator Function (SLF), and so find the corresponding HSS.
Step 10. The IdP generates the random number nonce and stores it, for this U_credential, together with the H(A1) downloaded from the HSS.
Step 11. The IdP sends a 401 unauthenticated challenge message to the UE; the challenge message contains U_credential, realm, qop, algorithm and nonce.
Step 12. On receiving the 401 challenge, the UE generates the random number cnonce and H(A1), then uses cnonce, H(A1) and other values to derive the key K0 shared between UE and IdP. The response value is computed with the one-way hash function F: response = F(H(A1), cnonce, nonce, qop, nonce-count). The UE uses cnonce to authenticate the network and to guard against chosen-plaintext attacks. nonce-count is a counter: each time the user computes a response with the same nonce, nonce-count increases by 1; including nonce-count in the response computation reduces the probability of a replay attack.
Step 13. The UE sends the response to the IdP for the challenge message of step 11; the response message contains cnonce, nonce, response, realm, U_credential, qop, algorithm, Digest-url and nonce-count.
Step 14. On receiving the response message, the IdP checks the nonce in it against the stored nonce value. If the check passes, the IdP computes Xresponse from cnonce, nonce-count, qop and the other parameters of the received response together with the nonce and H(A1) originally stored in the IdP, and compares the computed Xresponse with the received response value: if they are identical the UE is authenticated, otherwise UE authentication fails. The IdP stores the UE authentication result information UE_Auth. If UE authentication succeeds, the IdP derives the shared key K0 from H(A1), cnonce and other values.
Step 15. The IdP generates a further random number nonce1, then derives the key K1 from K0, nonce1 and other values. It encrypts nonce1 and related information with the shared key K0, producing E_K0(nonce1), and encrypts K1 and UE_Auth with the key K_{O,i} shared between OP/AS and IdP, producing E_{K_{O,i}}(K1, UE_Auth).
Step 16. The IdP sends a 200 OK message to the UE containing nonce1 and related information encrypted under K0, indicating that UE authentication succeeded; at the same time the IdP redirects the UE to OP/AS, the redirect message carrying E_{K_{O,i}}(K1, UE_Auth).
Step 17. The UE decrypts E_K0(nonce1) to obtain nonce1 and derives the key K1 from K0, nonce1 and other values.
Step 18. The message sent by the IdP is redirected to OP/AS; the redirect message carries E_{K_{O,i}}(K1, UE_Auth).
Step 19. On receiving the redirect message, OP/AS decrypts E_{K_{O,i}}(K1, UE_Auth) with the shared key and obtains K1 and UE_Auth. From UE_Auth, OP/AS learns the UE's authorization information and establishes whether the UE is authorized to perform OpenID authentication and wishes to be authorized; it may also learn from UE_Auth the information types that may be shared with the RP. On the basis of the UE's authorization information, OP/AS completes the authentication of the OpenID user using the key K1 now shared between UE and OP/AS over the SSOa interface, and generates an authentication assertion from the result.
Step 20. OP/AS redirects the browser to the OpenID return address, i.e. redirects the UE's browser back to the RP; the redirect response carries either a positive assertion that authentication is approved or an assertion of authentication failure. The header of the redirect response contains a series of fields defining the assertion information, which may be protected by encryption with the key between OP/AS and RP; this key protection mechanism is especially important when OP/AS and RP are located in different MNO networks.
Step 21. The RP confirms the assertion it received and checks whether authentication was approved. The UE's authenticated identity is provided in the response message sent to the RP. If OP/AS and RP established a shared key in step 3, that key is now used to confirm the message from OP/AS. If the assertion is positive and all information is verified, the UE obtains the service of the RP.
Note that if any of steps 1 to 21 fails, the whole procedure stops.
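Steps 9 to 19 above, which are the same SIP Digest exchange the background description of SSO_APS summarizes, as an added example in Python that is not the patent's own code. Assumptions: H(A1) and the response use the RFC 2617 Digest layout as the concrete one-way function F; K0 and K1 are derived with HMAC-SHA256 because the patent leaves the key-generation method open; E_K(.) is a constructed HMAC-based wrap standing in for whatever cipher a deployment uses; the HSS is a dict; IdP, UE and OP/AS are functions in one process; the identity, realm, password and K_{O,i} are sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the patent): one HSS subscriber, and the key K_{O,i}
# that OP/AS and IdP already share (the page treats its establishment as prior art).
U_CREDENTIAL = "alice@ims.example.com"
REALM = "ims.example.com"
PASSWORD = "correct-horse-battery"
K_O_I = secrets.token_bytes(32)

def md5hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def h_a1(u_credential, realm, password):
    # H(A1): hash of U_credential, realm and password (step 9); RFC 2617 layout assumed
    return md5hex(f"{u_credential}:{realm}:{password}")

def digest_response(ha1, nonce, nonce_count, cnonce, qop, method, digest_url):
    # response = F(H(A1), cnonce, nonce, qop, nonce-count) of step 12; RFC 2617 "auth" used as F
    ha2 = md5hex(f"{method}:{digest_url}")
    return md5hex(f"{ha1}:{nonce}:{nonce_count}:{cnonce}:{qop}:{ha2}")

def kdf(material, label):
    # Stand-in key derivation (HMAC-SHA256); the patent leaves the key-generation method open
    return hmac.new(label.encode(), material.encode(), hashlib.sha256).digest()

def _keystream(key, iv, n):
    blocks = (hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def wrap(key, plaintext):
    # Stand-in for E_K(.): HMAC keystream XOR plus an HMAC tag (constructed; use a real AEAD in practice)
    iv, data = secrets.token_bytes(16), plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, iv, len(data))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()

def unwrap(key, blob):
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct)))).decode()

class IdP:
    """Steps 9 to 16: challenge, verify the response, derive K0 and K1, wrap for UE and OP/AS."""
    def __init__(self, hss_records):
        self.hss = hss_records  # U_credential -> SD-AV (constructed stand-in for the HSS)
        self.sessions = {}      # U_credential -> stored nonce, H(A1), highest nonce-count seen
        self.k0 = {}

    def challenge(self, u_credential):
        av = self.hss[u_credential]
        nonce = secrets.token_hex(16)  # step 10: nonce stored with H(A1) for this U_credential
        self.sessions[u_credential] = {"nonce": nonce, "ha1": av["H(A1)"], "nc": 0}
        return {"U_credential": u_credential, "realm": av["realm"], "qop": av["qop"],
                "algorithm": av["algorithm"], "nonce": nonce}

    def verify(self, resp):
        sess = self.sessions.get(resp["U_credential"])
        if sess is None or resp["nonce"] != sess["nonce"]:
            return False  # step 14: unknown session or nonce mismatch
        nc = int(resp["nonce-count"], 16)
        if nc <= sess["nc"]:
            return False  # nonce-count did not increase: replayed response
        xresponse = digest_response(sess["ha1"], sess["nonce"], resp["nonce-count"],
                                    resp["cnonce"], resp["qop"], "GET", resp["Digest-url"])
        if not hmac.compare_digest(xresponse, resp["response"]):
            return False  # wrong password or tampered response
        sess["nc"] = nc
        self.k0[resp["U_credential"]] = kdf(sess["ha1"] + resp["cnonce"], "K0")
        return True

    def issue(self, u_credential):
        # steps 15 and 16: nonce1, K1, E_K0(nonce1) for the UE and E_KOi(K1, UE_Auth) for OP/AS
        k0, nonce1 = self.k0[u_credential], secrets.token_hex(16)
        k1 = kdf(k0.hex() + nonce1, "K1")
        return wrap(k0, nonce1), wrap(K_O_I, k1.hex() + "|UE_Auth=success")

def ue_answer(challenge, password, nonce_count="00000001", digest_url="/sso"):
    # steps 12 and 13: the UE computes H(A1), cnonce, response and its own copy of K0
    ha1 = h_a1(challenge["U_credential"], challenge["realm"], password)
    cnonce = secrets.token_hex(8)
    resp = dict(challenge, cnonce=cnonce, **{"nonce-count": nonce_count, "Digest-url": digest_url})
    resp["response"] = digest_response(ha1, challenge["nonce"], nonce_count, cnonce,
                                       challenge["qop"], "GET", digest_url)
    return resp, kdf(ha1 + cnonce, "K0")

def run_flow(password=PASSWORD):
    """Runs steps 9 to 19; returns (UE and OP/AS hold the same K1, UE_Auth)."""
    hss = {U_CREDENTIAL: {"realm": REALM, "qop": "auth", "algorithm": "MD5",
                          "H(A1)": h_a1(U_CREDENTIAL, REALM, PASSWORD)}}
    idp = IdP(hss)
    resp, ue_k0 = ue_answer(idp.challenge(U_CREDENTIAL), password)
    if not idp.verify(resp):
        return False, "UE_Auth=failure"
    to_ue, to_op_as = idp.issue(U_CREDENTIAL)
    ue_k1 = kdf(ue_k0.hex() + unwrap(ue_k0, to_ue), "K1")  # step 17 at the UE
    k1_hex, ue_auth = unwrap(K_O_I, to_op_as).split("|")  # step 19 at OP/AS
    return ue_k1 == bytes.fromhex(k1_hex), ue_auth
```

run_flow() returns (True, "UE_Auth=success") when the UE knows the password, and (False, "UE_Auth=failure") otherwise; the UE never sends the password or H(A1), only the response. The IdP's verify() shows the three checks the text attaches to step 14: the nonce must be the one the IdP stored, nonce-count must be higher than the last one accepted for that nonce (so a captured response cannot be replayed), and the recomputed Xresponse must match. The K1 that the UE derives from the decrypted nonce1 equals the K1 that OP/AS unwraps with K_{O,i}, which is the shared key the text uses over SSOa in step 19.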
If the UE encounters an unexpected offline condition while accessing the RP application server: if the UE had not yet completed the service access procedure between UE and RP, then after the network recovers the UE must restart the service request procedure in order to access the application server; if the UE had already completed the service access procedure and the network recovery time does not exceed the lifetime of the Cookie and of the shared key, the UE and the RP can continue to use that shared key and Cookie to obtain the application service after recovery, otherwise the shared key must be produced anew. If, after the UE has accessed the RP application server, the user actively closes or logs out the UE, or the UE powers off, or a similar special situation occurs, the user must perform the whole procedure again.
In the present invention the key generation described above may use any existing key generation method; the invention does not restrict the key generation method adopted.
The above are only preferred embodiments of the present invention and are not intended to limit its scope of protection.

Claims (7)

1. A combined authentication system comprising a single sign-on SSO framework and an OpenID framework, characterized in that interworking between the SSO framework and the OpenID framework is achieved by sharing the application server AS of the SSO framework and the OpenID identity provider entity OP of the OpenID framework;
a shared key is established between the OP and the service relying party RP using the Diffie-Hellman key exchange;
the SSO framework also includes a home subscriber server HSS and an identity provider entity IdP; wherein
the AS is configured to ask the UE to authenticate to the IdP, the request authentication information flow including the identification information of the UE and the AS;
the IdP is configured to authenticate the AS on the basis of the AS's identification information and store the AS authentication result, and, when it confirms that the UE has not undergone SIP Digest authentication, to obtain the SIP Digest authentication vector and the UE's information from the HSS, generate a random number nonce and send an authentication challenge to the UE;
the UE is configured to generate a random number cnonce and a hash value, derive the shared key K0 from them and reply with a response to the IdP;
the IdP is configured to complete the authentication of the UE after receiving its response and generate K0; and to generate a further random number nonce1, derive the key K1 from nonce1 and K0, encrypt nonce1 with K0, encrypt K1 and the UE authentication result with the key shared between AS and IdP, and then send a 200 OK message to the UE containing nonce1 encrypted under K0; and to redirect the information encrypted under the key shared between AS and IdP to the AS;
the UE is further configured to generate K1 after obtaining the 200 OK message, so that the UE and the AS share the key K1.
2. The system according to claim 1, characterized in that the OpenID framework further comprises a service relying party (RP); wherein
the RP is configured to, after receiving a service request from an IP Multimedia Subsystem (IMS) user equipment (UE), redirect the UE to the OP carrying an OpenID authentication request;
the OP is configured to, after receiving a Hypertext Transfer Protocol (HTTP) GET request from the UE, return an unauthorized response to the UE, requiring the UE to be authenticated using the Session Initiation Protocol (SIP) Digest mechanism in the SSO framework;
the UE is configured to, when SIP Digest authentication has not been performed, perform SIP Digest authentication through the SSO framework;
the OP is further configured to obtain the authorization information of the UE after SIP Digest authentication, complete the OpenID authentication of the UE according to the authorization information of the UE, generate an authentication assertion according to the authentication result, and send the authentication assertion to the RP;
the RP is further configured to provide the service to the UE upon confirming that the assertion is correct.
3. The system according to claim 2, characterized in that the RP is further configured to, after receiving the service request from the UE, obtain the address information of the OP based on the identification information of the UE carried in the service request, find the OP endpoint uniform resource locator (URL), and complete the authentication of the UE through that URL.
4. The system according to claim 2, characterized in that, before the RP and the OP exchange information, they further negotiate a key for communication security protection.
5. An authentication method, characterized in that it is applied in a system in which an SSO framework and an OpenID framework are fused, wherein the SSO framework and the OpenID framework achieve fused interworking through an AS in the SSO framework and an OP in the OpenID framework being shared; a shared key is established between the OP and a service relying party (RP) using the Diffie-Hellman key exchange protocol;
the method further comprises:
the RP, after receiving a service request from an IMS UE, redirects the UE to the OP carrying an OpenID authentication request;
the OP, after receiving an HTTP GET request from the UE, returns an unauthorized response to the UE, requiring the UE to be authenticated using the Session Initiation Protocol (SIP) Digest mechanism in the SSO framework;
the UE, when SIP Digest authentication has not been performed, performs SIP Digest authentication through the SSO framework;
the OP obtains the authorization information of the UE after SIP Digest authentication, completes the OpenID authentication of the UE according to the authorization information of the UE, generates an authentication assertion according to the authentication result, and sends the authentication assertion to the RP;
the RP provides the service to the UE upon confirming that the assertion is correct;
wherein the UE performing SIP Digest authentication through the SSO framework when SIP Digest authentication has not been performed comprises:
the AS requests the IdP to authenticate the UE, the request authentication information flow containing identification information of the UE and the AS;
the IdP authenticates the AS according to the identification information of the AS and stores the AS authentication result, and, upon confirming that the UE has not undergone SIP Digest authentication, obtains the SIP Digest authentication vector and the information content of the UE from the HSS, generates a random number nonce, and sends an authentication challenge to the UE;
the UE generates a random number cnonce and a hash function value, thereby generates the shared key K0, and replies with a response to the IdP;
the IdP completes the authentication of the UE after receiving the response of the UE and generates K0; it then generates a further random number nonce1, generates a key K1 using nonce1 and K0, encrypts the random number nonce1 with K0, encrypts K1 and the authentication result of the UE with the shared key between the AS and the IdP, and sends a 200 OK message to the UE, the 200 OK message containing the nonce1 information encrypted with K0; and redirects the information encrypted with the shared key between the AS and the IdP to the AS;
the UE generates K1 after obtaining the 200 OK message, so that the UE and the AS possess the shared key K1.
6. The method according to claim 5, characterized in that the method further comprises:
the RP, after receiving the service request from the UE, obtains the address information of the OP based on the identification information of the UE carried in the service request, finds the OP endpoint URL, and completes the authentication of the UE through that URL.
7. The method according to claim 5, characterized in that the method further comprises:
before the RP and the OP exchange information, negotiating a key for communication security protection.
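As an added illustration (not code from the patent or from ZTE), the following Python models the UE/IdP exchange of claims 1 and 5: the IdP challenges with nonce, the UE answers with cnonce and a hash value and derives K0, the IdP verifies the answer, derives K0 and K1 from nonce1, and returns nonce1 encrypted under K0 in the 200 OK so the UE can derive the same K1. The RFC 2617-style H(A1), the HMAC-based derivation of K0 and K1, and the HMAC-keystream cipher are assumptions, since the patent leaves the key generation method open.

```python
import hashlib
import hmac
import secrets

# Constructed model of the claim 1 / claim 5 key agreement; the hash, KDF and
# cipher choices are assumptions, not taken from the patent.

def ha1(user: str, realm: str, password: str) -> bytes:
    """RFC 2617-style H(A1): the digest secret the HSS holds for the UE (assumed)."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).digest()

def digest_response(h_a1: bytes, nonce: bytes, cnonce: bytes) -> bytes:
    """UE's hash function value answering the IdP challenge (simplified digest)."""
    return hashlib.sha256(h_a1 + b":" + nonce + b":" + cnonce).digest()

def derive_k0(h_a1: bytes, nonce: bytes, cnonce: bytes) -> bytes:
    """K0, computed independently by UE and IdP from the digest material (assumed KDF)."""
    return hmac.new(h_a1, b"K0" + nonce + cnonce, hashlib.sha256).digest()

def derive_k1(k0: bytes, nonce1: bytes) -> bytes:
    """K1 from nonce1 and K0; this is the key the UE and the AS end up sharing."""
    return hmac.new(k0, b"K1" + nonce1, hashlib.sha256).digest()

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Encrypt/decrypt nonce1 under K0 with an HMAC keystream (assumed cipher, one use per K0)."""
    stream = hmac.new(key, b"enc-nonce1", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def run_exchange(user, realm, ue_password, hss_password, nonce=None, cnonce=None, nonce1=None):
    """Run the exchange; returns the K1 each side holds, or None if the UE fails authentication."""
    nonce = nonce or secrets.token_bytes(16)      # IdP's challenge nonce
    cnonce = cnonce or secrets.token_bytes(16)    # UE's client nonce
    nonce1 = nonce1 or secrets.token_bytes(16)    # IdP's second nonce
    idp_ha1 = ha1(user, realm, hss_password)      # authentication vector fetched from the HSS
    # UE answers the challenge and derives K0
    ue_ha1 = ha1(user, realm, ue_password)
    response = digest_response(ue_ha1, nonce, cnonce)
    ue_k0 = derive_k0(ue_ha1, nonce, cnonce)
    # IdP checks the response; on failure the whole flow stops
    if not hmac.compare_digest(response, digest_response(idp_ha1, nonce, cnonce)):
        return None
    idp_k0 = derive_k0(idp_ha1, nonce, cnonce)
    idp_k1 = derive_k1(idp_k0, nonce1)
    enc_nonce1 = xor_stream(idp_k0, nonce1)       # carried to the UE in the 200 OK
    # UE recovers nonce1 from the 200 OK and derives the same K1
    ue_k1 = derive_k1(ue_k0, xor_stream(ue_k0, enc_nonce1))
    return {"ue_k1": ue_k1, "idp_k1": idp_k1}
```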
CN201110072463.5A 2011-03-24 2011-03-24 Combination attestation system and authentication method Expired - Fee Related CN102694779B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201110072463.5A CN102694779B (en) 2011-03-24 2011-03-24 Combination attestation system and authentication method
PCT/CN2012/071198 WO2012126299A1 (en) 2011-03-24 2012-02-16 Combined authentication system and authentication method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110072463.5A CN102694779B (en) 2011-03-24 2011-03-24 Combination attestation system and authentication method

Publications (2)

Publication Number Publication Date
CN102694779A CN102694779A (en) 2012-09-26
CN102694779B true CN102694779B (en) 2017-03-29

Family

ID=46860066

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110072463.5A Expired - Fee Related CN102694779B (en) 2011-03-24 2011-03-24 Combination attestation system and authentication method

Country Status (2)

Country Link
CN (1) CN102694779B (en)
WO (1) WO2012126299A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107548051A (en) * 2016-06-29 2018-01-05 中兴通讯股份有限公司 Method for processing business, network application function entity and generic authentication architecture system
CN110035035B (en) * 2018-01-12 2021-09-17 北京新媒传信科技有限公司 Secondary authentication method and system for single sign-on
CN108664803B (en) * 2018-04-04 2022-03-22 中国电子科技集团公司第三十研究所 Password-based document content fine-grained access control system
CN110021086B (en) * 2018-10-29 2021-09-28 深圳市微开互联科技有限公司 Openid-based temporary authorization access control method

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101552673A (en) * 2009-04-30 2009-10-07 用友软件股份有限公司 An approach to log in single sign-on system by using OpenID account
WO2010028691A1 (en) * 2008-09-12 2010-03-18 Nokia Siemens Networks Oy Methods, apparatuses and computer program product for obtaining user credentials for an application from an identity management system
CN101771676A (en) * 2008-12-31 2010-07-07 华为技术有限公司 Setting and authentication method for cross-domain authorization and relevant device and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8613058B2 (en) * 2007-05-31 2013-12-17 At&T Intellectual Property I, L.P. Systems, methods and computer program products for providing additional authentication beyond user equipment authentication in an IMS network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Update of the solution of implementing SSO_APS based on SIP Digest; ZTE Corporation, et al.; 《3GPP TSG-SA3(Security) Meeting #62》; 20110128; page 6 paragraph 1 to page 7 last paragraph *

Also Published As

Publication number Publication date
CN102694779A (en) 2012-09-26
WO2012126299A1 (en) 2012-09-27

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20170329

Termination date: 20210324