CN1674708A - Method for switching in user attaching network server in universal right discriminating frame - Google Patents


Info

Publication number
CN1674708A
Authority
CN
China
Prior art keywords
user
impi
imsi
bsf
hss
Prior art date
Legal status
Granted
Application number
CNA2004100309098A
Other languages
Chinese (zh)
Other versions
CN100397942C (en)
Inventor
黄迎新
张文林
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CNB2004100309098A (CN100397942C)
Priority to PCT/CN2005/000340 (WO2005093990A1)
Publication of CN1674708A
Application granted
Publication of CN100397942C
Anticipated expiration
Current status: Expired - Fee Related

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention discloses a method for accessing the home subscriber server (HSS) in a generic authentication framework. Its key point is that a new function is added to the BSF of the generic authentication framework: the BSF determines the type of the user identification information it receives. If it is an IMPI, the BSF uses the Cx interface to send the HSS a message that contains the IMPI and requests the user description information. If it is an IMSI, the BSF converts the IMSI into the IMPI format and then uses the Cx interface to send the HSS a message that contains the converted IMPI and requests the user description information. If it is a temporary identity or a re-authentication identity, a failure message carrying a cause value is returned to the user.

Description

A method for accessing the home subscriber server in a generic authentication framework
Technical field
The present invention relates to the field of third-generation wireless communication technology, and in particular to a method for accessing the home subscriber server (HSS) in a generic authentication framework.
Background art
In the third-generation wireless communication standards, the generic authentication framework is a universal architecture used by many application services to verify user identity; a service that uses the generic authentication framework can verify and authenticate the users who use it. Such services can be multicast/broadcast services, user certificate services, instant information services, and so on. They can also be proxy services: for example, several services connect to one proxy, and the generic authentication framework treats the proxy as one service. The organizational structure is therefore very flexible, and services developed later can likewise use the generic authentication framework to verify and authenticate their users.
Figure 1 shows the structure of the generic authentication framework. It is composed of the user 101, the entity that performs the initial check of user identity (BSF) 102, the home subscriber server (HSS) 103, and the network application entity (NAF) 104. The BSF 102 performs mutual authentication with the user 101 and at the same time generates a key shared between the BSF 102 and the user 101. The HSS 103 stores the profile file that describes the user's subscription information, and also has the function of producing authentication information.
When a user needs to use a service, if the user knows that the service requires mutual authentication with the BSF, the user authenticates with the BSF directly. Otherwise, the user first contacts the NAF that corresponds to the service; if that NAF uses the generic authentication framework and the requesting user has not yet performed mutual authentication with the BSF, the NAF instructs the requesting user to authenticate with the BSF.
Mutual authentication between the user and the BSF proceeds as follows. After the BSF receives the authentication request from the user, it first obtains the user's authentication information from the HSS, and then performs mutual authentication with the user according to the obtained authentication information using the Authentication and Key Agreement (AKA) protocol. On success, the user and the BSF have authenticated each other and have generated a shared key Ks. The BSF then assigns the user a transaction identifier (TID), which is associated with Ks.
After receiving the TID, the user sends a connection request to the NAF, carrying the TID in the request message. On receiving the request, the NAF first looks up locally whether it holds the TID the user carried; if it cannot find the TID locally, it queries the BSF. Once the BSF finds the TID, it includes the TID and the key information corresponding to it in a success response message sent to the NAF. When the NAF receives the success response from the BSF, it regards the user as a legitimate user authenticated by the BSF, and the NAF and the user now share the key Ks or a key derived from Ks. The NAF and the user can then communicate normally under the protection of Ks or the key derived from Ks. If the BSF cannot find the TID locally, it notifies the NAF that it has no information for this user, and the NAF then instructs the user to authenticate with the BSF.
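The TID exchange described in the background can be illustrated with a small simulation. This is an added example, not code from the patent or from Huawei: the TID format, the stand-in for the AKA run, and the HMAC-SHA256 derivation of the NAF key from Ks are all constructed assumptions (the page only says "a key derived from Ks"). It shows the NAF's local-cache-then-query-BSF lookup, the success path where both sides end up with the same derived key, and the failure path where an unknown TID sends the user back to the BSF.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


class Bsf:
    """Keeps the TID -> Ks associations created after a successful AKA run."""

    def __init__(self) -> None:
        self._ks_by_tid: Dict[str, bytes] = {}

    def bootstrap(self, user_id: str) -> Tuple[str, bytes]:
        # Constructed stand-in for the AKA exchange: Ks is fresh random
        # material and the TID is an opaque value in a NAI-like form.
        ks = secrets.token_bytes(32)
        tid = f"{secrets.token_hex(8)}@bsf.example"  # assumed TID format
        self._ks_by_tid[tid] = ks
        return tid, ks

    def query_tid(self, tid: str) -> Optional[bytes]:
        """Answer a NAF query: Ks for a known TID, None if not found."""
        return self._ks_by_tid.get(tid)


def derive_naf_key(ks: bytes, naf_id: str) -> bytes:
    """Assumed derivation of the NAF-specific key from Ks (HMAC-SHA256)."""
    return hmac.new(ks, naf_id.encode(), hashlib.sha256).digest()


class Naf:
    """Network application entity that checks its cache, then asks the BSF."""

    def __init__(self, naf_id: str, bsf: Bsf) -> None:
        self.naf_id = naf_id
        self.bsf = bsf
        self._key_by_tid: Dict[str, bytes] = {}

    def handle_connection_request(self, tid: str) -> dict:
        key = self._key_by_tid.get(tid)
        if key is None:
            ks = self.bsf.query_tid(tid)
            if ks is None:
                # BSF has no record of this TID: user must bootstrap first
                return {"status": "bootstrap_required"}
            key = derive_naf_key(ks, self.naf_id)
            self._key_by_tid[tid] = key
        return {"status": "ok", "key": key}


def run_exchange() -> dict:
    """Play the success and failure paths and report what each side holds."""
    bsf = Bsf()
    naf = Naf("naf.example", bsf)
    tid, ks = bsf.bootstrap("subscriber-1")       # user authenticates with BSF
    user_key = derive_naf_key(ks, naf.naf_id)      # user derives the same key
    good = naf.handle_connection_request(tid)      # NAF queries BSF, caches key
    cached = naf.handle_connection_request(tid)    # second request hits cache
    bad = naf.handle_connection_request("unknown@bsf.example")
    return {
        "keys_match": good["status"] == "ok" and good["key"] == user_key,
        "cache_hit_same_key": cached == good,
        "unknown_tid": bad["status"],
    }


if __name__ == "__main__":
    print(run_exchange())
```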
The range of services supported by the generic authentication framework is wide: besides IP multimedia services it also supports other services, for example multicast and broadcast (MBMS) services and user certificate services. When the HSS indexes a profile file it stores for a user, it can do so by the user's International Mobile Subscriber Identity (IMSI) or by the IP Multimedia Private Identity (IMPI). The IMSI is the more common identifier and takes the form of a 15-digit numeric string; the IMPI is customized according to the Network Access Identifier (NAI) format and generally has the form "IP multimedia private identity@domain name". Both the IMSI and the IMPI are permanent user identifiers.
Because the communication interface between the BSF and the HSS reuses the Cx interface between network entities and the HSS in IP multimedia services, and an IMSI cannot be carried or recognized on the Cx interface, the BSF must identify a user by an IMPI customized in the NAI format whenever it queries the HSS for profile information over the Cx interface.
In the prior art, when a user needs to use the generic authentication framework, a user that supports IP multimedia services already has an IMPI, and simply provides its own IMPI when sending an authentication request to the BSF. A user that does not support IP multimedia services has only an IMSI and no IMPI; in that case the user equipment is responsible for converting the IMSI into an IMPI so that it can be used in the authentication communication.
The drawback of this method is that the conversion from IMSI to IMPI is performed at the user equipment, but in practice not all user equipment has this function. User equipment produced earlier, for example, has no function to convert an IMSI into an IMPI, yet it can support 3G services, and its users also wish to use the generic authentication framework. In this case such user terminals cannot use the generic authentication framework at all. Evidently, in practice it is hard to guarantee that every user equipment supports converting an IMSI into an IMPI, so all users who lack this function are excluded from the generic authentication framework, and the framework cannot achieve wide application.
Summary of the invention
In view of this, the object of the present invention is to provide a method of accessing the HSS in the generic authentication framework, so that user equipment that does not support converting an IMSI into an IMPI can also use the generic authentication framework.
To achieve the above object, the technical scheme of the present invention is as follows:
A method for accessing the home subscriber server in a generic authentication framework, comprising the following steps:
a. After the entity that performs the initial check of user identity (BSF) receives authentication request information from the user, it determines whether the user identification information in the request is an IP Multimedia Private Identity (IMPI) or an International Mobile Subscriber Identity (IMSI). If it is an IMPI, the BSF sends a message containing the IMPI and requesting the user description information to the HSS over the Cx interface, thereby accessing the home subscriber server directly. If it is an IMSI, the BSF first converts the IMSI into an IMPI and then sends a message containing the IMPI and requesting the user description information to the HSS over the Cx interface, thereby accessing the home subscriber server. Otherwise, step b is executed;
b. A failure message carrying a cause value is returned to the user.
Preferably, the method further comprises: after the HSS receives query information containing a network access identifier, it determines whether the network access identifier contains an IMSI field; if so, it converts the network access identifier back into an IMSI and indexes the user description information by the IMSI; otherwise, it indexes the user description information by the network access identifier.
Preferably, the cause value of step b prompts the user to use the user's permanent identity.
Preferably, the user's permanent identity is an IMPI or an IMSI.
The present invention adds a new function to the BSF of the generic authentication framework: the BSF determines the kind of user identification information it receives. If it is an IMPI, the BSF sends a message containing the IMPI and requesting the user description information to the HSS over the Cx interface; if it is an IMSI, the BSF converts the IMSI into an IMPI and sends a message containing the converted IMPI and requesting the user description information to the HSS over the Cx interface; if it is a temporary identity or a re-authentication identity, the BSF returns a failure message carrying a cause value to the user. With the present invention, user equipment that does not support converting an IMSI into the IMPI format can also use the generic authentication framework, which widens the scope of application of the framework. The invention is simple to implement and easy to use.
Description of drawings
Figure 1 shows the structure of the generic authentication framework;
Figure 2 is a flow chart of the BSF accessing the HSS according to the present invention.
Embodiment
To make the technical scheme of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings.
The idea of the present invention is: after the BSF receives authentication request information from the user, it determines whether the user identification information in the request is an IMPI or an IMSI. If it is an IMPI, the BSF sends a message containing the IMPI and requesting the user description information to the HSS over the Cx interface, accessing the home subscriber server directly. If it is an IMSI, the BSF first converts the IMSI into an IMPI and then sends a message containing the IMPI and requesting the user description information to the HSS over the Cx interface, accessing the home subscriber server. Otherwise, a failure message carrying a cause value is returned to the user.
Figure 2 is a flow chart of the BSF accessing the HSS according to the present invention.
Step 201: The user sends an authentication request message to the BSF in preparation for using the generic authentication framework; the authentication request message contains the user's identification information.
Step 202: The BSF receives the authentication request message containing the user's identification information.
Step 203: The BSF determines the kind of user identification information received. If it is an IMPI, step 206 is executed; if it is an IMSI, step 205 is executed; if it is a temporary identity or a re-authentication identity, step 204 is executed.
Step 204: The BSF returns a failure message containing a failure cause value to the user. The cause value indicates a user identification error and prompts the user to resend an authentication request message containing a permanent user identity, and the process ends. This is because temporary identities and re-authentication identities are local identities that are not assigned by the HSS, so the HSS cannot recognize them. The permanent user identity can be an IMSI or an IMPI.
Step 205: The BSF converts the IMSI into the IMPI format. The specific conversion method is the same as in the prior art. For example, a user's IMSI is 234150999999999, where 234 is the mobile country code (MCC), 15 is the mobile network code (MNC), and 0999999999 is the user's own identification; after conversion to the IMPI format it becomes 234150999999999@15.234.IMSI.3gppnetwork.org. Every IMPI obtained by conversion contains the IMSI field.
Step 206: The BSF sends a message containing the IMPI and requesting the user description information to the HSS over the Cx interface.
Step 207: The HSS performs a local index lookup according to the information received and returns the indexed user description information to the BSF. After the BSF receives the user description information returned by the HSS, it interacts with the user to carry out the mutual authentication process.
The method by which the HSS performs the local index lookup is: first determine whether the identity received is a real IMPI, i.e. whether the received user identity contains an IMSI field. If it does not, it is a real IMPI; otherwise the identity received by the HSS is an IMPI converted from an IMSI.
If the HSS received a real IMPI, it indexes the user's Profile file directly by the IMPI, generates the authentication data, and returns the Profile file together with the generated authentication data to the BSF; the BSF completes the mutual authentication process with the user, and the user then uses the authentication result to communicate with the corresponding service server.
If the HSS received a converted IMPI, it performs the reverse conversion on the received identity, i.e. decomposes the IMPI to obtain the user's IMSI (the specific conversion process is again the same as in the prior art), then indexes the user's Profile file by the IMSI, generates the authentication data, and returns the Profile file together with the generated authentication data to the BSF; the BSF completes the mutual authentication process with the user, and the user then uses the authentication result to communicate with the corresponding service server.
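The BSF-side decision of steps 203 to 207 and the HSS-side reverse lookup can be put together in one runnable model. This is an added example, not code from the patent or from Huawei. It follows the IMPI form given in step 205 (IMSI@MNC.MCC.IMSI.3gppnetwork.org) and the page's 2-digit MNC; the real realm and MNC length come from operator configuration, so both are assumptions here, as are the prefixes used to recognise temporary and re-authentication identities, the cause value name, and the HSS profile store. One check the page implies but does not spell out is added on the HSS side: a converted IMPI is only accepted when the MCC/MNC in its realm agree with the digits inside the IMSI, so a request cannot pair an arbitrary IMSI with a mismatched realm.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Realm suffix of an IMSI-derived IMPI, following the form in step 205
# (assumption: real deployments take the realm from operator configuration).
IMSI_REALM_SUFFIX = "IMSI.3gppnetwork.org"

IMSI_RE = re.compile(r"\d{15}")          # IMSI: 15-digit numeric string
NAI_RE = re.compile(r"[^@\s]+@[^@\s]+")  # IMPI: "user@domain" (NAI form)

# Constructed markers for the two identity kinds the BSF must reject; they are
# assigned locally and unknown to the HSS, so their exact form is assumed.
TEMP_ID_PREFIX = "TMP-"
REAUTH_ID_PREFIX = "REAUTH-"

# Constructed cause value carried by the step-204 failure message.
CAUSE_USE_PERMANENT_ID = "USER_ID_ERROR_USE_PERMANENT_IDENTITY"

# Constructed HSS profile store: indexed by IMSI for IMSI-only subscribers
# and by IMPI for subscribers that have one.
HSS_PROFILES = {
    "234150999999999": {"name": "imsi-only subscriber", "services": ["MBMS"]},
    "alice@ims.example.com": {"name": "ims subscriber", "services": ["IMS"]},
}


def classify_identity(ident: str) -> str:
    """Step 203: decide which kind of identifier the request carries."""
    if ident.startswith(TEMP_ID_PREFIX):
        return "temporary"
    if ident.startswith(REAUTH_ID_PREFIX):
        return "reauth"
    if IMSI_RE.fullmatch(ident):
        return "IMSI"
    if NAI_RE.fullmatch(ident):
        return "IMPI"
    return "unknown"


def imsi_to_impi(imsi: str, mnc_len: int = 2) -> str:
    """Step 205: build the NAI-form IMPI from an IMSI.

    The MCC is always the first three digits; the MNC is 2 or 3 digits
    depending on the operator. The page's example uses 2, the default here.
    """
    if not IMSI_RE.fullmatch(imsi):
        raise ValueError("IMSI must be a 15-digit numeric string")
    mcc, mnc = imsi[:3], imsi[3:3 + mnc_len]
    return f"{imsi}@{mnc}.{mcc}.{IMSI_REALM_SUFFIX}"


def impi_to_imsi(nai: str) -> Optional[str]:
    """HSS side: the IMSI if the NAI is a converted IMPI, else None.

    The realm must be consistent with the MCC/MNC inside the IMSI; this is
    the added consistency check described in the lead-in.
    """
    user, sep, realm = nai.partition("@")
    if not sep or not realm.endswith("." + IMSI_REALM_SUFFIX):
        return None
    if not IMSI_RE.fullmatch(user):
        return None
    mnc, mcc = realm.split(".")[:2]
    if mcc != user[:3] or not user[3:].startswith(mnc):
        return None
    return user


@dataclass
class HssAnswer:
    found: bool
    index_key: str            # the key the HSS actually indexed by
    profile: Optional[dict] = None


def hss_lookup(nai: str) -> HssAnswer:
    """Step 207 and the HSS index method: by IMSI if present, else by IMPI."""
    imsi = impi_to_imsi(nai)
    key = imsi if imsi is not None else nai
    profile = HSS_PROFILES.get(key)
    return HssAnswer(profile is not None, key, profile)


@dataclass
class BsfResponse:
    outcome: str                  # "hss_query" or "failure"
    impi: Optional[str] = None    # identity sent over Cx, when any
    cause: Optional[str] = None   # cause value of the failure message
    profile: Optional[dict] = None


def bsf_handle_auth_request(ident: str, mnc_len: int = 2) -> BsfResponse:
    """Steps 203 to 207 from the BSF's point of view."""
    kind = classify_identity(ident)
    if kind == "IMPI":
        impi = ident
    elif kind == "IMSI":
        impi = imsi_to_impi(ident, mnc_len)
    else:
        # temporary, re-authentication or unrecognised: step 204
        return BsfResponse("failure", cause=CAUSE_USE_PERMANENT_ID)
    answer = hss_lookup(impi)
    return BsfResponse("hss_query", impi=impi, profile=answer.profile)


if __name__ == "__main__":
    for ident in ("234150999999999", "alice@ims.example.com", "TMP-7f3a"):
        print(ident, "->", bsf_handle_auth_request(ident))
```

Running the block prints the three outcomes the flow chart distinguishes: the IMSI is converted and resolved by the HSS through its IMSI index, the real IMPI is passed through unchanged, and the temporary identity is answered with the failure cause value without any Cx query.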
The above is only a preferred embodiment of the present invention and is not intended to limit the invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the invention shall be included within the scope of protection of the invention.

Claims (4)

1. A method for accessing the home subscriber server in a generic authentication framework, characterized in that the method comprises the following steps:
a. After the entity that performs the initial check of user identity (BSF) receives authentication request information from the user, it determines whether the user identification information in the request is an IP Multimedia Private Identity (IMPI) or an International Mobile Subscriber Identity (IMSI). If it is an IMPI, the BSF sends a message containing the IMPI and requesting the user description information to the HSS over the Cx interface, thereby accessing the home subscriber server directly. If it is an IMSI, the BSF first converts the IMSI into an IMPI and then sends a message containing the IMPI and requesting the user description information to the HSS over the Cx interface, thereby accessing the home subscriber server. Otherwise, step b is executed;
b. A failure message carrying a cause value is returned to the user.
2. The method according to claim 1, characterized in that the method further comprises: after the HSS receives query information containing a network access identifier, it determines whether the network access identifier contains an IMSI field; if so, it converts the network access identifier back into an IMSI and indexes the user description information by the IMSI; otherwise, it indexes the user description information by the network access identifier.
3. The method according to claim 1 or 2, characterized in that the cause value of step b prompts the user to use the user's permanent identity.
4. The method according to claim 3, characterized in that the user's permanent identity is an IMPI or an IMSI.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CNB2004100309098A CN100397942C (en) 2004-03-26 2004-03-26 Method for switching in user attaching network server in universal right discriminating frame
PCT/CN2005/000340 WO2005093990A1 (en) 2004-03-26 2005-03-18 A method for accessing home subscriber server in universal authentication infrastructure

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2004100309098A CN100397942C (en) 2004-03-26 2004-03-26 Method for switching in user attaching network server in universal right discriminating frame

Publications (2)

Publication Number Publication Date
CN1674708A true CN1674708A (en) 2005-09-28
CN100397942C CN100397942C (en) 2008-06-25

Family

ID=35046912

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2004100309098A Expired - Fee Related CN100397942C (en) 2004-03-26 2004-03-26 Method for switching in user attaching network server in universal right discriminating frame

Country Status (2)

Country Link
CN (1) CN100397942C (en)
WO (1) WO2005093990A1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100488314C (en) * 2007-01-24 2009-05-13 中兴通讯股份有限公司 A method for restricting the access of the user terminal in the 3G network
CN101287096B (en) * 2007-04-13 2010-09-01 中国移动通信集团公司 Card for implementing identification conversion and converting method
CN101022651B (en) * 2006-02-13 2012-05-02 华为技术有限公司 Combined right-discriminating construction and realizing method thereof
CN102833820A (en) * 2012-08-20 2012-12-19 中国联合网络通信集团有限公司 Internet protocol multimedia subsystem (IMS) access processing method, universal user identification module and terminal equipment
CN103095649A (en) * 2011-10-31 2013-05-08 中兴通讯股份有限公司 Combination authentication method and system of internet protocol multimedia subsystem (IMS) single sign on

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114125836A (en) * 2020-08-10 2022-03-01 中国移动通信有限公司研究院 Authentication method, device, equipment and storage medium

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0890282B1 (en) * 1996-03-29 2003-01-15 Telecom Securicor Cellular Radio Limited Telecommunications system
JP2002157040A (en) * 2000-11-22 2002-05-31 Nippon Telegr & Teleph Corp <Ntt> User authentication method and user authentication system using radio tag
EP1288765B1 (en) * 2001-09-04 2007-11-21 Telefonaktiebolaget LM Ericsson (publ) Universal authentication mechanism
US7246236B2 (en) * 2002-04-18 2007-07-17 Nokia Corporation Method and apparatus for providing peer authentication for a transport layer session
FR2842055B1 (en) * 2002-07-05 2004-12-24 Nortel Networks Ltd METHOD FOR CONTROLLING ACCESS TO A CELLULAR RADIO COMMUNICATION SYSTEM THROUGH A WIRELESS LOCAL AREA NETWORK, AND CONTROL MEMBER FOR IMPLEMENTING THE METHOD

Also Published As

Publication number Publication date
CN100397942C (en) 2008-06-25
WO2005093990A1 (en) 2005-10-06

Similar Documents

Publication Publication Date Title
CN1943203B (en) For the first mark of verifying entity and the method for the second mark
EP1860906B1 (en) A general authentication form and a method for implementing the authentication
CN1802016A (en) Method for carrying out authentication on user terminal
CN1181648C (en) Method for automatic searching between devices on network
CN1509443A User's alias in communication system
US8554839B2 (en) Method and device for intercommunicating address book information between different networks
CN1674564A (en) Method and apparatus for communicating via on-demand communication robot and mobile phone
CN1773926A (en) Connecting information management apparatus and connecting information management method
CN101212464B (en) Method for implementing general-purpose services in integrated network
CN1777322A (en) Method for treating user of updating IP address at network side
CN100397942C (en) Method for switching in user attaching network server in universal right discriminating frame
CN101686247B (en) Method and system of information processing
CN1659558A (en) Broker-based interworking using hierarchical certificates
CN1830191A (en) Transparent access authentication in GPRS core networks
CN1303832C (en) Authentication method and system for short message value-added service
CN100456671C (en) Method for distributing session affairs identifier
CN1190036C (en) Method and system for inquiry of user identification in mobile communication system
CN110035089A (en) A kind of network security verification method and system of distributed system
CN100563159C (en) Generic authentication system and visit the method that Network in this system is used
CN100358391C (en) Method for accessing mobile station for general packet wireless business and domain name server
CN101668011B (en) Method and system for realizing industrial application platform multimedia message transmission in different places
CN101860606A (en) Technology for carrying out classified statistics on mobile phone users in emergency system
CN114697885A (en) LAN group charging method and related device
CN1514659A (en) Performance control parameter changing method of mobile communication terminal
CN102118750A (en) Method, device and system for identifying cell base station of user traffic in CDMA (code division multiple access) network

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20080625

Termination date: 20200326