CN1659820A - Non-repudiation of service agreements - Google Patents

Publication number: CN1659820A
Authority: CN (China)
Prior art keywords: service agreement, user, isp, information, manager
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN03813707.0A
Other languages: Chinese (zh)
Inventors: R. Blom, A. Mehes
Current Assignee: Telefonaktiebolaget LM Ericsson AB (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Telefonaktiebolaget LM Ericsson AB
Priority claimed from: US10/278,362 (US7194765B2)
Application filed by: Telefonaktiebolaget LM Ericsson AB

Classifications

    • H04L63/12 Applying verification of the received information
    • G06Q20/02 Payment architectures, schemes or protocols involving a neutral party, e.g. certification authority, notary or trusted third party [TTP]
    • H04L9/0844 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L2209/04 Masking or blinding
    • H04L2209/56 Financial cryptography, e.g. electronic payment or e-cash
    • H04L2463/102 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying security measure for e-commerce

Abstract

The invention generally relates to efficient non-repudiation of service agreements between a user (10) and a service provider (20) in a communication system. An additional trusted party (30), a so-called service agreement manager is introduced, and the invention is based on the idea that the service agreement manager (30) shares a secret key (Ki) with a user terminal (10) and that the service provider (20) has a trust relation with the service agreement manager (30). The non-repudiation scheme proposed by the invention is furthermore based on preparation of relevant service agreement information, cryptographic processing (14/34) of this information based on the shared secret key (Ki) in order to generate user-signed service agreement verification information. The user-signed verification information is subsequently forwarded to the service provider (20) to enable verification (26/36) of the service agreement based on the trust relation between the service provider (20) and the service agreement manager (30).

Description

Non-repudiation of service agreements
Technical field
The present invention relates generally to reliable methods for securing transactions between users and service providers in modern communication systems, such as mobile communication systems.
Background
Many communication systems of today, including mobile communication systems, employ authentication and encryption procedures to enhance system security and robustness.
In mobile communication systems, for example, users authenticate towards the network and/or service providers in order to gain access to basic network services as well as other services, and the authentication also serves as a basis for billing the users. The basic security protocols of modern communication systems normally involve a challenge-response authentication procedure, most often based on secret-key cryptography. Challenge-response authentication is well known in the art, and several standards exist for basic challenge-response authentication, for example for GSM (Global System for Mobile Communications) and UMTS (Universal Mobile Telecommunications System).
In electronic commerce, and in small-payment systems in particular, it is essential for the service provider to be able to prove that the user has agreed to pay for a service (user acceptance of the service charge/service agreement).
Known techniques for non-repudiation normally employ digital signatures based on public-key cryptographic schemes, which are computationally very expensive.
Summary of the invention
The present invention overcomes these and other drawbacks of the prior-art arrangements.
It is a general object of the invention to provide an efficient and robust scheme for non-repudiation of service agreements between a service provider and a user in a communication system.
It is an object of the invention to provide a scheme that enables the service provider to prove or verify that the user has actually accepted a given service agreement.
For example, the service provider may be interested in being able to prove that the user has agreed to pay for a service, including verification of the accepted service charge.
Another object of the invention is to provide a mechanism for improved challenge-response based authentication and key agreement (AKA) in a communication system.
These and other objects are met by the invention as defined by the claims.
Briefly, the invention generally introduces a third, trusted party, a so-called service agreement manager. The idea behind the invention is that the service agreement manager shares a secret key with the user terminal and that the service provider has a trust relation with the service agreement manager. The non-repudiation scheme proposed by the invention is furthermore based on preparation of relevant service agreement information and cryptographic processing of this information based on the shared secret key in order to generate user-signed service agreement verification information. The user-signed verification information is subsequently forwarded to the service provider to enable verification of the service agreement based on the trust relation between the service provider and the service agreement manager.
The service agreement manager may be any trusted party that manages, or participates in the management of, service agreements between the service provider and the user, and may for example be implemented on the network operator side of the communication system.
The service agreement manager may even be distributed between different nodes or parties, and may for example comprise a user identity broker and a payment broker arranged between the service provider and the identity broker. In this case, a chain of trust is established between the service provider, the payment broker and the identity broker, and the user terminal typically shares the secret key with the identity broker.
The preparation of the service agreement information is normally performed or initiated by the service provider, but it should be understood that the information may be prepared by any of the parties involved, as long as both the user and the service provider accept the agreement.
The cryptographic processing of the service agreement information is normally performed on the user side, but may in some cases also involve the service agreement manager. Preferably, the user terminal performs the cryptographic processing based on a non-repudiation key locally derived from the shared secret key in order to generate the required verification information.
The mere fact that the service provider receives the user-signed verification information and is able to store it may deter the user from repudiating the service agreement that has been entered into. If desired or otherwise appropriate, the actual verification may be performed, on-line or off-line, by the service agreement manager or even directly by the service provider.
For example, the service agreement manager may generate expected verification information based at least partly on the prepared service agreement information and the shared secret key and, when required, verify that the user-signed verification information forwarded from the service provider corresponds to the expected verification information.
The user-signed verification information may conveniently be generated by the user terminal in response to a challenge initiated from the service agreement manager, or based on a user-initiated ticket, in both cases in combination with the given service agreement information.
However, the cryptographic processing of the service agreement information may also be performed on both the service agreement manager side and the user side. In this case, the service agreement manager preferably generates a cryptographic representation of the service agreement information based on the shared secret key and forwards this representation to the user terminal (typically via the service provider); the proper verification information can then be generated on the user side by processing the received cryptographic representation based on the shared secret key.
For example, in a ticket-based solution, the cryptographic processing on the service agreement manager side may include encryption of a ticket generated based on the prepared service agreement information, and the processing on the user side then generally includes decryption of the encrypted ticket.
It should be understood that the service agreement information may be a general electronic contract. However, the invention has turned out to be particularly useful in applications where the service agreement information includes service charge information and the service agreement manager acts as a payment provider or as a billing center on behalf of the service provider.
For general contract signing, a specially designed embodiment that allows off-line verification by the service provider involves masking both the expected verification information generated by the service agreement manager and the user-signed verification information by means of local instances of the same masking function. The service agreement manager masks the expected verification information, generated based on the shared secret key and the general contract, and forwards it to the service provider. The service provider receives the user-signed verification information from the user side and masks it, and can then verify the service agreement on the service provider side by comparing the masked expected verification information with the masked user-signed verification information.
Advantageously, the service agreement manager generates the expected service agreement verification information by applying a keyed hash of the contract as the random challenge in an ordinary challenge-response based authentication and key agreement procedure.
In a series of particularly useful embodiments, non-repudiation of service agreements is integrated with the challenge-response based authentication and key agreement (AKA) procedure used for network access (for example GSM/UMTS AKA), using the same shared secret key that is normally used for AKA. This means that existing infrastructure can be re-used.
In clear contrast to the invention, the prior art for providing non-repudiation of service agreements is based on public-key schemes directly between the service provider and the user terminal, using asymmetric key pairs.
Although not necessary, it has turned out to be beneficial to keep the keying material used for non-repudiation of service agreements separate from the keying material used for ordinary AKA. In this respect, the keying material used for non-repudiation may even be bound to a specific payment broker co-operating with an authentication manager, where the user terminal shares the secret key with the authentication manager.
In another related aspect of the invention, the above isolation scheme is applied to improve challenge-response based authentication and key agreement (AKA). Briefly, the ordinary AKA procedure can be improved by isolating, by means of a predetermined function (such as a pseudo-random function), a first set of AKA parameters used for accessing a network managed by a network operator from a second set of AKA parameters used for accessing services provided by a service provider, with a representation of at least part of the first set of AKA parameters used as input for generating the second set of AKA parameters. The advantage is that even if the keying material used for service access is lost or stolen, it cannot be used for basic network access.
The invention offers the following advantages:
Efficient and robust non-repudiation of service agreements in a communication system.
Prevents users from repudiating service agreements that they have entered into.
New business possibilities for network operators acting as trusted service agreement managers. For example, an operator may have a natural role in the process of collecting payments.
An efficient way of extending basic challenge-response procedures (such as UMTS/GSM AKA), making it possible to bind payment agreements to user authentication.
Easy migration with existing infrastructure.
Easy implementation, without having to introduce new GSM or UMTS subscriber identity modules (SIMs). The terminals have to be changed anyway to accommodate new payment protocols.
Other advantages offered by the invention will be appreciated upon reading the description of embodiments of the invention below.
Brief description of the drawings
The invention, together with further objects and advantages thereof, may best be understood by reference to the following description taken together with the accompanying drawings, in which:
Fig. 1 is a schematic overview of the basic participants and their mutual relations according to a preferred embodiment of the invention;
Fig. 2 is a schematic signal exchange diagram of authentication at the home site when a mobile user roams into a visited network in a mobile communication system;
Fig. 3 is a schematic signal exchange diagram of authentication with delegated verification, in the way it is commonly implemented in cellular systems today;
Fig. 4 is a schematic diagram illustrating the overall structure and basis of the proposed general scheme for non-repudiation of service agreements according to a preferred embodiment of the invention;
Fig. 5 is an exemplary signal exchange diagram of service agreement non-repudiation with a dedicated non-repudiation key and possible off-line verification;
Fig. 6A is an exemplary signal exchange diagram of on-line verification of a service agreement with a dedicated non-repudiation key;
Fig. 6B is an exemplary signal exchange diagram of on-line verification of a service agreement with an existing AKA key used as the non-repudiation key;
Fig. 7A is an exemplary signal exchange diagram of establishing proof of user authentication by means of masked authentication data, in combination with off-line verification of the service agreement;
Fig. 7B is an exemplary signal exchange diagram of establishing proof of user authentication by means of masked authentication data, in combination with on-line verification of the authentication and the service agreement, using a dedicated key or an existing AKA key for non-repudiation of the service agreement;
Fig. 8A is an exemplary signal exchange diagram of ticket-based non-repudiation with possible on-line verification;
Fig. 8B is an exemplary signal exchange diagram of ticket-based non-repudiation with on-line verification;
Fig. 9 is an exemplary signal exchange diagram of ticket-based non-repudiation in which the basic ticket is prepared by the authentication/payment manager on behalf of the user;
Fig. 10 is an exemplary signal exchange diagram of contract signing based on the introduction of masked verification data that allows off-line verification by the service provider;
Fig. 11 is an exemplary signal exchange diagram of an implementation of the contract signing of Fig. 10;
Fig. 12A is an exemplary signal exchange diagram of AKA-integrated service agreement non-repudiation based on different, isolated key sets, with possible off-line verification;
Fig. 12B is an exemplary signal exchange diagram of AKA-integrated service agreement non-repudiation based on different, isolated key sets, with on-line verification;
Fig. 13 is an exemplary schematic block diagram of a distributed implementation that introduces an identity broker and a payment broker and uses a chain of trust established between the identity broker, the payment broker and the service provider;
Fig. 14 is an exemplary signal exchange diagram of service agreement non-repudiation in a post-paid scenario for the configuration shown in Fig. 13;
Fig. 15 is an exemplary signal exchange diagram of service agreement non-repudiation in a pre-paid scenario for the configuration shown in Fig. 13;
Fig. 16 is a schematic block diagram illustrating an example of a service agreement manager according to a preferred embodiment of the invention;
Fig. 17 is a schematic block diagram illustrating an example of a service provider according to a preferred embodiment of the invention;
Fig. 18 is a schematic block diagram illustrating an example of a user terminal according to a preferred embodiment of the invention.
Detailed description of embodiments of the invention
Throughout the drawings, the same reference characters will be used for corresponding or similar elements.
Overview
It may be useful to begin with an overview of the basic participants and their mutual relations with reference to Fig. 1, which is a schematic overview of a communication system according to the proposed invention.
The basic participants include a user 10, a service provider 20 and an additional party generally referred to as a trust provider 30, which may perform different tasks on behalf of the service provider and/or the user. The trust provider 30 has a trust relation with the user (or rather a properly configured user terminal), established by a shared secret key. The trust provider 30 and the service provider 20 may have an agreement that is manifested as a trust relation in the form of a contract. The relation between the user 10 and the service provider 20 is usually regarded as a derived trust relation, which is established when a service offered by the service provider is requested or provided.
The trust provider may, for example, be related to a network operator with which the user has a trust relation, established for example by a subscription or a pre-paid account.
This established trust relation is typically manifested in a cryptographic relation through a shared secret key that enables challenge-response procedures (such as the GSM/UMTS AKA (Authentication and Key Agreement) procedure and/or similar procedures). The network operator may have an agreement with a service provider, and this agreement is typically manifested by a similar cryptographic relation. The service providers may then perform indirect mutual authentication with the end users of their services, using a challenge-response procedure such as GSM/UMTS AKA.
It is known to use the home operator as a basis of trust for user authentication when a mobile user roams into another network managed by a so-called visited operator, as schematically illustrated in Figs. 2 and 3.
Fig. 2 is a schematic signal exchange diagram of user authentication with on-line verification by the home operator in a mobile communication system when a mobile user roams into a visited network.
The basic UMTS AKA procedure uses a shared secret key Ki, for example a subscription key associated with the user-operator subscription or a key derived therefrom, to produce a response to a challenge as well as two session keys, one for confidentiality protection (Ck) and one for integrity protection (Ik) of the traffic between the user and the visited operator. The home operator, or more precisely the HSS/AuC (Home Subscriber Server/Authentication Center) or HLR/AuC (HLR: Home Location Register), generates a random challenge (RAND) together with an authentication token (AUTN), which is later used by the user to verify that the challenge is fresh and was generated by the home operator. From the challenge and the shared secret key, the response (RES/XRES) and the keys (Ck, Ik) are calculated. In GSM AKA, no integrity key or authentication token is generated, but the basic challenge-response procedure is the same. The shared secret key is typically implemented in a SIM card used in GSM mobile equipment or in a UMTS SIM card (USIM) used in UMTS mobile equipment, depending on the AKA implementation.
With reference to Fig. 2, which more or less corresponds to the standard Extensible Authentication Protocol (EAP), one way of implementing the required signaling is summarized below:
In an initial phase, the user sends an identifier to the visited operator, and the visited operator forwards the identifier to the home operator. Based on the identifier, the HSS/AuC or equivalent unit on the home operator side retrieves the corresponding secret key, generates a quintet (RAND, AUTN, Ck, Ik, XRES) and sends
1. Challenge (RAND), authentication token (AUTN)
to the visited operator. These parameters are forwarded to the user by the visited operator.
2. Challenge (RAND), authentication token (AUTN)
The user checks the AUTN and, if it is OK, calculates the response (RES), the confidentiality key (Ck) and the integrity key (Ik). The response is sent back to the home operator via the visited operator.
3. Response (RES)
4. Response (RES)
The home operator checks whether RES is equal to the expected response (XRES). If so, the keys are securely transferred to the visited operator.
5. Integrity and confidentiality keys (Ik and Ck)
The home operator sees the RES from the end user and can confirm that the end user has been authenticated by the visited operator. However, the home operator has no evidence of what services the user has accepted.
If the signaling is implemented in the way it is done in cellular systems today, the home operator will not even have evidence of the user authentication. In this case, with reference to Fig. 3, the signaling is as follows:
1. RAND, AUTN, Ik, Ck, XRES
2. RAND, AUTN
The user checks the AUTN and, if it is OK, calculates the response RES, the confidentiality key Ck and the integrity key Ik.
3. RES
The visited network checks whether RES is equal to XRES. If so, the user is authenticated.
Exemplary general scheme for non-repudiation of service agreements
Fig. 4 is a schematic diagram illustrating the overall structure and basis of the proposed general scheme for non-repudiation of service agreements according to a preferred embodiment of the invention.
The inventors have recognized that the service provider must be able to prove that the user has accepted a given service agreement, and in particular that the user has agreed to pay for the service, including verification of the accepted service charge (user acceptance of the service agreement/service charge). This is particularly important when user authentication and payment/charging are performed by or via a third, trusted party (such as a network operator or equivalent).
Therefore, for the purpose of non-repudiation of service agreements between the service provider and the user, it is proposed that the trust provider 30 acts as a general service agreement manager on behalf of the service provider and/or the user. The non-repudiation scheme according to a preferred basic embodiment of the invention involves preparation of relevant service agreement information, and cryptographic processing of the prepared information based on a secret key shared between the service agreement manager and the user terminal, in order to generate user-signed service agreement verification information. The user-signed verification information is subsequently forwarded to the service provider to enable verification of the service agreement based on the trust relation between the service provider and the service agreement manager.
The preparation of the service agreement information, suitably in electronic form (an electronic contract), is normally performed, or at least initiated, by the service provider in a contract preparation/initiation unit 22, but the information may be prepared by any of the parties involved, as long as both the user and the service provider accept the agreement. For example, the service agreement manager 30 may choose to prepare the service agreement information on behalf of the service provider 20.
The cryptographic processing of the service agreement information is normally performed on the user side, in a tamper-resistant module 12 in the user terminal 10. Preferably, the user terminal 10 performs the cryptographic processing in a crypto engine 14, based on a non-repudiation key locally derived from the shared secret key, in order to generate the required verification information. In some implementations, however, the cryptographic processing may be performed both by the user terminal 10 in the crypto engine 14 and by the service agreement manager 30 in a crypto engine 34.
The mere fact that the user-signed verification information is securely forwarded from the user terminal 10 to the service provider 20 has a repudiation-deterring effect. Preferably, however, verification is performed on-line or off-line by the service agreement manager, or directly by the service provider. In the off-line procedure, verification information comprising at least the user-signed verification part, and preferably also the corresponding challenge or other input together with the user identity, is typically stored in a storage unit from which the service provider 20 can later retrieve the verification information and present it as evidence that the user has accepted the service agreement. In the on-line procedure, the verification information is normally forwarded more or less directly from the service provider 20 to the service agreement manager 30, thus enabling on-line proof. Based on the presented verification information, the service agreement manager 30 may then perform the relevant calculations and/or comparisons to verify, in a verification unit 36, whether the user has actually accepted the service agreement.
The service agreement manager may conveniently be associated with a database comprising user IDs and the associated secret keys Ki of a set of users. This enables the service agreement manager to access the secret key of a given user, based on the corresponding user ID, for various purposes such as generation of user authentication parameters, cryptographic processing of service agreement information and/or service agreement verification.
As will be described later, the verification may also be performed directly by the service provider 20, in a verification unit 26.
The trust relation between the service provider 20 and the service agreement manager 30 should provide guarantees regarding statements made or data provided by the service agreement manager to the service provider. Since the information sent (for example service agreement information, charging data, authentication parameters and/or other appropriate information) is usually regarded as sensitive, and since the identities of the communicating parties are essential for the above guarantees, the communication link between the service provider and the service agreement manager should be secure. This may be accomplished, for example, by using TLS or IPSec, or by encrypting/signing individual messages.
AKA-integrated approval/verification of service agreements
It may be useful to begin the description of the invention with the AKA-integrated approval/verification of service agreements.
In a series of preferred embodiments, the approval of the service agreement, in particular of the service fee, is integrated with challenge-response based evaluation (authentication) and key agreement (AKA) for network access (for example GSM/UMTS AKA or similar evaluation), using the same shared key that AKA normally uses. A major advantage of AKA-integrated approval is that existing infrastructure can be reused.
In this context, it is usually assumed that a trusted service agreement manager acts as an evaluation/payment management device that identifies users, authorizes user access to services and/or establishes evidence that the user has accepted the conditions of service usage. In a typical scenario, a network operator implements the evaluation/payment management device as a security system used to set up reliable, secure communication between the user and an access point. The operator also has trust relationships with ISPs and communicates with them over secure links. In response to a service access request, the evaluation/payment management device uses the key it shares with the requesting user (typically denoted Ki) to help with the evaluation, authorization, approval and/or payment or charging processes.
As regards service fees, the user's agreement to pay for a service can be bound to UMTS/GSM AKA or similar evaluation. Preferably, this is done in such a way that the ISP is assured the user cannot deny the service agreement at a later stage.
Fig. 5 is a schematic diagram of an exemplary signal exchange for service agreement approval using a dedicated endorsement key, with possible offline verification. In this example, the ordinary challenge-response (AKA) scheme is extended with the derivation of an additional session key and with additional service agreement information; the additional key is shared only between the user and the operator.
Consider a user who wants to access a service offered by an ISP. Normally the user must be identified before the service is provided. The user ID need not be a public identifier, but it should map to a user-related key Ki, so that charges can be made to the correct account. For example, if the user has a subscription with a home operator, Ki can be the subscription key, or an encryption key tied to a prepaid account. The transfer of the user ID is usually drawn with a dashed line, partly because it can be regarded as an initialization phase and partly because it may be part of a batch transfer of evaluation vectors between the ISP and the operator. The ISP normally needs to receive from the user information that identifies the evaluation/payment management device associated with the user, for example the identity of the user's home operator. This enables the ISP to forward the user ID, in a request for AKA parameters, to the relevant evaluation/payment management device. From the received user ID, the evaluation/payment management device identifies the key Ki and generates the appropriate AKA parameters: it generates a random challenge RAND, calculates the expected response XRES from a given function g with Ki and RAND as input, and generates the usual integrity and confidentiality keys Ik and Ck from Ki and RAND.
The user should also agree to pay for the service. The agreement should be such that the ISP can later prove that the user did agree. The idea here is that, when user evaluation and key agreement are carried out and the evaluation parameters (RAND and XRES, and the integrity and confidentiality keys Ik and Ck) are generated, an additional service agreement endorsement key, denoted Rk, is generated as well.
The basic exemplary signal exchange is summarized below:
1. RAND, AUTN, Ik, Ck, XRES
The ISP generates service agreement information comprising one or more information items, such as a service identifier, service fee, validity period, ISP identifier and so on. Below, the service agreement information is illustrated by a cost parameter COST_UNIT representing a given value (the cost per service unit). If desired, this cost parameter can be accompanied by a nonce to randomize it, a timestamp to indicate the time of validity, and a service identifier and ISP identifier.
2. RAND, AUTN, COST_UNIT
The user checks AUTN and, if it is in order, calculates the response RES, the confidentiality key Ck and the integrity key Ik according to the standard AKA scheme. In addition, the extended AKA scheme generates the endorsement key Rk, which is likewise based on the shared key Ki and RAND. Rk is then used to calculate a MAC (message authentication code), COST_MAC, over RAND and COST_UNIT: COST_MAC = MAC(Rk, RAND||COST_UNIT). COST_MAC is returned to the ISP together with the evaluation response RES. For the approval purpose to be achieved, the ISP must not be able to forge COST_MAC.
3. RES, COST_MAC
The ISP checks whether RES matches XRES. The ISP also retains the authorization information, for example the user ID, RAND, COST_UNIT and COST_MAC, as later evidence of the user's agreement.
If required or requested, the ISP can later forward the authorization information to the evaluation/payment management device at the operator's end.
4. COST_UNIT, COST_MAC, USER ID, RAND
The evaluation/payment management device at the operator's end then acts as verifier and checks whether COST_MAC equals the expected XMAC = MAC(Rk, RAND||COST_UNIT), to verify that the user accepted the service agreement and the service fee.
Of course, there is a possibility that the user forges COST_MAC. To counter this, COST_MAC can be tested online at random, together with some policy arranged to deter users from doing so.
In essence, this exemplary method extends basic AKA with an endorsement key that is shared between the operator and the user but is not distributed to the ISP. The user can use this endorsement key to "sign" messages, and the operator can verify the user's "signed" messages. As described above, one exemplary solution is to send RAND to the user together with the data and to use a key derived from RAND to compute a MAC that establishes the authenticity of the data.
It should be understood that it is equally feasible to complete the ordinary AKA signaling first, with the ISP verifying that RES equals XRES, and then to carry out the approval signaling over the secure link when the user requests a service from the ISP. This means that, after successful user evaluation, the ISP sends the cost parameter COST_UNIT and related information to the user when it receives a service request from the user. The user then calculates COST_MAC and returns it to the ISP, enabling verification of the service agreement.
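The offline exchange of Fig. 5, as an added Python example that is not part of the patent text. It shows why the ISP, which receives Ik and Ck but never Rk, can store evidence yet cannot alter the fee afterwards. HMAC-SHA256 and the derivation labels are assumptions standing in for the AKA functions, which the text does not specify; AUTN and Ck are omitted.

```python
import hashlib
import hmac
import secrets


def _kdf(ki: bytes, label: bytes, rand: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the AKA functions. The text only
    # requires that RES, Ik and Rk all depend on the shared key Ki and RAND.
    return hmac.new(ki, label + rand, hashlib.sha256).digest()


def derive_res(ki: bytes, rand: bytes) -> bytes:
    return _kdf(ki, b"RES:", rand)[:8]


def derive_ik(ki: bytes, rand: bytes) -> bytes:
    return _kdf(ki, b"Ik:", rand)[:16]


def derive_rk(ki: bytes, rand: bytes) -> bytes:
    return _kdf(ki, b"Rk:", rand)


def cost_mac(key: bytes, rand: bytes, cost_unit: bytes) -> bytes:
    # COST_MAC = MAC(Rk, RAND || COST_UNIT). RAND is always 16 bytes here,
    # so plain concatenation cannot be split in two different ways.
    return hmac.new(key, rand + cost_unit, hashlib.sha256).digest()


class Operator:
    """Evaluation/payment management device: holds Ki for each user."""

    def __init__(self):
        self._ki = {}

    def enroll(self, user_id: str, ki: bytes) -> None:
        self._ki[user_id] = ki

    def aka_vector(self, user_id: str):
        """Step 1: RAND, XRES and Ik for the ISP. Rk is never released."""
        ki = self._ki[user_id]
        rand = secrets.token_bytes(16)
        return rand, derive_res(ki, rand), derive_ik(ki, rand)

    def verify_agreement(self, user_id, rand, cost_unit, mac) -> bool:
        """Step 4: recompute XMAC from the stored Ki and compare."""
        ki = self._ki.get(user_id)
        if ki is None or len(rand) != 16:
            return False
        xmac = cost_mac(derive_rk(ki, rand), rand, cost_unit)
        return hmac.compare_digest(xmac, mac)


class UserTerminal:
    def __init__(self, ki: bytes):
        self._ki = ki

    def approve(self, rand: bytes, cost_unit: bytes):
        """Step 3: return RES and COST_MAC for the offered COST_UNIT."""
        rk = derive_rk(self._ki, rand)
        return derive_res(self._ki, rand), cost_mac(rk, rand, cost_unit)


def offline_exchange(cost_unit: bytes = b"service=video;COST_UNIT=5"):
    """Run steps 1-3 with constructed values; return (operator, ISP's Ik, evidence)."""
    ki = secrets.token_bytes(16)
    operator = Operator()
    operator.enroll("user-1", ki)
    user = UserTerminal(ki)

    rand, xres, ik = operator.aka_vector("user-1")      # step 1
    res, mac = user.approve(rand, cost_unit)            # steps 2 and 3
    if not hmac.compare_digest(res, xres):              # ISP checks RES
        raise RuntimeError("user evaluation failed")
    # Evidence the ISP keeps for a later dispute (step 4 input).
    evidence = {"user_id": "user-1", "rand": rand,
                "cost_unit": cost_unit, "mac": mac}
    return operator, ik, evidence


if __name__ == "__main__":
    operator, ik, ev = offline_exchange()
    print("stored evidence verifies:", operator.verify_agreement(**ev))
    inflated = dict(ev, cost_unit=b"service=video;COST_UNIT=500")
    print("inflated fee verifies:", operator.verify_agreement(**inflated))
```

The evidence record binds the fee to one RAND, so the same COST_MAC does not verify against a different challenge or a different user.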
Fig. 6 A is the exemplary signal exchange schematic diagram that service agreement is carried out online verification with special-purpose endorsement key.This example relates to the online user and identifies and serve protocol verification.
Summed up basic exemplary signal exchange below:
1.RAND、AUTN
The ISP generates relevant service agreement information, as service fee parameters C OST_UNIT to be transferred to the user.
2.RAND、AUTN、COST_UNIT
Customer inspection AUTN, if no problem, with regard to calculated response RES, confidentiality key Ck, Integrity Key Ik and endorsement key Rk.Calculate COST_MAC and return to the ISP together with it with to the response RES that identifies.
3.RES、COST_MAC
To online verification, the ISP transmits RES and holds to operator.After also can be simultaneously COST_UNIT and COST_MAC being appended to RES.
4.RES、COST_UNIT、COST_MAC
The XMAC whether response (XRES) whether evaluation/payment management device inspection RES equals to expect and COST_MAC equal to expect.If the user has a pre-paid account, manager can also check whether this user has enough deposits on his account number.If these conditions all just satisfy key is sent to the ISP.
5.Ik、Ck
When the ISP receives when being used to protect the key of the session between user and the ISP, this represents that also service agreement is no problem.
In addition, as preceding with reference to as described in the off-line case, at first finish common AKA signaling and subsequently when the user be feasible when the ISP asks to serve, finishing the approval signaling on the safety chain again.This often means that checking RES and key Ik, Ck are sent to the ISP, and when receiving service request, start special approval signaling by the ISP subsequently.But, will mainly the integrated example of AKA-be described below with integrated AKA and approval signaling.
Fig. 6 B is to use existing AKA key service agreement to be carried out the exemplary signal exchange schematic diagram of online verification as endorsement key.If the ISP always just carried out the online verification of service agreement before sending key from operator's end, COST_MAC will combine as endorsement key with Ik and needn't expand AKA so, to generate special endorsement key Rk.But the ISP will be less than the ability of record and maintenance service agreement evidence, because he will receive the integrity protection that key Ik is used for session subsequently.Operator can keep the hash to agreement, so that the ISP can not go back to change data.
Approval combined with sheltered (masked) evaluation data
As shown in Fig. 7A and Fig. 7B, user evaluation can be modified to allow proof of evaluation by introducing sheltered (masked) verification data, so that the ISP can provide valid evidence that the user was actually evaluated successfully.
The overall evaluation is initially based on a challenge-response process in which the evaluation/payment management device generates an expected response XRES and the user subsequently generates a corresponding response RES. The basic idea is to introduce a sheltering function f that shelters the generated expected response, and to send the sheltered expected response XRES' to the ISP instead of the original expected response XRES. The user generates and sends the corresponding user response RES in the conventional way, so the ISP receives the sheltered expected response XRES' from the operator's end and the ordinary user response RES from the user. The ISP then calculates the sheltered user response RES' with an instance of the same sheltering function that was used at the operator's end. To evaluate the user, the ISP simply verifies that the calculated sheltered user response RES' corresponds to the sheltered expected response XRES' received from the operator's end. This sheltering procedure enables the ISP to prove that the user was correctly evaluated, and at the same time prevents and/or counters interception attacks.
The ISP can subsequently be asked, before payment is transferred, to provide the response, or preferably the response-challenge pair, and/or the service agreement authorization information, to prove that the user was actually present in the network and/or used other services.
Obviously, there is a relationship between the evaluation/payment management device and the ISP, which means that the sheltering function has been exchanged between them. The same must hold for other similar information and/or functions that the two parties have in common.
Fig. 7A is a schematic diagram of an exemplary signal exchange that establishes user evaluation evidence by means of sheltered evaluation data, combined with offline verification of the service agreement. In addition to the ordinary AKA parameters, the evaluation/payment management device generates the sheltered expected response XRES' as a function of XRES and an optional sheltering random challenge SALT. The sheltering random challenge can, for example, be based on the random challenge RAND or be generated as a completely independent random value. The sheltered expected response XRES' and the random challenge RAND are then sent to the ISP, possibly together with the optional sheltering random challenge SALT. If offline verification of the service agreement with Rk is used, Ik and Ck can be issued together with RAND, AUTN and XRES'.
The basic exemplary signal exchange is summarized below:
1. RAND, AUTN, XRES', Ik, Ck, [SALT]
2. RAND, AUTN, COST_UNIT
3. RES, COST_MAC
The ISP then generates RES' with an instance of the same sheltering function f and the same random input RAND/SALT, and checks whether the sheltered response RES' equals the sheltered expected response XRES'. The ISP preferably stores RES, RAND and the USER ID in a suitable location (for later retrieval) as evaluation evidence information, together with COST_UNIT and COST_MAC as service agreement authorization information, to serve if necessary as evidence of user evaluation and of the service agreement. If the evaluation/payment management device or some other party concerned asks for evidence of a given user's evaluation and acceptance of the service agreement, the ISP can send this information to the operator's side.
4. RES, RAND, USER ID, COST_UNIT, COST_MAC
It should be noted that batches of service agreement authorization information, for multiple services provided by the ISP, can be transferred offline without any re-evaluation.
Preferably, the evaluation/payment management device then retrieves the key Ki associated with the given user, calculates the expected response XRES from the received RAND and the key Ki, and finally compares the received RES value with the calculated XRES value to verify whether the user was evaluated at the ISP. If the RES value matches the XRES value, the evidence is considered valid. In the same way, the evaluation/payment management device calculates the expected service agreement authorization information XMAC from the endorsement key Rk and from the RAND and COST_UNIT received from the ISP. The evaluation/payment management device then compares COST_MAC with XMAC to verify the service agreement.
Alternatively, the ISP simply forwards the RES value and the user ID of the given user. In this case, the evaluation/payment management device usually needs to have stored the XRES value for the user (or the RAND value from which the corresponding XRES value can be recalculated) so that RES and XRES can be compared.
If the optional sheltering random challenge SALT is not sent explicitly from the evaluation/payment management device, the ISP can derive it before verifying the evaluation, preferably from the random challenge RAND. The ISP then calculates the sheltered user response RES' with the user response RES and, optionally, the received or derived sheltering random challenge SALT as input to the sheltering function f.
As noted above, the sheltering random challenge SALT is optional and can be omitted from the evaluation process. In that case no random challenge SALT is input to the sheltering function f when calculating the sheltered expected response XRES' and the sheltered user response RES', respectively. To increase security, however, and in particular to defeat precomputation attacks, the sheltering random challenge SALT is preferably included as input to the sheltering function. The evaluation/payment management device can generate SALT as a completely random value and send it to the ISP together with the sheltered expected response XRES' and the random challenge RAND. To avoid extra signaling between the operator's end and the ISP, however, SALT can also be derived from the random challenge RAND. In this case the evaluation/payment management device preferably generates SALT by some function h of the random challenge RAND. No dedicated sheltering random challenge then needs to be sent to the ISP, which can generate SALT from RAND with the same function h. One example of a usable sheltering random challenge is simply to reuse the random challenge RAND as SALT, in which case h is the identity function.
The function h can be a public function, or a function associated with and distributed under a business agreement between the ISP and the legal party (for example the home operator) behind the evaluation/payment management device.
The sheltering function f, with which the evaluation/payment management device generates the sheltered expected response on the one hand and the ISP calculates the sheltered user response on the other, can be a one-way function and/or a hash function. Preferably, the sheltering function is a cryptographic hash function, having the one-way property and the property that it is infeasible to find two different inputs that hash to a common value.
The sheltering function f can be a public function, or a private function known to the evaluation/payment management device and the ISP. In the latter case, the private sheltering function can be associated with a business agreement between the ISP and the legal party (for example a given home operator) behind the evaluation/payment management device. If that legal party, for example a home operator, has such business agreements with several different ISPs, the operator can use a corresponding private function for each ISP, so that each operator-provider agreement is represented by its own private sheltering function.
For a smooth migration with respect to existing infrastructure, the ISP is preferably notified whether a sheltering function was used when calculating the distributed expected response. The protocol used to distribute the evaluation parameters is therefore preferably extended with such an indication. Likewise, if there is a choice between different sheltering functions, the protocol can also include an indication of which sheltering function to use.
If an online procedure is desired, as shown in Fig. 7B, the evaluation evidence information and the service agreement authorization information are forwarded more or less directly from the ISP to the evaluation/payment management device.
The basic exemplary signal exchange is summarized below:
1. RAND, AUTN, XRES', [SALT]
2. RAND, AUTN, COST_UNIT
3. RES, COST_MAC
The ISP generates RES' and checks whether the sheltered response RES' equals the sheltered expected response XRES'. The signaling then continues.
4. RES, COST_UNIT, COST_MAC
At the operator's side, RES and COST_MAC are compared with XRES and XMAC, respectively. If verification succeeds, the keys are transferred securely to the ISP.
5. Ik, Ck
As mentioned earlier, for online verification of the service agreement, either the dedicated endorsement key Rk or the integrity key Ik can be used as the endorsement key for calculating the COST_MAC and XMAC parameters.
For more information on the sheltering procedure, reference is made to our co-pending US patent application Serial No. 10/278,362, filed October 22, 2002, which is incorporated herein.
Exemplary methods based on credit notes
Below we describe some examples of AKA-integrated approval of service agreements that use a credit-note-based method.
Payment systems based on credit notes are generally well known in the literature; see for example US patent 5,739,511.
One particular credit note system is based on the idea of hashing a BASE_TICKET repeatedly, a given number N of times, with a known hash function to obtain a START_TICKET:
START_TICKET=HASH(HASH(..HASH(BASE_TICKET))),
where BASE_TICKET usually corresponds to TICKET_N and START_TICKET corresponds to TICKET_0. The paying party generates the preimage of START_TICKET or of the last TICKET used. The party receiving payment can then check that this preimage hashes to that credit note. Because the credit notes are related to one another by the hash function, or another suitable one-way function, START_TICKET can be obtained from any later credit note by applying this function repeatedly. This means that the progress of the payment transaction can be checked without repeating a complex and time-consuming verification process. The number of times the hash function has to be applied to obtain the start credit note is directly related to the number of credit notes consumed by the user of the service.
A condition for such a credit-note-based system to be secure is that the base credit note is unpredictable. The base credit note can therefore be formed as a hash of the concatenation of some random entity and other known information elements.
According to the invention, the approval scheme described earlier, and its variants, can be extended so that the user returns a START_TICKET and a cryptographic approval MAC over START_TICKET and COST_UNIT (denoted TICKET_MAC), allowing payment for a number of events/services to be approved without repeating the agreement with the operator or carrying out a new user evaluation.
There are several variants of how START_TICKET is generated. The main feature is that the ISP should be able to verify that START_TICKET is genuine and was sent by, or on behalf of, a user who has been evaluated successfully.
One particular solution for credit note generation is that the user generates BASE_TICKET and derives START_TICKET. The user then uses an endorsement key (such as Rk) to calculate the approval TICKET_MAC over START_TICKET and COST_UNIT, and sends START_TICKET and TICKET_MAC to the ISP. The ISP either stores the authorization information for possible later verification in an offline procedure, or sends this message online to the operator's side, which verifies TICKET_MAC in order to accept the credit note.
Fig. 8 A is based on the approval of cradit note and the exemplary signal exchange schematic diagram of possible off-line verification.
Summed up basic exemplary signal exchange below:
1.RAND、AUTN、Ik、Ck、XRES
The ISP generates relevant service agreement information, lifts the row explanation by expense parameters C OST_UNIT here, and preferably this information and essential AKA parameter is sent to the user.
2.RAND、AUTN、COST_UNIT
If customer inspection AUTN no problem, just calculates RES, key Ik, Ck, preferably also has Rk.The user generates BASE_TICKET and obtains START_TICKET by repeating the selected number of times of hash.Rk is used to calculate TICKET_MAC subsequently on START_TICKET and COST_UNIT, and TICKET_MAC=MAC (Rk, START_TICKET||COST_UNIT).If wish to have tangible randomization, also can be according to MAC (Rk, START_TICKET||COST_UNIT||RAND) calculating TICKET_MAC.TICKET_MAC and START_TICKET are returned to the ISP together with RES.
3.RES、START_TICKET、TICKET_MAC
The ISP is that later service agreement proof keeps authorization information, for example user ID, RAND, COST_UNIT and COST_MAC.
Because cradit note is used by the user, the ISP can check TICKET-i-=HASH (TICKET-i) for each bill, perhaps can obtain START-TICKET by using hash function repeatedly.If desired or request, the ISP can transmit authorization information afterwards, as COST_UNIT, START_TICKET, LAST_TICKET and TICKET_MAC, to the evaluation/payment management device of operator end.This makes evaluation/payment management device can verify that TICKET_MAC and definite cradit note quantity that is consumed are so that collect suitable expense to the user.
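The credit note chain described above, as an added Python example that is not part of the patent text. It covers the ISP's incremental check TICKET_(i-1) = HASH(TICKET_i) and the operator's settlement from START_TICKET, LAST_TICKET and TICKET_MAC. SHA-256 and HMAC-SHA256 are assumptions (the text names no algorithms), and Rk is a constructed random value standing for the key derived from Ki and RAND.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional


def ticket_hash(ticket: bytes) -> bytes:
    return hashlib.sha256(ticket).digest()


def make_chain(base_ticket: bytes, n: int) -> List[bytes]:
    """Return [TICKET_0, ..., TICKET_N], where TICKET_N is BASE_TICKET and
    TICKET_0 = HASH applied N times to BASE_TICKET is START_TICKET."""
    chain = [base_ticket]
    for _ in range(n):
        chain.append(ticket_hash(chain[-1]))
    chain.reverse()
    return chain


def ticket_mac(rk: bytes, start_ticket: bytes, cost_unit: bytes) -> bytes:
    # TICKET_MAC = MAC(Rk, START_TICKET || COST_UNIT). START_TICKET is a
    # fixed-length digest, so the concatenation is unambiguous.
    return hmac.new(rk, start_ticket + cost_unit, hashlib.sha256).digest()


class TicketAcceptor:
    """ISP side: a credit note is accepted only if it hashes to the previous one."""

    def __init__(self, start_ticket: bytes):
        self.start_ticket = start_ticket
        self.last_ticket = start_ticket
        self.accepted = 0

    def accept(self, ticket: bytes) -> bool:
        if not hmac.compare_digest(ticket_hash(ticket), self.last_ticket):
            return False  # replayed, skipped or forged credit note
        self.last_ticket = ticket
        self.accepted += 1
        return True


def settle(rk: bytes, cost_unit: bytes, start_ticket: bytes,
           last_ticket: bytes, mac: bytes, max_tickets: int) -> Optional[int]:
    """Operator side: verify TICKET_MAC, then count how many hash steps lead
    from LAST_TICKET back to START_TICKET. None means the evidence is rejected."""
    if not hmac.compare_digest(ticket_mac(rk, start_ticket, cost_unit), mac):
        return None
    ticket = last_ticket
    for consumed in range(max_tickets + 1):
        if hmac.compare_digest(ticket, start_ticket):
            return consumed
        ticket = ticket_hash(ticket)
    return None


def demo():
    rk = secrets.token_bytes(32)          # constructed stand-in for Rk
    cost_unit = b"COST_UNIT=2"            # constructed service agreement data
    chain = make_chain(secrets.token_bytes(32), 5)
    mac = ticket_mac(rk, chain[0], cost_unit)

    isp = TicketAcceptor(chain[0])
    results = [isp.accept(chain[1]),
               isp.accept(chain[2]),
               isp.accept(chain[2]),      # replay of a spent credit note
               isp.accept(chain[3])]
    consumed = settle(rk, cost_unit, isp.start_ticket, isp.last_ticket, mac, 5)
    return results, consumed


if __name__ == "__main__":
    print(demo())
```

The `max_tickets` bound keeps the operator from hashing indefinitely when an ISP submits a LAST_TICKET that does not belong to the chain.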
Fig. 8 B is based on the approval of cradit note and the exemplary signal exchange schematic diagram of off-line verification.This example relates to that the online user identifies and to the checking of service agreement based on cradit note.
Summed up the basic example handshaking below:
1.RAND、AUTN
The ISP generates relevant service agreement information to be transferred to the user, as service fee parameters C OST_UNIT.
2.RAND、AUTN、COST_UNIT
If customer inspection AUTN no problem, just calculates RES, key Ik and Ck, preferably also has Rk.The user generates BASE_TICKET and obtains START_TICKET, calculates TICKET_MAC then.TICKET_MAC and START_TICKET are returned to the ISP together with RES.
3.RES、START_TICKET、TICKET_MAC
For online evaluation and checking, the ISP transmits RES and holds to operator.Can be simultaneously to RES additional COST_UNIT, START_TICKET and TICKET_MAC.
4.RES、COST_UNIT、START_TICKET、TICKET_MAC
Evaluation/payment management device checks whether RES equals the XMAC whether Expected Response (XRES) and TICKET_MAC equal to expect.If these conditions all satisfy, just key is issued the ISP.
5.Ik、Ck
The user brings into use cradit note subsequently, and the ISP checks cradit note.The LAST_TICkET that receives finally is transmitted to operator's end from the ISP, with the subsequent treatment of verifying and paying the bill.
Fig. 9 is a schematic diagram of an exemplary signal exchange for credit-note-based approval in which the base credit note is prepared by the evaluation/payment management device on behalf of the user. In this example, the operator's end generates BASE_TICKET, and derives START_TICKET, on the basis of the COST_UNIT information and other relevant information received from the ISP (or prepared by the operator on behalf of the ISP). The operator then uses an endorsement key (such as Rk) to encrypt BASE_TICKET as ENC_TICKET = ENC(Rk, BASE_TICKET) and sends it to the ISP together with START_TICKET. The ISP then forwards ENC_TICKET to the user, preferably together with RAND and AUTN, and the user can extract BASE_TICKET by decryption. The user can then derive START_TICKET and, once the ISP has access to the necessary session keys Ik and Ck, start consuming credit notes. Because only the user can decrypt BASE_TICKET and thus generate the correct preimages, approval is guaranteed.
The basic exemplary signal exchange is summarized below:
1. RAND, AUTN, ENC_TICKET, START_TICKET
2. RAND, AUTN, ENC_TICKET
The user checks AUTN and, if it is in order, calculates RES and the keys Ik and Ck, and preferably also Rk. The user obtains BASE_TICKET by decrypting ENC_TICKET with Rk, and then derives START_TICKET. The user returns RES to the ISP.
3. RES
For online user evaluation, the ISP forwards RES to the operator's end.
4. RES
The evaluation/payment management device checks whether RES equals the expected response XRES and, after successful evaluation, sends the session keys to the ISP.
5. Ik, Ck
The user then starts consuming credit notes, and the ISP checks them. The LAST_TICKET received is forwarded from the ISP to the operator for verification and subsequent payment processing.
It should be understood that the approval phase of the overall signaling need not include the credit note procedure itself; that procedure must then be carried out later.
General contract signature
As indicated earlier, the service agreement information can be a general electronic contract. For signing general electronic contracts, one specially designed embodiment that allows offline verification by the ISP involves sheltering both the expected authorization information generated by the service agreement manager and the user-signed authorization information with local instances of the same sheltering function.
The solution below for signing contracts that contain a variety of service agreement information resembles, in its basic form, the credit-note-based payment system described above, and it uses the same sheltering mechanism as the proof of user evaluation.
This solution is based on the assumption that the user and a generic service agreement manager share a key. Where the focus is mainly on the payment part of the overall process, the service agreement manager is sometimes referred to below as the payment provider. If the payment provider is a cellular GSM/UMTS operator, such a shared key exists and is stored in the (U)SIM on the user side. A relatively general setup is shown in Figure 10.
Preferably, ISP 20 or payment provider 30 prepares the contract to be signed by user 10. Normally the contract is then distributed securely to all parties concerned. The payment provider at the operator's end computes a keyed hash of the contract using the shared key in a keyed hash function; the result is denoted the contract signature MAC. The keyed hash function can be implemented as a true keyed hash or as a hash followed by a keyed function. A particular solution suited to the AKA and (U)SIM case is to hash the contract into a variable RAND_CONT corresponding to the ordinary RAND of the AKA process, and then to input RAND_CONT to the AKA process, generating in this way a signature MAC corresponding to the ordinary RES. The signature MAC can also be generated with the help of one of the keys resulting from the AKA process. This usually assumes that a correct AUTN variable is available or that the sequence number checking mechanism is disabled.
The signature MAC is then passed through a (public) sheltering function (a generalization of the sheltering function f mentioned earlier). The sheltering function is a cryptographic hash function, that is, it is infeasible in practice to find a preimage of the function's output. The sheltered signature MAC is sent to ISP 20, which uses it to verify the user's contract signature.
When the user signs the contract, the user likewise uses the shared key and calculates the signature MAC with the keyed hash function. The user sends the signature MAC to the ISP, which knows the public sheltering function and can therefore check the signature.
To give the user a simple way to check the authenticity of the contract, the sheltered signature MAC can be sent to the user along with the contract itself. The contract can also include other information used in the complete payment process, for example the SALT used in the public sheltering function.
When the AKA process is used, the contract signing idea amounts to letting the RAND of the AKA process be the HASH of the contract data that the user is to sign.
Figure 11 is when re-using the AKA process, the exemplary signal exchange schematic diagram that the signature of the contract of Figure 10 realizes.
When the service request that receives from the user, if the ISP is the user ID contract CONT that receives to be prepared also will be transmitted to the service agreement manager together with it by the ISP.The service agreement manager function y of CONT as agreed generates RAND_CONT.(Ki, RAND_CONT) the signature MAC of calculation expectation is expressed as XMAC to the service agreement manager according to Ki and RAND_CONT:XMAC=g subsequently.This signature MAC is sheltered to the signature of the expectation after sheltering MAC by the generic mask function m subsequently, is expressed as XMAC ', also can select to shelter the additional input of function with sheltering inquiry RAND/SALT at random as this.
1.XMAC’、RAND/SALT
The ISP transmits contract CONT subsequently and gives the user.
2.CONT
If RAND_CONT does not transmit from operator end, the user just generates it with the example of function y, and according to Ki and RAND_CONT calculate user's signature MAC:MAC=g (Ki, RAND_CONT).This MAC is forwarded to the ISP.
3.MAC
User's signature MAC after service provides the example calculation of available subsequently generic mask function m to shelter is expressed as MAC ', and the MAC ' that finally relatively calculates and the XMAC ' that receives from operator's termination are with the checking contract.Preferably, the ISP keeps the authorization information as MAC, RAND_CONT/CONT and USER ID.If be subjected to service agreement manager inquiry or wish the service agreement manager at line process, the ISP can be transmitted to the service agreement manager to this authorization information.
The service agreement manager verifies subsequently whether MAC equals XMAC, and is equal then mean that service agreement based on contract has obtained final checking and the user has impliedly passed through evaluation.
The new features of general contract signature process are that the verification msg after its permission is sheltered by introducing by the ISP is carried out off-line verification.In other words, the contract that carries out between ISP (SP) and the operator is prepared can to separate from the contract signature/checking of carrying out between user and the ISP (SP) in time.The using naturally of this scheme comprise when in the session of a SP-operator for the same subscriber under the different condition (for example, in different time or different service class) or condition of similarity under the situation of a plurality of users (for example, when the order purpose is provided) when preparing many parts of contracts.
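The exchange of Figure 11 (messages 1 to 3, the ISP's offline comparison of MAC' with XMAC', and the later check MAC = XMAC at the service agreement manager) can be traced in the following added example, which is not code from the patent. HMAC-SHA256 for g, SHA-256 for y and m, the user ID and the contract string are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def y(contract: bytes) -> bytes:
    """y: hash the contract into RAND_CONT, the 128-bit stand-in for RAND."""
    return hashlib.sha256(contract).digest()[:16]


def g(ki: bytes, rand_cont: bytes) -> bytes:
    """g: keyed response function. HMAC-SHA256 is an assumption of this sketch."""
    return hmac.new(ki, rand_cont, hashlib.sha256).digest()


def m(mac: bytes, salt: bytes) -> bytes:
    """m: public one-way masking function (salted SHA-256, an assumption)."""
    return hashlib.sha256(salt + mac).digest()


class ServiceAgreementManager:
    """Operator side: shares Ki with each user."""

    def __init__(self):
        self._ki = {}

    def enroll(self, user_id: str) -> bytes:
        self._ki[user_id] = secrets.token_bytes(16)
        return self._ki[user_id]

    def prepare(self, user_id: str, contract: bytes):
        """Message 1: return (XMAC', SALT); XMAC itself never leaves."""
        salt = secrets.token_bytes(16)
        xmac = g(self._ki[user_id], y(contract))
        return m(xmac, salt), salt

    def verify(self, user_id: str, contract: bytes, mac: bytes) -> bool:
        """Final check MAC == XMAC on evidence presented by the ISP."""
        return hmac.compare_digest(mac, g(self._ki[user_id], y(contract)))


class User:
    def __init__(self, ki: bytes):
        self._ki = ki

    def sign(self, contract: bytes) -> bytes:
        """Message 3: MAC = g(Ki, y(CONT))."""
        return g(self._ki, y(contract))


class ServiceProvider:
    def __init__(self):
        self.evidence = []  # (USER ID, CONT, MAC) kept for later disputes

    def check(self, user_id, contract, mac, xmac_masked, salt) -> bool:
        """Offline check: MAC' = m(MAC, SALT) must equal XMAC'."""
        ok = hmac.compare_digest(m(mac, salt), xmac_masked)
        if ok:
            self.evidence.append((user_id, contract, mac))
        return ok


def run_exchange() -> dict:
    manager, isp = ServiceAgreementManager(), ServiceProvider()
    user = User(manager.enroll("user-1"))
    contract = b"SP_ID=sp.example;service=video;price=3 COST_UNIT"  # constructed
    altered = contract.replace(b"price=3", b"price=30")

    xmac_masked, salt = manager.prepare("user-1", contract)      # 1. XMAC', SALT
    mac = user.sign(contract)                                    # 2. CONT  3. MAC
    results = {"isp_accepts": isp.check("user-1", contract, mac, xmac_masked, salt)}

    # The user was shown different terms than the manager prepared: rejected.
    results["isp_accepts_altered"] = isp.check(
        "user-1", altered, user.sign(altered), xmac_masked, salt)
    # Dispute: the ISP presents its stored evidence to the manager.
    uid, cont, stored_mac = isp.evidence[0]
    results["manager_confirms"] = manager.verify(uid, cont, stored_mac)
    # The ISP cannot inflate the price afterwards: MAC does not cover `altered`.
    results["manager_confirms_altered"] = manager.verify(uid, altered, stored_mac)
    # Holding only XMAC' does not let the ISP produce a valid MAC.
    results["masked_value_as_mac"] = manager.verify(uid, cont, xmac_masked)
    return results


if __name__ == "__main__":
    print(run_exchange())
```

Because the ISP only ever holds XMAC' before the user signs, a MAC that passes both checks is evidence that a holder of Ki processed exactly this contract.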
Separation of key material
In another approach, returning once more to AKA-integrated non-repudiation of service agreements, the AKA data can be used as secure input to a pseudo-random function (PRF) to derive a new set of AKA data and/or a non-repudiation key.
In this example, rather than directly extending the AKA procedure to generate an additional key Rk, the keys Ck and Ik can be used as secure input to a pseudo-random function that is used to obtain a new confidentiality key Ck' and integrity key Ik', a non-repudiation key (Rk) and a new response (RES'). Ck' and Ik' are used and distributed instead of Ck and Ik. In this way the AKA scheme, which is often implemented in a smart card, does not have to be changed.
A main benefit is that the key material used for GSM/UMTS can be separated from the key material used for user authentication and non-repudiation when accessing services. Thus, even if the keying material used for a service is lost or stolen, it cannot be used to access the basic communication services.
A variant of the separation step is to use it to generate a new shared key that is then used in a complete AKA scheme.
If we denote keying material in general by K(i), the derivation step can be written K(i+1) = PRF(K(i), SALT), where PRF is a pseudo-random function. SALT should contain random information and can contain information that is unique to, for example, the service and/or the ISP. For example, the PRF may be implemented as in the Secure Real-time Transport Protocol (SRTP).
Although K(i) is normally output data from the basic AKA, it should be understood that other data can also be used as parameters of the PRF function. In addition, the number of input parameters and result variables may vary with the particular application.
Figure 12A is an exemplary signal exchange diagram of AKA-integrated non-repudiation of service agreements based on separate sets of keying material, with possible online verification.
The authentication/payment manager generates the ordinary AKA data from the secret key Ki and the random challenge RAND. Let K(0) = [Ck, Ik, XRES]. The authentication/payment manager computes K(1) = [Ck', Ik', Rk, XRES'] = PRF(K(0), RAND/SALT). SALT can be equal to a combination of RAND and the ISP ID SP_ID.
1. RAND, AUTN, Ik', Ck', XRES', [SALT]
2. RAND, AUTN, COST_UNIT, [SALT]
The user checks AUTN as usual. He then runs AKA to obtain K(0) = Ik, Ck, RES and applies the PRF to K(0) to obtain K(1) = Ck', Ik', Rk and RES'. The user also generates COST_MAC with Rk over RAND and COST_UNIT.
3. RES', COST_MAC
The ISP checks whether RES' matches the XRES' received from the operator side and stores the verification information for later retrieval when needed. If challenged, or on its own initiative, the ISP can forward the verification information to the operator side for verification of the service agreement.
Figure 12B is an exemplary signal exchange diagram of AKA-integrated non-repudiation of service agreements based on separate sets of keying material, with online verification.
1. RAND, AUTN, XRES', [SALT]
2. RAND, AUTN, COST_UNIT, [SALT]
The user checks AUTN as usual, then runs AKA to derive K(0) = Ik, Ck, RES and applies the PRF to K(0) to derive K(1) = Ck', Ik', Rk and RES'. The user also generates COST_MAC with Rk over RAND and COST_UNIT.
3. RES', COST_MAC
The ISP checks whether RES' matches the XRES' received from the operator side and forwards the verification information to the operator side for verification of the service agreement.
4. COST_UNIT, COST_MAC
If COST_MAC matches XMAC, the session keys Ik' and Ck' are transferred to the ISP for use in the communication between the ISP and the user.
5. Ck', Ik'
Naturally, the ticket-based solution described above can also be based on key material derived from the original AKA parameters.
It should be understood that separating the authentication and key material used for general network access from the authentication and key material used for accessing services offered by the ISP is a general, independent feature of the invention, which is not limited to any combination with non-repudiation of service agreements.
In the procedures above it is assumed that SALT is available at the operator side and at the user. If SALT equals RAND this is generally true, but if a SALT is to be used that contains, for example, a timestamp or other information independent of the RAND value, these values must be agreed with the user or sent to the user. A particularly important case is when the user cannot determine the real SP_ID (the ISP's identity) from the context but has to rely on received information, and this SP_ID is used as a parameter for separating the key material used for different service providers. In this case the information can be conveyed in the AUTN parameter of the standard AKA procedure, or sent in a MACed message as described above for contract signing, i.e. a keyed MAC protects the sensitive parameter. The key used for the keyed MAC should be shared only between the operator and the user, for example Ik or Rk.
This generally corresponds to generating service-specific AKA parameters from the basic AKA procedure.
Exemplary application involving a payment agent
Figure 13 is an exemplary schematic block diagram of a distributed implementation that involves an identity agent and a payment agent and uses a chain of trust established between the identity agent, the payment agent and the ISP.
In the scenario to be described we introduce an additional participant, the payment agent 40. The setup of Figure 13 thus comprises user 10, ISP 20, authentication manager 30, which shares a key with user 10, and payment agent 40. The payment agent can have relations with several operators/authentication managers; it mediates user authentication information between operator and ISP, assists in verifying the user's ability to pay, and handles payment/charging data. The payment agent can act in the role of a trusted third party that can verify the user's service agreement.
Payment can be tied to the operator with which the user has a payment relation, or it can be handled by an independent party or by the payment agent itself.
We also introduce the notion of a user identity agent, which is normally located at the operator side in association with the authentication manager. The user may want to use different identities for different services. The identity agent normally maps the user identity used for service access to the user identity used by the operator (i.e. the IMSI). The identity mapping can take place in several steps.
The relation between the user's service ID and the user's ID at the operator must be given to the identity agent. Normally the operator running the identity agent generates this pairing. For security reasons it is natural for the last identity agent function to be run by the operator.
The service ID can have several parts. One part can indicate the payment agent and the identity agent to be used. A user can of course use several payment agents for a given operator identity. When the operator cannot be derived from the user's service ID itself, the payment agent can keep a record of which operator is associated with a given user service ID.
In the following, two signaling schemes are described with reference to the scenario of Figure 13. The first is for post-paid subscribers and the second for prepaid services.
Post-paid scenario
Figure 14 is an exemplary signal exchange diagram of service agreement non-repudiation in the post-paid scenario in the setup of Figure 13.
1. User service ID including the payment agent ID: USER_SERVICE_ID, PB_ID
2. USER_SERVICE_ID, SP_ID
The payment agent knows which operator/identity agent this user service ID is associated with.
3. USER_SERVICE_ID, SP_ID, PB_ID
The operator, acting in the identity agent role, maps USER_SERVICE_ID to the operator-internal ID (IMSI) and obtains the corresponding AKA parameters RAND, AUTN and K(0) = [Ck, Ik, XRES]. The operator derives K(1) = [Ck', Ik', XRES] = PRF(K(0), [RAND, PB_ID]), where PB_ID is the payment agent ID and RAND is optional. By making K(1) depend explicitly on PB_ID, the keying material is bound to the specific payment agent.
4. RAND, AUTN, Ck', Ik', (SP_ID||PB_ID, keyed MAC(Ik, SP_ID||PB_ID))
The keys Ck' and Ik' are used for secure communication between the payment agent and the user. Thus Ik' can serve as the non-repudiation key when computing COST_MAC, and Ck' can be used for deriving, for example, ENC_TICKET.
The payment agent then derives K(2) = [Ck'', Ik'', XRES''] = PRF(K(1), [RAND, SP_ID]).
5. RAND, AUTN, Ck'', Ik'', XRES'', (SP_ID||PB_ID, keyed MAC(Ik, SP_ID||PB_ID))
6. RAND, AUTN, COST_UNIT, (SP_ID||PB_ID, keyed MAC(Ik, SP_ID||PB_ID))
The user checks AUTN and uses the shared key Ki, the received RAND and the pseudo-random function to compute K(0), K(1) and K(2).
7. RES''
The ISP checks RES'' and determines the user's authentication level. The ISP now uses Ck'' and Ik'' to secure the connection to the user.
When a service is invoked for which the user must pay, the user should send COST_MAC.
8. COST_MAC
9. COST_UNIT, COST_MAC
The payment agent verifies COST_MAC and starts the payment procedure.
10. OK
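The derivation K(i+1) = PRF(K(i), SALT) from the key separation section and the chain K(0), K(1), K(2) of the post-paid exchange above are worked through in the following added example, which is not code from the patent. The HMAC-SHA256 based PRF, the toy `aka` function standing in for the real AKA algorithms, the identifiers `pb.example` and `sp.example`, and the charge values are assumptions; COST_MAC is keyed with Ik' as the text permits.

```python
import hashlib
import hmac
import secrets
from typing import NamedTuple


class KeySet(NamedTuple):
    ck: bytes   # confidentiality key
    ik: bytes   # integrity key (Ik' doubles as the COST_MAC key)
    res: bytes  # (expected) response


def _expand(key: bytes, info: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stand-in PRF core (assumption)."""
    out, counter = b"", 1
    while len(out) < length:
        out += hmac.new(key, info + bytes([counter]), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def aka(ki: bytes, rand: bytes) -> KeySet:
    """Toy replacement for the AKA functions: K(0) = [Ck, Ik, RES]."""
    block = _expand(ki, b"AKA" + rand, 40)
    return KeySet(block[:16], block[16:32], block[32:])


def prf(k: KeySet, rand: bytes, party_id: str) -> KeySet:
    """K(i+1) = PRF(K(i), [RAND, ID]); the ID binds the keys to one party."""
    salt = len(rand).to_bytes(2, "big") + rand + party_id.encode()
    block = _expand(k.ck + k.ik + k.res, salt, 40)
    return KeySet(block[:16], block[16:32], block[32:])


def cost_mac(ik: bytes, rand: bytes, cost_unit: str) -> bytes:
    """COST_MAC over RAND and COST_UNIT under the non-repudiation key."""
    return hmac.new(ik, rand + cost_unit.encode(), hashlib.sha256).digest()


def run_postpaid() -> dict:
    pb_id, sp_id = "pb.example", "sp.example"   # constructed identifiers
    ki, rand = secrets.token_bytes(16), secrets.token_bytes(16)

    # Operator / identity agent: K(0) stays here, only K(1) goes to the agent.
    k1_agent = prf(aka(ki, rand), rand, pb_id)
    # Payment agent: keeps K(1), hands only K(2) to the ISP.
    k2_isp = prf(k1_agent, rand, sp_id)

    # User terminal recomputes the whole chain from Ki and the received RAND.
    k0 = aka(ki, rand)
    k1 = prf(k0, rand, pb_id)
    k2 = prf(k1, rand, sp_id)

    results = {"isp_authenticates_user": hmac.compare_digest(k2.res, k2_isp.res)}

    # User commits to the charge with Ik'; the payment agent verifies it.
    tag = cost_mac(k1.ik, rand, "3")
    results["agent_accepts_cost"] = hmac.compare_digest(
        tag, cost_mac(k1_agent.ik, rand, "3"))
    # The ISP only holds K(2); a tag made with Ik'' for a higher charge fails.
    forged = cost_mac(k2_isp.ik, rand, "30")
    results["agent_accepts_forgery"] = hmac.compare_digest(
        forged, cost_mac(k1_agent.ik, rand, "30"))
    # A second ISP gets unrelated keys from the same K(1).
    k2_other = prf(k1_agent, rand, "other-sp.example")
    results["keys_separated"] = len({k0.ck, k1.ck, k2.ck, k2_other.ck}) == 4
    return results


if __name__ == "__main__":
    print(run_postpaid())
```

Each party holds only its own level of the chain, so a key set leaked at the ISP exposes neither the COST_MAC key nor the network-access keys Ck and Ik.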
Prepaid scenario
Figure 15 is an exemplary signal exchange diagram of service agreement non-repudiation in the prepaid scenario in the setup of Figure 13.
Here we show the case where the user uses a prepaid account and receives tickets that in this case are generated by the payment agent. The transfer of the context information needed to derive the separated AKA parameters is omitted here.
1. USER_SERVICE_ID, PB_ID
2. USER_SERVICE_ID, COST_UNIT, SP_ID
The payment agent knows which operator/identity agent USER_SERVICE_ID is associated with.
3. USER_SERVICE_ID, COST_UNIT, SP_ID, PB_ID
The operator maps USER_SERVICE_ID to the operator-internal ID (IMSI), obtains the corresponding AKA parameters RAND and AUTN, and generates K(0) = [Ck, Ik, XRES]. The operator derives K(1) = [Ck', Ik', XRES'] = PRF(K(0), [RAND, PB_ID]), where PB_ID is the payment agent ID and RAND is optional. By making K(1) depend explicitly on PB_ID, XRES' and the key material are bound to the specific payment agent.
The operator also checks the user's prepaid account. Depending on the policy applied, the operator reserves a number N# of COST_UNITS on the user account and sends N# to the payment agent.
4. RAND, AUTN, Ck', Ik', N#
The payment agent generates BASE_TICKET and, using Ck' as the encryption key, computes START_TICKET and ENC_TICKET. START_TICKET is generated so that it is valid for some number N'# of COST_UNITS that is less than N#.
The payment agent then derives K(2) = [Ck'', Ik'', RES''] = PRF(K(1), [RAND, SP_ID]).
5. RAND, AUTN, Ck'', Ik'', XRES'', ENC_TICKET, START_TICKET
6. RAND, AUTN, COST_UNIT, START_TICKET, ENC_TICKET
The user checks AUTN and uses the shared key Ki, the received RAND and the pseudo-random function to compute K(0), K(1) and K(2).
7. RES''
The ISP checks RES'' and uses Ck'' and Ik'' to secure the connection to the user.
When a service is invoked for which the user must pay, the user should send a TICKET to the ISP. For this purpose the user decrypts ENC_TICKET and applies the HASH function repeatedly to check the number of tickets he has and to check whether START_TICKET is valid.
The user then sends a TICKET, denoted TICKET_i.
8. TICKET_i
The ISP checks the received ticket. When the session is closed, the ISP sends the last ticket received to the payment agent.
9. LAST_TICKET
The payment agent checks the received ticket and generates a charging record, which is sent to the operator.
10. CHARGING_RECORD
Finally, the user account is adjusted accordingly.
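The ticket handling in messages 5 to 9 above is sketched in the following added example, which is not code from the patent. It assumes that START_TICKET is BASE_TICKET hashed once per COST_UNIT with SHA-256 and that TICKET_i is the preimage one step further back along that chain; the encryption of BASE_TICKET into ENC_TICKET under Ck' is left out, so the user is taken to have decrypted it already.

```python
import hashlib
import hmac
import secrets


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def hash_n(x: bytes, n: int) -> bytes:
    for _ in range(n):
        x = H(x)
    return x


class PaymentAgent:
    def issue(self, n_units: int):
        """Return (BASE_TICKET, START_TICKET) valid for n_units COST_UNITs."""
        self._n = n_units
        base = secrets.token_bytes(32)
        self._start = hash_n(base, n_units)
        return base, self._start

    def settle(self, last_ticket: bytes) -> int:
        """Units to charge: hashes needed to get from LAST_TICKET to START_TICKET."""
        x = last_ticket
        for used in range(self._n + 1):
            if hmac.compare_digest(x, self._start):
                return used
            x = H(x)
        raise ValueError("LAST_TICKET is not on the issued chain")


class UserWallet:
    def __init__(self, base: bytes, start: bytes, max_units: int = 1000):
        """Count the tickets by hashing BASE_TICKET until START_TICKET appears."""
        x = base
        for n in range(1, max_units + 1):
            x = H(x)
            if hmac.compare_digest(x, start):
                self._base, self.total, self.spent = base, n, 0
                return
        raise ValueError("START_TICKET does not match BASE_TICKET")

    def next_ticket(self) -> bytes:
        if self.spent == self.total:
            raise ValueError("no tickets left")
        self.spent += 1
        return hash_n(self._base, self.total - self.spent)  # TICKET_i


class ServiceProvider:
    def __init__(self, start: bytes):
        self.last, self.count = start, 0

    def accept(self, ticket: bytes) -> bool:
        """TICKET_i is valid only if it hashes to the previously accepted value."""
        if not hmac.compare_digest(H(ticket), self.last):
            return False
        self.last, self.count = ticket, self.count + 1
        return True


def run_prepaid() -> dict:
    agent = PaymentAgent()
    base, start = agent.issue(5)          # base reaches the user inside ENC_TICKET
    wallet, isp = UserWallet(base, start), ServiceProvider(start)
    t1, t2, t3 = (wallet.next_ticket() for _ in range(3))
    results = {"accepted": [isp.accept(t) for t in (t1, t2, t3)]}
    results["replay_rejected"] = not isp.accept(t2)
    results["units_charged"] = agent.settle(isp.last)     # 9. LAST_TICKET
    try:
        agent.settle(secrets.token_bytes(32))             # value off the chain
        results["bogus_rejected"] = False
    except ValueError:
        results["bogus_rejected"] = True
    return results


if __name__ == "__main__":
    print(run_prepaid())
```

Under these assumptions the ISP can only present a LAST_TICKET that the user actually released, so the number of hash steps back to START_TICKET bounds what can be charged.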
Re-authentication
The ISP may, for various reasons, want to be able to re-authenticate the user. One way of achieving this is to generate K(n) repeatedly, i.e. at the n-th authentication the keying material K(n+1) = PRF(K(n), [RAND, SP_ID]) is used. This means that the ISP has access to an instance of the pseudo-random function PRF so that it can generate the required authentication parameters and session keys. In short, the ISP uses the pseudo-random function to generate new session keys and the expected response of order n+1, and sends RAND to the user in a re-authentication request. The user then uses the pseudo-random function to generate the new session keys and the user response of order n+1, and returns the generated user response of order n+1 to the ISP. The ISP can then verify the received response and start communicating with the user on the basis of the new session keys.
Preferably, n is sent to the user, and the user can keep a simple replay list to guard against replay attacks.
Implementation aspects
The steps, actions and algorithms described above can be implemented in software, in hardware, or in any combination thereof. For hardware implementations, ASIC (application-specific integrated circuit) technology or any other conventional circuit technology can be used. Although dedicated tamper-resistant hardware is preferred for security reasons, a suitably protected software implementation is often more convenient.
Figure 16 is a schematic block diagram illustrating an example of a service agreement manager according to a preferred embodiment of the invention. The service agreement manager 30 of Figure 16 basically comprises a communication interface 31 to external communication links, a database 32, an authentication and keying unit 33, a verification unit 36, an optional ticketing unit 37 and a payment/charging unit 38. Database 32 holds information such as user IDs and the associated key Ki. The authentication and keying unit 33 generates the relevant authentication and key parameters and can hold the optional masking and pseudo-random functions used in the various embodiments. Verification unit 36 performs the relevant computations and/or comparisons to verify whether the user has accepted the given service agreement. The optional ticketing unit 37 can generate the relevant tickets on behalf of the user and/or perform ticket verification. As its name suggests, payment unit 38 handles the transfer of payments and ensures that the correct account is charged correctly.
Figure 17 is a schematic block diagram illustrating an example of an ISP according to a preferred embodiment of the invention. The ISP 20 of Figure 17 basically comprises a communication interface 21 to external communication links, a contract preparation unit 22, an optional authentication unit 23, an information forwarding and/or storage unit 25 and an optional verification unit 26. In contract preparation unit 22 the ISP normally prepares the relevant service agreement information according to the requested service and the current conditions of use of the service. Alternatively, contract preparation can be performed by another party on behalf of the ISP, but such external contract preparation is normally still initiated by the ISP. For masked contract signatures and/or user authentication, the ISP can verify the accepted service agreement in verification unit 26 and/or authenticate the user in authentication unit 23. In an offline procedure, the ISP may want to store verification information in unit 25 in order to forward it later to service agreement manager 30 or to another party designated by the service agreement manager.
Figure 18 is a schematic block diagram illustrating an example of a user terminal according to a preferred embodiment of the invention. The user terminal 10 of Figure 18 basically comprises a communication interface 11 to external communication links and a tamper-resistant module 12. The tamper-resistant module may be similar to the SIM or USIM card of a mobile device and comprises an I/O unit 101, an AKA algorithm unit 102, a securely implemented (encapsulated) shared key Ki 103, a cryptographic processing unit 104 for purposes such as MAC computation/decryption, and an optional ticketing unit 105 for ticket-based non-repudiation. Functions such as the cryptographic processing can even be implemented as software in the (U)SIM application toolkit environment of a (U)SIM, with a suitable interface between the AKA unit and the application toolkit environment.
The embodiments described above are given merely as examples, and it should be understood that the invention is not limited to them. Further modifications, changes and improvements that retain the basic underlying principles disclosed and claimed here are within the scope and spirit of the invention.

Claims (46)

1. A method for non-repudiation of a service agreement between a user and an ISP in a communication system, said method comprising the steps of:
- securely sharing a key between a user terminal and a service agreement manager, said ISP having a trust relation with said service agreement manager;
- preparing service agreement information;
- cryptographically processing said service agreement information based on said shared key to generate user-signed service agreement verification information;
- forwarding said user-signed verification information to said ISP to enable verification of the service agreement based on the trust relation between said ISP and said service agreement manager.
2. The method according to claim 1, wherein said step of cryptographically processing the service agreement information is securely implemented in said user terminal to generate said user-signed verification information.
3. The method according to claim 1 or 2, wherein said step of cryptographically processing the service agreement information is performed based on a non-repudiation key derived locally from said shared key.
4. The method according to claim 2, further comprising the steps of:
- generating, at said service agreement manager, expected verification information based at least partly on said service agreement information and said shared key;
- verifying, at said service agreement manager, whether said user-signed verification information corresponds to said expected verification information.
5. The method according to claim 2, wherein said user-signed verification information is generated in said user terminal in response to a random challenge initiated from said service agreement manager and to said service agreement information.
6. The method according to claim 2, wherein said user-signed verification information is generated at the user side based on a ticket initiated at the user side and on said service agreement information.
7. The method according to claim 1, wherein said step of preparing service agreement information is initiated by said ISP.
8. The method according to claim 1, wherein said step of cryptographically processing the service agreement information comprises the steps of:
- said service agreement manager cryptographically processing said service agreement information based on said shared key to generate a cryptographic representation of said service agreement information, said cryptographic representation being forwarded to said user; and
- said user terminal cryptographically processing said cryptographic representation based on said shared key to generate said user-signed verification information.
9. The method according to claim 8, wherein the step of said service agreement manager performing cryptographic processing comprises the steps of:
- generating a ticket based on said service agreement information; and
- encrypting said ticket based on a non-repudiation key derived locally from said shared key; and
the step of said user terminal performing cryptographic processing comprises the step of decrypting said encrypted ticket based on said non-repudiation key derived locally from said shared key.
10. The method according to claim, wherein said service agreement information is a general electronic contract, said method further comprising the steps of:
- said service agreement manager generating expected service agreement verification information based on said shared key and said electronic contract;
- said service agreement manager masking said expected verification information by means of a masking function;
- said service agreement manager forwarding said masked expected verification information to said ISP;
- said ISP masking said user-signed verification information by means of an instance of the same masking function to generate masked user-signed verification information;
- said ISP verifying whether said masked user-signed verification information corresponds to said masked expected verification information obtained from said service agreement manager.
11. The method according to claim 10, wherein the step of said service agreement manager generating expected service agreement verification information comprises the step of using a hash of the contract as the random challenge in an ordinary challenge-response based authentication and key agreement procedure.
12. The method according to claim 10, wherein said masking function is a cryptographic hash function.
13. The method according to claim 1, wherein said non-repudiation method is integrated with a challenge-response based authentication and key agreement (AKA) procedure used for network access, said shared key being the same as the key used for AKA.
14. The method according to claim 13, wherein keying material used for service agreement non-repudiation is isolated from keying material used for said challenge-response based AKA procedure.
15. The method according to claim 14, wherein said keying material used for non-repudiation is generated by a pseudo-random function with the keying material of the AKA as input to said pseudo-random function.
16. The method according to claim 14, wherein said keying material used for non-repudiation is bound to a specific payment agent cooperating with an authentication manager, said authentication manager sharing said key with said user terminal.
17. The method according to claim 14, wherein said keying material used for non-repudiation is bound to said ISP, so that said keying material is separated from the corresponding keying material of another ISP.
18. The method according to claim 1, wherein said service agreement information comprises service charging information, and said service agreement manager is a payment supplier that handles payment for said service on behalf of the user.
19. The method according to claim 1, wherein said service agreement manager comprises a user identity agent and a payment agent arranged between said ISP and said identity agent, a chain of trust being established between the ISP, the payment agent and the identity agent, said identity agent sharing said key with said user terminal.
20. The method according to claim 19, further comprising the step of said payment agent verifying the user-signed verification information based on a non-repudiation key obtained from said identity agent and derived from said shared key.
21. be used for a kind of system of the service agreement approval between communication system user and the ISP, described system comprises:
-the device of shared key between user terminal and service protocol manager, creditable relation between described ISP and the described service agreement manager;
The device of-preparation service agreement information;
-close described service agreement information is carried out encryption according to described share, with the device of the service agreement authorization information that generates user's signature; With
-transmit the authorization information of described user's signature to described ISP, with the device that allows to service agreement be verified according to the credit relationship between described ISP and the described service agreement manager;
22., wherein described service agreement information is carried out safe being implemented in the described user terminal of described device quilt of encryption according to the system of claim 21.
23., wherein described service agreement information is carried out the described device of encryption according to operating from the local endorsement key of deriving of described shared key according to the system of claim 21 or 22.
24. the system according to claim 22 also comprises:
-at described service agreement manager, generate the device of the authorization information of expectation according to described service agreement information and described shared key to small part; With
-at described service agreement manager, whether the authorization information of verifying described user signature is corresponding to the device of the authorization information of described expectation.
25. according to the system of claim 22, the authorization information of wherein said user signature random enquire that to be response start from the service agreement manager and described service agreement information and described user terminal, generate.
26. according to the system of claim 22, the authorization information of wherein said user's signature generates in described user terminal according to initialized cradit note of user side and described service agreement information.
27. according to the system of claim 21, wherein said service agreement information is prepared by described ISP.
28. according to the system of claim 21, wherein the described device that described service agreement information is carried out encryption comprises:
-at described service agreement manager, described service agreement information is carried out encryption according to described shared key, with the device that the encryption that generates described service agreement information is represented, described encryption represents to be forwarded to described user; With
-at described user terminal, described encryption is represented to carry out encryption, with the device of the authorization information that generates described user signature according to described shared key.
29. according to the system of claim 28, wherein the described device that carries out encryption at described service agreement manager comprises:
-generate the device of cradit note according to described service agreement information; With
-according to the device of encrypting described cradit note from the local endorsement key of deriving of described shared key; And
The device for performing encryption processing in the user terminal comprises a device for decrypting the encrypted credit note according to the endorsement key derived locally from the shared key.
30. The system according to claim 21, wherein the service agreement information is a general electronic contract, and the system further comprises:
- a device for generating, at the service agreement manager, expected service agreement verification information according to the shared key and the electronic contract;
- a device for masking the expected verification information at the service agreement manager by means of a masking function;
- a device for forwarding the masked expected verification information from the service agreement manager to the ISP;
- a device for masking, at the ISP, the user-signed verification information by an identical instance of the masking function, to generate masked user-signed verification information;
- a device for verifying, at the ISP, whether the masked user-signed verification information corresponds to the masked expected verification information obtained from the service agreement manager.
31. The system according to claim 30, wherein the device for generating the expected service agreement verification information comprises a device for using a keyed hash of the contract as the random challenge in an ordinary challenge-response based authentication and key agreement process.
32. The system according to claim 30, wherein the masking function is a cryptographic hash function.
33. The system according to claim 21, wherein the endorsement system is integrated with a system for challenge-response based authentication and key agreement (AKA) for network access, and the shared key is identical to the shared key used for AKA.
34. The system according to claim 33, further comprising a device for isolating the keying material used for service agreement approval from the keying material used for the challenge-response based AKA.
35. The system according to claim 34, wherein the keying material used for approval is generated by a pseudo-random function with the keying material used for AKA as input to the pseudo-random function.
36. The system according to claim 34, wherein the keying material used for approval is bound to a specific payment agency cooperating with an authentication manager, the authentication manager sharing the key with the user terminal.
37. The system according to claim 34, wherein the keying material used for approval is bound to the ISP, so that it is isolated from the corresponding keying material used for other ISPs.
38. The system according to claim 21, wherein the service agreement information comprises service charge information, and the service agreement manager is a payment provider that handles payment for the service on behalf of the user.
39. The system according to claim 21, wherein the service agreement manager comprises a user identity agency and a payment agency arranged between the ISP and the identity agency, a chain of trust is established between the ISP, the payment agency and the identity agency, and the identity agency shares the key with the user.
40. The system according to claim 39, further comprising a device for verifying, at the payment agency, the user-signed verification information according to an endorsement key that is derived from the shared key and obtained from the identity agency.
41. A user terminal, comprising:
- a device for securely storing a key shared with an external service agreement manager, the service agreement manager having a trust relationship with an ISP;
- a device for receiving information representing a service agreement between the user and the ISP;
- a device for securely performing encryption processing on the information representing the service agreement according to the shared key, to generate user-signed service agreement verification information;
- a device for transmitting the user-signed verification information to the ISP, so that the service agreement can be verified according to the trust relationship between the ISP and the service agreement manager.
42. A service agreement manager for assisting in managing a service agreement between a user and an ISP in a communication system, the service agreement manager comprising:
- a device for securely storing a key shared with a user terminal, the service agreement manager having a trust relationship with the ISP;
- a device for receiving user-signed service agreement verification information generated by the user terminal according to information representing the service agreement and the shared key;
- a device for verifying the user-signed verification information according to the shared key, thereby confirming the user's acceptance of the service agreement.
43. An ISP for providing a service to a user in a communication system according to a given service agreement between the user and the ISP, the ISP comprising:
- a device for establishing a trust relationship with a service agreement manager, the service agreement manager sharing a key with a user terminal;
- a device for receiving, from the user terminal, user-signed verification information generated at least in part according to information representing the service agreement and the shared key;
- a device for generating masked user-signed verification information by means of a masking function;
- a device for receiving, from the service agreement manager, expected verification information masked by an identical instance of the masking function, the expected verification information being generated at least in part according to the service agreement information and the shared key;
- a device for verifying whether the masked user-signed verification information corresponds to the masked expected verification information, to confirm the user's acceptance of the service agreement.
44. A method for improved challenge-response based authentication and key agreement (AKA) involving a user, an ISP, and a network operator having a trust relationship with the ISP, the network operator and the user sharing a key for mutually generating AKA parameters, wherein the improvement consists in separating a first set of AKA parameters, managed by the network operator and used for accessing the network, from a second set of AKA parameters used for accessing a service provided by the ISP, the two sets being separated by a predefined function that takes a representation of a part of the first set of AKA parameters as input to produce the second set of AKA parameters.
45. The method according to claim 44, wherein the first set of AKA parameters and the second set of AKA parameters are generated, at the network operator side and at the user side, according to the shared key and a challenge initiated at the network operator side, and the second set of AKA parameters is securely transferred from the network operator to the ISP.
46. The method according to claim 45, wherein the ISP also generates another set of AKA parameters for the purpose of re-authentication, by means of the predefined function with at least a part of the second set of AKA parameters as input.
47. The method according to claim 44, wherein the predefined function is a pseudo-random function.
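The masked verification of claims 30 and 32 and the key separation of claims 34 to 37, as an added example that is not part of the patent text. It assumes HMAC-SHA256 as both the pseudo-random function and the keyed MAC, and SHA-256 as the masking (sheltering) function; the labels, provider identifiers, key and contract string are constructed for illustration.

```python
import hashlib
import hmac

def prf(key: bytes, *parts: bytes) -> bytes:
    # Assumed PRF: HMAC-SHA256 over length-prefixed inputs (no ambiguity between fields).
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()

def derive_approval_key(aka_key: bytes, provider_id: bytes) -> bytes:
    # Claims 34-37: approval keying material is derived from the AKA keying
    # material by a PRF and bound to one provider, so keys stay isolated.
    return prf(aka_key, b"service-agreement-approval", provider_id)

def sign_contract(approval_key: bytes, contract: bytes) -> bytes:
    # User-signed verification information: a keyed MAC over the contract.
    return prf(approval_key, b"contract", contract)

def mask(value: bytes) -> bytes:
    # Claim 32: the masking function is a cryptographic hash.
    return hashlib.sha256(value).digest()

def manager_expected_masked(aka_key: bytes, provider_id: bytes, contract: bytes) -> bytes:
    # Manager side (claim 30): compute the expected value, release only its mask.
    return mask(sign_contract(derive_approval_key(aka_key, provider_id), contract))

def provider_verify(user_signed: bytes, expected_masked: bytes) -> bool:
    # Provider side: mask what the user sent and compare in constant time.
    return hmac.compare_digest(mask(user_signed), expected_masked)

def demo() -> dict:
    aka_key = bytes(range(32))                      # constructed shared key
    contract = b"service=video;price=2.50;cur=EUR"  # constructed contract
    sp_a, sp_b = b"provider-a.example", b"provider-b.example"
    expected = manager_expected_masked(aka_key, sp_a, contract)
    key_a = derive_approval_key(aka_key, sp_a)
    signed = sign_contract(key_a, contract)
    altered = sign_contract(key_a, contract.replace(b"2.50", b"0.25"))
    foreign = sign_contract(derive_approval_key(aka_key, sp_b), contract)
    return {
        "accepted": provider_verify(signed, expected),
        "altered_terms": provider_verify(altered, expected),
        "other_provider_key": provider_verify(foreign, expected),
        "mask_hides_value": expected != signed,
        "key_separated": key_a != aka_key,
    }

if __name__ == "__main__":
    print(demo())
```

Before the user responds, the provider holds only the masked expected value, so it can check the user's acceptance but cannot produce the user-signed value itself.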
CN03813707.0A 2002-06-12 2003-06-04 Non-repudiation of service agreements Pending CN1659820A (en)

Applications Claiming Priority (6)

Application Number Priority Date Filing Date Title
US38850302P 2002-06-12 2002-06-12
US60/388,503 2002-06-12
US10/278,362 2002-10-22
US10/278,362 US7194765B2 (en) 2002-06-12 2002-10-22 Challenge-response user authentication
US45529103P 2003-03-17 2003-03-17
US60/455,291 2003-03-17

Publications (1)

Publication Number Publication Date
CN1659820A true CN1659820A (en) 2005-08-24

Family

ID=29740732

Family Applications (1)

Application Number Title Priority Date Filing Date
CN03813707.0A Pending CN1659820A (en) 2002-06-12 2003-06-04 Non-repudiation of service agreements

Country Status (6)

Country Link
JP (1) JP4213664B2 (en)
CN (1) CN1659820A (en)
AU (1) AU2003238996A1 (en)
DE (1) DE10392788T5 (en)
GB (1) GB2403880B (en)
WO (1) WO2003107584A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018187937A1 (en) * 2017-04-11 2018-10-18 Huawei Technologies Co., Ltd. Network authentication method, device, and system
CN110462622A (en) * 2016-07-14 2019-11-15 S·库马尔 Collusion resistant can verify that method with the client-server system and its use of the token game of provable justice

Families Citing this family (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100563153C (en) * 2004-04-07 2009-11-25 华为技术有限公司 A kind of in end-to-end wireless encryption communication system the user register the method for authentication
WO2006079419A1 (en) * 2005-01-28 2006-08-03 Telefonaktiebolaget Lm Ericsson (Publ) User authentication and authorisation in a communications system
US7877787B2 (en) 2005-02-14 2011-01-25 Nokia Corporation Method and apparatus for optimal transfer of data in a wireless communications system
KR100755394B1 (en) * 2006-03-07 2007-09-04 한국전자통신연구원 Method for fast re-authentication in umts for umts-wlan handover
JP5043928B2 (en) * 2006-03-28 2012-10-10 テレフオンアクチーボラゲット エル エム エリクソン(パブル) Method and apparatus for processing keys used for encryption and integrity
US9106409B2 (en) 2006-03-28 2015-08-11 Telefonaktiebolaget L M Ericsson (Publ) Method and apparatus for handling keys used for encryption and integrity
US20100146263A1 (en) * 2007-06-20 2010-06-10 Mchek India Payment Systems Pvt. Ltd. Method and system for secure authentication
CN101436930A (en) * 2007-11-16 2009-05-20 华为技术有限公司 Method, system and equipment for distributing cipher key
CN100495964C (en) 2007-12-03 2009-06-03 西安西电捷通无线网络通信有限公司 A light access authentication method
WO2010128348A1 (en) * 2009-05-08 2010-11-11 Telefonaktiebolaget L M Ericsson (Publ) System and method of using a gaa/gba architecture as digital signature enabler
US9385862B2 (en) 2010-06-16 2016-07-05 Qualcomm Incorporated Method and apparatus for binding subscriber authentication and device authentication in communication systems
CN102296770B (en) * 2011-06-07 2013-05-01 广州市致盛建筑材料有限公司 Manufacturing method of three-dimensional artificial stone plate for decoration of building
FR3003979B1 (en) * 2013-03-28 2015-04-24 Idcapt AUTHENTICATION METHOD
KR101400736B1 (en) 2013-10-16 2014-05-29 (주)씽크에이티 Telephone certification system and method for providing non-repudiation function conjoined with trusted third party
CN107409051B (en) 2015-03-31 2021-02-26 深圳市大疆创新科技有限公司 Authentication system and method for generating flight controls
WO2016154943A1 (en) 2015-03-31 2016-10-06 SZ DJI Technology Co., Ltd. Systems and methods for geo-fencing device communications
EP3198581B1 (en) * 2015-03-31 2019-12-25 SZ DJI Technology Co., Ltd. Systems and methods for uav mutual authentication
US10869190B2 (en) * 2018-07-13 2020-12-15 Micron Technology, Inc. Secure vehicular services communication

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1996007256A1 (en) * 1994-08-30 1996-03-07 Kokusai Denshin Denwa Co., Ltd. Certifying system
US6199052B1 (en) * 1998-03-06 2001-03-06 Deloitte & Touche Usa Llp Secure electronic transactions using a trusted intermediary with archive and verification request services
CA2386502A1 (en) * 1999-10-01 2001-04-26 Ecomxml Inc. A method for non-repudiation using a trusted third party

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110462622A (en) * 2016-07-14 2019-11-15 S·库马尔 Collusion resistant can verify that method with the client-server system and its use of the token game of provable justice
WO2018187937A1 (en) * 2017-04-11 2018-10-18 Huawei Technologies Co., Ltd. Network authentication method, device, and system
US11223954B2 (en) 2017-04-11 2022-01-11 Huawei Technologies Co., Ltd. Network authentication method, device, and system

Also Published As

Publication number Publication date
GB2403880A (en) 2005-01-12
JP2005529569A (en) 2005-09-29
AU2003238996A1 (en) 2003-12-31
JP4213664B2 (en) 2009-01-21
GB0424869D0 (en) 2004-12-15
GB2403880B (en) 2005-11-09
WO2003107584A1 (en) 2003-12-24
DE10392788T5 (en) 2005-05-25

Similar Documents

Publication Publication Date Title
CN1659820A (en) Non-repudiation of service agreements
CN1268105C (en) Communication system using communication network and communication method
CN1275418C (en) Authentication in packet data network
CN1492346A (en) Electronic value authentication method, authentication system and device
CN1941699A (en) Cryptographic methods, host system, trusted platform module, and computer arrangement
CN100338907C (en) Information processing system and method, information processing apparatus and method, recording medium, and program
CN1313948C (en) Electronic stamp. storage medium, high-level vertification system, moving device and vehicle start control equipment
CN1714542A (en) Identification information protection method in WLAN interconnection
CN1504028A (en) Cryptographic authentication with ephemeral modules
CN1969501A (en) Systems and methods to securely generate shared keys
CN1460225A (en) Data processing system, memory device, data processor, data processing method and program
CN1430834A (en) Content data storage
CN1758589A (en) Information processing apparatus, information processing method, and program
CN1496628A (en) Content delivery system
CN1615632A (en) Mechanism for supporting wired and wireless methods for client and server side authentication
CN1808966A (en) Stateless hardware security module
CN1631000A (en) Key management protocol and authentication system for securecontent delivery over the internet
CN1770688A (en) User authentication system
CN1514394A (en) Method and system for executing register medium and resetting priority level operation in united environment
CN1758590A (en) Information processing apparatus, information processing method, and program
CN1656773A (en) Method for authenticating a user to a service of a service provider
CN1449540A (en) Method and system of securely collecting, storing, and transmitting information
CN1386237A (en) Electronic valve system
CN1701561A (en) Authentication system based on address, device thereof, and program
CN1906883A (en) Enabling stateless server-based pre-shared secrets

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20050824