CN104584477A - Authentication method, method of generating credentials, and associated device - Google Patents


Info

Publication number: CN104584477A
Authority: CN (China)
Prior art keywords: credential; user equipment; identifier; application server; login request
Legal status: Granted
Application number: CN201380000924.5A
Other languages: Chinese (zh)
Other versions: CN104584477B (en)
Inventor: 陈璟
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Legal events: application filed by Huawei Technologies Co Ltd; publication of CN104584477A; application granted; publication of CN104584477B; legal status active


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN

Abstract

An authentication method, a method of generating credentials, and an associated device. The authentication method comprises: upon receiving a first logon request from a user equipment, if it is found that the logon request does not carry an indication of a valid first credential, sending to the user equipment, according to the user equipment identifier carried in the logon request, an authentication challenge corresponding to the identifier, enabling the user equipment to generate the corresponding first credential according to the authentication challenge; receiving a second logon request sent by the user equipment, the second logon request being generated by the user equipment according to the identifier and the first credential; and authenticating the user equipment according to a second credential corresponding to the identifier, the second credential being generated by the same means as the first credential. Also disclosed is an associated device. With the technical solution of the authentication method, method of generating credentials, and associated device of the present invention, the process of a user equipment logging on to an application server can be simplified.

Description

Authentication method, method of generating credentials, and associated device
Technical field
The present invention relates to the technical field of communication security, and more particularly to an authentication method, a method of generating credentials, and an associated device.
Background technology
The 3rd Generation Partnership Project (3GPP) TS 33.220 describes the Generic Bootstrapping Architecture (GBA) authentication mechanism. As shown in Figure 1, the user equipment (UE) and the BSF (Bootstrapping Function) first perform an authentication procedure, after which the UE and the BSF share a key Ks and a key identifier B-TID; in this procedure the BSF obtains an authentication vector from the HSS/HLR (Home Subscriber Server/Home Location Register). Then the UE and an application server (Network Application Function, NAF) perform the login authentication procedure: an application client on the UE, such as a browser, logs in to the application server; the NAF obtains from the BSF, according to the user's B-TID, the key Ks_NAF1 used for logging in to that NAF; the UE side also generates Ks_NAF2, identical to Ks_NAF1; and the NAF and the UE verify each other on the basis of the identical Ks_NAF1 and Ks_NAF2 to determine whether the login authentication passes.
However, the GBA mechanism requires the operator to deploy a BSF, the BSF must be directly reachable by the UE, and the UE must connect to both the BSF and the NAF before the login to the application server can complete; the procedure is complicated and the access delay is large.
Therefore, how to simplify the authentication procedure between the user equipment and the application server has become a problem that the industry urgently needs to solve.
Content of the invention
Embodiments of the invention provide an authentication method, a method of generating credentials and an associated device, to solve the problem in the prior art that the authentication procedure between the user equipment and the application server is complicated.
In a first aspect, the invention provides an authentication method, including:
when a first login request of a user equipment is received, if it is found that the first login request does not carry an indication of a valid first credential, sending to the user equipment, according to the identifier of the user equipment carried in the login request, an authentication challenge corresponding to the identifier, so that the user equipment generates the corresponding first credential according to the authentication challenge;
receiving a second login request sent by the user equipment, the second login request being generated by the user equipment according to the identifier and the first credential;
verifying the user equipment according to a second credential corresponding to the identifier;
wherein the second credential is generated in the same manner as the first credential.
In a first possible implementation, the step of, when a first login request of a user equipment is received, if it is found that the first login request does not carry an indication of a valid first credential, sending to the user equipment, according to the identifier of the user equipment carried in the login request, an authentication challenge corresponding to the identifier, so that the user equipment generates the corresponding first credential according to the authentication challenge, includes:
when a first login request of a user equipment is received, if it is found that the first login request does not carry an indication of a valid first credential, sending the identifier to an authentication function device AF, so that the AF sends the identifier to a home subscriber server HSS or home location register HLR and obtains the corresponding authentication vector, the authentication vector including the authentication challenge and an authentication response; and sending the authentication challenge to the user equipment, so that the user equipment generates the corresponding first credential according to the authentication challenge.
With reference to the first aspect or the first possible implementation of the first aspect, in a second possible implementation, after it is found that the first login request does not carry an indication of a valid first credential, the method further includes: sending the identifier to the authentication function device AF, so that the AF sends information of the application server and the identifier to the home subscriber server HSS or home location register HLR, so that the HSS or HLR checks whether the user equipment is allowed to access the application server.
With reference to the first or second possible implementation of the first aspect, in a third possible implementation, the method further includes:
converting the identifier into the international mobile subscriber identity IMSI of the user equipment.
With reference to the first aspect or the first possible implementation of the first aspect, in a fourth possible implementation, after receiving the second login request sent by the user equipment and before verifying the user equipment according to the second credential corresponding to the identifier, the method further includes: obtaining, according to the identifier, the second credential corresponding to the identifier.
With reference to the first aspect, in a fifth possible implementation, the method further includes:
when a login request of a user equipment is received, if a first credential is found according to the identifier, obtaining, according to the identifier, the second credential corresponding to the identifier.
With reference to the fourth or fifth possible implementation of the first aspect, in a sixth possible implementation, obtaining, according to the identifier, the second credential corresponding to the identifier includes:
searching, according to the identifier, whether the second credential is stored locally;
if it is, obtaining the second credential locally;
if it is not, obtaining the second credential from the authentication function device AF, the second credential being generated by the AF, using the same algorithm as used to generate the first credential, from the corresponding authentication vector that the AF obtains from the home subscriber server HSS or home location register HLR according to the identifier.
In a second aspect, the invention provides a method of generating credentials, including:
when an application server finds that a login request sent by a user equipment does not carry an indication of a valid first credential, receiving an authentication vector acquisition request sent by the application server, the authentication vector acquisition request including the identifier of the user equipment;
sending to the application server the authentication vector corresponding to the identifier, obtained from the home subscriber server HSS or home location register HLR, so that the application server sends the authentication challenge in the authentication vector to the user equipment to generate the first credential corresponding to the authentication challenge;
when the application server receives a second login request sent by the user equipment, receiving a second credential acquisition request sent by the application server, the second credential acquisition request including the identifier of the user equipment;
generating the second credential according to the authentication vector, using the same algorithm as used to generate the first credential, so that the application server verifies the user equipment according to the second credential.
In a first possible implementation, after receiving the authentication vector acquisition request sent by the application server and before sending to the application server the authentication vector corresponding to the identifier obtained from the home subscriber server HSS or home location register HLR, the method further includes: sending the identifier and information of the application server to the HSS or HLR, so that the HSS or HLR checks whether the user equipment is allowed to access the application server.
With reference to the second aspect, in a second possible implementation, after generating the second credential according to the authentication vector using the same algorithm as used to generate the first credential, the method further includes:
storing the second credential in correspondence with the identifier.
With reference to the second aspect or the first or second possible implementation of the second aspect, in a third possible implementation, the method further includes:
converting the identifier into the international mobile subscriber identity IMSI of the user equipment.
In a third aspect, an authentication method is provided, including:
sending a first login request to an application server, the first login request carrying the identifier of a user equipment, and, if the login request carries an indication that there is no valid first credential, receiving the authentication challenge corresponding to the identifier sent by the application server;
generating the first credential according to the authentication challenge;
sending a second login request to the application server, the second login request being generated according to the identifier and the first credential, so that the application server verifies the user equipment according to a second credential corresponding to the identifier;
wherein the second credential is generated in the same manner as the first credential.
In a first possible implementation, generating the first credential according to the authentication challenge includes:
obtaining, according to the authentication challenge, the authentication response corresponding to the authentication challenge;
generating the first credential according to the authentication challenge and the authentication response, using the same algorithm as used to generate the second credential.
With reference to the third aspect or the first possible implementation of the third aspect, in a second possible implementation, the method further includes:
sending a third login request to the application server, the third login request being generated according to the identifier and the first credential, the identifier being a temporary identifier or a permanent identifier, the permanent identifier being generated according to the international mobile subscriber identity IMSI or the mobile subscriber ISDN number MSISDN of the user equipment;
receiving the verification result for the user equipment sent by the application server.
In a fourth aspect, an application server is provided, including:
a first sending unit, configured to, when a first login request of a user equipment is received, if it is found that the first login request does not carry an indication of a valid first credential, send to the user equipment, according to the identifier of the user equipment carried in the login request, an authentication challenge corresponding to the identifier, so that the user equipment generates the corresponding first credential according to the authentication challenge;
a first receiving unit, configured to receive a second login request sent by the user equipment, the second login request being generated by the user equipment according to the identifier and the first credential;
a first verification unit, configured to verify the user equipment according to a second credential corresponding to the identifier;
wherein the second credential is generated in the same manner as the first credential.
In a first possible implementation, the first sending unit includes:
a second sending unit, configured to, when a first login request of a user equipment is received, if it is found that the first login request does not carry an indication of a valid first credential, send the identifier to an authentication function device AF, so that the AF sends the identifier to the home subscriber server HSS or home location register HLR and obtains the corresponding authentication vector, the authentication vector including the authentication challenge and an authentication response;
a first obtaining unit, configured to obtain the authentication challenge from the AF;
a third sending unit, configured to send the authentication challenge to the user equipment, so that the user equipment generates the corresponding first credential according to the authentication challenge.
With reference to the fourth aspect or the first possible implementation of the fourth aspect, in a second possible implementation, the application server further includes:
a fourth sending unit, configured to send the identifier to the authentication function device AF, so that the AF sends information of the application server and the identifier to the home subscriber server HSS or home location register HLR, so that the HSS or HLR checks whether the user equipment is allowed to access the application server.
With reference to the first or second possible implementation of the fourth aspect, in a third possible implementation, the application server further includes:
a first converting unit, configured to convert the identifier into the international mobile subscriber identity IMSI of the user equipment.
With reference to the fourth aspect or the first possible implementation of the fourth aspect, in a fourth possible implementation, the application server further includes:
a second obtaining unit, configured to obtain, according to the identifier, the second credential corresponding to the identifier.
With reference to the fourth aspect, in a fifth possible implementation, the second obtaining unit is further configured to, when a login request of a user equipment is received, if a first credential is found according to the identifier, obtain, according to the identifier, the second credential corresponding to the identifier.
With reference to the fourth or fifth possible implementation of the fourth aspect, in a sixth possible implementation, the second obtaining unit includes:
a first searching unit, configured to search, according to the identifier, whether the second credential is stored locally;
a third obtaining unit, configured to obtain the second credential locally if it is;
a fourth obtaining unit, configured to obtain the second credential from the authentication function device AF if it is not, the second credential being generated by the AF, using the same algorithm as used to generate the first credential, from the corresponding authentication vector that the AF obtains from the home subscriber server HSS or home location register HLR according to the identifier.
In a fifth aspect, an authentication function device AF is provided, including:
a second receiving unit, configured to, when an application server finds that a login request sent by a user equipment does not carry an indication of a valid first credential, receive an authentication vector acquisition request sent by the application server, the authentication vector acquisition request including the identifier of the user equipment;
a fifth sending unit, configured to send to the application server the authentication vector corresponding to the identifier, obtained from the home subscriber server HSS or home location register HLR, so that the application server sends the authentication challenge in the authentication vector to the user equipment to generate the first credential corresponding to the authentication challenge;
a third receiving unit, configured to, when the application server receives a second login request sent by the user equipment, receive a second credential acquisition request sent by the application server, the second credential acquisition request including the identifier of the user equipment;
a first generation unit, configured to generate the second credential according to the authentication vector, using the same algorithm as used to generate the first credential, so that the application server verifies the user equipment according to the second credential.
In a first possible implementation, the AF further includes:
a sixth sending unit, configured to send the identifier and information of the application server to the HSS or HLR, so that the HSS or HLR checks whether the user equipment is allowed to access the application server.
With reference to the fifth aspect, in a second possible implementation, the AF further includes:
a storage unit, configured to store the second credential in correspondence with the identifier.
With reference to the fifth aspect or the first or second possible implementation of the fifth aspect, in a third possible implementation, the AF further includes:
a second converting unit, configured to convert the identifier into the international mobile subscriber identity IMSI of the user equipment.
In a sixth aspect, a user equipment is provided, including:
a fourth receiving unit, configured to, when a first login request carrying the identifier of the user equipment is sent to an application server, if the login request carries an indication that there is no valid first credential, receive the authentication challenge corresponding to the identifier sent by the application server;
a second generation unit, configured to generate the first credential according to the authentication challenge;
a seventh sending unit, configured to send a second login request to the application server, the second login request being generated according to the identifier and the first credential, so that the application server verifies the user equipment according to a second credential corresponding to the identifier;
wherein the second credential is generated in the same manner as the first credential.
In a first possible implementation, the second generation unit includes:
a fifth obtaining unit, configured to obtain, according to the authentication challenge, the authentication response corresponding to the authentication challenge;
a third generation unit, configured to generate the first credential according to the authentication challenge and the authentication response, using the same algorithm as used to generate the second credential.
With reference to the sixth aspect or the first possible implementation of the sixth aspect, in a second possible implementation, the user equipment further includes:
an eighth sending unit, configured to send a third login request to the application server, the third login request being generated according to the identifier and the first credential, the identifier being a temporary identifier or a permanent identifier, the permanent identifier being generated according to the international mobile subscriber identity IMSI or the mobile subscriber ISDN number MSISDN of the user equipment;
a fifth receiving unit, configured to receive the verification result for the user equipment sent by the application server.
In a seventh aspect, an authentication system is provided, including the application server of the fourth aspect or any one of the first to sixth possible implementations of the fourth aspect, the authentication function device AF of the fifth aspect or any one of the first to third possible implementations of the fifth aspect, a home subscriber server HSS or home location register HLR, and the user equipment of the sixth aspect or the first or second possible implementation of the sixth aspect.
In an eighth aspect, an application server is provided, including an input device, an output device, a memory and a processor;
wherein the processor performs the following steps:
when a first login request of a user equipment is received, if it is found that the first login request does not carry an indication of a valid first credential, sending to the user equipment, according to the identifier of the user equipment carried in the login request, an authentication challenge corresponding to the identifier, so that the user equipment generates the corresponding first credential according to the authentication challenge;
receiving a second login request sent by the user equipment, the second login request being generated by the user equipment according to the identifier and the first credential;
verifying the user equipment according to a second credential corresponding to the identifier;
wherein the second credential is generated in the same manner as the first credential.
In a first possible implementation, the step performed by the processor of, when a first login request of a user equipment is received, if it is found that the first login request does not carry an indication of a valid first credential, sending to the user equipment, according to the identifier of the user equipment carried in the login request, an authentication challenge corresponding to the identifier, so that the user equipment generates the corresponding first credential according to the authentication challenge, includes:
when a first login request of a user equipment is received, if it is found that the first login request does not carry an indication of a valid first credential, sending the identifier to an authentication function device AF, so that the AF sends the identifier to a home subscriber server HSS or home location register HLR and obtains the corresponding authentication vector, the authentication vector including the authentication challenge and an authentication response; and sending the authentication challenge to the user equipment, so that the user equipment generates the corresponding first credential according to the authentication challenge.
With reference to the eighth aspect or the first possible implementation of the eighth aspect, in a second possible implementation, after the processor performs the step of finding that the first login request does not carry an indication of a valid first credential, the processor further performs the following step:
sending the identifier to the authentication function device AF, so that the AF sends information of the application server and the identifier to the home subscriber server HSS or home location register HLR, so that the HSS or HLR checks whether the user equipment is allowed to access the application server.
With reference to the first or second possible implementation of the eighth aspect, in a third possible implementation, the processor further performs the following step:
converting the identifier into the international mobile subscriber identity IMSI of the user equipment.
With reference to the eighth aspect or the first possible implementation of the eighth aspect, in a fourth possible implementation, after the processor performs the step of receiving the second login request sent by the user equipment and before it performs the step of verifying the user equipment according to the second credential corresponding to the identifier, the processor further performs the following step:
obtaining, according to the identifier, the second credential corresponding to the identifier.
With reference to the eighth aspect, in a fifth possible implementation, the processor further performs the following step: when a login request of a user equipment is received, if a first credential is found according to the identifier, obtaining, according to the identifier, the second credential corresponding to the identifier.
With reference to the fourth or fifth possible implementation of the eighth aspect, in a sixth possible implementation, the step performed by the processor of obtaining, according to the identifier, the second credential corresponding to the identifier includes:
searching, according to the identifier, whether the second credential is stored locally;
if it is, obtaining the second credential locally;
if it is not, obtaining the second credential from the authentication function device AF, the second credential being generated by the AF, using the same algorithm as used to generate the first credential, from the corresponding authentication vector that the AF obtains from the home subscriber server HSS or home location register HLR according to the identifier.
In a ninth aspect, an authentication function device AF is provided, including an input device, an output device, a memory and a processor;
wherein the processor performs the following steps:
when an application server finds that a login request sent by a user equipment does not carry an indication of a valid first credential, receiving an authentication vector acquisition request sent by the application server, the authentication vector acquisition request including the identifier of the user equipment;
sending to the application server the authentication vector corresponding to the identifier, obtained from the home subscriber server HSS or home location register HLR, so that the application server sends the authentication challenge in the authentication vector to the user equipment to generate the first credential corresponding to the authentication challenge;
when the application server receives a second login request sent by the user equipment, receiving a second credential acquisition request sent by the application server, the second credential acquisition request including the identifier of the user equipment;
generating the second credential according to the authentication vector, using the same algorithm as used to generate the first credential, so that the application server verifies the user equipment according to the second credential.
In a first possible implementation, after the processor performs the step of receiving the authentication vector acquisition request sent by the application server and before it performs the step of sending to the application server the authentication vector corresponding to the identifier obtained from the home subscriber server HSS or home location register HLR, the processor further performs the following step:
sending the identifier and information of the application server to the HSS or HLR, so that the HSS or HLR checks whether the user equipment is allowed to access the application server.
With reference to the ninth aspect, in a second possible implementation, after the processor performs the step of generating the second credential according to the authentication vector using the same algorithm as used to generate the first credential, the processor further performs the following step:
storing the second credential in correspondence with the identifier.
With reference to the ninth aspect or the first or second possible implementation of the ninth aspect, in a third possible implementation, the processor further performs the following step: converting the identifier into the international mobile subscriber identity IMSI of the user equipment.
In a tenth aspect, a user equipment is provided, including an input device, an output device, a memory and a processor;
Wherein, the computing device following steps:
when sending a first login request to an application server, the first login request carrying the identifier of the user equipment, if the login request carries an indication that there is no valid first credential, receiving the authentication challenge corresponding to the identifier sent by the application server;
generating the first credential according to the authentication challenge;
sending a second login request to the application server, the second login request being generated according to the identifier and the first credential, so that the application server verifies the user equipment according to a second credential corresponding to the identifier;
wherein the second credential is generated in the same manner as the first credential.

In a first possible implementation, the step, performed by the processor, of generating the first credential according to the authentication challenge includes:
obtaining, according to the authentication challenge, the authentication response corresponding to the authentication challenge;
generating the first credential from the authentication challenge and the authentication response using the same algorithm as that used to generate the second credential.
With reference to the tenth aspect or the first possible implementation of the tenth aspect, in a second possible implementation the processor further performs the following steps:
sending a third login request to the application server, the third login request being generated according to the identifier and the first credential, the identifier being a temporary identifier or a permanent identifier, the permanent identifier being generated from the International Mobile Subscriber Identity IMSI or the Mobile Subscriber International ISDN Number MSISDN of the user equipment;
receiving the verification result for the user equipment sent by the application server.

An eleventh aspect provides an authentication system, including the application server of the eighth aspect or of any of the first to sixth possible implementations of the eighth aspect, the authentication function device AF of the ninth aspect or of any of the first to third possible implementations of the ninth aspect, the home subscriber server HSS or home location register HLR, and the user equipment of the tenth aspect or of the first or second possible implementation of the tenth aspect.
With the authentication method, the credential generation method and the related apparatus of the present invention, the flow by which a user equipment logs in to an application server can be simplified.

Brief description of the drawings

To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the accompanying drawings required for the embodiments are briefly introduced below. Apparently, the drawings in the following description are only some embodiments of the present invention, and persons of ordinary skill in the art may derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the Generic Bootstrapping Architecture GBA of the prior art;
Fig. 2 is a flowchart of an embodiment of an authentication method according to the present invention;
Fig. 3 is a flowchart further refining the embodiment of the authentication method shown in Fig. 2;
Fig. 4 is a flowchart of another embodiment of an authentication method according to the present invention;
Fig. 5 is a flowchart further refining the embodiment of the authentication method shown in Fig. 4;
Fig. 6 is a flowchart of an embodiment of a credential generation method according to the present invention;
Fig. 7 is a flowchart of another embodiment, further refining the embodiment of the credential generation method shown in Fig. 6;
Fig. 8 is a schematic structural diagram of an embodiment of an application server according to the present invention;
Fig. 9 is a schematic structural diagram further refining the embodiment of the application server shown in Fig. 8;
Fig. 10 is a schematic structural diagram of an embodiment of a user equipment according to the present invention;
Fig. 11 is a schematic structural diagram further refining the embodiment of the user equipment shown in Fig. 10;
Fig. 12 is a schematic structural diagram of an embodiment of an authentication function device AF according to the present invention;
Fig. 13 is a schematic structural diagram further refining the embodiment of the authentication function device AF shown in Fig. 12;
Fig. 14 is a schematic structural diagram of an embodiment of an authentication system according to the present invention;
Fig. 15 is a schematic structural diagram of another embodiment of an application server provided by the present invention;
Fig. 16 is a schematic structural diagram of another embodiment of an authentication function device AF provided by the present invention;
Fig. 17 is a schematic structural diagram of another embodiment of a user equipment provided by the present invention.

Embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Apparently, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by persons of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
In the following embodiments of the present invention, the user equipment on the terminal side is a device carrying a Universal Integrated Circuit Card (UICC) or a Universal Subscriber Identity Module (USIM), on which an application client is installed; the application client communicates with the UICC or USIM of the user equipment through an Authentication Application Programming Interface (AAPI).
In the following embodiments, the authentication system on the network side may include an application server, an Authentication Function (AF) and a Home Subscriber Server/Home Location Register (HSS/HLR). The application server receives the login request of the application client on the user equipment. When the operator issues a UICC/USIM card to a user, it stores the same key in the HSS and in the UICC/USIM card.
Fig. 2 is a flowchart of an embodiment of an authentication method according to the present invention. As shown in Fig. 2, the method includes the following steps:
Step S101: when a first login request of a user equipment is received, if it is found that the first login request carries an indication that there is no valid first credential, sending, according to the identifier of the user equipment carried in the login request, the authentication challenge corresponding to the identifier to the user equipment, so that the user equipment generates the corresponding first credential according to the authentication challenge.
The application client on the user equipment sends a login request to the application server; the login request is generated from the identifier of the user equipment and the first credential. If the user equipment logs in to the application server for the first time, no credential for login authentication may be stored on it, so the login request may carry an indication that there is no valid first credential; the indication may be a flag. Therefore, on receiving the login request of the user equipment, the application server first checks whether the request carries that indication flag. If the user equipment has no valid first credential, the application server obtains the authentication challenge corresponding to the identifier of the user equipment and sends it to the user equipment, so that the user equipment generates the corresponding first credential according to the authentication challenge. Here the identifier of the user equipment may be the identifier of its UICC/USIM card. The authentication challenge corresponding to the identifier is unique.
Step S102: receiving a second login request sent by the user equipment, the second login request being generated by the user equipment according to the identifier and the first credential.
The application server receives the login request sent again by the user equipment; this login request is generated from the identifier of the user equipment and the first credential, and the first credential is generated by the user equipment according to the received authentication challenge.
Step S103: verifying the user equipment according to a second credential corresponding to the identifier, wherein the second credential is generated in the same manner as the first credential.
The application server obtains the authentication challenge corresponding to the identifier and can also generate the second credential from that challenge in the same manner as the first credential is generated; it then verifies the user equipment by comparing the second credential with the first credential.
According to the authentication method provided by this embodiment, the user equipment and the application server complete authentication through the interaction of the two parties, without going through a third party, which simplifies the authentication flow between the user equipment and the application server.
Fig. 3 is a flowchart further refining the embodiment of the authentication method shown in Fig. 2. As shown in Fig. 3, the method includes the following steps:
Step S201: receiving a first login request of a user equipment.
Step S202: checking whether the first login request carries an indication that there is no valid first credential; if so, going to step S203; otherwise, going to step S208.
The application client on the user equipment sends a login request to the application server; the login request is generated from the identifier of the user equipment and the first credential. If the user equipment logs in to the application server for the first time, no credential for login authentication may be stored on it, so the login request may carry an indication that there is no valid first credential; the indication may be a flag. Therefore, on receiving the login request of the user equipment, the application server first checks whether the request carries that indication flag. If the indication is absent, the first credential can be obtained from the login request and the subsequent authentication flow continues; if the indication is present, go to step S203.
Here the identifier of the user equipment may be the identity of its UICC/USIM card. The identifier may be the temporary identifier TID of the UICC/USIM card, or its permanent identifier PID, which is generated from the IMSI or MSISDN, for example by the following method: PID = MSISDN@pid.ottserver.operator.com. The TID serves to hide sensitive information such as the MSISDN contained in the PID and to reduce the number of times the PID is used; for example, the TID may be generated by the following method: TID = SHA-256(RES)@tid.ottserver.operator.com, where RES is part of the authentication response of the UICC/USIM card.
Step S203: converting the identifier carried in the first login request to the International Mobile Subscriber Identity IMSI of the user equipment.
Because no corresponding credential is found by looking up the identifier in the login request, the application server needs to communicate with the AF and the HSS to obtain an authentication challenge, and the HSS recognizes only the IMSI; the identifier therefore has to be converted to the IMSI. The mapping between identifiers and IMSIs may be stored in the application server, so that the conversion of an identifier to an IMSI is completed simply by looking up the mapping, or the MSISDN or IMSI may be derived in reverse from the PID according to the PID generation method above.
The conversion may also be performed by the AF. In that case the application server only needs to forward the received user equipment identifier to the AF, and the AF completes the conversion of the identifier to the IMSI.
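The identifier forms of step S202 and the conversion of step S203, worked through as an added example in Python; this is illustrative code, not the patent's own, using the two domain suffixes given above, while the MSISDN, IMSI and RES values exercised with it are constructed samples. A PID can be inverted by parsing the MSISDN out of it; a TID is a hash and cannot be inverted, so it is resolvable only through the stored mapping, which is why the text speaks of stored mapping relations:

```python
import hashlib
from typing import Dict, Optional

# Domain suffixes as given in the text; subscriber values are constructed.
PID_DOMAIN = "pid.ottserver.operator.com"
TID_DOMAIN = "tid.ottserver.operator.com"


def make_pid(msisdn: str) -> str:
    """Permanent identifier: PID = MSISDN@pid.ottserver.operator.com."""
    return f"{msisdn}@{PID_DOMAIN}"


def make_tid(res: bytes) -> str:
    """Temporary identifier: TID = SHA-256(RES)@tid.ottserver.operator.com.

    RES is part of the card's authentication response to one challenge, so
    the TID changes with each authentication and exposes neither the MSISDN
    nor RES itself; whoever issues it must remember which IMSI it belongs to.
    """
    return f"{hashlib.sha256(res).hexdigest()}@{TID_DOMAIN}"


class IdentifierResolver:
    """Step S203: convert the identifier in a login request to the IMSI.

    A PID is inverted by parsing the MSISDN out of it and looking it up in
    the MSISDN->IMSI table (the "reverse derivation" of the text); a TID is
    resolved only through the TID->IMSI mapping stored when it was issued.
    """

    def __init__(self, msisdn_to_imsi: Dict[str, str]) -> None:
        self.msisdn_to_imsi = dict(msisdn_to_imsi)
        self.tid_to_imsi: Dict[str, str] = {}

    def issue_tid(self, res: bytes, imsi: str) -> str:
        """Derive a TID from RES and record the IMSI it stands for."""
        tid = make_tid(res)
        self.tid_to_imsi[tid] = imsi
        return tid

    def to_imsi(self, identifier: str) -> Optional[str]:
        """Return the IMSI for a PID or TID, or None if it cannot be resolved."""
        local_part, sep, domain = identifier.rpartition("@")
        if not sep:
            return None                       # malformed identifier
        if domain == PID_DOMAIN:
            if not local_part.isdigit():      # an MSISDN is a digit string
                return None
            return self.msisdn_to_imsi.get(local_part)
        if domain == TID_DOMAIN:
            return self.tid_to_imsi.get(identifier)
        return None                           # unknown realm: refuse, do not guess
```

The resolver rejects identifiers from any other realm rather than guessing, so a malformed or foreign identifier never reaches the HSS lookup.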
Step S204: sending the IMSI to the authentication function device AF, so that the AF sends the IMSI to the home subscriber server HSS or the home location register HLR and obtains from the HSS the authentication vector, which includes the authentication challenge and the authentication response.
If the application server performs the conversion, it sends the IMSI converted from the identifier to the AF, and the AF sends the IMSI to the HSS. According to the IMSI, the HSS finds the key previously agreed between the HSS and the UICC/USIM card and generates the corresponding authentication vector from that key. If the Subscriber Identity Module (SIM) in the UICC is used, the authentication vector includes {RAND, RES, Kc}; if a USIM is used, the authentication vector includes {RAND, AUTN, RES, CK, IK}. The HSS sends the authentication vector to the AF.
If the AF performs the conversion, the AF obtains the IMSI from the received identifier of the user equipment. The AF may hold the mapping between user equipment identifiers and IMSIs, so that the conversion is completed simply by looking up the mapping, or it may derive the MSISDN in reverse according to the PID generation method above and then find the IMSI.
Further, the AF may also send the information of the application server to the HSS, and the HSS can determine whether the user equipment has subscribed to the corresponding service by checking the subscription information associated with the IMSI. If the user equipment corresponding to the IMSI has not subscribed to access the application server, the AF forwards the error indication returned by the HSS to the application server.
Step S205: obtaining the authentication challenge from the AF.
The AF sends the authentication challenge to the application server. For a SIM user the authentication challenge is RAND; for a USIM user the authentication challenge is {RAND, AUTN}.
Step S206: sending the authentication challenge corresponding to the identifier to the user equipment, so that the user equipment generates the corresponding first credential according to the authentication challenge.
The application server sends the obtained authentication challenge to the user equipment.
Step S207: receiving a second login request sent by the user equipment, the second login request being generated by the user equipment according to the identifier and the first credential.
The application server receives the login request sent again by the user equipment; this login request is generated by the user equipment from the identifier and the generated first credential, and the first credential is generated according to the authentication challenge.
Step S208: checking, according to the identifier, whether a second credential is stored locally; if so, going to step S209; otherwise, going to step S210.
Step S209: obtaining the second credential locally.
Step S210: obtaining the second credential from the authentication function device AF, the second credential being generated by the AF from the authentication vector corresponding to the identifier, obtained from the HSS or HLR, using the same algorithm as that used to generate the first credential.
Steps S208 to S210 obtain, according to the identifier, the second credential corresponding to the identifier. If the user equipment has logged in to the application server before, the second credential corresponding to the identifier may be stored locally in the application server, so it can be found by the identifier; that second credential was generated by the AF from the authentication vector corresponding to the identifier, obtained from the HSS, using the same algorithm as that used to generate the first credential. If no second credential is stored locally, then, because the AF already obtained the authentication vector corresponding to the identifier in step S205, the AF generates the second credential from that authentication vector using the same algorithm as that used to generate the first credential: the application server sends a second-credential acquisition request to the AF and receives the second credential generated by the AF.
For example, the method by which the AF calculates the second credential from the authentication vector (RAND, AUTN, RES, CK, IK) may be: Credential = KDF(CK || IK, "name of OTT server").
Step S211: verifying the user equipment according to the second credential. Because the generated second credential is consistent with the first credential sent by the user equipment, the user equipment passes verification.
According to the authentication method provided by this embodiment, the user equipment and the application server complete authentication through the interaction of the two parties, without going through a third party, which simplifies the authentication flow between the user equipment and the application server.
Fig. 4 is a flowchart of another embodiment of an authentication method according to the present invention. As shown in Fig. 4, the method includes the following steps:
Step S301: when sending a first login request to an application server, the first login request carrying the identifier of the user equipment, if the login request carries an indication that there is no valid first credential, receiving the authentication challenge corresponding to the identifier sent by the application server.
The application client on the user equipment sends a login request to the application server; the login request is generated from the identifier of the user equipment and the first credential. If the user equipment logs in to the application server for the first time, no credential for login authentication may be stored on it, so the login request may carry an indication that there is no valid first credential; the indication may be a flag. Therefore, on receiving the login request of the user equipment, the application server first checks whether the request carries that indication flag. If the user equipment has no valid first credential, the application server obtains the authentication challenge corresponding to the identifier of the user equipment and sends it to the user equipment, and the user equipment receives the authentication challenge sent by the application server. Here the identifier of the user equipment may be the identifier of its UICC/USIM card. The authentication challenge corresponding to the identifier is unique.
Step S302: generating the first credential according to the authentication challenge.
According to the received authentication challenge, the user equipment can find the corresponding information on its UICC/USIM card and generate the first credential using the set algorithm.
Step S303: sending a second login request to the application server, the second login request being generated according to the identifier and the first credential, so that the application server verifies the user equipment according to a second credential corresponding to the identifier; wherein the second credential is generated in the same manner as the first credential.
The user equipment sends a login request to the application server again; this login request is generated from the identifier and the generated first credential. The application server obtains the authentication challenge corresponding to the identifier and can also generate the second credential from that challenge in the same manner as the first credential is generated; it then verifies the user equipment by comparing the second credential with the first credential. According to the authentication method provided by this embodiment, the user equipment and the application server complete authentication through the interaction of the two parties, without going through a third party, which simplifies the authentication flow between the user equipment and the application server.
Fig. 5 is a flowchart further refining the embodiment of the authentication method shown in Fig. 4. As shown in Fig. 5, the method includes the following steps:
Step S401: when sending a first login request to an application server, the first login request carrying the identifier of the user equipment, if the login request carries an indication that there is no valid first credential, receiving the authentication challenge corresponding to the identifier sent by the application server.
The application client on the user equipment sends a login request to the application server; the login request is generated from the identifier of the user equipment and the first credential. If the user equipment logs in to the application server for the first time, no credential for login authentication may be stored on it, so the login request may carry an indication that there is no valid first credential; the indication may be a flag. Therefore, on receiving the login request of the user equipment, the application server first checks whether the request carries that indication flag. If the user equipment has no valid first credential, the application server obtains the authentication challenge corresponding to the identifier of the user equipment and sends it to the user equipment, so that the user equipment generates the corresponding first credential according to the authentication challenge.
Here the identifier of the user equipment may be the identifier of its UICC/USIM card. The authentication challenge corresponding to the identifier is unique. The identifier may be the temporary identifier TID of the UICC/USIM card or its permanent identifier PID; the PID is generated from the IMSI or MSISDN of the UICC/USIM card, for example by the following method: PID = MSISDN@pid.ottserver.operator.com. The TID serves to hide sensitive information such as the MSISDN contained in the PID and to reduce the number of times the PID is used; for example, the TID may be generated by the following method: TID = SHA-256(RES)@tid.ottserver.operator.com, where RES is part of the authentication response of the UICC/USIM card.
Because no corresponding credential is found by looking up the identifier in the login request, the application server needs to communicate with the AF and the HSS to obtain an authentication challenge, and the AF and HSS recognize only the IMSI; the identifier therefore has to be converted to the IMSI. The mapping between identifiers and IMSIs may be stored in the application server, so that the conversion of an identifier to an IMSI is completed simply by looking up the mapping, or the MSISDN or IMSI may be derived in reverse from the PID according to the PID generation method above.
The application server sends the IMSI converted from the identifier to the AF, and the AF sends the IMSI to the HSS. According to the IMSI, the HSS finds the key previously agreed between the HSS and the UICC/USIM card and generates the corresponding authentication vector from that key. If the Subscriber Identity Module (SIM) in the UICC is used, the authentication vector includes the authentication challenge RAND and the authentication response (RES, Kc); if a USIM is used, the authentication vector includes the authentication challenge (RAND, AUTN) and the authentication response (RES, CK, IK). The HSS sends the authentication vector to the AF.
Further, the AF may also send the information of the application server to the HSS, and the HSS can determine whether the user equipment has subscribed to the corresponding service by checking the subscription information associated with the IMSI. If the user equipment corresponding to the IMSI has not subscribed to access the application server, the HSS returns a corresponding error indication to the application server.
The application server obtains the authentication challenge from the authentication vector held by the AF, and the user equipment receives the authentication challenge sent by the application server.
If the corresponding first credential can be found by the identifier in the login request, the application server checks by the identifier whether a second credential corresponding to the identifier exists; if it exists and the first credential is consistent with the second credential, the user equipment receives the verification-success result sent by the application server; if it does not exist, the user equipment receives the verification-failure result sent by the application server.
Step S402: obtaining, according to the authentication challenge, the authentication response corresponding to the authentication challenge.
Step S403: generating the first credential from the authentication challenge and the authentication response using the same algorithm as that used to generate the second credential.
After the application client in the user equipment receives the authentication challenge, such as (RAND, AUTN), it passes it to the AAPI, and the AAPI passes it to the USIM. The USIM finds the key previously agreed with the HSS and generates the authentication response, such as (RES, CK, IK). According to the authentication vector (RAND, AUTN, RES, CK, IK), the AAPI generates the first credential using the set algorithm, for example Credential = KDF(CK || IK, "name of OTT server").
Step S404: sending a second login request to the application server, the second login request being generated according to the identifier and the first credential, so that the application server verifies the user equipment according to a second credential corresponding to the identifier.
The user equipment sends a login request to the application server again; this login request is generated from the identifier and the generated first credential. The application server obtains the authentication vector corresponding to the identifier and can also generate the second credential from that authentication vector using the same algorithm as that used to generate the first credential; it then verifies the user equipment by comparing the second credential with the first credential. According to the authentication method provided by this embodiment, the user equipment and the application server complete authentication through the interaction of the two parties, without going through a third party, which simplifies the authentication flow between the user equipment and the application server and reduces the access delay of the user equipment.
Fig. 6 is a flowchart of an embodiment of a credential generation method according to the present invention. As shown in Fig. 5, the method includes the following steps:
Step S501: when the application server finds that the login request sent by a user equipment carries an indication that there is no valid first credential, receiving the authentication-vector acquisition request sent by the application server, the authentication-vector acquisition request including the identifier of the user equipment.
The application client on the user equipment sends a login request to the application server; the login request is generated from the identifier of the user equipment and the first credential. If the user equipment logs in to the application server for the first time, no credential for login authentication may be stored on it, so the login request may carry an indication that there is no valid first credential; the indication may be a flag. Therefore, on receiving the login request of the user equipment, the application server first checks whether the request carries that indication flag. If the user equipment has no valid first credential, the application server may send an authentication-vector acquisition request; the AF receives that request, which carries the identifier of the user equipment. Here the identifier of the user equipment may be the identifier of its UICC/USIM card.
Step S502: sending the authentication vector corresponding to the identifier, obtained from the home subscriber server HSS or the home location register HLR, to the application server, so that the application server sends the authentication challenge in the authentication vector to the user equipment, which generates the first credential corresponding to the authentication challenge.
When the UICC/USIM card is issued, the same key is stored, in correspondence with the identifier, in the HSS or HLR and in the UICC/USIM card. The HSS or HLR finds the corresponding key by the identifier and can generate the corresponding authentication vector. The AF obtains the authentication vector from the HSS or HLR according to the identifier, sends it to the application server and stores it, so that the application server sends the authentication challenge in the authentication vector to the user equipment and the user equipment generates the corresponding first credential according to the authentication challenge. The authentication vector includes the authentication challenge and the authentication response.
Step S503: when the application server receives a second login request sent by the user equipment, receiving a second-credential acquisition request from the application server, the second-credential acquisition request including the identifier of the user equipment.
When the application server receives the login request sent again by the user equipment, which the user equipment generates from the identifier and the first credential, the application server may, after obtaining the first credential from it, send a second-credential acquisition request. The AF receives the second-credential acquisition request from the application server; the request includes the identifier of the user equipment.
Step S504: generating the second credential from the authentication vector using the same algorithm as that used to generate the first credential, so that the application server verifies the user equipment according to the second credential.
According to the authentication vector obtained in step S502, the AF generates the second credential using the same algorithm as that used to generate the first credential and sends the second credential to the application server, so that the application server verifies the user equipment according to the second credential.
According to the credential generation method provided by this embodiment, in the process by which the application server authenticates the user equipment, the credential used for verification is generated for the application server, so that the user equipment and the application server do not need to authenticate through interaction with a third party, which simplifies the authentication process.
Fig. 7 is a flow chart of another embodiment that further refines the embodiment of the method of generating a credential shown in Fig. 6. As shown in Fig. 6, the method includes the following steps:
Step S601: when the application server finds that the login request sent by the user equipment indicates that there is no valid first credential, receive the authentication vector acquisition request sent by the application server; the authentication vector acquisition request includes the identifier of the user equipment.
Step S601 is identical to step S501 of the previous embodiment and is not repeated here.
Step S602: convert the identifier to the international mobile subscriber identity (IMSI) of the user equipment. Because the HSS or HLR can only recognise the IMSI of the user equipment, and the UICC/USIM card of the user equipment has a unique IMSI, the identifier obtained from the login request must first be converted to an IMSI.
Step S603: send the IMSI and the application server information to the HSS or HLR, so that the HSS or HLR looks up whether the user equipment corresponding to the IMSI has subscription information with the application server; if the lookup result is yes, go to step S605, otherwise go to step S604.
Step S604: forward the error indication returned by the HSS or HLR to the application server.
Step S605: send the authentication vector corresponding to the IMSI, obtained from the home subscriber server (HSS) or home location register (HLR), to the application server, so that the application server sends the authentication challenge in the authentication vector to the user equipment, which generates the first credential corresponding to the authentication challenge.
The HSS or HLR stores not only the key agreed with the UICC/USIM card but also, indexed by the identifier of the UICC/USIM card, whether the card and the user equipment into which it is inserted have subscription information with a given application server. From the IMSI of the user equipment and the application server information, such as the application server identifier NAF_ID, it can look up whether corresponding subscription information exists; if it does not exist, the HSS or HLR returns an error indication. After receiving the error indication, the AF forwards it to the application server and the authentication procedure ends. If corresponding subscription information exists, the HSS or HLR finds the corresponding key according to the IMSI and generates an authentication vector from the key; the authentication vector includes an authentication challenge and an authentication response. The AF sends the authentication vector obtained from the HSS or HLR to the application server, so that the application server sends the authentication challenge in the vector to the user equipment; the user equipment obtains the corresponding authentication response from the UICC/USIM card according to the authentication challenge and generates the first credential.
Step S606: when the application server receives the second login request sent by the user equipment, receive the second-credential acquisition request of the application server; the second-credential acquisition request includes the identifier of the user equipment.
Step S607: according to the authentication vector, generate the second credential using the same algorithm as that used to generate the first credential, so that the application server verifies the user equipment according to the second credential.
Steps S606 and S607 are identical to steps S503 and S504 of the previous embodiment respectively and are not repeated here.
In the method of generating a credential provided by this embodiment of the invention, during the verification of the user equipment by the application server, the credential used for verification is generated for the application server, so that the user equipment and the application server need not authenticate by interacting with a third party, which simplifies the verification process; in addition, the subscription information of the user equipment and the application server stored in the HSS/HLR can assist the application server in performing the verification.
Fig. 8 is a schematic structural diagram of an embodiment of an application server of the invention. As shown in Fig. 8, the application server 1000 includes:
A first sending unit 11, configured to, when a first login request of a user equipment is received and it is found that the first login request indicates that there is no valid first credential, send to the user equipment, according to the identifier of the user equipment carried in the login request, the authentication challenge corresponding to the identifier, so that the user equipment generates the corresponding first credential according to the authentication challenge.
The login request is sent to the application server by the application client on the user equipment and is generated from the identifier of the user equipment and the first credential. If a user equipment logs in to an application server for the first time, no credential for login authentication may be stored on the user equipment; the login request may then carry an indication stating that there is no valid first credential, and the indication may be a flag. Therefore, on receiving the login request of a user equipment, the application server first checks whether the login request carries the flag of this indication. If the user equipment has no valid first credential, the application server obtains the authentication challenge corresponding to the user equipment identifier and sends it to the user equipment, so that the user equipment generates the corresponding first credential according to the authentication challenge. Here, the identifier of the user equipment may be the identifier of the UICC/USIM card of the user equipment. The authentication challenge corresponding to an identifier is unique.
A first receiving unit 12, configured to receive a second login request sent by the user equipment, the second login request being generated by the user equipment from the identifier and the first credential.
The login request sent again by the user equipment is received; it is generated from the identifier of the user equipment and the first credential, the first credential having been generated by the user equipment from the received authentication challenge.
A first verification unit 13, configured to verify the user equipment according to the second credential corresponding to the identifier, where the second credential is generated in the same way as the first credential.
The application server obtains the authentication challenge corresponding to the identifier and can likewise generate the second credential from the authentication challenge in the same way as the first credential was generated; it then verifies the user equipment according to the second credential and the first credential.
With the application server provided by this embodiment of the invention, the user equipment and the application server can complete authentication through the interaction of the two parties without going through a third party, which simplifies the authentication procedure between the user equipment and the application server.
Fig. 9 is a schematic structural diagram of a further refinement of the embodiment of the application server of the invention shown in Fig. 8. As shown in Fig. 9, the application server 2000 includes:
A first conversion unit 21, configured to, when a first login request of a user equipment is received and it is found that the first login request indicates that there is no valid first credential, convert the identifier to the international mobile subscriber identity (IMSI) of the user equipment.
Because no corresponding credential can be found according to the identifier in the login request, the application server needs to communicate with the AF and the HSS to obtain an authentication challenge; since the HSS can only recognise an IMSI, the identifier must be converted to an IMSI. The mapping between identifiers and IMSIs may be stored in the application server, in which case the identifier-to-IMSI conversion is completed simply by looking up the mapping; alternatively, the MSISDN or IMSI can be derived by reversing the PID generation method described above. The conversion can also be performed by the AF: the application server then only needs to send the received user equipment identifier to the AF, and the AF completes the conversion of the user equipment identifier to the IMSI.
A fourth sending unit 22, configured to send the IMSI to the authentication function (AF), so that the AF sends the application server information and the IMSI to the home subscriber server (HSS) or home location register (HLR), causing the HSS or HLR to check whether the user equipment is allowed to access the application server.
A first sending unit 23, configured to, when a first login request of a user equipment is received and it is found that the first login request indicates that there is no valid first credential, send to the user equipment, according to the identifier of the user equipment carried in the login request, the authentication challenge corresponding to the identifier, so that the user equipment generates the corresponding first credential according to the authentication challenge.
In this embodiment, the first sending unit 23 includes a second sending unit 231, a first acquisition unit 232 and a third sending unit 233.
A second sending unit 231, configured to, when a first login request of a user equipment is received and it is found that the first login request indicates that there is no valid first credential, send the identifier to the authentication function (AF), so that the AF sends the identifier to the home subscriber server (HSS) or home location register (HLR), which generates the corresponding authentication vector; the authentication vector includes the authentication challenge and the authentication response.
If the application server performs the conversion, it sends the IMSI obtained by converting the identifier to the AF, and the AF sends the IMSI to the HSS. The HSS finds, according to the IMSI, the key previously agreed between the HSS and the UICC/USIM card, and generates the corresponding authentication vector from the key. If the subscriber identity module (SIM) in the UICC is used, the authentication vector includes {RAND, RES, Kc}; if a USIM is used, the authentication vector includes {RAND, AUTN, RES, CK, IK}. The HSS sends the authentication vector to the AF.
If the AF performs the conversion, the AF obtains the IMSI from the received identifier of the user equipment.
The AF may store the mapping between user equipment identifiers and IMSIs, in which case the identifier-to-IMSI conversion is completed simply by looking up the mapping; alternatively, the MSISDN can be derived by reversing the PID generation method described above, and the IMSI then found from it.
Further, the AF may also send the application server information to the HSS, and the HSS can judge from the subscription information corresponding to the IMSI whether the user equipment has subscribed to the corresponding service. If the user equipment corresponding to the IMSI has not subscribed to access the application server, the AF forwards the error indication returned by the HSS to the application server.
A first acquisition unit 232, configured to obtain the authentication challenge from the AF.
The AF sends the authentication challenge to the application server. If the user is a SIM user, the authentication challenge is RAND; if the user is a USIM user, the authentication challenge is {RAND, AUTN}.
A third sending unit 233, configured to send the authentication challenge to the user equipment, so that the user equipment generates the corresponding first credential according to the authentication challenge.
The obtained authentication challenge is sent to the user equipment.
The login request is sent to the application server by the application client on the user equipment and is generated from the identifier of the user equipment and the first credential. If a user equipment logs in to an application server for the first time, no credential for login authentication may be stored on the user equipment; the login request may then carry an indication stating that there is no valid first credential, and the indication may be a flag. Therefore, on receiving the login request of a user equipment, the application server first checks whether the login request carries the flag of this indication.
Here, the identifier of the user equipment may be the identity of the UICC/USIM card of the user equipment. The identifier may be a temporary identifier (TID) of the UICC/USIM card, or its permanent identifier (PID), generated for example as follows: PID = MSISDN@pid.ottserver.operator.com. The TID is introduced to hide sensitive information contained in the PID, such as the MSISDN, and to reduce the number of times the PID is used; for example, the TID can be generated as TID = SHA-256(RES)@tid.ottserver.operator.com, where RES is a part of the authentication response of the UICC/USIM card.
A first receiving unit 24, configured to receive a second login request sent by the user equipment, the second login request being generated by the user equipment from the identifier and the first credential.
The login request sent again by the user equipment is received; it is generated by the user equipment from the identifier and the generated first credential, the first credential having been generated from the authentication challenge.
A second acquisition unit 25, configured to obtain, according to the identifier, the second credential corresponding to the identifier.
The second acquisition unit 25 is further configured to, when the login request of the user equipment is received and the first credential is found according to the identifier, obtain the second credential corresponding to the identifier according to the identifier.
In this embodiment of the invention, the second acquisition unit 25 includes a first search unit 251, a third acquisition unit 252 and a fourth acquisition unit 253.
A first search unit 251, configured to search, according to the identifier, whether a second credential is stored locally.
If the user equipment has logged in to the application server before, the second credential corresponding to the identifier may be stored locally in the application server, so that it can be found according to the identifier; this second credential was generated by the AF, from the authentication vector corresponding to the identifier obtained from the HSS, using the same algorithm as that used to generate the first credential. If no second credential is stored locally, then, because the AF has already obtained the authentication vector corresponding to the identifier in step S205, the second credential is generated from that authentication vector using the same algorithm as for the first credential: the application server sends a second-credential acquisition request to the AF and receives the second credential generated by the AF.
For example, the AF calculates the second credential from the authentication vector (RAND, AUTN, RES, CK, IK) as: Credential = KDF(CK || IK, "name of OTT server").
A third acquisition unit 252, configured to obtain the second credential locally if the search result is yes.
A fourth acquisition unit 253, configured to obtain the second credential from the authentication function (AF) if the search result is no; the second credential is generated by the AF, using the same algorithm as that used to generate the first credential, from the authentication vector corresponding to the identifier obtained from the home subscriber server (HSS) or home location register (HLR).
A first verification unit 26, configured to verify the user equipment according to the second credential corresponding to the identifier, where the second credential is generated in the same way as the first credential.
Because the generated second credential is consistent with the first credential sent by the user equipment, the verification of the user equipment passes.
With the application server provided by this embodiment of the invention, the user equipment and the application server can complete authentication through the interaction of the two parties without going through a third party, which simplifies the authentication procedure between the user equipment and the application server.
Figure 10 is a schematic structural diagram of an embodiment of a user equipment of the invention. As shown in Figure 10, the user equipment 3000 includes:
A fourth receiving unit 31, configured to, when a first login request carrying the identifier of the user equipment is sent to the application server and the login request carries an indication that there is no valid first credential, receive the authentication challenge corresponding to the identifier sent by the application server.
The login request is sent to the application server by the application client on the user equipment and is generated from the identifier of the user equipment and the first credential. If a user equipment logs in to an application server for the first time, no credential for login authentication may be stored on the user equipment; the login request may then carry an indication stating that there is no valid first credential, and the indication may be a flag. Therefore, on receiving the login request of a user equipment, the application server first checks whether the login request carries the flag of this indication. If the user equipment has no valid first credential, the application server obtains the authentication challenge corresponding to the user equipment identifier and sends it to the user equipment, and the user equipment receives the authentication challenge sent by the application server. Here, the identifier of the user equipment may be the identifier of the UICC/USIM card of the user equipment. The authentication challenge corresponding to an identifier is unique.
A second generation unit 32, configured to generate the first credential according to the authentication challenge.
According to the received authentication challenge, the user equipment can find the corresponding information on its UICC/USIM card and generate the first credential using the set algorithm.
A seventh sending unit 33, configured to send a second login request to the application server, the second login request being generated from the identifier and the first credential, so that the application server verifies the user equipment according to the second credential corresponding to the identifier, where the second credential is generated in the same way as the first credential.
The login request is sent again to the application server; it is generated from the identifier and the generated first credential. The application server obtains the authentication challenge corresponding to the identifier and can likewise generate the second credential from the authentication challenge in the same way as the first credential was generated; it then verifies the user equipment according to the second credential and the first credential.
With the user equipment provided by this embodiment of the invention, the user equipment and the application server can complete authentication through the interaction of the two parties without going through a third party, which simplifies the authentication procedure between the user equipment and the application server.
Figure 11 is a schematic structural diagram of a further refinement of the embodiment of the user equipment of the invention shown in Figure 10. As shown in Figure 11, the user equipment 4000 includes:
A fourth receiving unit 41, configured to, when a first login request carrying the identifier of the user equipment is sent to the application server and the login request carries an indication that there is no valid first credential, receive the authentication challenge corresponding to the identifier sent by the application server.
The login request is sent to the application server by the application client on the user equipment and is generated from the identifier of the user equipment and the first credential. If a user equipment logs in to an application server for the first time, no credential for login authentication may be stored on the user equipment; the login request may then carry an indication stating that there is no valid first credential, and the indication may be a flag. Therefore, on receiving the login request of a user equipment, the application server first checks whether the login request carries the flag of this indication. If the user equipment has no valid first credential, the application server obtains the authentication challenge corresponding to the user equipment identifier and sends it to the user equipment, so that the user equipment generates the corresponding first credential according to the authentication challenge.
Here, the identifier of the user equipment may be the identifier of the UICC/USIM card of the user equipment. The authentication challenge corresponding to an identifier is unique. The identifier may be a temporary identifier (TID) of the UICC/USIM card or its permanent identifier (PID); the PID is generated from the IMSI or MSISDN of the UICC/USIM card, for example as follows: PID = MSISDN@pid.ottserver.operator.com. The TID is introduced to hide sensitive information contained in the PID, such as the MSISDN, and to reduce the number of times the PID is used; for example, the TID can be generated as TID = SHA-256(RES)@tid.ottserver.operator.com, where RES is a part of the authentication response of the UICC/USIM card.
Because no corresponding credential can be found according to the identifier in the login request, the application server needs to communicate with the AF and the HSS to obtain an authentication challenge; since the AF and the HSS can only recognise an IMSI, the identifier must be converted to an IMSI. The mapping between identifiers and IMSIs may be stored in the application server, in which case the identifier-to-IMSI conversion is completed simply by looking up the mapping; alternatively, the MSISDN or IMSI can be derived by reversing the PID generation method described above.
The application server sends the IMSI obtained by converting the identifier to the AF, and the AF sends the IMSI to the HSS. The HSS finds, according to the IMSI, the key previously agreed between the HSS and the UICC/USIM card, and generates the corresponding authentication vector from the key. If the subscriber identity module (SIM) in the UICC is used, the authentication vector includes the authentication challenge RAND and the authentication response (RES, Kc); if a USIM is used, the authentication vector includes the authentication challenge (RAND, AUTN) and the authentication response (RES, CK, IK). The HSS sends the authentication vector to the AF.
Further, the AF may also send the application server information to the HSS, and the HSS can judge from the subscription information corresponding to the IMSI whether the user equipment has subscribed to the corresponding service. If the user equipment corresponding to the IMSI has not subscribed to access the application server, the HSS returns a corresponding error indication to the application server.
The application server obtains the authentication challenge from the authentication vector it received from the AF. The user equipment receives the authentication challenge sent by the application server.
If the corresponding first credential can be found in the login request according to the identifier, the application server searches, according to the identifier, whether a second credential corresponding to the identifier exists. If it exists and the first credential is consistent with the second credential, the user equipment receives the verification-success result sent by the application server; if it does not exist, the user equipment receives the verification-failure result sent by the application server.
A second generation unit 42, configured to generate the first credential according to the authentication challenge.
In this embodiment, the second generation unit 42 includes a fifth acquisition unit 421 and a third generation unit 422.
A fifth acquisition unit 421, configured to obtain, according to the authentication challenge, the authentication response corresponding to the authentication challenge.
A third generation unit 422, configured to generate the first credential, according to the authentication challenge and the authentication response, using the same algorithm as that used to generate the second credential.
After the application client in the user equipment receives the authentication challenge, for example (RAND, AUTN), it passes the challenge to the AAPI, and the AAPI passes it to the USIM. The USIM finds the key previously agreed with the HSS and generates the authentication response, for example (RES, CK, IK). The AAPI then generates the first credential from the authentication vector (RAND, AUTN, RES, CK, IK) using the set algorithm, for example Credential = KDF(CK || IK, "name of OTT server").
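The derivation just described on the user equipment side (AAPI and USIM producing the first credential) and the AF-side derivation of the second credential from the same authentication vector, together with the PID and TID formats given earlier, as an added runnable model; this is example code, not the patent's or Huawei's own implementation. The page does not specify the card's authentication functions or the KDF, so HMAC-SHA256 stands in for both (an assumption), and the IMSI, shared key and MSISDN below are constructed values.

```python
import hashlib
import hmac
import secrets

OTT_SERVER_NAME = "name of OTT server"   # KDF label quoted on this page


def _f(k, label, rand, n):
    """Placeholder for the card/HSS key-derivation functions (assumption:
    the real 3GPP functions are not named on this page)."""
    return hmac.new(k, label + rand, hashlib.sha256).digest()[:n]


def hss_generate_vector(k, rand=None):
    """HSS/HLR side: USIM authentication vector {RAND, AUTN, RES, CK, IK}
    derived from the key K shared with the UICC/USIM card."""
    rand = rand if rand is not None else secrets.token_bytes(16)
    return {"RAND": rand, "AUTN": _f(k, b"autn", rand, 16),
            "RES": _f(k, b"res", rand, 8),
            "CK": _f(k, b"ck", rand, 16), "IK": _f(k, b"ik", rand, 16)}


def usim_respond(k, challenge):
    """USIM side: given the challenge (RAND, AUTN), reject a challenge that
    was not produced with the shared key, otherwise return (RES, CK, IK)."""
    rand, autn = challenge
    if not hmac.compare_digest(autn, _f(k, b"autn", rand, 16)):
        raise ValueError("AUTN check failed: challenge not from the home network")
    return {"RES": _f(k, b"res", rand, 8),
            "CK": _f(k, b"ck", rand, 16), "IK": _f(k, b"ik", rand, 16)}


def derive_credential(ck, ik, server_name=OTT_SERVER_NAME):
    """Credential = KDF(CK || IK, "name of OTT server"); the AF and the AAPI
    run exactly the same function, so the two credentials match."""
    return hmac.new(ck + ik, server_name.encode(), hashlib.sha256).digest()


def make_pid(msisdn):
    """PID = MSISDN@pid.ottserver.operator.com (permanent identifier)."""
    return f"{msisdn}@pid.ottserver.operator.com"


def make_tid(res):
    """TID = SHA-256(RES)@tid.ottserver.operator.com hides the MSISDN."""
    return f"{hashlib.sha256(res).hexdigest()}@tid.ottserver.operator.com"


class AF:
    """Authentication function: fetches the vector from the (simulated) HSS,
    keeps it per identifier and derives/stores the second credential."""
    def __init__(self, hss_keys):
        self.hss_keys = hss_keys      # simulated HSS/HLR: IMSI -> shared key K
        self.vectors = {}
        self.credentials = {}

    def get_vector(self, identifier, imsi):
        vector = hss_generate_vector(self.hss_keys[imsi])
        self.vectors[identifier] = vector
        self.credentials.pop(identifier, None)   # a new challenge voids the old credential
        return vector

    def get_second_credential(self, identifier):
        if identifier not in self.credentials:
            if identifier not in self.vectors:
                return None           # no challenge was ever issued for this identifier
            v = self.vectors[identifier]
            self.credentials[identifier] = derive_credential(v["CK"], v["IK"])
        return self.credentials[identifier]


class ApplicationServer:
    def __init__(self, af, identifier_to_imsi):
        self.af = af
        self.identifier_to_imsi = identifier_to_imsi   # identifier -> IMSI mapping

    def login(self, identifier, first_credential):
        """No valid first credential -> ('challenge', (RAND, AUTN));
        otherwise compare with the AF's second credential -> ('ok'|'fail', None)."""
        if first_credential is None:                   # indication: no valid first credential
            v = self.af.get_vector(identifier, self.identifier_to_imsi[identifier])
            return "challenge", (v["RAND"], v["AUTN"])
        second = self.af.get_second_credential(identifier)
        if second is None or not hmac.compare_digest(second, first_credential):
            return "fail", None
        return "ok", None


def ue_login(server, k, identifier):
    """Application client + AAPI + USIM: the two login requests described above."""
    status, challenge = server.login(identifier, None)
    if status != "challenge":
        return status
    response = usim_respond(k, challenge)          # AAPI -> USIM -> (RES, CK, IK)
    first_credential = derive_credential(response["CK"], response["IK"])
    status, _ = server.login(identifier, first_credential)
    return status
```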
A seventh sending unit 43, configured to send a second login request to the application server, the second login request being generated from the identifier and the first credential, so that the application server verifies the user equipment according to the second credential corresponding to the identifier.
The login request is sent again to the application server; it is generated from the identifier and the generated first credential. The application server obtains the authentication vector corresponding to the identifier and can likewise generate the second credential from the authentication vector using the same algorithm as that used to generate the first credential; it then verifies the user equipment according to the second credential and the first credential.
With the user equipment provided by this embodiment of the invention, the user equipment and the application server can complete authentication through the interaction of the two parties without going through a third party, which simplifies the authentication procedure between the user equipment and the application server and reduces the access delay of the user equipment.
Figure 12 is a schematic structural diagram of an embodiment of an authentication function (AF) of the invention. As shown in Figure 12, the AF 5000 includes:
A second receiving unit 51, configured to, when the application server finds that the login request sent by the user equipment indicates that there is no valid first credential, receive the authentication vector acquisition request sent by the application server; the authentication vector acquisition request includes the identifier of the user equipment.
The login request is sent to the application server by the application client on the user equipment and is generated from the identifier of the user equipment and the first credential. If a user equipment logs in to an application server for the first time, no credential for login authentication may be stored on the user equipment; the login request may then carry an indication stating that there is no valid first credential, and the indication may be a flag. Therefore, on receiving the login request of a user equipment, the application server first checks whether the login request carries the flag of this indication. If the user equipment has no valid first credential, the application server may send an authentication vector acquisition request; the AF receives the request, which carries the identifier of the user equipment. Here, the identifier of the user equipment may be the identifier of the UICC/USIM card of the user equipment.
A fifth sending unit 52, configured to send the authentication vector corresponding to the identifier, obtained from the home subscriber server (HSS) or home location register (HLR), to the application server, so that the application server sends the authentication challenge in the authentication vector to the user equipment, which generates the first credential corresponding to the authentication challenge.
When a UICC/USIM card is provisioned, the same key, corresponding to the identifier, is stored in the HSS or HLR and on the UICC/USIM card. The HSS or HLR finds the corresponding key according to the identifier and can generate the corresponding authentication vector. The AF obtains the authentication vector from the HSS or HLR according to the identifier, sends it to the application server and stores it, so that the application server sends the authentication challenge in the vector to the user equipment and the user equipment generates the corresponding first credential according to the authentication challenge. The authentication vector includes an authentication challenge and an authentication response.
A third receiving unit 53, configured to, when the application server receives the second login request sent by the user equipment, receive the second-credential acquisition request of the application server; the second-credential acquisition request includes the identifier of the user equipment.
When the application server receives the login request sent again by the user equipment, that login request having been generated by the user equipment from the identifier and the first credential, the application server, after obtaining the first credential from it, may send a request to obtain the second credential. The AF receives the second-credential acquisition request of the application server; the request includes the identifier of the user equipment.
A first generation unit 54, configured to generate the second credential according to the authentication vector using the same algorithm as that used to generate the first credential, so that the application server verifies the user equipment according to the second credential.
According to the obtained authentication vector, the second credential is generated using the same algorithm as for the first credential and is sent to the application server, so that the application server verifies the user equipment according to the second credential.
With the AF provided by this embodiment of the invention, during the verification of the user equipment by the application server, the credential used for verification is generated for the application server, so that the user equipment and the application server need not authenticate by interacting with a third party, which simplifies the verification process.
Figure 13 is the structural representation of the further refinement to one embodiment of the authentication function device AF shown in Figure 12.As shown in figure 13, the AF6000 includes:
Second receiving unit 61, for when there is no the instruction of effective first credential in the logging request that application server finds user equipment transmission, the Ciphering Key acquisition request that application server is sent is received, the Ciphering Key, which obtains request, includes the mark of the user equipment.
The function of second receiving unit 61 is identical with the second receiving unit 51 of previous embodiment, will not be repeated here.
Second converting unit 62, the international nobile recognition number IMSI for the mark to be converted to the user equipment.
Because HSS or HLR can only recognize the IMSI of user equipment, the UICC/USIM cards of user equipment have unique IMSI, accordingly, it would be desirable to which the mark obtained from logging request first is converted into IMSI.
6th transmitting element 63, for the IMSI and the application server information to be sent into the HSS or HLR, to cause the HSS or HLR to check whether the user equipment allows to access the application server.
5th transmitting element 64, for the application server will to be sent to from the correspondence IMSI of family registered user server HSS or attaching position register HLR acquisitions Ciphering Key, so that the authentication challenge in the Ciphering Key is sent to the user equipment to generate first credential of the correspondence authentication challenge by the application server.
The key arranged with UICC/USIM cards is not only stored in HSS or HLR, always according to
The mark of UICC/USIM cards, store the card be inserted with the card user equipment whether with certain application server exist signing information.It according to the mark NAF_ID of the information of the IMSI of user equipment and application server such as application server, can find with the presence or absence of corresponding signing information, be indicated if it does not exist, then HSS or HLR returns to mistake.Receive after the mistake is indicated, the mistake is indicated to be sent to application server, terminates the identifying procedure.If there is corresponding signing information, then HSS or HLR are according to IMSI Corresponding key is found, Ciphering Key is generated according to the key, the Ciphering Key includes authentication challenge and authentication response.Application server will be sent to from the Ciphering Key of HSS or HLR acquisitions, so that the authentication challenge in Ciphering Key is sent to user equipment by application server, user equipment obtains corresponding authentication response according to the authentication challenge from UICC/USIM cards, generates the first credential.
Storage unit 65, configured to store the second credential in correspondence with the identifier.
Third receiving unit 66, configured to receive, when the application server receives the second login request sent by the user equipment, a second credential acquisition request from the application server, the second credential acquisition request including the identifier of the user equipment.
First generation unit 67, configured to generate the second credential from the authentication vector using the same algorithm as is used to generate the first credential, so that the application server verifies the user equipment according to the second credential.
The functions of the third receiving unit 66 and the first generation unit 67 are the same as those of the third receiving unit 53 and the first generation unit 54 of the previous embodiment, respectively, and are not repeated here.
The AF provided by the embodiment of the present invention generates, during the application server's authentication of the user equipment, the credential that the application server uses for verification, so that the user equipment and the application server need not interact with a third party to authenticate, which simplifies the authentication procedure; moreover, the subscription information of the user equipment and the application server stored in the HSS/HLR can help the application server perform the verification.
Figure 14 is a schematic structural diagram of an embodiment of an authentication system of the present invention. As shown in Figure 14, the authentication system 7000 includes: an application server 71, an authentication function (AF) 72, a home subscriber server (HSS) or home location register (HLR) 73, and a user equipment 74.
The user equipment 74 includes an application client 741, an authentication application programming interface (AAPI) 742 and a UICC/USIM card 743.
In the authentication system provided by the embodiment of the present invention, the user equipment and the application server complete authentication through their mutual interaction without going through a third party, which simplifies the authentication procedure between the user equipment and the application server and reduces the access delay of the user equipment.
Figure 15 is a schematic structural diagram of another embodiment of an application server provided by the present invention. As shown in Figure 15, the application server 8000 includes:
an input device 81, an output device 82, a memory 83 and a processor 84 (the device may have one or more processors 84; Figure 15 takes one processor as an example). In some embodiments of the present invention, the input device 81, output device 82, memory 83 and processor 84 may be connected by a bus or in another manner; Figure 15 takes a bus connection as an example.
The memory 83 stores a set of program code, and the processor 84 is configured to call the program code stored in the memory 83 to perform the following operations:
when a first login request of a user equipment is received, if it is found that the first login request carries no indication of a valid first credential, sending, according to the identifier of the user equipment carried in the login request, the authentication challenge corresponding to the identifier to the user equipment, so that the user equipment generates the corresponding first credential according to the authentication challenge;
receiving a second login request sent by the user equipment, the second login request being generated by the user equipment according to the identifier and the first credential;
verifying the user equipment according to the second credential corresponding to the identifier;
wherein the second credential is generated in the same manner as the first credential. In some embodiments of the present invention, the step performed by the processor 84 of, when the first login request of the user equipment is received and it is found that the first login request carries no indication of a valid first credential, sending, according to the identifier of the user equipment carried in the login request, the authentication challenge corresponding to the identifier to the user equipment so that the user equipment generates the corresponding first credential according to the authentication challenge, includes:
when the first login request of the user equipment is received, if it is found that the first login request carries no indication of a valid first credential, sending the identifier to the authentication function (AF), so that the AF sends the identifier to the home subscriber server (HSS) or home location register (HLR) and obtains the corresponding authentication vector, the authentication vector including the authentication challenge and the authentication response, so that the corresponding first credential is generated according to the authentication challenge.
In some embodiments of the present invention, after the processor 84 performs the step of finding that the first login request carries no indication of a valid first credential, and before it performs the step of sending the authentication challenge corresponding to the identifier to the user equipment, the processor 84 further performs the following steps:
sending the identifier to the authentication function (AF), so that the AF sends the information of the application server and the identifier to the home subscriber server (HSS) or home location register (HLR) and obtains the lookup result of the HSS or HLR as to whether the user equipment corresponding to the identifier has subscription information with the application server;
receiving the lookup result sent by the AF.
In some embodiments of the present invention, the processor 84 further performs the following step:
converting the identifier into the international mobile subscriber identity (IMSI) of the user equipment.
In some embodiments of the present invention, after the processor 84 performs the step of receiving the second login request sent by the user equipment, and before it performs the step of verifying the user equipment according to the second credential corresponding to the identifier, the processor 84 further performs the following step:
obtaining, according to the identifier, the second credential corresponding to the identifier.
In some embodiments of the present invention, the processor 84 further performs the following step:
when the login request of the user equipment is received, if the first credential is found according to the identifier, obtaining, according to the identifier, the second credential corresponding to the identifier.
In some embodiments of the present invention, the step performed by the processor 84 of obtaining, according to the identifier, the second credential corresponding to the identifier includes:
searching, according to the identifier, whether the second credential is stored locally;
if the search result is yes, obtaining the second credential locally;
if the search result is no, obtaining the second credential from the authentication function (AF), the second credential being generated by the AF, according to the identifier, from the corresponding authentication vector obtained from the home subscriber server (HSS) or home location register (HLR), using the same algorithm as is used to generate the first credential.
It can be understood that the functions of the functional modules of the application server 8000 of this embodiment may be implemented according to the method in the method embodiments above; for the specific implementation process, refer to the related description of the method embodiments, which is not repeated here.
With the application server provided by the embodiment of the present invention, the user equipment and the application server complete authentication through their mutual interaction without going through a third party, which simplifies the authentication procedure between the user equipment and the application server.
Figure 16 is a schematic structural diagram of another embodiment of an authentication function (AF) provided by the present invention. As shown in Figure 16, the AF 9000 includes:
an input device 91, an output device 92, a memory 93 and a processor 94 (the device may have one or more processors 94; Figure 16 takes one processor as an example). In some embodiments of the present invention, the input device 91, output device 92, memory 93 and processor 94 may be connected by a bus or in another manner; Figure 16 takes a bus connection as an example.
The memory 93 stores a set of program code, and the processor 94 is configured to call the program code stored in the memory 93 to perform the following operations:
when the application server finds that the login request sent by a user equipment carries no indication of a valid first credential, receiving an authentication vector acquisition request sent by the application server, the authentication vector acquisition request including the identifier of the user equipment;
sending the authentication vector corresponding to the identifier, obtained from the home subscriber server (HSS) or home location register (HLR), to the application server, so that the application server sends the authentication challenge in the authentication vector to the user equipment to generate the first credential corresponding to the authentication challenge; when the application server receives the second login request sent by the user equipment, receiving a second credential acquisition request sent by the application server, the second credential acquisition request including the identifier of the user equipment;
generating the second credential from the authentication vector using the same algorithm as is used to generate the first credential, so that the application server verifies the user equipment according to the second credential.
In some embodiments of the present invention, after the processor 94 performs the step of receiving the authentication vector acquisition request sent by the application server, and before it performs the step of sending the authentication vector corresponding to the identifier, obtained from the home subscriber server (HSS) or home location register (HLR), to the application server, the processor 94 further performs the following steps:
sending the identifier and the information of the application server to the HSS or HLR, so that the HSS or HLR looks up whether the user equipment corresponding to the identifier has subscription information with the application server and, if the lookup result is no, returns an error indication;
sending the error indication to the application server.
In some embodiments of the present invention, after the processor 94 performs the step of generating the second credential from the authentication vector using the same algorithm as is used to generate the first credential, the processor 94 further performs the following step:
storing the second credential in correspondence with the identifier.
In some embodiments of the present invention, the processor 94 further performs the following step: converting the identifier into the international mobile subscriber identity (IMSI) of the user equipment.
It can be understood that the functions of the functional modules of the AF 9000 of this embodiment may be implemented according to the method described above, which is not repeated here.
The AF provided by the embodiment of the present invention generates, during the application server's authentication of the user equipment, the credential that the application server uses for verification, so that the user equipment and the application server need not interact with a third party to authenticate, which simplifies the authentication procedure.
Figure 17 is a schematic structural diagram of another embodiment of a user equipment provided by the present invention. As shown in Figure 17, the user equipment 1110 includes:
an input device 111, an output device 112, a memory 113 and a processor 114 (the device may have one or more processors 114; Figure 17 takes one processor as an example). In some embodiments of the present invention, the input device 111, output device 112, memory 113 and processor 114 may be connected by a bus or in another manner; Figure 17 takes a bus connection as an example.
The memory 113 stores a set of program code, and the processor 114 is configured to call the program code stored in the memory 113 to perform the following operations:
sending a first login request to an application server, the first login request carrying the identifier of the user equipment, and, if the login request carries an indication that there is no valid first credential, receiving the authentication challenge corresponding to the identifier sent by the application server;
generating the first credential according to the authentication challenge;
sending a second login request to the application server, the second login request being generated according to the identifier and the first credential, so that the application server verifies the user equipment according to the second credential corresponding to the identifier;
wherein the second credential is generated in the same manner as the first credential. In some embodiments of the present invention, the step performed by the processor 114 of generating the first credential according to the authentication challenge includes:
obtaining, according to the authentication challenge, the authentication response corresponding to the authentication challenge;
generating the first credential from the authentication challenge and the authentication response using the same algorithm as is used to generate the second credential.
In some embodiments of the present invention, the processor 114 further performs the following steps: sending a third login request to the application server, the third login request being generated according to the identifier and the first credential, the identifier being a temporary identifier or a permanent identifier, the permanent identifier being generated according to the international mobile subscriber identity (IMSI) or the mobile subscriber integrated services digital network number (MSISDN) of the user equipment;
receiving the verification result for the user equipment sent by the application server.
It can be understood that the functions of the functional modules of the user equipment 1110 of this embodiment may be implemented according to the method in the method embodiments above; for the specific implementation process, refer to the related description of the method embodiments, which is not repeated here.
With the user equipment provided by the embodiment of the present invention, the user equipment and the application server complete authentication through their mutual interaction without going through a third party, which simplifies the authentication procedure between the user equipment and the application server and reduces the access delay of the user equipment.
The present invention further provides an authentication system, including the application server 8000 of the previous embodiment, the authentication function (AF) 9000, a home subscriber server (HSS) or home location register (HLR), and the user equipment 1110.
In the authentication system provided by the embodiment of the present invention, the user equipment and the application server complete authentication through their mutual interaction without going through a third party, which simplifies the authentication procedure between the user equipment and the application server and reduces the access delay of the user equipment.
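The two-request flow described by the AF, application server and user equipment embodiments above, simulated end to end as an added example (this is not code from the patent): the application server forwards the identifier to the AF, the AF converts it to an IMSI and asks the HSS/HLR for an authentication vector (which fails with an error indication when no subscription information exists), the UE derives the first credential from the challenge and the USIM's response, and the application server checks it against the second credential the AF derived with the same algorithm. HMAC-SHA256 stands in for the unspecified challenge-response function and credential algorithm, and the IMSIs, keys, temporary identifiers and NAF_ID are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the patent): the HSS/HLR subscriber table keyed by IMSI,
# holding the key agreed with the UICC/USIM and the application servers (NAF_IDs) the
# subscriber has subscription information with, plus the temporary-identifier -> IMSI map.
SUBSCRIBERS = {
    "460001234567890": {"key": bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc"),
                        "subscriptions": {"app.example.com"}},
    "460009876543210": {"key": bytes.fromhex("0123456789abcdef0123456789abcdef"),
                        "subscriptions": set()},
}
TEMP_ID_TO_IMSI = {"tmp-7f3a": "460001234567890", "tmp-2c91": "460009876543210"}


class SubscriptionError(Exception):
    """Stands in for the HSS/HLR error indication when no subscription information exists."""


def challenge_response(key, rand):
    # Stand-in for the USIM/HSS challenge-response function (HMAC-SHA256 is an assumption).
    return hmac.new(key, rand, hashlib.sha256).digest()[:8]


def derive_credential(rand, res):
    # The "same algorithm" run by the UE (first credential) and the AF (second credential);
    # the patent does not specify it, so HMAC-SHA256 keyed by the response is assumed.
    return hmac.new(res, rand, hashlib.sha256).hexdigest()


class HSS:
    def __init__(self, subscribers):
        self.subscribers = subscribers

    def authentication_vector(self, imsi, naf_id):
        entry = self.subscribers.get(imsi)
        if entry is None or naf_id not in entry["subscriptions"]:
            raise SubscriptionError(f"no subscription for {imsi} with {naf_id}")
        rand = secrets.token_bytes(16)  # fresh authentication challenge
        return {"challenge": rand, "response": challenge_response(entry["key"], rand)}


class AF:
    def __init__(self, hss, id_map):
        self.hss, self.id_map = hss, id_map
        self.vectors, self.second_credentials = {}, {}

    def to_imsi(self, ident):
        return self.id_map.get(ident, ident)  # a permanent identifier passes through unchanged

    def get_authentication_vector(self, ident, naf_id):
        av = self.hss.authentication_vector(self.to_imsi(ident), naf_id)
        self.vectors[ident] = av
        self.second_credentials.pop(ident, None)  # a new challenge invalidates the old credential
        return av

    def get_second_credential(self, ident):
        if ident not in self.second_credentials:  # storage unit: keep it per identifier
            av = self.vectors[ident]
            self.second_credentials[ident] = derive_credential(av["challenge"], av["response"])
        return self.second_credentials[ident]


class USIM:
    def __init__(self, key):
        self.key = key

    def respond(self, rand):
        return challenge_response(self.key, rand)


class UserEquipment:
    def __init__(self, ident, usim):
        self.ident, self.usim, self.first_credential = ident, usim, None

    def first_login_request(self):
        return {"id": self.ident}  # carries no valid first credential yet

    def handle_challenge(self, rand):
        self.first_credential = derive_credential(rand, self.usim.respond(rand))

    def second_login_request(self):
        return {"id": self.ident, "credential": self.first_credential}


class ApplicationServer:
    def __init__(self, naf_id, af):
        self.naf_id, self.af, self.local_credentials = naf_id, af, {}

    def login(self, request):
        ident = request["id"]
        if "credential" not in request:  # first login request: no valid first credential
            self.local_credentials.pop(ident, None)
            try:
                av = self.af.get_authentication_vector(ident, self.naf_id)
            except SubscriptionError as exc:
                return {"error": str(exc)}  # AF forwards the error indication; flow ends
            return {"challenge": av["challenge"]}
        # second login request: second credential from local storage, else from the AF
        expected = self.local_credentials.get(ident) or self.af.get_second_credential(ident)
        self.local_credentials[ident] = expected
        return {"authenticated": hmac.compare_digest(expected, request["credential"])}


def run_flow(ue, app):
    """Full flow; returns True only when the application server verifies the user equipment."""
    reply = app.login(ue.first_login_request())
    if "challenge" not in reply:
        return False
    ue.handle_challenge(reply["challenge"])
    return app.login(ue.second_login_request())["authenticated"]
```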
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the devices and modules described above may refer to the corresponding process descriptions in the method embodiments, and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely schematic; the division into modules is only a division of logical functions, and other divisions are possible in actual implementation: multiple modules or components may be combined or integrated into another device, or some features may be omitted or not performed. In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some communication interfaces, devices or modules, and may be electrical, mechanical or in other forms.
The modules described as separate components may or may not be physically separate, and may be distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional modules in the embodiments of the present invention may be integrated into one processing module, or each module may exist physically alone, or two or more modules may be integrated into one module.
Through the description of the embodiments above, those skilled in the art can clearly understand that each embodiment may be implemented by software plus a necessary general hardware platform, or of course by hardware. Based on this understanding, the part of the technical solution above that contributes to the prior art may essentially be embodied in the form of a software product; the computer software product may be stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the method described in the embodiments or in some parts of the embodiments.
The embodiments described above do not limit the protection scope of the technical solution. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the embodiments above shall be included within the protection scope of the technical solution.

Claims
1. An authentication method, characterized by comprising:
when a first login request of a user equipment is received, if it is found that the first login request carries no indication of a valid first credential, sending, according to the identifier of the user equipment carried in the login request, the authentication challenge corresponding to the identifier to the user equipment, so that the user equipment generates the corresponding first credential according to the authentication challenge;
receiving a second login request sent by the user equipment, the second login request being generated by the user equipment according to the identifier and the first credential;
verifying the user equipment according to the second credential corresponding to the identifier;
wherein the second credential is generated in the same manner as the first credential.
2. The method according to claim 1, characterized in that the step of, when the first login request of the user equipment is received and it is found that the first login request carries no indication of a valid first credential, sending, according to the identifier of the user equipment carried in the login request, the authentication challenge corresponding to the identifier to the user equipment so that the user equipment generates the corresponding first credential according to the authentication challenge, comprises:
when the first login request of the user equipment is received, if it is found that the first login request carries no indication of a valid first credential, sending the identifier to the authentication function (AF), so that the AF sends the identifier to the home subscriber server (HSS) or home location register (HLR) and obtains the corresponding authentication vector, the authentication vector including the authentication challenge and the authentication response, so that the corresponding first credential is generated according to the authentication challenge.
3. The method according to claim 1 or 2, characterized in that, after it is found that the first login request carries no indication of a valid first credential and before the authentication challenge corresponding to the identifier is sent to the user equipment, the method further comprises:
sending the identifier to the authentication function (AF), so that the AF sends the information of the application server and the identifier to the home subscriber server (HSS) or home location register (HLR), to cause the HSS or HLR to check whether the user equipment is allowed to access the application server.
4. The method according to claim 2 or 3, characterized by further comprising:
converting the identifier into the international mobile subscriber identity (IMSI) of the user equipment.
5. The method according to claim 1 or 2, characterized in that, after the second login request sent by the user equipment is received and before the user equipment is verified according to the second credential corresponding to the identifier, the method further comprises:
obtaining, according to the identifier, the second credential corresponding to the identifier.
6. The method according to claim 1, characterized by further comprising:
when the login request of the user equipment is received, if the first credential is found according to the identifier, obtaining, according to the identifier, the second credential corresponding to the identifier.
7. The method according to claim 5 or 6, characterized in that obtaining, according to the identifier, the second credential corresponding to the identifier comprises:
searching, according to the identifier, whether the second credential is stored locally;
if the search result is yes, obtaining the second credential locally;
if the search result is no, obtaining the second credential from the authentication function (AF), the second credential being generated by the AF, according to the identifier, from the corresponding authentication vector obtained from the home subscriber server (HSS) or home location register (HLR), using the same algorithm as is used to generate the first credential.
8. A method for generating a credential, characterized by comprising:
when the application server finds that the login request sent by a user equipment carries no indication of a valid first credential, receiving an authentication vector acquisition request sent by the application server, the authentication vector acquisition request including the identifier of the user equipment;
sending the authentication vector corresponding to the identifier, obtained from the home subscriber server (HSS) or home location register (HLR), to the application server, so that the application server sends the authentication challenge in the authentication vector to the user equipment to generate the first credential corresponding to the authentication challenge; when the application server receives the second login request sent by the user equipment, receiving a second credential acquisition request sent by the application server, the second credential acquisition request including the identifier of the user equipment;
generating the second credential from the authentication vector using the same algorithm as is used to generate the first credential, so that the application server verifies the user equipment according to the second credential.
9. The method according to claim 8, characterized in that, after the authentication vector acquisition request sent by the application server is received and before the authentication vector corresponding to the identifier, obtained from the home subscriber server (HSS) or home location register (HLR), is sent to the application server, the method further comprises:
sending the identifier and the information of the application server to the HSS or HLR, to cause the HSS or HLR to check whether the user equipment is allowed to access the application server.
10. The method according to claim 8, characterized in that, after the second credential is generated from the authentication vector using the same algorithm as is used to generate the first credential, the method further comprises: storing the second credential in correspondence with the identifier.
11. The method according to any one of claims 8 to 10, characterized by further comprising: converting the identifier into the international mobile subscriber identity (IMSI) of the user equipment.
12. An authentication method, characterized by comprising:
sending a first login request to an application server, the first login request carrying the identifier of the user equipment, and, if the login request carries an indication that there is no valid first credential, receiving the authentication challenge corresponding to the identifier sent by the application server;
generating the first credential according to the authentication challenge;
sending a second login request to the application server, the second login request being generated according to the identifier and the first credential, so that the application server verifies the user equipment according to the second credential corresponding to the identifier; wherein the second credential is generated in the same manner as the first credential.
13. The method according to claim 12, characterized in that generating the first credential according to the authentication challenge comprises:
obtaining, according to the authentication challenge, the authentication response corresponding to the authentication challenge;
generating the first credential from the authentication challenge and the authentication response using the same algorithm as is used to generate the second credential.
14. The method according to claim 12 or 13, characterized by further comprising:
sending a third login request to the application server, the third login request being generated according to the identifier and the first credential, the identifier being a temporary identifier or a permanent identifier, the permanent identifier being generated according to the international mobile subscriber identity (IMSI) or the mobile subscriber integrated services digital network number (MSISDN) of the user equipment;
receiving the verification result for the user equipment sent by the application server.
15. An application server, characterized by comprising:
a first sending unit, configured to, when a first login request of a user equipment is received and it is found that the first login request carries no indication of a valid first credential, send, according to the identifier of the user equipment carried in the login request, the authentication challenge corresponding to the identifier to the user equipment, so that the user equipment generates the corresponding first credential according to the authentication challenge;
a first receiving unit, configured to receive a second login request sent by the user equipment, the second login request being generated by the user equipment according to the identifier and the first credential;
a first verification unit, configured to verify the user equipment according to the second credential corresponding to the identifier;
wherein the second credential is generated in the same manner as the first credential.
16. The application server according to claim 15, characterized in that the first sending unit comprises:
a second sending unit, configured to, when the first login request of the user equipment is received and it is found that the first login request carries no indication of a valid first credential, send the identifier to the authentication function (AF), so that the AF sends the identifier to the home subscriber server (HSS) or home location register (HLR) to obtain the corresponding authentication vector, the authentication vector including the authentication challenge and the authentication response;
a first acquiring unit, configured to obtain the authentication challenge from the AF;
a third sending unit, configured to send the authentication challenge to the user equipment, so that the user equipment generates the corresponding first credential according to the authentication challenge.
17. The application server according to claim 15 or 16, characterized by further comprising: a fourth sending unit, configured to send the identifier to the authentication function (AF), so that the AF sends the information of the application server and the identifier to the home subscriber server (HSS) or home location register (HLR), to cause the HSS or HLR to check whether the user equipment is allowed to access the application server.
18. The application server according to claim 16 or 17, characterized by further comprising: a first converting unit, configured to convert the identifier into the international mobile subscriber identity (IMSI) of the user equipment.
19. The application server according to claim 15 or 16, characterized by further comprising: a second acquiring unit, configured to obtain, according to the identifier, the second credential corresponding to the identifier.
20. The application server according to claim 15, characterized in that the second acquiring unit is further configured to, when the login request of the user equipment is received, if the first credential is found according to the identifier, obtain, according to the identifier, the second credential corresponding to the identifier.
21. The application server according to claim 19 or 20, characterized in that the second acquiring unit comprises:
a first searching unit, configured to search, according to the identifier, whether the second credential is stored locally;
a third acquiring unit, configured to obtain the second credential locally if the search result is yes;
a fourth acquiring unit, configured to obtain the second credential from the authentication function (AF) if the search result is no, the second credential being generated by the AF, according to the identifier, from the corresponding authentication vector obtained from the home subscriber server (HSS) or home location register (HLR), using the same algorithm as is used to generate the first credential.
    22nd, a kind of authentication function device AF, it is characterised in that including:
    Second receiving unit, for when there is no the instruction of effective first credential in the logging request that application server finds user equipment transmission, the Ciphering Key acquisition request that application server is sent is received, the Ciphering Key, which obtains request, includes the mark of the user equipment;
    5th transmitting element, for will be from family registered user server HSS or attaching position register
    The Ciphering Key for the correspondence mark that HLR is obtained is sent to the application server, so that the authentication challenge in the Ciphering Key is sent to the user equipment to generate first credential of the correspondence authentication challenge by the application server;
    3rd receiving unit, for when the application server receives the second logging request that the user equipment is sent, the second credential for receiving the application server to obtain request, and second credential, which obtains request, includes the mark of the user equipment;
    First generation unit, for according to the Ciphering Key, second credential to be generated using with generating the first credential identical algorithm, so that the application server carries out dangerous card to the user user according to second credential.
    23rd, AF as claimed in claim 22, it is characterised in that also include:
    6th transmitting element, for the information of the mark and the application server to be sent into the HSS or HLR, to cause the HSS or HLR to check whether the user equipment allows to access the application server.
    24th, AF as claimed in claim 22, it is characterised in that also include:
    Memory cell, for the correspondence mark, stores second credential.
    25th, the AF as described in claim 22-24 any one, it is characterised in that also include:Second converting unit, the international nobile recognition number for the mark to be converted to the user equipment IMSL
26. A user equipment, characterised in that it includes:
    a fourth receiving unit, for receiving, after a first login request carrying the identifier of the user equipment has been sent to an application server, the authentication challenge corresponding to the identifier that the application server sends if the login request carries an indication that there is no valid first credential;
    a second generation unit, for generating the first credential according to the authentication challenge;
    a seventh transmitting unit, for sending a second login request to the application server, the second login request being generated according to the identifier and the first credential, so that the application server verifies the user equipment according to the second credential corresponding to the identifier;
    wherein the second credential is generated in the same manner as the first credential.
27. The user equipment as claimed in claim 26, characterised in that the second generation unit includes:
    a fifth acquiring unit, for obtaining, according to the authentication challenge, the authentication response corresponding to the authentication challenge;
    a third generation unit, for generating the first credential from the authentication challenge and the authentication response using the same algorithm as is used to generate the second credential.
28. The user equipment as claimed in claim 26 or 27, characterised in that it further includes:
    an eighth transmitting unit, for sending a third login request to the application server, the third login request being generated according to the identifier and the first credential, the identifier being a temporary identifier or a permanent identifier, the permanent identifier being generated according to the international mobile subscriber identity IMSI or the mobile subscriber integrated services digital network number MSISDN of the user equipment;
    a fifth receiving unit, for receiving the verification result for the user equipment sent by the application server.
29. An authentication system, characterised in that it includes the application server as claimed in any one of claims 15 to 21, the authentication function device AF as claimed in any one of claims 22 to 25, a home subscriber server HSS or home location register HLR, and the user equipment as claimed in any one of claims 26 to 28.
30. An application server, characterised in that it includes an input device, an output device, a memory and a processor;
    wherein the processor executes the following steps:
    when a first login request of a user equipment is received, if it is found that the first login request carries no indication of a valid first credential, sending, according to the identifier of the user equipment carried in the login request, the authentication challenge corresponding to the identifier to the user equipment, so that the user equipment generates the corresponding first credential according to the authentication challenge;
    receiving a second login request sent by the user equipment, the second login request being generated by the user equipment according to the identifier and the first credential;
    verifying the user equipment according to the second credential corresponding to the identifier;
    wherein the second credential is generated in the same manner as the first credential.
31. The application server as claimed in claim 30, characterised in that the step executed by the processor of, when a first login request of a user equipment is received and it is found that the first login request carries no indication of a valid first credential, sending the authentication challenge corresponding to the identifier of the user equipment carried in the login request to the user equipment, so that the user equipment generates the corresponding first credential according to the authentication challenge, includes:
    when a first login request of a user equipment is received, if it is found that the first login request carries no indication of a valid first credential, sending the identifier to an authentication function device AF, so that the AF sends the identifier to a home subscriber server HSS or home location register HLR and obtains from it the authentication vector corresponding to the identifier, the authentication vector including the authentication challenge and an authentication response; and sending the authentication challenge to the user equipment, so that the user equipment generates the corresponding first credential according to the authentication challenge.
32. The application server as claimed in claim 30 or 31, characterised in that, after the step executed by the processor of finding that the first login request carries no indication of a valid first credential, the processor also executes the following step:
    sending the identifier to an authentication function device AF, so that the AF sends the information of the application server and the identifier to a home subscriber server HSS or home location register HLR, so that the HSS or HLR checks whether the user equipment is allowed to access the application server.
33. The application server as claimed in claim 31 or 32, characterised in that the processor also executes the following step:
    converting the identifier into the international mobile subscriber identity IMSI of the user equipment.
34. The application server as claimed in claim 30 or 31, characterised in that, after the step executed by the processor of receiving the second login request sent by the user equipment, and before the step of verifying the user equipment according to the second credential corresponding to the identifier, the processor also executes the following step:
    obtaining, according to the identifier, the second credential corresponding to the identifier.
35. The application server as claimed in claim 30, characterised in that the processor also executes the following step:
    when a login request of a user equipment is received, if the first credential is found by looking up the identifier, obtaining, according to the identifier, the second credential corresponding to the identifier.
36. The application server as claimed in claim 34 or 35, characterised in that the step executed by the processor of obtaining, according to the identifier, the second credential corresponding to the identifier includes:
    searching, according to the identifier, whether the second credential is stored locally;
    if the search result is yes, obtaining the second credential locally;
    if the search result is no, obtaining the second credential from an authentication function device AF, the second credential being generated by the AF, from the authentication vector corresponding to the identifier obtained from a home subscriber server HSS or home location register HLR, using the same algorithm as is used to generate the first credential.
37. An authentication function device AF, characterised in that it includes an input device, an output device, a memory and a processor;
    wherein the processor executes the following steps:
    when an application server finds that a login request sent by a user equipment carries no indication of a valid first credential, receiving an authentication vector acquisition request sent by the application server, the authentication vector acquisition request including the identifier of the user equipment;
    sending the authentication vector corresponding to the identifier, obtained from a home subscriber server HSS or home location register HLR, to the application server, so that the application server sends the authentication challenge in the authentication vector to the user equipment to generate the first credential corresponding to the authentication challenge;
    when the application server receives a second login request sent by the user equipment, receiving a second credential acquisition request from the application server, the second credential acquisition request including the identifier of the user equipment;
    generating the second credential from the authentication vector using the same algorithm as is used to generate the first credential, so that the application server verifies the user equipment according to the second credential.
38. The AF as claimed in claim 37, characterised in that, after the step executed by the processor of receiving the authentication vector acquisition request sent by the application server, and before the step of sending the authentication vector corresponding to the identifier obtained from the home subscriber server HSS or home location register HLR to the application server, the processor also executes the following step:
    sending the identifier and the information of the application server to the HSS or HLR, so that the HSS or HLR checks whether the user equipment is allowed to access the application server.
39. The AF as claimed in claim 37, characterised in that, after the step executed by the processor of generating the second credential from the authentication vector using the same algorithm as is used to generate the first credential, the processor also executes the following step:
    storing the second credential against the corresponding identifier.
40. The AF as claimed in any one of claims 37 to 39, characterised in that the processor also executes the following step:
    converting the identifier into the international mobile subscriber identity IMSI of the user equipment.
41. A user equipment, characterised in that it includes an input device, an output device, a memory and a processor;
    wherein the processor executes the following steps:
    after a first login request carrying the identifier of the user equipment has been sent to an application server, if the login request carries an indication that there is no valid first credential, receiving the authentication challenge corresponding to the identifier sent by the application server;
    generating the first credential according to the authentication challenge;
    sending a second login request to the application server, the second login request being generated according to the identifier and the first credential, so that the application server verifies the user equipment according to the second credential corresponding to the identifier;
    wherein the second credential is generated in the same manner as the first credential.
42. The user equipment as claimed in claim 41, characterised in that the step executed by the processor of generating the first credential according to the authentication challenge includes:
    obtaining, according to the authentication challenge, the authentication response corresponding to the authentication challenge;
    generating the first credential from the authentication challenge and the authentication response using the same algorithm as is used to generate the second credential.
43. The user equipment as claimed in claim 41 or 42, characterised in that the processor also executes the following steps:
    sending a third login request to the application server, the third login request being generated according to the identifier and the first credential, the identifier being a temporary identifier or a permanent identifier, the permanent identifier being generated according to the international mobile subscriber identity IMSI or the mobile subscriber integrated services digital network number MSISDN of the user equipment;
    receiving the verification result for the user equipment sent by the application server.
44. An authentication system, characterised in that it includes the application server as claimed in any one of claims 30 to 36, the authentication function device AF as claimed in any one of claims 37 to 40, a home subscriber server HSS or home location register HLR, and the user equipment as claimed in any one of claims 41 to 43.
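As an added example that is not part of the patent, the following Python models the bootstrap-and-login exchange the claims above describe: the application server relays only the challenge, the AF derives the second credential from the vector it fetched from the HSS/HLR, and the UE derives the first credential from the challenge and its own response. The HMAC-SHA256 derivations, the long-term key K, and all identifiers and server names are constructed assumptions; the patent itself does not fix the credential algorithm.

```python
import hashlib, hmac, os

def prf(key: bytes, *parts: bytes) -> bytes:
    # Keyed derivation used for RES/XRES and for both credentials (assumed, not from the patent).
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

class HSS:  # home subscriber server / HLR: long-term key K per IMSI plus the access list
    def __init__(self, keys: dict, allowed: dict):
        self.keys, self.allowed = keys, allowed  # IMSI -> K, IMSI -> {application server names}

    def authentication_vector(self, imsi: str, app_server: str) -> dict:
        if app_server not in self.allowed.get(imsi, set()):  # access check of claims 23 and 38
            raise PermissionError("user equipment may not access this application server")
        rand = os.urandom(16)  # authentication challenge
        return {"RAND": rand, "XRES": prf(self.keys[imsi], b"RES", rand)}  # expected response

class AF:  # authentication function device: maps identifiers to IMSI, fetches vectors, derives credentials
    def __init__(self, hss: HSS, identity_map: dict):
        self.hss, self.identity_map = hss, identity_map  # temporary/permanent identifier -> IMSI (claim 40)
        self.vectors, self.credentials = {}, {}

    def get_authentication_vector(self, identifier: str, app_server: str) -> dict:
        self.vectors[identifier] = self.hss.authentication_vector(self.identity_map[identifier], app_server)
        return self.vectors[identifier]

    def get_second_credential(self, identifier: str) -> bytes:
        av = self.vectors[identifier]
        self.credentials[identifier] = prf(av["XRES"], b"CRED", av["RAND"])  # same algorithm as the UE (claim 39)
        return self.credentials[identifier]

class UE:  # user equipment: shares K with the HSS, derives the first credential from the challenge
    def __init__(self, identifier: str, k: bytes):
        self.identifier, self.k = identifier, k

    def answer_challenge(self, rand: bytes) -> bytes:
        res = prf(self.k, b"RES", rand)  # authentication response
        return prf(res, b"CRED", rand)  # first credential = f(challenge, response) (claim 42)

class ApplicationServer:  # never holds K or XRES; it relays RAND and compares credentials
    def __init__(self, name: str, af: AF):
        self.name, self.af, self.cache = name, af, {}  # cache: locally stored second credentials

    def login(self, identifier: str, first_credential):
        # Returns a challenge dict when the UE must bootstrap, otherwise the verification result.
        if first_credential is None:  # the 'no valid first credential' indication
            return {"challenge": self.af.get_authentication_vector(identifier, self.name)["RAND"]}
        second = self.cache.get(identifier) or self.af.get_second_credential(identifier)  # claim 36
        self.cache[identifier] = second
        return hmac.compare_digest(first_credential, second)  # constant-time comparison

def run_flow(ue_key: bytes = b"K-constructed") -> tuple:
    # Bootstrap then log in; returns (genuine credential result, forged credential result).
    hss = HSS({"IMSI-constructed": b"K-constructed"}, {"IMSI-constructed": {"app.example"}})
    af = AF(hss, {"tmp-id-1": "IMSI-constructed"})
    app, ue = ApplicationServer("app.example", af), UE("tmp-id-1", ue_key)
    rand = app.login(ue.identifier, None)["challenge"]
    return app.login(ue.identifier, ue.answer_challenge(rand)), app.login(ue.identifier, bytes(32))
```

A UE holding a different K than the HSS produces a first credential that never matches the AF's second credential, and a subscriber not on the HSS access list is refused before any challenge is issued.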
CN201380000924.5A 2013-07-31 2013-07-31 Authentication method, the method and relevant apparatus for generating credential Active CN104584477B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2013/080511 WO2015013915A1 (en) 2013-07-31 2013-07-31 Authentication method, method of generating credentials, and associated device

Publications (2)

Publication Number Publication Date
CN104584477A true CN104584477A (en) 2015-04-29
CN104584477B CN104584477B (en) 2017-11-17

Family

ID=52430855

Country Status (2)

Country Link
CN (1) CN104584477B (en)
WO (1) WO2015013915A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110557751A (en) * 2018-06-01 2019-12-10 苹果公司 authentication based on server trust evaluation

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101267301A (en) * 2007-03-15 2008-09-17 上海贝尔阿尔卡特股份有限公司 Identity authentication and secret key negotiation method and device in communication network
WO2009106091A1 (en) * 2008-02-25 2009-09-03 Nokia Siemens Networks Oy Secure bootstrapping architecture method based on password-based digest authentication
CN101626369A (en) * 2008-07-11 2010-01-13 中国移动通信集团公司 Method, device and system for single sign-on
CN101854630A (en) * 2010-05-25 2010-10-06 中兴通讯股份有限公司 Method, system and user equipment for realizing card authentication
CN102264069A (en) * 2010-05-28 2011-11-30 中国移动通信集团公司 Authentication control method, device and system based on universal guide architecture

Also Published As

Publication number Publication date
CN104584477B (en) 2017-11-17
WO2015013915A1 (en) 2015-02-05

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant