CN1385051A - GSM security for packet data networks - Google Patents

GSM security for packet data networks

Info

Publication number
CN1385051A
Authority
CN
Grant status
Application
Patent type
Prior art keywords
gsm
security
packet
data
networks
Prior art date
Application number
CN 00815051
Other languages
Chinese (zh)
Inventor
J·L·马里茨里奥斯
J·L·瑞茨桑切茨
Original Assignee
艾利森电话股份有限公司
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 29/00 Arrangements, apparatus, circuits or systems, not covered by a single one of groups H04L 1/00 - H04L 27/00
                    • H04L 29/02 Communication control; Communication processing
                        • H04L 29/06 characterised by a protocol
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/04 for providing a confidential data exchange among entities communicating through data packet networks
                        • H04L 63/0428 wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                            • H04L 63/0435 wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
                    • H04L 63/08 for supporting authentication of entities communicating through a packet data network
                        • H04L 63/0853 using an additional device, e.g. smartcard, SIM or a different communication terminal
                    • H04L 63/18 using different networks or paths for security, e.g. using out of band channels
            • H04W WIRELESS COMMUNICATIONS NETWORKS
                • H04W 12/00 Security arrangements, e.g. access security or fraud detection; Authentication, e.g. verifying user identity or authorisation; Protecting privacy or anonymity
                    • H04W 12/06 Authentication
                    • H04W 12/08 Access security
    • G PHYSICS
        • G06 COMPUTING; CALCULATING; COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
                        • G06F 21/31 User authentication
                            • G06F 21/42 using separate channels for security data
                                • G06F 21/43 wireless channels
            • G06Q DATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
                • G06Q 20/00 Payment architectures, schemes or protocols
                    • G06Q 20/38 Payment protocols; Details thereof
                        • G06Q 20/42 Confirmation, e.g. check or permission by the legal debtor of payment
                            • G06Q 20/425 using two different networks, one for transaction and one for security confirmation

Abstract

In a communication system, a method and apparatus are provided that apply GSM (Global System for Mobile Communications) security principles to authenticate a user requesting access to a packet data network. When the identity of a user attempting to access certain resources (for example, an application in the network) needs to be verified, an authentication entity initiates the authentication process. The authentication entity sends an authentication request to an authentication server, which checks whether the user's identity corresponds to a known user. If so, the authentication server generates an authentication token that is sent to the user via the access network and the remote host. Using a secure communication link over the wireless network, the authentication server requests that the user send the authentication token back to it over the public land mobile network through that secure link. Once the user has returned the token over the secure channel, the authentication server compares the token it sent to the user with the token received from the user over the secure link. If the tokens match, the authentication server instructs the authentication entity to grant the user access to the requested service. If they do not match, the user is denied access to the requested service.

Description

GSM security for packet data networks

Background

The present invention relates generally to methods and apparatus for providing security for packet data networks, and more particularly to methods and apparatus that apply GSM security principles to authenticate users requesting access to a packet data network.

The number of users accessing packet data networks (PDNs) such as the Internet from remote locations is increasing every day. Consequently, the number of private networks interconnected with the Internet has grown significantly. A private network is generally one in which access to the host sites of the private network is restricted to authorized users. When a private network is connected to the Internet, security procedures, including authentication procedures, are carried out to ensure that only authorized users can access the private network from authorized hosts. For example, when a user requests access to a host site of a private network from a remote location, the user must be authenticated before being granted access to that host site.

Some conventional authentication procedures use passwords. A password is a string of characters recognized by an automatic device that permits a user to access protected files or input or output devices. Most sophisticated systems, such as Kerberos, use password-based authentication schemes. Kerberos is a security system for client/server computing.

The password may be generated at the remote site that requests access to a host site of the private network. Some systems use symmetric or asymmetric cryptographic techniques to generate and authenticate passwords, as described in more detail below.

The continuing growth of PDNs has produced a wide range of computer services. In some cases these services are restricted to a number of users. In other cases the services are accessed dynamically on a commercial basis, that is, users pay to use them. In both cases the users must authenticate themselves to the service provider's service provisioning system before they can access the desired services. In this way the service provider ensures that only users entitled to access the services can do so.

Cellular communication systems control the use of network resources by mobile stations (MSs) corresponding to authorized subscribers. In a conventional GSM cellular communication system the MS includes a subscriber identity module (SIM), which contains subscriber information, for example data that allows the MS to access the network infrastructure of the GSM cellular communication system. The SIM takes part in subscriber authentication and in the subsequent encryption of the radio communication, if any.

Subscriber identity authentication verifies that services are provided only to a restricted and controllable group of users, while authorization verifies that a restricted and controllable set of resources is provided to the appropriate users. In principle, obtaining access to a network is similar to obtaining access to any particular application server, in the sense that the client is required to open a session with a specific server (for example, an access server). The access session encompasses all other possible sessions with different servers, and it is a prerequisite for any interaction with servers in the network. Each server can have its own procedures for authenticating and authorizing users.

Remote access to public or private data networks is growing rapidly, particularly through dial-up PSTN/ISDN connections, which are insecure because data is sent over non-secure communication lines. In addition, software for breaking security is quite advanced and more widely available than in the past, making it harder to prevent unauthorized users from obtaining confidential information.

Because data networks are growing rapidly, a separate security procedure for each application in a data network may not be sufficient to resist an intruder who has positioned himself inside the data network. Network-wide security procedures and policies therefore become more necessary for protecting private packet data networks.

Weak authentication and strong authentication are two well-known types of authentication. Both can use well-known authentication security methods such as tokens (for example, a unique combination of bits), passwords (for example, a secret string) or biometric information (for example, fingerprints, voiceprints, retinal scans and so on).

Weak authentication is called single-factor authentication because a single method is used to authenticate the user. Weak authentication also covers techniques with conventional static passwords and one-time passwords. Static passwords, however, can be broken with software programs including keystroke monitors, password-guessing intrusion programs and network sniffers.

Static passwords can be protected from such software programs by generating one-time passwords (one password per session) that cannot be computed from previous passwords, that is, by introducing a pseudo-random sequence as a factor in the computation. The one-time password is generated from a "real" password (a secret shared between the user and the network) that is never sent over the network.

Strong authentication is called two-factor authentication. Because it uses two methods (usually a token and a password) to authenticate the user, it is more secure than weak authentication. Commercial systems that generate one-time passwords from a token and a password are available, such as Security Dynamics' SecurID, Safeword's Safeword DES Gold Card and Digital Pathways' Defender. For example, the token may be a hardware device and the password may be a personal identification number (PIN) code for accessing that hardware device.

Strong authentication can be made even more secure, for example by introducing explicit authentication, in which the network generates a random factor as input to the user's password-generation operation (this is called the network challenging the user). Second, the password lifetime can be very short, for example one minute, so that continuous authentication is performed while the session continues. Third, more sophisticated keys and algorithms based on symmetric or asymmetric cryptography can be used.

The most commonly used authentication procedures are based on the identity/password method. The most advanced systems use methods based on one-time passwords and tokens. These implementations have limitations, however. For example, the static login/password method provides weak security. Strong authentication methods, on the other hand, require the user to carry an additional device, namely the token device. Some strong authentication mechanisms require specific hardware, for example a smart card reader. Moreover, some strong authentication methods require specific hardware and software architectures, which creates an administrative burden. The lack of flexibility of token devices thus gives strong authentication methods further problems.

There is therefore a need to apply GSM security principles to authenticate users in a PDN, in order to improve security when accessing a private service network and the specific services and applications of such a network.

There is also a need to use two different communication channels between the private service network and the user requesting access to it: one channel is a non-secure channel connected to the PDN through the access network and is not used to carry any sensitive information between the remote host and the PDN, while the other is a secure channel over which secret information is exchanged between the MS and the PDN through a public land mobile network (PLMN). There is also a need to authenticate users with such GSM security principles when performing electronic commerce transactions.

Summary of the Invention

According to the invention of the present application, these and other objects are achieved by a method and apparatus that apply GSM security principles to user authentication in a PDN in order to improve the access security of a private service network.

According to an exemplary embodiment of the invention, a communication system for authenticating a user requesting access to a PDN includes a PLMN connected to the PDN. A remote host is connected to the PDN through an access network. A mobile station may be coupled to the PLMN over a wireless link. In response to a user request for access to the PDN, the PDN generates an authentication token and sends it to the user via the access network and the remote host over a non-secure or secure communication channel. The user sends the authentication token back to the PDN through the secure channel of the PLMN, and the PDN compares the tokens to determine whether to grant the user access to the PDN.

According to another exemplary embodiment of the invention, the communication system has an electronic commerce server for authenticating users when performing electronic commerce transactions. A user wishing to perform an electronic commerce transaction sends a request to the PDN, which generates an authentication token. Communication takes place with a payment server that handles the charging aspects of the electronic commerce application. The authentication token is sent from the PDN to the user through the access network over a non-secure or secure communication line, and the user sends it back to the PDN over the secure communication channel of the PLMN. The token sent to the user is compared with the token the user sent to the PDN to determine whether the user is authorized to continue his operation. The communication system also has an authentication server that communicates with the payment server in order to charge the user for the electronic commerce transaction. Charging information may also be sent to the billing system of the PLMN.

Brief Description of the Drawings

The features, objects and advantages of the invention will become apparent from reading this specification in conjunction with the drawings, in which like reference numerals denote like elements, and in which:

FIG. 1 is a block diagram of a communication system according to an exemplary embodiment of the invention;
FIG. 2 is a block diagram of a mobile station according to an exemplary embodiment of the invention;
FIG. 3 is a block diagram of a method of authenticating a user according to an exemplary embodiment of the invention;
FIG. 4 is a flowchart of a method of communication between the mobile equipment (ME) and the SIM of the MS according to an exemplary embodiment of the invention;
FIG. 5 is a block diagram of a communication system for authenticating a user when accessing a PDN in a dial-up scenario according to another exemplary embodiment of the invention;
FIG. 6 is a flowchart of a method for authenticating a user according to another exemplary embodiment of the invention;
FIG. 7 is a block diagram of a communication system for authenticating a user when performing an electronic commerce transaction according to an exemplary embodiment of the invention;
FIG. 8 is a message sequence chart of a method for authenticating a user when performing an electronic commerce transaction according to an exemplary embodiment of the invention;
FIG. 9 is a block diagram of a communication system using Unstructured Supplementary Service Data (USSD) according to an exemplary embodiment of the invention;
FIG. 10 is a message sequence chart of a method for authenticating a user in a network scenario using USSD according to an exemplary embodiment of the invention;
FIG. 11 is a block diagram of a communication system using the Wireless Application Protocol (WAP) according to an exemplary embodiment of the invention; and
FIG. 12 shows a method of authenticating a user in the communication system of FIG. 11.

Detailed Description

FIG. 1 is a block diagram of a communication system according to an exemplary embodiment of the invention. In FIG. 1 the communication system comprises a PLMN 22, a PDN 24, an access network 26, a remote host 32 and an MS 68.

The PDN 24 may be connected to the access network 26 through a communication link (not shown). The access network 26 may be connected to the remote host 32 through a communication link 30.

The PLMN 22 includes a base transceiver station (BTS) 36 connected to a base station controller (BSC) 38 through a communication link 40. A mobile switching center/visitor location register (MSC/VLR) 42 may be connected to the BSC 38 and to a short message service center (SMS-C) 44 through communication links 46 and 48, respectively. A home location register (HLR) 50 may be connected to the MSC/VLR 42 and to an authentication center (AuC) 52 through communication links 54 and 56, respectively.

The PDN 24 includes an authentication server 58 connected to an authentication entity 60 through a communication link 62. A WAP server 76 may be connected to the authentication server 58 through a communication link 78. A network access service (NAS)/router 64 is connected to the authentication entity 60 through a communication link 66. The authentication server 58 may be connected to the SMS-C 44 through a communication link 72; the details of this connection are not critical to the invention and are therefore not shown. The connection does, however, depend on the type of connection (for example X.25 or IP) and on the security mechanisms in force (for example IPsec, a tunnel server, a router or a firewall). The HLR 56 may be connected to the authentication server 58 through a communication link 74.

The MS 68 communicates with the PLMN 22 over a wireless connection shown as radio link 70.

The PLMN 22 may be constructed according to the Global System for Mobile Communications (GSM) standard described in European Telecommunications Standards Institute (ETSI) documents ETS 300 573, ETS 300 574 and ETS 300 578, which are incorporated herein by reference. The GSM specifications are well known in the art and are therefore not described further here. The BTS 36 receives uplink signals generated by the MS 68 over the radio link 70 and generates downlink signals for transmission to the MS 68 over the radio link 70. The BTS 36 also communicates with the BSC 38, which controls the operation of a group of base stations (not shown).

The HLR 50 contains subscription and location information about the subscribers of the communication system. The HLR 50 is thus used to identify/verify subscribers. The HLR 50 also contains subscriber data about the features and services of the communication system available to the subscriber. The AuC 52 handles the security functions of the PLMN 22. The AuC 52 stores the subscribers' secret keys and employs the A3 (authentication) and A5 (encryption/decryption) security algorithms. The A3 and A5 security algorithms are described in ETSI document ETS 300 929, incorporated herein by reference, and are also specified in Annex C of ETS 300 534, incorporated herein by reference.

The SMS-C 44 receives messages generated in the PDN 24 over the communication link 72 and assembles the received messages into short message service (SMS) messages, which are sent as defined in the corresponding GSM standard specifications and will therefore not be described further here.

The remote host 32, for example a personal computer or laptop computer, contains conventional client software for remote access to the PDN 24, such as Microsoft's Internet Explorer, America Online's Netscape Navigator and so on.

The PDN 24 includes a number of hosts (not all shown). The authentication entity 60 is responsible for ensuring that only authorized users are granted access to resources in the PDN 24. These resources may include applications or content within applications. Those skilled in the art will recognize that the PDN 24 and the access network 26 may be connected through an intermediate PDN (for example an ISP or an intranet). Those skilled in the art will also recognize that the access network 26 may be a cellular network, in which case the remote host 26 is linked to the NAS/router 64 by conventional wireless methods. Those skilled in the art will also recognize that the authentication server 58 may be connected to the PLMN 22 through an intermediate gateway system.

The authentication server 58 provides authentication services to the PDN 24. The authentication server 58 generates an authentication token for each access request and handles the dialogue with the authentication application in the processing means (not shown) of the MS 68. This processing means is described in detail below with reference to FIG. 2. The authentication server 58 verifies the response from the processing means and passes the result of the authentication process to the authentication entity 60. Any encryption of the communication between the processing means and the authentication entity 58 requires the corresponding algorithms and key values to be stored in the authentication server 58. If the GSM security scheme is reused, the authentication server 58 neither stores the keys itself nor computes the authentication algorithms; instead it obtains the necessary values from the corresponding AuC 52 in the GSM network. When the authentication is related to payment, the authentication server 58 is responsible for establishing the corresponding dialogue with a payment server (not shown) and for passing the necessary information (for example, the price) from the authentication entity to the payment server.

The authentication entity 60 invokes a suitable mechanism (for example, a protocol application programming interface) to request authentication from the authentication server 58. The authentication entity 60 passes the authentication token to the remote host 32 and handles the result of the authentication process. When the authentication is related to an operation that requires additional information to be recorded (for example, payment), the authentication entity 60 requests user authentication from the authentication server 58, and the authentication request includes this additional information.

Those skilled in the art will recognize that the authentication entity 60 and the authentication server 58 may be located in different PDNs, provided that those PDNs are linked by a secure data channel such as an IPsec tunnel.

FIG. 2 is a block diagram of the mobile station architecture, and of the network environment it interacts with, in the case where SMS is used, according to an exemplary embodiment of the invention. The mobile station (MS) 80 includes a SIM 90 and an ME 92. The network environment includes a PLMN 82 and an authentication server 84. The PLMN 82 in turn includes an SMS-C 86 that may be connected to the authentication server 84 through a communication link 88.

The ME 92 includes a keyboard 102 and a display 104. The SIM 90 includes a SIM operating system (SIM OS) 96, a GSM part 98, a SIM Application Toolkit (STK) 100 and an authentication application, namely the processing means shown as AUTH-APP 108. The ME 92 and the SIM 90 communicate with each other over a communication link 94.

此SIM 90可以是安装在MS 80中的“智能”卡并包含例如用于允许MS 80接入GSM通信系统的网络基础结构的数据的用户信息。 This SIM 90 in MS 80 may be mounted in the "smart" cards and include, for example MS 80 for allowing access to the data communication network infrastructure of the GSM system user information. SIM 90参与用户的鉴别和无线电通信的后续加密(如果有的话)。 SIM 90 participating in subsequent encrypted authentication and radio communication users (if any).

MS 80通过表示为无线链路106的无线通信链路与PLMN 82通信。 MS 80 represented by a communication link 106 is a wireless radio communication link with the PLMN 82.

SIM 90与ISO/EEC/7816和GSM 11.14(阶段2+)规范的标准兼容。 SIM 90 (Phase 2+) specification compliant with ISO / EEC / 7816 and GSM 11.14. GSM 11.14定义SIM 90和ME 92之间的接口以及用于此ME 92(特别地,用于AUTH-APP 108)的必备程序。 GSM 11.14 defines an interface and this is used between the ME 92 ME 92 SIM 90 and mandatory programs (in particular, for AUTH-APP 108) a. AUTH-APP 108是用于使SIM90中存在的应用程序能与ME 92相互作用并利用ME 92进行操作的结构。 AUTH-APP 108 is an application for SIM90 present configuration of the operation can be performed with the ME 92 interact using ME 92. 例如,交互作用包括在显示器104上显示消息、从键盘102中获得用户的输入和通过无线链路106发送与接收短消息。 For example, the interaction comprises displaying a message on the display 104, and user's input is obtained via a wireless link 106 to send and receive short messages from the keyboard 102.

SIM OS 96提供执行与管理框架以用于处理常规GSM功能的GSM应用程序。 SIM OS 96 performs management framework to provide a process for GSM applications a conventional GSM functionality. 与之一起,STK 100为类似于AUTH-APP 108的所有类型的应用程序提供环境。 Together therewith, STK 100 provide an environment for similar AUTH-APP 108 for all types of applications.

AUTH-APP 108处理利用保密信道(未示出)与鉴别服务器84进行的通信。 AUTH-APP 108 using a secret processing channel (not shown) for communicating with the authentication server 84. 在AUTH-APP 108通过PLMN 82从鉴别服务器84中接收到鉴别请求时,它指示MS 80请求此鉴别令牌。 When AUTH-APP 108 PLMN 82 receives from the authentication server 84 to the authentication request by MS 80 indicating which request this authentication token. 一旦将此鉴别令牌输入到MS 80中,此AUTH-APP 108通过PLMN 82将包含此鉴别令牌的鉴别响应发回给鉴别服务器84。 Once this authentication token input into the MS 80, then this AUTH-APP 108 by PLMN 82 comprising a differential response to this authentication token back to the authentication server 84. 可以利用PIN码来保护AUTH-APP 108执行的鉴别应用程序的执行。 Protection can be performed using the PIN code authentication AUTH-APP application 108 executed. 在AUTH-APP 108与鉴别服务器84之间对通信的任何可能的加密都会要求把相应的算法和密钥值存储在此AUTH-APP 108中。 AUTH-APP 108 between the authentication server 84 may be any communications will require the encryption algorithm 108 and corresponding key values ​​are stored in this AUTH-APP.

仍然参见图2,在MS 80与鉴别服务器84之间的通信路径中利用端对端加密能获得较高的安全等级。 Still referring to FIG. 2, can be obtained using a high-end encryption in the security level of the communication path between the MS 80 and the authentication server 84. 在MS 80的AUTH-APP 108之间的应用层上并在鉴别服务器84上进行加密。 Authentication and encryption on the server 84 in the application layer 108 MS 80 between the AUTH-APP.

根据对称加密或非对称加密能实现MS 80与鉴别服务器84交换的数据内容的加密。 Symmetric encryption or asymmetric encryption the encrypted data content can be achieved with MS 80 authentication server 84 in accordance with the exchange. 在对称加密中,在SIM 90的AUTH-APP 108与鉴别服务器84之间分享保密密钥。 In symmetric encryption, a secret key shared between the SIM AUTH-APP 108 and the authentication server 84 90. 此保密密钥用于加密MS 80和鉴别服务器84上的数据。 This secret key is used to encrypt data on the authentication server 84 and MS 80. 通常,根据通常为用户的专用保密密钥的某一种子字符串,为两个通信方(MS 80与鉴别服务器84)之间的每个通信对话生成这样的保密密钥(也称为加密密钥)以用于信道加密。 Typically, according to some seed string is typically confidential private key of the user, such as the secret key generated for each communication session between two communicating parties (MS 80 and the authentication server 84) (also referred to as encryption key) for encryption channel. 在每个用户签署这些业务时,给此用户分配专用的保密密钥。 When each user to sign these services, users are assigned to this private secret key. 此用户保持这一密钥,除非此保密密钥必须进行更新。 This user keep this key, unless the secret key must be updated.

在本发明的一个实施例中,通过查询存储在SIM 90中的用户的专用保密密钥来改善用户鉴别,这利用标准的GSM鉴别方法从鉴别服务器84中来完成并因而将不在此进一步进行描述。 In one embodiment of the present invention, by querying the private secret key stored in the user to improve the user 90 SIM authentication, the use of this standard GSM authentication method from the authentication server 84 to complete and will thus not be described further herein . 鉴别服务器84连接到GSM核心网络,以便从PLMN 82的AuC(未示出)中获取安全性信息。 Authentication server 84 connected to the GSM core network, so (not shown) from the AuC PLMN 82 acquires security information. 鉴别服务器84不需要运行GSM加密算法或存储用户的保密密钥。 Authentication server 84 does not need to run the GSM encryption algorithm or a secret key stored in the user. 相反地,此鉴别服务器84可以从此AuC中检索用于此用户的随机号(RAND)和SRES对。 Conversely, this AuC authentication server 84 may retrieve from the user for a random number (the RAND) and SRES pairs. SIM 90中的AUTH-APP 108能重复使用此GSM安全性信息(密钥和算法);它将使用A3算法来从存储在SIM 90中的RAND与专用的保密密钥中获得SRES。 The SIM 90 AUTH-APP 108 can reuse the GSM security information (keys and algorithms); it is obtained using the A3 algorithm SRES stored in the SIM 90 from the RAND and the secret private keys.

Figure 3 shows a method of authenticating a user according to an exemplary embodiment of the invention. In figure 3, the communication system comprises a remote host 116, an access network 118, a PLMN 120, an MS 122 and a PDN 110, the PDN 110 comprising an authentication entity 112 and an authentication server 114.

In figure 3, the method starts at step 124, where the user issues an operation request to connect the remote host 116 to the PDN 110 through the access network 118. At step 125, the authentication entity 112 communicates with the authentication server 114 over a secure packet data connection (not shown) and requests authentication of the user attempting to access the PDN 110.

At step 126, the authentication server 114 provides an authentication token (not shown) to the authentication entity 112. At step 127, the authentication entity 112 sends this authentication token to the remote host 116 through the access network 118.

At step 128, the authentication server 114 contacts the MS 122 through the PLMN 120 using conventional wireless methods and requests that the user, using the MS 122, send the authentication token that was sent to the remote host 116 in step 127 back to the authentication server 114 via the MS 122 and the PLMN 120.

The MS 122 may request a PIN code from the user before the user can enter the authentication token into the MS 122 using an input device such as a keyboard. At step 129, the user enters the PIN code on the keyboard of the MS 122. Once the PIN code has been validated, the application in the SIM of the MS 122 communicates with the MS 122 to prompt the user to enter the authentication token received by the remote host 116 in step 127. At step 130, the user enters the authentication token using an input device such as the keyboard of the MS 122.

At step 132, the SIM application instructs the MS 122 to send the authentication token back to the authentication server 114 through the PLMN 120. Finally, the authentication server 114 determines whether the authentication token received through the PLMN 120 matches the authentication token sent to the remote host 116 in step 127. If the tokens match, the authentication server 114 instructs the authentication entity 112 to grant the user the requested service. If they do not match, a suitable error condition is sent to the authentication entity 112, and the user is accordingly denied access to the requested service.

Those skilled in the art will recognize that the MS 122 and the remote host 116 may be linked by a wireless, wired or infrared connection (not shown) to make the authentication process faster. For example, the application in the SIM can retrieve the authentication token from the remote host 116 without user intervention, as described below.

Referring back to step 129, the user may enter the PIN code at the remote host 116 rather than at the MS 122. The remote host 116 can then forward the PIN code automatically to the MS 122 over the wireless, wired or infrared connection between the MS 122 and the remote host 116. Moreover, once the remote host 116 has received the authentication token as in step 127, the PIN code can be stored at the remote host 116, from where the remote host 116 can forward it automatically to the MS 122 over the wireless, wired or infrared connection.

Alternatively, referring back to step 130, the MS 122 can retrieve the authentication token automatically from the remote host 116 over the wireless, wired or infrared connection.

Figure 4 is a flow chart of an exemplary embodiment of a method of communication between the ME 92 and the SIM 90 of the MS 80 shown in figure 2. According to figure 4, at step 140 the ME 92 receives a short message from the PLMN 82 (figure 2). This short message may be a message requesting that the ME 92 send an authentication token to the PLMN 82. At step 142, the ME 92 sends an authentication request (SMS-PP download) to the SIM 90. The SIM 90 starts its authentication application, reads the authentication request and obtains the RAND. At step 144, the SIM 90 sends a PIN code request to the ME 92. The user enters the PIN code using an input device such as the keyboard 102 (figure 2) of the ME 92. The ME 92 may show the entered PIN code on the display 104; the ME 92 reads the PIN code from the keyboard 102.

Next, at step 146, the ME 92 sends the PIN code to the SIM 90, which checks it to verify that it is the authorized PIN code for this ME 92. The SIM 90 then sends an authentication token request to the ME 92 at step 148. The user responds by entering the authentication token using an input device such as the keyboard 102. The ME 92 may show the entered authentication token on the display 104 and reads it from the keyboard 102. At step 150, the ME 92 sends the authentication token to the SIM 90. The SIM 90 computes SRES by applying the A3 secret algorithm to the RAND and the private key. The SIM 90 prepares a response using the SRES and the authentication token. At step 152, the SIM 90 sends the authentication response to the ME 92. Finally, at step 154, the ME 92 sends a short message containing the authentication token to the PLMN 82.
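The following is an added example, not code from the patent: a Python model of the SIM-side authentication application of figure 4 (PIN gate with a retry limit, SRES computed over the RAND) together with the authentication server that reuses the (RAND, SRES) pair obtained from the AuC, as described above for figure 2. The A3 algorithm is operator-specific and not public, so `a3_stand_in` (an HMAC truncated to 32 bits, the length of a GSM SRES) is an assumed placeholder; the class names, the `MAX_PIN_FAILURES` limit and the sample Ki and PIN are constructed for the example.

```python
import hashlib
import hmac
import secrets


def a3_stand_in(ki: bytes, rand: bytes) -> bytes:
    """Placeholder for the operator-specific GSM A3: (Ki, RAND) -> 32-bit SRES.
    Assumption: HMAC-SHA256 truncated to 4 bytes stands in for the real A3."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


class AuC:
    """Authentication centre: holds Ki per subscriber and hands out (RAND, SRES) pairs."""

    def __init__(self, subscribers):
        self._ki = subscribers  # IMSI -> Ki (constructed sample data)

    def pair(self, imsi, rand=None):
        rand = rand or secrets.token_bytes(16)
        return rand, a3_stand_in(self._ki[imsi], rand)


class SimAuthApp:
    """AUTH-APP in the SIM: PIN check with a retry limit, then SRES over the RAND."""

    MAX_PIN_FAILURES = 3  # constructed limit; the page only says 'a limited number'

    def __init__(self, ki: bytes, pin: str):
        self._ki = ki
        self._pin = pin
        self._failures = 0
        self._rand = None
        self.blocked = False

    def receive_auth_request(self, rand: bytes) -> None:
        # Step 142: the ME hands the SMS-PP download carrying the RAND to the SIM.
        self._rand = rand

    def verify_pin(self, entered: str) -> bool:
        # Steps 144-146: PIN entered on the ME, checked in the SIM.
        if self.blocked:
            return False
        if hmac.compare_digest(entered.encode(), self._pin.encode()):
            self._failures = 0
            return True
        self._failures += 1
        if self._failures >= self.MAX_PIN_FAILURES:
            self.blocked = True  # SIM stops accepting PIN codes after too many failures
        return False

    def build_response(self, token: str) -> dict:
        # Steps 148-152: token entered by the user, SRES = A3(Ki, RAND).
        sres = a3_stand_in(self._ki, self._rand)
        return {"token": token, "sres": sres.hex()}


class AuthServer:
    """Never sees Ki: it only holds the (RAND, SRES) pair fetched from the AuC."""

    def __init__(self, auc: AuC):
        self._auc = auc
        self._pending = {}  # IMSI -> (token, expected SRES)

    def start(self, imsi: str):
        rand, sres = self._auc.pair(imsi)
        token = secrets.token_hex(4)  # delivered to the remote host via the auth entity
        self._pending[imsi] = (token, sres)
        return token, rand  # RAND goes to the MS over SMS

    def verify(self, imsi: str, response: dict) -> bool:
        token, sres = self._pending.pop(imsi, (None, None))  # single use
        if token is None:
            return False
        ok_token = hmac.compare_digest(response["token"], token)
        ok_sres = hmac.compare_digest(bytes.fromhex(response["sres"]), sres)
        return ok_token and ok_sres


def run_flow(pin_entered: str, token_entered=None) -> bool:
    """End-to-end run with constructed sample data; returns the server's decision."""
    ki = bytes(range(16))  # constructed sample Ki
    server = AuthServer(AuC({"imsi-1": ki}))
    sim = SimAuthApp(ki, pin="1234")
    token, rand = server.start("imsi-1")
    sim.receive_auth_request(rand)
    if not sim.verify_pin(pin_entered):
        return False
    entered = token if token_entered is None else token_entered
    return server.verify("imsi-1", sim.build_response(entered))


if __name__ == "__main__":
    print("correct PIN and token:", run_flow("1234"))
    print("wrong token:", run_flow("1234", "not-the-token"))
```

Both the token comparison and the SRES comparison use `hmac.compare_digest`, and the pending pair is removed on first use, so a second response for the same RAND is rejected rather than re-compared.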

Referring back to figure 3, the application in the SIM of the MS 122 and the authentication server 114 may store the authentication keys securely. Alternatively, the keys may be generated and/or stored in the authentication server 114, or may be obtained from an external node with suitable generation and/or storage capabilities.

Those skilled in the art will recognize that a session key can be used for encrypting the subsequent communication between the remote host and the authentication entity in the PDN. The session key can be obtained by applying a suitable algorithm to the RAND using the private key, as is done for example in the GSM system when computing the ciphering key (Kc), where the A8 security algorithm is applied to the RAND using the user's private key. The Kc generation algorithm is called the A8 security algorithm and is used to compute Kc from the RAND sent during the authentication procedure. A8 is an operator-specific algorithm. A8 is applied by the AuC (not shown) in the PLMN 120 and, on the user side, by the SIM (not shown) in the MS 122. Kc therefore never has to be transmitted, since it is computed on both sides of the encrypted channel. The specification of the A8 algorithm is described in Annex C of ETS 300 534, previously incorporated by reference.

In this scheme, the application in the SIM (not shown) of the MS 122 can apply the suitable algorithm to obtain the session key upon receiving the authentication token, and can then send the obtained session key via the MS 122 to the dial-up client in the remote host 116. The dial-up client can use the received key to encrypt/decrypt the subsequent communication with the PDN 110.

The authentication server 114 can also obtain the session key using the same algorithm that the application in the SIM of the MS 122 uses to compute it. The authentication server 114 may also include the session key in the authentication response sent to the authentication entity 112.

When asymmetric encryption is used, the session key is generated at the authentication server 114, encrypted with the user's public key and sent together with the RAND in the message to the application in the SIM of the MS 122. The application in the SIM of the MS 122 can use its private key to recover the session key value. It can then send the obtained session key via the MS 122 to the dial-up client in the remote host. The dial-up client can use the received key to encrypt/decrypt subsequent communication with the PDN 110. The SIM in the MS 122 stores its own private key and the public key of the authentication server 114. Correspondingly, the authentication server 114 stores its own private key and the public key of each user. Alternatively, the authentication server 114 can retrieve these keys from an external node (not shown).
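As an added example (not code from the patent), the symmetric session-key variant described above: both ends derive Kc from the RAND with an A8-style function, Kc itself is never transmitted, and the key handed to the dial-up client and to the authentication entity is then used to protect subsequent packets. A8 is operator-specific and not public, so `a8_stand_in` (an HMAC truncated to the 64-bit length of a GSM Kc) is an assumed placeholder, and `protect`/`unprotect` are a constructed encrypt-then-MAC scheme built from HMAC, standing in for whatever cipher a deployment would use; the asymmetric variant (session key generated at the server and wrapped with the user's public key) is not implemented here.

```python
import hashlib
import hmac
import secrets


def a8_stand_in(ki: bytes, rand: bytes) -> bytes:
    """Placeholder for the operator-specific GSM A8: (Ki, RAND) -> 64-bit Kc.
    Assumption: HMAC-SHA256 truncated to 8 bytes stands in for the real A8."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


def session_key_flow(ki: bytes, rand: bytes):
    """Both ends derive Kc from the same RAND; Kc is never sent over the air."""
    # PLMN side: the AuC computes Kc and the authentication server includes it in
    # the authentication response to the authentication entity.
    kc_network = a8_stand_in(ki, rand)
    # User side: the SIM derives the same Kc and passes it to the dial-up client.
    kc_sim = a8_stand_in(ki, rand)
    return kc_network, kc_sim


def _subkeys(kc: bytes):
    # Kc is only 64 bits; expand it into separate encryption and MAC keys.
    ke = hmac.new(kc, b"enc", hashlib.sha256).digest()
    km = hmac.new(kc, b"mac", hashlib.sha256).digest()
    return ke, km


def _keystream(ke: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode keystream built from HMAC (constructed stream cipher).
    out = b""
    block = 0
    while len(out) < n:
        out += hmac.new(ke, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:n]


def protect(kc: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Encrypt-then-MAC one packet under Kc: returns nonce || ciphertext || tag."""
    ke, km = _subkeys(kc)
    nonce = nonce or secrets.token_bytes(8)  # fresh per packet; never reuse with one Kc
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(ke, nonce, len(plaintext))))
    tag = hmac.new(km, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unprotect(kc: bytes, frame: bytes):
    """Return the plaintext, or None if the tag does not verify under this Kc."""
    if len(frame) < 8 + 16:
        return None
    ke, km = _subkeys(kc)
    nonce, ct, tag = frame[:8], frame[8:-16], frame[-16:]
    expected = hmac.new(km, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):  # check the tag before decrypting
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(ke, nonce, len(ct))))


if __name__ == "__main__":
    ki = bytes(range(16))           # constructed sample Ki
    rand = secrets.token_bytes(16)  # RAND sent to the MS during authentication
    kc_network, kc_sim = session_key_flow(ki, rand)
    frame = protect(kc_sim, b"GET /intranet HTTP/1.1")      # from the dial-up client
    print(unprotect(kc_network, frame))                     # at the authentication entity
```

The tag is verified before any decryption, and a frame protected under a Kc derived from a different RAND fails the tag check, which is the property the page relies on when it says the dial-up client and the PDN can use the key for subsequent traffic without ever exchanging it.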

The following discussion describes a unilateral two-pass authentication mechanism. Other mechanisms, such as those shown in ISO/IEC 9798-3 (including mutual authentication), are also applicable.

Still referring to figure 3, and assuming that the authentication server 114 stores the necessary keys and is able to apply the encryption algorithms, the user uses the remote host 116 to initiate a connection to an access server in the PDN 110. The access network provides the communication path between the remote host 116 and the PDN 110.

The authentication entity 112 contacts the authentication server 114 over a secure packet data connection and requests authentication of the user attempting access. The authentication server 114 generates a RAND. It then uses the wireless network infrastructure to contact the MS 122 with a message that includes the RAND.

The authentication server 114 provides the authentication entity 112 with an authentication token, which is delivered to the remote host 116 through the access network 118.

The application in the SIM of the MS 122 receives the message from the authentication server 114 according to the usual wireless procedures.

The application in the SIM of the MS 122 optionally communicates with the MS 122 to require the user to enter a PIN code. Once the PIN code is verified as valid, the application communicates with the MS 122 to request that the user enter the authentication token received by the remote host 116. The application uses the key stored in the SIM of the MS 122 to construct an authentication response message that includes a signature of the received RAND, corresponding to applying the algorithm (symmetric or asymmetric) to the RAND; the signature may optionally also cover the authentication token.

The application in the SIM of the MS 122 instructs the wireless terminal to send this response back to the authentication server 114 using standard wireless procedures.

Finally, the authentication server 114 determines whether the response received over the wireless network is correct and whether it includes the authentication token. The authentication server 114 applies the algorithm (symmetric or asymmetric) to the received signature using the key for that user. If the resulting information matches the RAND and the authentication token value, the authentication server 114 instructs the authentication entity 112 to grant the user the requested service. Otherwise, a suitable error condition is sent to the authentication host.
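The unilateral two-pass exchange just described, as an added example that is not part of the patent: the server generates the RAND itself, the SIM application returns a signature over RAND and token under the key shared at subscription time, and the server verifies it with its copy of that user's key. The page leaves the symmetric algorithm unspecified, so HMAC-SHA256 is an assumed stand-in (an asymmetric deployment would replace `sign` with a digital signature under the SIM's private key, verified with the user's public key); the error labels, the `RAND_LIFETIME` expiry and the sample keys are constructed. The example goes a little beyond the text in treating each RAND as single-use and time-limited, which is what makes a captured response useless for replay.

```python
import hashlib
import hmac
import secrets
import time


def sign(key: bytes, rand: bytes, token: str) -> bytes:
    """Symmetric 'signature' over RAND || token (assumption: HMAC-SHA256)."""
    return hmac.new(key, rand + token.encode(), hashlib.sha256).digest()


class SimApp:
    """Application in the SIM: holds the user's subscription key."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, rand: bytes, token_entered: str) -> dict:
        # Response carries the RAND it answers, the token the user typed, and the signature.
        return {"rand": rand, "token": token_entered,
                "sig": sign(self._key, rand, token_entered)}


class AuthServer:
    RAND_LIFETIME = 60.0  # seconds; constructed value

    def __init__(self, user_keys: dict, now=time.time):
        self._keys = user_keys      # user -> subscription key
        self._now = now             # injectable clock
        self._pending = {}          # rand -> (user, token, issued_at)

    def challenge(self, user: str):
        """Pass 1: RAND goes to the MS over the air, token goes to the remote host."""
        rand = secrets.token_bytes(16)
        token = secrets.token_hex(3)
        self._pending[rand] = (user, token, self._now())
        return rand, token

    def verify(self, user: str, response: dict) -> str:
        """Pass 2: check the signature against the RAND and token we issued."""
        entry = self._pending.pop(response["rand"], None)  # single use, even on failure
        if entry is None:
            return "ERR_UNKNOWN_OR_REPLAYED_RAND"
        issued_to, token, issued_at = entry
        if issued_to != user:
            return "ERR_USER_MISMATCH"
        if self._now() - issued_at > self.RAND_LIFETIME:
            return "ERR_EXPIRED"
        # Recompute over the server's own copy of the token, not the one in the
        # response, so a wrong token entered on the MS also fails here.
        expected = sign(self._keys[user], response["rand"], token)
        if not hmac.compare_digest(expected, response["sig"]):
            return "ERR_BAD_SIGNATURE"
        return "OK"


if __name__ == "__main__":
    server = AuthServer({"alice": b"constructed-key-alice"})
    sim = SimApp(b"constructed-key-alice")
    rand, token = server.challenge("alice")       # token shown on the remote host
    print(server.verify("alice", sim.respond(rand, token)))   # OK
    print(server.verify("alice", sim.respond(rand, token)))   # replay -> error
```

On `OK` the server would instruct the authentication entity to grant the service; any of the error strings corresponds to the error condition the page says is sent instead.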

The invention is well suited to dial-up access authentication in a communication system. Figure 5 is a diagram of a communication system according to another exemplary embodiment of the invention. In figure 5, the communication system comprises a PLMN 160, a PDN 162, a remote access network 164, a modem 166, a remote host 170 and an MS 208. The MS 208 communicates with the PLMN 160 over a wireless link denoted radio link 210. The PLMN 160 comprises a BTS 172, a BSC 174, an MSC/VLR 178, an SMS-C 180, an HLR 186 and an AuC 188. The PDN 162 comprises an authentication server 194, an authentication, authorization and accounting (AAA) server 196 and a NAS 200. Apart from the authentication entity 60 of figure 1 being replaced by the AAA server 196 of figure 5, the communication system of figure 5 is essentially similar to that of figure 1. The NAS 200 communicates with the AAA server 196 using a suitable protocol such as RADIUS.

The authentication server 194 acts as a back-end server for the AAA server 196. The AAA server 196 receives authentication requests from the NAS 200 for users configured to use this communication system. Apart from the AAA server 196, the components of figure 5 perform the same functions as their counterparts in figure 1 and are therefore not described further here.

Figure 6 is a message sequence chart for the dial-up case of the communication system of figure 5, according to an exemplary embodiment of the invention. The protocols used in figure 6 are for illustration only and do not limit the application of the invention.

The user starts communication to an ISP/intranet (not shown) using a conventional dial-up client application from the User PC 170, which serves as the user's remote access. Once the communication path to the NAS 200 is established, the setup process begins. At step 220, the NAS 200 sends an identification request to the User PC 170, asking the User PC 170 to identify the user. At step 222, the User PC 170 responds to this identification request by sending a response containing the user identification to the NAS 200. Once the user identification reaches the NAS 200, at step 224 an access request (identity) is sent to the AAA server 196. The AAA server 196 checks the user's identification and forwards the access request to the authentication server 194 (step 226).

At step 228, the authentication server 194 obtains a RAND and SRES pair from the AuC 188 of the PLMN 160 (figure 5). Then, at step 230, the authentication server 194 asks the SMS-C 180 to generate an SMS message requesting that the application in the SIM (not shown) of the MS 208 authenticate the user. The request contains the RAND obtained from the AuC 188.

The authentication server 194 checks the user identity it received at step 226 and generates an authentication token. At step 232, the authentication token is sent to the AAA server 196. As shown in steps 234 and 236, the AAA server 196 forwards the token through the NAS 200 to the User PC 170, where it is shown to the user on the display screen of the User PC 170.

At step 238, the MS 208 receives the SMS message containing the RAND and passes it to the authentication application of the SIM (not shown) of the MS 208. The authentication application processes the message and asks the user for a PIN code, which may be the SIM's PIN code. At step 239, the user enters the PIN code using an input device such as the keyboard of the MS 208. The SIM's authentication application verifies the PIN code. If the user enters an incorrect PIN code, the user has a limited number of retries to enter the correct one. If the maximum number of consecutive failures is reached, the application blocks the SIM from accepting PIN codes. If the PIN code corresponds to the one stored in the SIM, the authentication application prompts the user to enter the authentication token.

Still at step 239, the user enters on the keyboard of the MS 208 the authentication token, which may be shown on the display of the User PC 170 (step 236). The authentication application applies a suitable algorithm to the RAND to obtain SRES. The algorithm used may be the GSM A3 authentication algorithm, which derives SRES from the RAND and the private key stored in the SIM. Then, at step 240, at the request of the authentication application, the MS 208 sends a short message containing the authentication token and the SRES to the SMS-C 180.

At step 242, the User PC 170 sends a response to the NAS 200. At step 244, the NAS 200 sends an access request response to the AAA server 196. At step 246, the AAA server 196 sends the access request response to the authentication server 194. Next, at step 248, the SMS-C 180 sends an SMS indication message containing the authentication token and the SRES to the authentication server 194.

Once the SMS indication message reaches the authentication server 194, the authentication server 194 compares the received authentication token with the one it sent to the AAA server 196, and compares the received SRES with the SRES obtained from the AuC 188. If all values match, the user is authenticated. Accordingly, at step 250, the authentication server 194 sends an access accept message to the AAA server 196, indicating that the AAA server 196 may authorize the user's access attempt. Finally, at step 252, the AAA server 196 confirms the acceptance through the NAS 200.

本发明能用于在执行电子商务交易时鉴别用户。 The present invention can be used to identify the user when performing e-commerce transactions. 图7是表示根据本发明的示例性实施例在执行电子商务交易时鉴别用户的通信系统的方框图。 FIG 7 is a block diagram of a communication system performing user authentication when e-commerce transaction in accordance with an exemplary embodiment of the present invention. 图7的通信系统包括PLMN 258、PDN 272、接入网络280、调制解调器282、远程主机284和MS 286。 FIG 7 comprises a communication system PLMN 258, PDN 272, access network 280, modem 282, and remote host 284 MS 286. PLMN 258包括BTS 260、BSC 262、MSC/VLR 264、HLR 268、AuC 270、SMS-C 266和计费系统271。 PLMN 258 comprises BTS 260, BSC 262, MSC / VLR 264, HLR 268, AuC 270, SMS-C 266 271 and billing system. PDN 272包括鉴别服务器274、电子商务服务器276和NAS 278。 PDN 272 includes an authentication server 274, e-commerce server 276 and the NAS 278. 除了用电子商务服务器276替代图1的鉴别实体60和PLMN 258具有连接到鉴别服务器274的计费系统271之外,图7的通信系统与图1的通信系统相同。 Alternatively commerce server 276 except that the authentication entity 60 and the PLMN 258 of FIG. 1 having a billing system 274 is connected to the authentication server 271 outside of, the communication system of FIG. 7, the communication system is the same as FIG. 除了电子商务服务器276和计费系统271之外,图7的组成部分执行与图1的其相应组成部分相同的功能,并因而在此不再进一步进行描述。 In addition to e-commerce server 276 and billing system 271, the same functionality as the corresponding components of a part of FIG. 7 and FIG performed, and will therefore not be further described.

电子商务服务器276和鉴别服务器274可以位于不同的PDN中,只要在它们之间存在保密数据信道,例如,IPsec隧道。 E-commerce server 276 and authentication server 274 can be in different PDN, as long as the presence of confidential data channel therebetween, e.g., IPsec tunnel. 而且,远程主机284可以通过其他的PDN(例如,互联网)连接到PDN 272。 Moreover, the remote host 284 may be connected to the PDN 272 via the PDN another (e.g., the Internet). 在此方案中,例如,利用希望鉴别购买商品的用户的电子商务应用程序来触发鉴别。 In this scenario, for example, we want to use to identify the user to purchase goods e-commerce applications to trigger identification. 电子商务服务器276通过保密分组数据连接来联络鉴别服务器274,以便请求鉴别试图接入的用户。 Confidential e-commerce server 276 through a packet data connection to contact authentication server 274 to request authentication of the user access attempt. 此鉴别请求包括所有相关的付费信息,例如,价格、购买的商品项目。 This authentication request includes all relevant payment information, such as prices, commodity items purchased. 此应用程序可任选地在MS 286的ME(未示出)中显示付费信息,例如,价格。 This application in the MS 286 may optionally be a ME (not shown) payment information is displayed, for example, prices. 在验证从此应用程序中接收的响应之后,鉴别服务器274将联络付费服务器,即,管理电子商务应用收费的实体。 After the response received from the verification application, contact the authentication server 274 will pay for servers that manage the application fee of e-commerce entity. 此付费服务器能是电子商务基础结构的一部分或能与网络计费系统271集成在一起,或者可以是互联网付费提供者。 This can be paid server infrastructure of e-commerce or can be integrated with the network billing system part 271, or may be paid Internet provider. 如果鉴别成功,完成收费操作并且鉴别服务器274确认对此电子商务服务器276的付费,以同意此用户接入所请求的业务或项目。 If the authentication is successful, the completion of the charging operation and the authentication server 274 to confirm this e-commerce payment server 276, to agree to this project or business user access requested. 否则,发送适当的出错情况给鉴别主机。 Otherwise, send the appropriate error condition to identify the host. 因而,拒绝此用户接入所请求的业务或项目。 Thus, the user program or service reject the requested access.

图8是表示根据本发明的示例性实施例在执行电子商务交易时鉴别用户的方法的消息顺序图表。 8 is a message sequence chart showing a user authentication when performing e-commerce transaction in accordance with an exemplary embodiment of the present invention is a method. 根据图8,此方法在步骤350开始,在步骤350电子商务服务器276请求用户的标识。 According to FIG. 8, the method begins at step 350, at step 350 the electronic commerce server 276 requests the user's identity. 接下来,在步骤352,此电子商务应用程序通过一个响应标识来从User PC 284中获得用户标识,例如,可通过User PC 284的显示屏幕来提醒此用户输入他或她的标识。 Next, at step 352, the e-commerce applications through a response identifier to identify the User PC 284 is obtained from the user, for example, to remind the user to enter his or her identity by User PC display screen 284. 在步骤354,电子商务服务器276将此鉴别请求发送给鉴别服务器274。 In step 354, the electronic commerce server 276 transmits this authentication request to the authentication server 274. 除了此用户标识之外,此鉴别请求还包括所有相关的付费信息,例如,价格和购买的商品项目。 In addition to this user ID, the authentication request also includes all relevant payment information, such as price and purchased items.

在步骤356,鉴别服务器274从PLMN 258(图7)的AuC 270中获得RAND和SRES对。 In step 356, the authentication server 274 to obtain from the RAND and the SRES PLMN 258 (FIG. 7) in the AuC 270. 随后,在步骤358,鉴别服务器274请求SMS-C 266生成SMS消息,以便请求MS 286的SIM(未示出)中的鉴别应用程序去鉴别此用户。 Subsequently, at step 358, the server 274 requests authentication SMS-C 266 generates an SMS message to request the MS 286 in SIM (not shown) identifying the application to identify the user. 此请求包含从AuC 270中获得的RAND。 This request contains the RAND obtained from the AuC 270. 可任选地,此请求也可以包括价格购买的商品项目,以保证这样的付费/购买信息的完整性。 Optionally, the request may also include the purchase price of commodity items, to ensure that such a payment / purchase completeness of information.

鉴别服务器274检查此用户标识并生成鉴别令牌。 Authentication server 274 checks the user ID and generates an authentication token. 在步骤360,将此鉴别令牌发送给电子商务服务器276。 In step 360, the authentication token 276 sends this to the e-commerce server. 在步骤362,电子商务服务器276通过User PC 284发送鉴别令牌请求给此用户。 In step 362, the e-commerce server 276 sends an authentication request to the user by the token User PC 284. 此User PC 284将此鉴别令牌请求显示给此用户。 This User PC 284 displays this authentication token request to this user. 在步骤364,SMS-C 266发送包括RAND的SMS消息给此MS 286。 In step 364, SMS-C 266 transmits the SMS message including RAND to this MS 286.

此MS 286接收此消息并将此消息传送给MS 286的SIM(未示出)中的鉴别应用程序。 This MS 286 receives this message and the authentication application (not shown) in this message to the SIM MS 286. 此鉴别应用程序处理此消息并请求此用户输入PIN码,此PIN码可能是此SIM的PIN码。 This application authentication process the message and requests the user enter a PIN code, this PIN may be the SIM PIN code. 此用户在步骤365利用MS 286的键盘输入此PIN码。 In step 365 the user of the MS 286 using the keyboard input this PIN. 此鉴别应用程序验证此PIN码。 This identification of the application to verify the PIN code. 此用户进行有限数量的重试来输入正确的PIN码。 This user limited number of retries to enter the correct PIN code. 如果达到连续失败的最大数量,此应用程序阻止此SIM接受PIN码。 If the maximum number of consecutive failed to achieve, this application prevent the acceptance of this SIM PIN code. 如果此值对应于存储在此SIM中的PIN码,则此鉴别应用程序提示此用户输入鉴别令牌。 If this value corresponds to the PIN code stored in the SIM, then the authentication application prompts the user to enter this authentication token.

Still referring to step 365, the user enters, using the keypad of MS 286, the authentication token shown on the display of User PC 284 (see step 362). The authentication application applies a suitable algorithm to the RAND to obtain an SRES. The algorithm used in this embodiment is the GSM A3 authentication algorithm, which derives the SRES from the RAND and the secret key stored in the SIM (step 366). The authentication application then requests MS 286 to send an SMS message containing the authentication token and the SRES to SMS-C 266.

In step 368, SMS-C 266 sends an SMS indication message containing the authentication token and the SRES to authentication server 274. Authentication server 274 compares the received authentication token with the authentication token sent to the e-commerce application, and compares the received SRES with the SRES obtained from AuC 270. If all values match, authentication server 274 can optionally contact a payment server and forward to it the payment information received from the e-commerce application. In step 370, authentication server 274 generates a charging record (payment information) and sends it to billing system 271 of PLMN 258. The purchased goods are thus included in the bill of the wireless subscription corresponding to this user.

Once the payment information has been transferred, the e-commerce application is notified of the result of the operation. In step 372, authentication server 274 sends a message to e-commerce server 276. Finally, in step 374, e-commerce server 276 confirms the operation.

The invention can be implemented in a communication system that uses Unstructured Supplementary Service Data (USSD). FIG. 9 is a block diagram of a communication system for USSD according to an exemplary embodiment of the invention. The communication system of FIG. 9 comprises PLMN 400, PDN 402, access network 404, modem 406, remote host 408, MS 410 and wireless link 412. PLMN 400 comprises BTS 414, BSC 416, MSC/VLR 418, HLR 420 and AuC 422. PDN 402 comprises authentication server 424, AAA server 426 and NAS 428. Except that PLMN 400 does not require an SMS-C, the communication system of FIG. 9 is substantially similar to the communication system of FIG. 1. In FIG. 9, AuC 422 is connected to HLR 420, and HLR 420 is connected to authentication server 424. In FIG. 9, the MS 410 user (not shown) and the PLMN 400 operator (not shown) define an application for communicating in a manner that is transparent to MS 410 and to the intermediate network. USSD handling is described in ETS 300 625, which is incorporated herein by reference.

FIG. 10 is a message sequence chart of a USSD-based method for the communication system shown in FIG. 9 according to an exemplary embodiment of the invention. In FIG. 10, the user starts, using a conventional dial-up client application, a communication from User PC 408 to an ISP/intranet (not shown), which serves as the user's remote access. Once a communication path to NAS 428 is established, the set-up procedure begins. In step 500, NAS 428 sends an identification request to User PC 408, asking User PC 408 to identify the user. In step 502, User PC 408 responds to the identification request by sending a response containing the user identity to NAS 428. Once the user identity reaches NAS 428, in step 504 an access request (identification) is sent to AAA server 426. AAA server 426 checks the user's identity and forwards the access request to authentication server 424 (step 506). In step 508, authentication server 424 sends a USSD request to HLR 420. The HLR sends the USSD request to the MSC/VLR serving the area in which the user is currently located. The MSC/VLR receives the request and forwards it to the MS via the BSC and BTS (not shown in the flow chart). Authentication server 424 also sends an access challenge containing the authentication token to AAA server 426 (step 510).

Next, in step 512, AAA server 426 sends an access challenge containing the authentication token to NAS 428. In step 514, NAS 428 sends a request containing the authentication token to User PC 408. In step 516, MSC/VLR 418 sends the USSD request to MS 410. In step 518, the user enters the authentication token into MS 410. In step 520, MS 410 sends a USSD response containing the authentication token to MSC/VLR 418.

In step 522, User PC 408 sends a response message to NAS 428. Then, in step 524, NAS 428 sends an access request containing the user identity and the response message to AAA server 426, and AAA server 426 sends an access request containing the user identity and the response to authentication server 424 (step 526). In step 528, HLR 420 sends the USSD response containing the authentication token to authentication server 424. In step 530, the authentication server sends an access accept message to AAA server 426. Finally, in step 532, AAA server 426 sends the access accept message to NAS 428.

The invention can be implemented in a communication system that uses WAP. WAP specifies an application framework and network protocols for wireless devices. The WAP model is similar to the World Wide Web, optimised to suit the characteristics of the wireless environment. The WAP architecture and protocols are specified in the corresponding WAP Forum specifications, for example the WAP Architecture specification of 30 April 1998, the latest version of which is the WAP 1.1 specification suite.

FIG. 11 is a block diagram of a communication system for WAP according to an exemplary embodiment of the invention. The communication system comprises PLMN 600, PDN 602, access network 604, remote host 606, MS 608 containing a WAP browser (not shown) and wireless link 610. PDN 602 comprises authentication entity 614, authentication server 616, NAS 618 and WAP server 620.

PLMN 600 may be built according to the GSM standard. PLMN 600 may include a WAP gateway 612, which may be connected to WAP server 620 via communication link 626. In FIG. 11, the MS user and the authentication application in WAP server 620 communicate according to the WAP specifications defined by the WAP Forum.

FIG. 12 shows a method of authenticating a user in the communication system shown in FIG. 11 according to an exemplary embodiment of the invention. In FIG. 12, the user requests a service that requires authentication. The method starts at step 700, in which authentication entity 614 sends an identification request to User PC 606 to identify the user. In step 702, User PC 606 responds to the identification request by sending a response containing the user identity to authentication entity 614. In step 704, authentication entity 614 sends an access request to authentication server 616. In step 706, authentication server 616 sends an authentication token to authentication entity 614. Authentication server 616 also sends an authentication request to the authentication application in WAP server 620 (step 708).

In step 710, authentication entity 614 sends the authentication token to User PC 606. WAP server 620 sends the request to MS 608 via WAP gateway 612 (steps 712 and 714).

In step 716, the user enters the authentication token into MS 608. In steps 718 and 720, MS 608 sends a response containing the authentication token to WAP server 620 via WAP gateway 612. In step 722, WAP server 620 sends the response containing the authentication token to authentication server 616.

Finally, in step 724, the authentication server sends an access accept message to authentication entity 614.
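The check that all three flows above end with (token sent over the PDN side compared with the token typed into the MS, plus the SRES comparison in the SMS flow of steps 356 to 374; the USSD and WAP flows differ only in the bearer that carries the token back), as an added Python model that is not part of the patent. The A3 algorithm is replaced by an HMAC stand-in, and the token length, PIN retry limit, IMSI and Ki values are constructed assumptions.

```python
import hashlib
import hmac
import secrets

TOKEN_BYTES = 4        # assumption: the patent does not fix a token length
MAX_PIN_RETRIES = 3    # assumption: the text only says "a limited number of retries"


def a3_stand_in(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for GSM A3 (SRES = A3(Ki, RAND)); the real A3 is operator-specific,
    so HMAC-SHA256 truncated to the 32-bit SRES width plays its role here."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]


class AuC:
    """Authentication centre 270: holds Ki per IMSI, hands out (RAND, SRES) pairs."""

    def __init__(self, subscribers: dict):
        self._keys = dict(subscribers)      # {imsi: ki}, constructed

    def rand_sres(self, imsi: str):
        rand = secrets.token_bytes(16)      # 128-bit RAND as in GSM
        return rand, a3_stand_in(self._keys[imsi], rand)


class SimAuthApp:
    """The SIM-resident authentication application of steps 364 to 366."""

    def __init__(self, ki: bytes, pin: str):
        self._ki, self._pin = ki, pin
        self.failed_pins = 0
        self.blocked = False

    def verify_pin(self, pin: str) -> bool:
        """Limited retries: after MAX_PIN_RETRIES consecutive failures the SIM
        stops accepting PIN codes, as the text describes."""
        if self.blocked:
            return False
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.failed_pins = 0
            return True
        self.failed_pins += 1
        self.blocked = self.failed_pins >= MAX_PIN_RETRIES
        return False

    def respond(self, rand: bytes, typed_token: str) -> dict:
        """Step 366: SRES from RAND and the SIM's Ki, sent back with the typed token."""
        return {"token": typed_token, "sres": a3_stand_in(self._ki, rand)}


class AuthenticationServer:
    """Server 274: issues the token (PDN side) and RAND (PLMN side), checks both."""

    def __init__(self, auc: AuC):
        self._auc = auc
        self._pending = {}                  # {user_id: (token, expected SRES)}

    def start(self, user_id: str, imsi: str):
        """Steps 356 to 364: returns (token for the user PC, RAND for the MS)."""
        rand, sres = self._auc.rand_sres(imsi)
        token = secrets.token_hex(TOKEN_BYTES)
        self._pending[user_id] = (token, sres)
        return token, rand

    def verify(self, user_id: str, ms_reply: dict) -> bool:
        """Step 368: the token must equal the one sent over the PDN and the SRES
        must equal the AuC value. The pending entry is consumed either way, so a
        replayed SMS cannot succeed a second time."""
        pending = self._pending.pop(user_id, None)
        if pending is None:
            return False
        token, sres = pending
        token_ok = hmac.compare_digest(token.encode(), ms_reply["token"].encode())
        sres_ok = hmac.compare_digest(sres, ms_reply["sres"])
        return token_ok and sres_ok


def demo() -> dict:
    """Run the flow for a genuine reply, a replay, a mistyped token and a SIM
    holding a different Ki; returns the server's verdict for each."""
    ki = bytes(range(16))                   # constructed subscriber key
    server = AuthenticationServer(AuC({"IMSI-EXAMPLE": ki}))
    sim = SimAuthApp(ki, pin="1234")
    sim.verify_pin("1234")                  # step 365: PIN before the token

    token, rand = server.start("alice", "IMSI-EXAMPLE")
    genuine = server.verify("alice", sim.respond(rand, token))
    replay = server.verify("alice", sim.respond(rand, token))

    token, rand = server.start("alice", "IMSI-EXAMPLE")
    wrong_token = server.verify("alice", sim.respond(rand, "0" * 2 * TOKEN_BYTES))

    token, rand = server.start("alice", "IMSI-EXAMPLE")
    other_sim = SimAuthApp(bytes(16), pin="1234")   # right token, wrong Ki
    wrong_ki = server.verify("alice", other_sim.respond(rand, token))
    return {"genuine": genuine, "replay": replay,
            "wrong_token": wrong_token, "wrong_ki": wrong_ki}
```

Only the genuine reply passes: the token alone (what a user PC on the open access network could leak) is not enough without the SIM-side SRES, and the consumed pending entry keeps a captured SMS from being reused.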

Those skilled in the art will recognise that the invention can be embodied in other specific forms without departing from its essential characteristics. The embodiments described herein are therefore to be considered in all respects as illustrative and not restrictive.

Claims (45)

1. A method of authenticating a user requesting access to a packet data network (PDN), comprising the steps of: (a) receiving a request for access to the PDN; (b) generating an authentication token; (c) sending the authentication token from the PDN to the user through an access network over a non-secure or secure communication link; (d) querying the user from the PDN about the authentication token over a secure communication link on a public land mobile network (PLMN); (e) sending the authentication token received by the user to the PDN over the secure communication link on the PLMN; and (f) comparing the authentication token of step (c) with the authentication token of step (e) to determine whether the user is granted access to the PDN.
2. The method of claim 1, wherein the user is granted access to the PDN if the authentication token of step (c) matches the authentication token of step (e).
3. The method of claim 1, wherein the user is denied access to the PDN if the authentication token of step (c) does not match the authentication token of step (e).
4. The method of claim 1, further comprising the step of using an authentication entity to send a request to an authentication server, wherein the authentication server checks the identity of the user.
5. The method of claim 4, further comprising the step of using the authentication entity to generate the authentication token.
6. The method of claim 5, further comprising the step of using the authentication server to send the authentication token to the PDN.
7. The method of claim 6, wherein the authentication server compares the authentication token of step (c) with the authentication token of step (e).
8. The method of claim 7, wherein step (e) further comprises using a mobile station to send the authentication token to the PDN through the PLMN.
9. The method of claim 8, further comprising the step of entering at least one of a personal identification number (PIN) code or the authentication token into the mobile station.
10. The method of claim 8, further comprising the step of entering at least one of a personal identification number (PIN) code or the authentication token into a remote host, wherein the mobile station is connected to the remote host by a wireline or wireless connection, so that the PIN code or the authentication token is sent from the remote host to the mobile station over the wireline or wireless connection.
11. The method of claim 8, further comprising the step of automatically sending a personal identification number (PIN) code stored on a remote host to the mobile station.
12. The method of claim 8, further comprising the step of sending the authentication token from the PDN to a remote host, wherein the remote host automatically sends the authentication token to the mobile station.
13. The method of claim 8, further comprising the step of performing end-to-end encryption of the information transferred between the mobile station and the authentication server through the PLMN.
14. The method of claim 13, further comprising the steps of using the authentication server to contain an encryption key generation algorithm or formula and using the encryption key generation algorithm or formula to compute an encryption key for each communication session conducted between the mobile station and the authentication server through the PLMN.
15. The method of claim 13, further comprising the steps of using the mobile station to contain an encryption key generation algorithm or formula and using the encryption key generation algorithm or formula to compute an encryption key for each communication session conducted between the mobile station and the authentication server through the PLMN.
16. The method of claim 13, further comprising the steps of using the authentication server to contain an encryption algorithm and applying the encryption algorithm to the information transferred between the mobile station and the authentication server through the PLMN.
17. The method of claim 13, further comprising the steps of using the mobile station to contain an encryption algorithm and applying the encryption algorithm to the information transferred between the mobile station and the authentication server through the PLMN.
18. The method of claim 8, further comprising the step of challenging, from the authentication server, the user's personal authentication key stored in the mobile station when communicating through the PLMN.
19. The method of claim 18, further comprising the step of using the authentication server to check the result of the challenge of the user's authentication key and, together with the check of the authentication token, to determine whether the user is granted access to the PDN.
20. The method of claim 18, further comprising the step of using the mobile station to contain an authentication algorithm and to generate a response to the challenge, which may be sent to the authentication server through the PLMN together with the authentication token.
21. The method of claim 1, further comprising the step of performing end-to-end encryption of the information transferred between the user and the PDN when the user is granted access to the PDN.
22. The method of claim 21, further comprising the steps of using the authentication server to contain an encryption key generation algorithm or formula and using the encryption key generation algorithm or formula to compute an encryption key for each communication session conducted between the user and the PDN through the access network.
23. The method of claim 21, further comprising the steps of using the mobile station to contain an encryption key generation algorithm or formula and using the encryption key generation algorithm or formula to compute an encryption key for each communication session conducted between the user and the PDN through the access network.
24. The method of claim 21, further comprising the step of using a mobile station to transfer an encryption key to a remote host, for further use in encrypting the information transferred between the user and the PDN when the user is granted access to the PDN.
25. The method of claim 21, further comprising the steps of using the PDN to contain an encryption algorithm and applying the encryption algorithm to the information transferred between the user and the PDN when the user is granted access to the PDN.
26. The method of claim 21, further comprising the steps of using a remote host to contain an encryption algorithm and applying the encryption algorithm to the information transferred between the user and the PDN when the user is granted access to the PDN.
27. A communication system for authenticating a user requesting access to a packet data network (PDN), comprising: a) a public land mobile network (PLMN) connected to the PDN; b) a remote host connected to the PDN through an access network; and c) a mobile station coupled to the PLMN through a wireless link, wherein, in response to receiving the user's request for access to the PDN, the PDN generates an authentication token and sends it to the user over an unencrypted or encrypted communication link through the access network and the remote host, the user sends the authentication token back to the PDN through the PLMN, and the PDN compares the authentication tokens to determine whether the user is granted access to the PDN.
28. The communication system of claim 27, wherein the PLMN further comprises: a base transceiver station connected to a base station controller; a mobile switching centre/visitor location register connected to a short message service centre and to the base station controller; and a home location register connected to an authentication centre.
29. The communication system of claim 28, wherein the remote host is connected to a network access server through the access network.
30. The communication system of claim 29, wherein the short message service centre is connected to an authentication server.
31. The communication system of claim 30, wherein the authentication server is connected to the home location register.
32. The communication system of claim 31, wherein the authentication server is connected to a wireless application protocol (WAP) server.
33. The communication system of claim 32, wherein the PDN further comprises an authentication entity connected to the authentication server and to the network access server.
34. The communication system of claim 31, wherein the PDN further comprises: an authentication, authorisation and accounting (AAA) server connected to the authentication server; and a network access server connected to the AAA server.
35. The communication system of claim 34, wherein the authentication server is capable of connecting to different PLMN interfaces in order to use at least one of the short message service, unstructured supplementary service data or wireless application protocol wireless technologies.
36. The communication system of claim 34, wherein the authentication server is connected to the PLMN through an intermediate gateway system.
37. The communication system of claim 31, wherein the PDN further comprises: an e-commerce server connected to the network access server and to the authentication server; and a billing system connected to the authentication server.
38. The communication system of claim 37, wherein the mobile station comprises: mobile equipment; and a subscriber identity module (SIM).
39. The communication system of claim 38, wherein the SIM further comprises a SIM operating system, a GSM part, a SIM application toolkit and an authentication application, wherein the SIM operating system together with the SIM application toolkit provides a suitable environment for the application to operate and to communicate with the authentication server.
40. The communication system of claim 39, wherein the messages transferred between the authentication application and the authentication server are encrypted.
41. A method of authenticating a user when performing an electronic commerce transaction, comprising the steps of: (a) receiving an access request for access to a packet data network (PDN) in order to perform an electronic commerce transaction; (b) generating an authentication token; (c) contacting a payment server for handling e-commerce application changes; (d) sending the authentication token from the PDN to the user through an access network over an unencrypted or encrypted communication link; (e) sending the authentication token received by the user to the PDN over an encrypted communication channel on a public land mobile network (PLMN); and (f) comparing the authentication token of step (d) with the authentication token of step (e) to determine whether the user performing the electronic commerce transaction is authenticated.
42. The method of claim 41, wherein an authentication server communicates with the payment server in order to charge the user for the electronic commerce transaction.
43. The method of claim 42, wherein billing information is sent to a billing system.
44. A communication system for authenticating a user requesting access to a packet data network (PDN), comprising: (a) means for receiving an access request for access to the PDN; (b) means for generating an authentication token; (c) means for sending the authentication token from the PDN to the user through an access network over an unencrypted or encrypted communication link; (d) means for sending the authentication token received by the user to the PDN using a secure communication channel on a public land mobile network (PLMN); and (e) means for comparing the authentication token of step (c) with the authentication token of step (d) to determine whether the user is granted access to the PDN.
45. The communication system of claim 44, further comprising: (f) means for generating a session key for each communication session conducted with a mobile station through the PLMN; (g) means for generating a session key for each communication session conducted with a remote host through the access network when the user is granted access to the PDN; (h) means for challenging, through the PLMN, the user's private authentication key stored in the mobile station; (i) means for checking the result of the challenge of the user's private key and, together with the check of the authentication token, determining whether the user is granted access to the PDN; (j) means for applying an encryption algorithm to the information exchanged with the mobile station through the PLMN; and (k) means for applying an encryption algorithm to the information exchanged with the remote host through the access network when the user is granted access to the PLMN.
CN 00815051 1999-08-31 2000-08-31 GSM security for packet data networks CN1385051A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US38625399 1999-08-31 1999-08-31

Publications (1)

Publication Number Publication Date
CN1385051A (en) 2002-12-11

Family

ID=23524822

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 00815051 CN1385051A (en) 1999-08-31 2000-08-31 GSM security for packet data networks

Country Status (3)

Country Link
EP (1) EP1208715A1 (en)
CN (1) CN1385051A (en)
WO (1) WO2001017310A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100469196C (en) 2006-07-28 2009-03-11 电信科学技术研究院 Identification method for multi-mode terminal roaming among heterogenous inserting technology networks
CN1816822B (en) 2003-08-11 2010-09-29 索尼株式会社 Authentication method, authentication system, and authentication server
CN103647646B (en) * 2007-03-30 2017-08-04 埃森哲环球服务有限公司 Admittedly digital content delivery

Families Citing this family (59)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FI115355B (en) 2000-06-22 2005-04-15 Icl Invia Oyj The arrangement for identification and verification of the secure system to the user
WO2002015626A1 (en) * 2000-08-15 2002-02-21 Telefonaktiebolaget Lm Ericsson (Publ) Network authentication by using a wap-enabled mobile phone
GB0028618D0 (en) * 2000-11-24 2001-01-10 Ericsson Telefon Ab L M Ipsec connections for mobile terminals
CA2435329A1 (en) * 2001-01-17 2002-07-25 Arcot Systems, Inc. Pre-authentication of users using one-time passwords
US7181762B2 (en) 2001-01-17 2007-02-20 Arcot Systems, Inc. Apparatus for pre-authentication of users using one-time passwords
US6983381B2 (en) 2001-01-17 2006-01-03 Arcot Systems, Inc. Methods for pre-authentication of users using one-time passwords
US7194251B2 (en) 2001-03-20 2007-03-20 3Com Corporation Intelligent gate distributed use and device network access management on personal area network
WO2002102019A3 (en) * 2001-04-20 2003-07-31 3Com Corp Network management device and method for managing wireless access to a network
US8209753B2 (en) 2001-06-15 2012-06-26 Activcard, Inc. Universal secure messaging for remote security tokens
US20020194499A1 (en) * 2001-06-15 2002-12-19 Audebert Yves Louis Gabriel Method, system and apparatus for a portable transaction device
ES2292609T3 (en) * 2001-06-27 2008-03-16 Nokia Corporation Method and system for authorizing carriers in a wireless network comunicacones.
WO2003003690A1 (en) * 2001-06-27 2003-01-09 Nokia Corporation Method and system for bearer authorization in a wireless communication network
GB0119629D0 (en) * 2001-08-10 2001-10-03 Cryptomathic As Data certification method and apparatus
DE10138381B4 (en) * 2001-08-13 2005-04-07 Orga Systems Enabling Services Gmbh Computer system and method for data access control
CA2356420A1 (en) * 2001-08-30 2003-02-28 Duane Sharman Authentication and non-repudiation of a subscriber on a public network
FR2832576A1 (en) * 2001-11-20 2003-05-23 Schlumberger Systems & Service Mobile user supplier identification process uses authentication function
FR2834163B1 (en) 2001-12-20 2004-11-19 Cegetel Groupe Method for access control to a content and system for access control to a content
DE10200681B4 (en) * 2002-01-10 2004-09-23 Siemens Ag Temporary Zugansberechtigung to access automation equipment
DE10218729B4 (en) * 2002-04-26 2004-05-27 Andawari Gmbh A method for authenticating and / or authorizing persons
FR2842055B1 (en) * 2002-07-05 2004-12-24 Nortel Networks Ltd A method for controlling access to a cellular system radio through a wireless LAN, and the control member for carrying out the method
EP1560109A4 (en) * 2002-11-06 2011-05-18 Panasonic Corp Print system, print device, and print instruction method
US7907935B2 (en) 2003-12-22 2011-03-15 Activcard Ireland, Limited Intelligent remote device
US7548620B2 (en) * 2004-02-23 2009-06-16 Verisign, Inc. Token provisioning
CA2577333C (en) 2004-08-18 2016-05-17 Mastercard International Incorporated Method and system for authorizing a transaction using a dynamic authorization code
GB0422132D0 (en) * 2004-10-06 2004-11-03 Sharp Kk Method and apparatus for performing a secure transaction in a trusted network
GB0423301D0 (en) 2004-10-20 2004-11-24 Fujitsu Ltd User authorization for services in a wireless communications network
JP4782139B2 (en) 2004-10-26 2011-09-28 Telecom Italia S.p.A. Method and system for transparently authenticating a mobile user for access to web services
CN1838591B (en) 2005-03-21 2010-05-05 Matsushita Electric Industrial Co., Ltd. Automatic security authentication system and method for wireless networks
WO2006136750A3 (en) * 2005-06-20 2007-05-03 Vincent Barnaud Authenticating a server prior to sending identification data of a client
CA2645044C (en) * 2005-10-11 2016-05-10 Philip Yuen System and method for authorization of transactions
US8352376B2 (en) 2005-10-11 2013-01-08 Amazon Technologies, Inc. System and method for authorization of transactions
EP1802155A1 (en) 2005-12-21 2007-06-27 Cronto Limited System and method for dynamic multifactor authentication
US7975287B2 (en) 2006-02-01 2011-07-05 Research In Motion Limited System and method for validating a user of an account using a wireless device
GB0604001D0 (en) * 2006-02-28 2006-04-05 Orange Personal Comm Serv Ltd System and method for controlling network access
FR2900019B1 (en) * 2006-04-12 2008-10-31 Alcatel Sa Method for authentication, terminal and associated operator
EP2016542A1 (en) * 2006-05-10 2009-01-21 Worldwide Gpms Ltd. Process and system for confirming transactions by means of mobile units
US20090228966A1 (en) * 2006-05-18 2009-09-10 Fronde Anywhere Limited Authentication Method for Wireless Transactions
US8943573B2 (en) 2006-06-16 2015-01-27 Fmt Worldwide Pty Ltd Authentication system and process
EP1871065A1 (en) * 2006-06-19 2007-12-26 Nederlandse Organisatie voor Toegepast-Natuurwetenschappelijk Onderzoek TNO Methods, arrangement and systems for controlling access to a network
US7945246B2 (en) 2007-10-26 2011-05-17 Sony Ericsson Mobile Communications Ab System and method for establishing authenticated network communications in electronic equipment
FR2924294A1 (en) * 2007-11-28 2009-05-29 France Telecom Authentication identifier e.g. medium access control address, and random sequence transmitting method for e.g. portable computer, involves sending authentication request nearer to communicating device by terminal
FR2958821A1 (en) * 2007-12-11 2011-10-14 Mediscs User authentication method
JP4983596B2 (en) * 2007-12-28 2012-07-25 Brother Industries, Ltd. Data providing system and data providing device
JP5211686B2 (en) 2007-12-28 2013-06-12 Brother Industries, Ltd. Data providing system and data providing device
WO2009090428A1 (en) * 2008-01-15 2009-07-23 Vodafone Group Plc Mobile approval system and method
US8620826B2 (en) 2008-03-27 2013-12-31 Amazon Technologies, Inc. System and method for receiving requests for tasks from unregistered devices
US8204827B1 (en) 2008-03-27 2012-06-19 Amazon Technologies, Inc. System and method for personalized commands
FR2940580B1 (en) * 2008-12-23 2012-11-30 Yann Le Solleu Method and system for controlling access to a service
DE102009060946A1 (en) * 2009-12-23 2011-06-30 Wolfram Doering Method for electronic communication of bank orders and communication system for carrying out the method
EP2831851A4 (en) 2012-03-30 2015-08-26 Nokia Technologies Oy Identity based ticketing
US9053304B2 (en) * 2012-07-13 2015-06-09 Securekey Technologies Inc. Methods and systems for using derived credentials to authenticate a device across multiple platforms
US20140095387A1 (en) * 2012-10-01 2014-04-03 Nxp B.V. Validating a transaction with a secure input and a non-secure output
US9495524B2 (en) 2012-10-01 2016-11-15 Nxp B.V. Secure user authentication using a master secure element
GB201307995D0 (en) * 2013-05-03 2013-06-12 Vodafone Ip Licensing Ltd Access control
WO2014181028A1 (en) * 2013-05-06 2014-11-13 Nokia Corporation Method and apparatus for access control
US20160127902A1 (en) 2013-06-12 2016-05-05 Telecom Italia S.P.A. Mobile device authentication in heterogeneous communication networks scenario
EP2924944B1 (en) * 2014-03-25 2018-03-14 Telia Company AB Network authentication
EP2940618A1 (en) * 2014-04-29 2015-11-04 Deutsche Telekom AG Method, system, user equipment and program for authenticating a user
CN104506510B (en) * 2014-12-15 2017-02-08 Baidu Online Network Technology (Beijing) Co., Ltd. Device authentication method, authentication service system and apparatus

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5668876A (en) * 1994-06-24 1997-09-16 Telefonaktiebolaget Lm Ericsson User authentication method and apparatus
FR2771875B1 (en) * 1997-11-04 2000-04-14 Gilles Jean Antoine Kremer Information transmission method and computer server implementing it

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1816822B (en) 2003-08-11 2010-09-29 Sony Corporation Authentication method, authentication system, and authentication server
CN100469196C (en) 2006-07-28 2009-03-11 China Academy of Telecommunications Technology Authentication method for a multi-mode terminal roaming among heterogeneous access technology networks
CN103647646B (en) * 2007-03-30 2017-08-04 Accenture Global Services Limited Secure digital content delivery

Also Published As

Publication number Publication date Type
EP1208715A1 (en) 2002-05-29 application
WO2001017310A1 (en) 2001-03-08 application

Similar Documents

Publication Publication Date Title
Schwiderski-Grosche et al. Secure mobile commerce
US6880079B2 (en) Methods and systems for secure transmission of information using a mobile device
US7058180B2 (en) Single sign-on process
US7437757B2 (en) Token for use in online electronic transactions
US7296149B2 (en) Secure user and data authentication over a communication network
US7085840B2 (en) Enhanced quality of identification in a data communications network
US7107248B1 (en) System and method of bootstrapping a temporary public-key infrastructure from a cellular telecommunication authentication and billing infrastructure
US7275260B2 (en) Enhanced privacy protection in identification in a data communications network
US7496751B2 (en) Privacy and identification in a data communications network
US20110197266A1 (en) Methods and systems for secure user authentication
US20040214570A1 (en) Technique for secure wireless LAN access
US20070130463A1 (en) Single one-time password token with single PIN for access to multiple providers
US20060080545A1 (en) Single-use password authentication
US20110086616A1 (en) Secure Transaction Authentication
US20090234760A1 (en) Transaction authorisation system and method
US20070067620A1 (en) Systems and methods for third-party authentication
US20040030659A1 (en) Transaction system and method
US20050086467A1 (en) Requesting digital certificates
US20110265159A1 (en) System and Methods for Online Authentication
US20130308778A1 (en) Secure registration of a mobile device for use with a session
US7606560B2 (en) Authentication services using mobile device
US20050021982A1 (en) Hybrid authentication
US20110022835A1 (en) Secure Communication Using Asymmetric Cryptography and Light-Weight Certificates
US20020056044A1 (en) Security system
EP1102157A1 (en) Method and arrangement for secure login in a telecommunications system

Legal Events

Date Code Title Description
C10 Request of examination as to substance
C06 Publication
C10 Request of examination as to substance
C02 Deemed withdrawal of patent application after publication (patent law 2001)