Summary of the invention
The object of the invention is to provide a solution by which, in a SUPL service with the user terminal in a roaming state, the SET can authenticate the SLP of the home domain and the SLP of the visited domain without changing the SUPL service call messages themselves in order to carry out the authentication.

According to a first aspect of the invention, a method is provided for use in a home-domain mobile location device (the home-domain SLP) of a wireless network for performing secure user-plane mobile location of a target user terminal, the target user terminal belonging to the home domain in which the mobile location device is located and being in a visited domain outside that home domain. The method comprises the steps of: receiving visited-domain information from the mobile location device of the visited domain; authenticating the mobile location device of the visited domain; if the authentication passes, sending the visited-domain information to the target user terminal; and accepting authentication by the target user terminal.

According to a second aspect of the invention, a mobile location device is provided for use in a wireless network for performing secure user-plane mobile location of a user terminal, the user terminal belonging to the home domain in which the mobile location device is located and being in a visited domain outside that home domain. The device comprises: a receiving means for receiving visited-domain information from the mobile location device belonging to the visited domain; an authentication means for authenticating the mobile location device of the visited domain; and a sending means for sending the visited-domain information to the target user terminal when the authentication passes.

According to a third aspect of the invention, a method is provided for performing secure user-plane mobile location in a user terminal supporting a mobile location service in a wireless network, the user terminal being in a visited domain outside its home domain. The method comprises the steps of: receiving visited-domain information from the mobile location device of the home domain; establishing one or more new communication connections between the user terminal and that mobile location device; authenticating the mobile location device of the home domain over the newly established communication connection; and, if the authentication passes, using the visited-domain information to perform mobile location.

According to a fourth aspect of the invention, a user terminal is provided for secure user-plane mobile location in a wireless network, the user terminal being located in a visited domain outside its home domain, characterised in that it comprises: a receiving means for receiving a message carrying the visited-domain information from the home-domain mobile location device; a connection establishing means for establishing one or more new communication connections between the user terminal and the home-domain mobile location device; an authentication means for authenticating the home-domain mobile location device over the newly established communication connection; and a positioning means for performing mobile location using the visited-domain information when the authentication passes.

According to a fifth aspect of the invention, a method is provided for use in a visited-domain mobile location device of a wireless network for assisting the mobile location of a target user terminal that has roamed from its home domain into the visited domain, where the root certificate authority of the visited domain differs from the root certificate authority of the home domain. The method comprises the steps of: sending visited-domain information to the mobile location device in the home domain of the target user terminal; and providing to the home-domain mobile location device a preset certificate issued by the home-domain root certificate authority to the visited-domain root certificate authority, so that the home-domain mobile location device can authenticate the visited-domain mobile location device through a cross-certification mechanism.

According to a sixth aspect of the invention, a visited-domain mobile location device is provided for use in a wireless network for assisting the mobile location of a target user terminal that has roamed from its home domain into the visited domain, comprising: a storage means for storing visited-domain information; and a sending means for sending the visited-domain information to the home-domain mobile location device; characterised in that, when the root certificate authority of the visited domain differs from that of the home domain, the storage means also prestores the certificate issued by the home-domain root certificate authority to the visited-domain root certificate authority, and the sending means is further used to send that certificate to the home-domain mobile location device so that the home-domain mobile location device can authenticate the visited-domain mobile location device through a cross-certification mechanism.

Compared with the prior art, the invention achieves a secure user-plane mobile location service while the SET is roaming, through indirect authentication of the V-SLP by the SET: the SET authenticates the H-SLP, and the H-SLP authenticates the V-SLP. Both the SET's authentication of the H-SLP and the H-SLP's authentication of the V-SLP are carried out over newly established communication connections, so the call messages of the SUPL service itself need not be changed; changes to existing hardware equipment are therefore reduced and cost is lowered.
Embodiments

The invention is described in detail below with reference to the drawings and to specific embodiments. It should be understood that the invention is not limited to these specific embodiments.

Fig. 1 is a schematic diagram of a wireless network according to the invention in which secure user-plane mobile location is performed while a terminal is roaming. It comprises a home-domain SLP (H-SLP) 1, a user terminal 2 and a visited-domain SLP (V-SLP) 3, where user terminal 2 has roamed from its home domain into the visited domain.

When user terminal 2 is to be located, the information about the visited domain in which it currently resides (for example, address information) must be sent to user terminal 2 by the home-domain SLP 1; user terminal 2 then uses that visited-domain information to obtain its position in the visited domain. For the whole mobile location procedure to be trustworthy at the user plane, user terminal 2 must authenticate V-SLP 3. To this end, H-SLP 1 authenticates V-SLP 3 directly and user terminal 2 authenticates H-SLP 1 directly, which together amount to an indirect authentication of V-SLP 3 by user terminal 2.

Fig. 2 is a flow chart of a method according to an embodiment of the invention, performed in the home-domain SLP (H-SLP, also referred to as the mobile location device) 1, for secure user-plane mobile location of a user terminal. Because the invention only concerns mobile location while the user terminal is roaming, the user terminal is assumed to be in a visited domain.

In step S101, the H-SLP receives a mobile location request for a user terminal of its home domain. The request may be initiated by that user terminal, by another user terminal, or by the network side. The method then proceeds to step S102.

In step S102, the H-SLP receives, from the SLP of the visited domain in which the user terminal currently resides (the V-SLP), the information relating to the visited domain. This information may be the address information of the visited domain, or other information the target user terminal needs in order to perform mobile location in the visited domain. At this point the H-SLP cannot determine whether the visited-domain information is trustworthy, so the V-SLP must be authenticated.

In step S103, preferably, so that the call messages of the secure user-plane mobile location service need not be changed, the H-SLP establishes one or more new communication connections to the V-SLP specifically for the authentication procedure. It should be understood that the invention may alternatively dispense with the new connection and authenticate the V-SLP by attaching authentication information to the mobile location call messages.

Then, in step S104, the H-SLP authenticates the visited-domain mobile location device (the V-SLP) over the newly established communication connection.

In a preferred embodiment, if the root certificate of the visited-domain certificate authority is the same as the root certificate of the home-domain certificate authority, the H-SLP can authenticate V-SLP 3 using the preset root certificate of the home-domain certificate authority. Otherwise, V-SLP 3 must have preset in it a certificate issued by the root certificate authority of the domain to which H-SLP 1 belongs (the home domain) to the root certificate authority of the domain to which V-SLP 3 belongs (the visited domain). H-SLP 1 uses this certificate, sent by V-SLP 3, to authenticate V-SLP 3 through a cross-certification mechanism: the V-SLP's own certificate chains to the visited-domain root, and the cross-certificate chains the visited-domain root to the home-domain root that the H-SLP already trusts.

In step S105, it is judged whether the authentication has passed, that is, whether the information from the V-SLP is trustworthy. If the authentication passes, the method proceeds to step S106; otherwise the whole mobile location procedure ends.

In step S106, the H-SLP sends the authenticated visited-domain information to the user terminal for use in mobile location.
Fig. 3 is a block diagram of the home-domain SLP (H-SLP, also referred to as the mobile location device) 1 according to an embodiment of the invention, for secure user-plane mobile location of a user terminal in a wireless network.

The H-SLP here is defined as the SLP of the domain to which the target user terminal belongs (its home domain), that is, the SLP that performs mobile location for the user terminals of its own home domain.

Because the invention only concerns mobile location while the user terminal is roaming, the user terminal is assumed to be in a visited domain.

As shown in the figure, H-SLP 1 comprises a receiving means 11, an authentication means 13 and a sending means 14.

Receiving means 11 receives a mobile location request for the user terminal; the request may be initiated by that user terminal, by another user terminal, or by the network side. Receiving means 11 also receives, from the SLP of the visited domain in which the user terminal currently resides (the V-SLP), the information relating to the visited domain. This information may be the address information of the visited domain, or other information the target user terminal needs in order to perform mobile location in the visited domain. At this point the H-SLP cannot determine whether the visited-domain information is trustworthy, so the V-SLP must be authenticated.

Authentication means 13 authenticates the V-SLP; the authentication information may be carried in the mobile location service call messages.

Preferably, H-SLP 1 further comprises a storage means 15 in which the root certificate of the home-domain certificate authority is prestored. If the root certificate of the home-domain certificate authority differs from that of the visited-domain certificate authority, V-SLP 3 prestores a certificate issued by the root certificate authority of the domain to which H-SLP 1 belongs (the home domain) to the root certificate authority of the domain to which V-SLP 3 belongs (the visited domain).

If the root certificates of the visited-domain and home-domain certificate authorities are the same, authentication means 13 can authenticate the V-SLP using the home-domain root certificate prestored in storage means 15. Otherwise, authentication means 13 uses the certificate sent by V-SLP 3 (issued by the home-domain root certificate authority to the visited-domain root certificate authority) to authenticate the V-SLP through a cross-certification mechanism.

In a preferred embodiment, so that the mobile location service call messages need not be changed, one or more new communication connections are established separately for the authentication procedure. H-SLP 1 therefore further comprises a connection establishing means 12 for establishing one or more new communication connections between the H-SLP and the V-SLP, and authentication means 13 authenticates the V-SLP over the newly established communication connection.

If authentication means 13 succeeds in authenticating the V-SLP, that is, confirms that the information from the V-SLP is trustworthy, it notifies sending means 14, which sends the visited-domain information to the target user terminal.
Fig. 4 is a flow chart of a method according to an embodiment of the invention for secure user-plane mobile location, performed in a user terminal supporting a mobile location service in a wireless network. Because the invention only concerns mobile location while the user terminal is roaming, the user terminal is assumed to be in a visited domain.

In step S201, user terminal 2 receives, from the SLP of its home domain (H-SLP, also referred to as the home-domain mobile location device), the information relating to the visited domain in which it currently resides. This information may be the address information of the visited domain, or other information the target user terminal needs in order to perform mobile location in the visited domain. User terminal 2 cannot yet determine whether H-SLP 1 is trustworthy, so it must authenticate the H-SLP.

In the prior art, when the user terminal authenticates the H-SLP, the authentication information is attached to the mobile location service call messages; this changes the call messages themselves and so requires larger changes to hardware. In the invention, therefore, user terminal 2 establishes one or more new communication connections to the H-SLP specifically for the authentication procedure, that is, the method proceeds to step S202.

In step S202, user terminal 2 establishes one or more new communication connections between the user terminal and the H-SLP. The method then proceeds to step S203.

In step S203, user terminal 2 authenticates the H-SLP over the newly established communication connection.

In a preferred embodiment, user terminal 2 authenticates the H-SLP by means of the Transport Layer Security (TLS) protocol, using the root certificate of the home-domain certificate authority preset in the terminal to validate the certificate that the H-SLP presents.

In step S204, it is judged whether the authentication has passed, that is, whether the H-SLP is trustworthy. If the authentication passes, the method proceeds to step S205; otherwise the mobile location procedure ends.

In step S205, user terminal 2 uses the authenticated visited-domain information to carry out the subsequent mobile location.
Fig. 5 is a block diagram of a user terminal according to an embodiment of the invention for secure user-plane mobile location in a wireless network. Because the invention only concerns mobile location while the user terminal is roaming, the user terminal is assumed to be in a visited domain.

As shown in the figure, user terminal 2 comprises a receiving means 21, a connection establishing means 22, an authentication means 23 and a positioning means 24.

Receiving means 21 receives from the H-SLP the information relating to the visited domain in which the terminal currently resides. This information may be the address information of the visited domain, or other information the target user terminal needs in order to perform mobile location in the visited domain. At this point user terminal 2 cannot determine whether H-SLP 1 is trustworthy, so it must authenticate the H-SLP.

Unlike the prior art, so that the mobile location service call messages themselves need not be changed, one or more new communication connections are established for the authentication procedure.

Connection establishing means 22 establishes one or more new communication connections between user terminal 2 and H-SLP 1.

Authentication means 23 authenticates the home-domain mobile location device over the newly established communication connection.

In a preferred embodiment, user terminal 2 further comprises a storage means 25 in which the root certificate of its home-domain certificate authority is prestored. Authentication means 23 uses that root certificate to authenticate the home-domain mobile location device by means of the Transport Layer Security (TLS) protocol.

If authentication means 23 succeeds in authenticating the H-SLP, that is, confirms that the information from the H-SLP is trustworthy, it notifies positioning means 24, which uses the visited-domain information to carry out the subsequent mobile location.
Fig. 6 is a flow chart of a method according to an embodiment of the invention, performed in the visited-domain SLP (V-SLP, hereinafter also referred to as the mobile location device) 3 of a wireless network, for assisting the mobile location of a target user terminal 2. Because the invention only concerns mobile location while the user terminal is roaming, user terminal 2 is assumed to have roamed from its home domain into the visited domain. It is further assumed that the root certificate authority of the visited domain differs from the root certificate authority of the home domain, and that a certificate issued by the home-domain root certificate authority to the visited-domain root certificate authority is preset in the visited-domain mobile location device.

In step S301, V-SLP 3 sends the visited-domain information to the H-SLP.

Then, in step S302, V-SLP 3 sends to H-SLP 1 the preset certificate issued by the home-domain root certificate authority to the visited-domain root certificate authority. H-SLP 1 uses that certificate, together with the root certificate of the home-domain certificate authority preset in H-SLP 1 itself, to authenticate V-SLP 3 through a cross-certification mechanism.
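The trust-path logic behind steps S104/S105 and S302 above (the same-root case and the cross-certification case on the H-SLP side, and the terminal's check of the H-SLP against its preset home-domain root), shown as an added example that is not code from the patent. It is a pure-Python toy PKI: certificates are dicts, signatures are textbook RSA over a truncated SHA-256 digest with short keys and no padding, and the names `home-root`, `visited-root`, `v-slp` and `h-slp` are assumptions for illustration. A real H-SLP would run the equivalent chain validation inside TLS against X.509 certificates; what the toy shows is which certificates must be present, and signed by whom, for the walk from the V-SLP's certificate to end at the home-domain root.

```python
"""Toy model of the H-SLP's authentication of the V-SLP (steps S104/S105, S302).

Added example, not code from the patent. Certificates are dicts and signatures
are textbook RSA over a truncated SHA-256 digest (short keys, no padding):
enough to show the trust-path logic, unfit for real use.
"""
import hashlib
import json
import random

RNG = random.Random(2009)  # fixed seed so the example is reproducible
E = 65537


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin test, used only for the toy key generation."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        p = RNG.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(p):
            return p


def gen_key(bits=256):
    """Textbook RSA key pair: ((n, e), (n, d))."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E:
            return (p * q, E), (p * q, pow(E, -1, phi))


def _digest(tbs):
    """160-bit digest of the to-be-signed fields; always smaller than n."""
    raw = json.dumps(tbs, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest()[:20], "big")


def issue(issuer, issuer_priv, subject, subject_pub, is_ca):
    """`issuer` certifies that `subject` holds `subject_pub`."""
    tbs = {"subject": subject, "issuer": issuer, "pub": list(subject_pub), "ca": is_ca}
    n, d = issuer_priv
    return {"tbs": tbs, "sig": pow(_digest(tbs), d, n)}


def _signed_by(cert, pub):
    n, e = pub
    return pow(cert["sig"], e, n) == _digest(cert["tbs"])


def verify_chain(leaf, presented, anchor_name, anchor_pub, max_hops=4):
    """Walk from `leaf` up to the preset root (the trust anchor).

    `presented` are the CA certificates the peer sent with its own; in the
    roaming case that is the cross-certificate the home root issued to the
    visited root. Each link must be signed by the key in the next certificate,
    and the walk must end at the anchor, otherwise the peer is rejected.
    """
    by_subject = {c["tbs"]["subject"]: c for c in presented if c["tbs"]["ca"]}
    cert = leaf
    for _ in range(max_hops):
        issuer = cert["tbs"]["issuer"]
        if issuer == anchor_name:
            return _signed_by(cert, anchor_pub)
        link = by_subject.get(issuer)
        if link is None or not _signed_by(cert, tuple(link["tbs"]["pub"])):
            return False
        cert = link
    return False  # never reached the home-domain root


def roaming_scenarios():
    """Verdicts of the H-SLP (and, last, of the SET) in the cases the text describes."""
    home_pub, home_priv = gen_key()    # home-domain root CA, preset in H-SLP and SET
    visit_pub, visit_priv = gen_key()  # visited-domain root CA
    vslp_pub, _ = gen_key()
    hslp_pub, _ = gen_key()
    vslp_same_root = issue("home-root", home_priv, "v-slp", vslp_pub, False)
    vslp_other_root = issue("visited-root", visit_priv, "v-slp", vslp_pub, False)
    cross = issue("home-root", home_priv, "visited-root", visit_pub, True)  # preset in V-SLP (S302)
    visited_self = issue("visited-root", visit_priv, "visited-root", visit_pub, True)
    forged_cross = issue("home-root", visit_priv, "visited-root", visit_pub, True)  # claims home root, not signed by it
    hslp_cert = issue("home-root", home_priv, "h-slp", hslp_pub, False)
    return {
        "same_root": verify_chain(vslp_same_root, [], "home-root", home_pub),
        "cross_cert": verify_chain(vslp_other_root, [cross], "home-root", home_pub),
        "no_cross_cert": verify_chain(vslp_other_root, [visited_self], "home-root", home_pub),
        "forged_cross": verify_chain(vslp_other_root, [forged_cross], "home-root", home_pub),
        "set_checks_hslp": verify_chain(hslp_cert, [], "home-root", home_pub),
    }


if __name__ == "__main__":
    for case, ok in roaming_scenarios().items():
        print(f"{case:16s} -> {'authenticated' if ok else 'rejected'}")
```

Running the module prints one verdict per case. `no_cross_cert` is the situation the fifth aspect addresses: a V-SLP whose certificate chains only to a foreign root is rejected by the H-SLP until it presents the cross-certificate that the home-domain root issued to the visited-domain root, and `forged_cross` shows that a certificate merely naming the home root as issuer, without its signature, does not help.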
Fig. 7 is a block diagram of the visited-domain SLP (V-SLP, hereinafter also referred to as the mobile location device) 3 of a wireless network according to an embodiment of the invention, for assisting the mobile location of a target user terminal. Because the invention only concerns mobile location while the user terminal is roaming, user terminal 2 is assumed to have roamed from its home domain into the visited domain.

As shown in the figure, V-SLP 3 comprises a storage means 31 and a sending means 32.

Storage means 31 stores the visited-domain information.

Sending means 32 sends the visited-domain information to H-SLP 1.

It is further assumed that the root certificate authority of the visited domain differs from the root certificate authority of the home domain, so storage means 31 also prestores the certificate issued by the root certificate authority of the domain to which H-SLP 1 belongs (the home domain) to the root certificate authority of the domain to which V-SLP 3 belongs (the visited domain).

Sending means 32 is further used to send this certificate to H-SLP 1. H-SLP 1 uses it, together with the home-domain root certificate preset in H-SLP 1 itself, to authenticate V-SLP 3 through a cross-certification mechanism.

After user terminal 2 has successfully authenticated H-SLP 1, the H-SLP establishes one or more communication connections to authenticate user terminal 2. The authentication mechanism may be PSK-TLS or another mechanism; it is not discussed here. In this way the security requirements of the user-plane location service are met, namely mutual authentication between the target user terminal 2 and the (V-/H-)SLP.

Specific embodiments of the invention have been described above. It should be understood that the invention is not limited to the specific embodiments described; those skilled in the art may make various variations or modifications within the scope of the appended claims.