CN1841998A - Method for terminal user safety access soft handoff network - Google Patents


Info

Publication number
CN1841998A
Authority: CN (China)
Prior art keywords: iad, marginal, call service, service controller, authentication
Legal status: Granted; Expired - Fee Related (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to its accuracy)
Application number: CN 200510011503
Other languages: Chinese (zh)
Other versions: CN100579012C
Inventor: 胡宪利
Current assignee / original assignee: ZTE Corp (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Events: application filed by ZTE Corp; priority to CN200510011503A; publication of CN1841998A; application granted; publication of CN100579012C; expired - fee related; anticipated expiration (the priority date is an assumption and not a legal conclusion)

Abstract

The invention discloses a method for a terminal user to securely access a softswitch network. The method comprises: a registration step, in which the user terminal registers on the call service controller through the edge access gateway, achieving two-way authentication between the user terminal and the call service controller and/or between the edge access gateway and the call service controller; and a signaling security transmission step, in which a terminal user security layer and an edge access gateway security layer are set up for secure signaling transmission among the user terminal, the edge access gateway and the call service controller. The terminal user security layer provides secure transmission between the terminal user and the call service controller; the edge access gateway security layer provides secure transmission between the edge access gateway and the call service controller.

Description

A method for a terminal user to securely access a softswitch network
Technical field
The present invention relates to the field of communications, and in particular to an IP-based communication network architecture.
Background art
With the development of the Internet and broadband technology, voice over IP (VoIP) has been deployed more and more widely in enterprise networks and public networks. Because IP networks are open, VoIP is exposed to security problems such as user account spoofing and device spoofing. To counter them, the system equipment must verify the identity of the terminal user, so that spoofing by a terminal user cannot lead to theft of system resources; and the terminal user must likewise verify the system equipment, so that a spoofed system cannot steal the user's information.
The prevailing approach in the security systems of current communication systems is one-way authentication: only the system authenticates the terminal user, and the terminal user does not authenticate the system. Even where two-way authentication exists, it is end-to-end only, and the gateway or proxy devices on the path between the two ends are not authenticated. Since IP terminal equipment is generally connected to the softswitch core network through an edge access gateway, confidential information can easily leak in this case. Signaling is also transmitted between the terminal and the system in plaintext, so it can easily be intercepted or modified by unauthorized equipment.
Summary of the invention
The technical problem solved by this invention is to provide a method for a terminal user to securely access a softswitch network, which realizes two-way authentication between the terminal user / edge access gateway and the system and improves the security of the system.
To this end, the invention provides a method for a terminal user to securely access a softswitch network, applicable to a softswitch-based IP network system comprising at least one call service controller, an edge access gateway, a security authentication server and two or more user terminals, where the edge access gateway provides at least a signaling proxy function between the call controller and the user terminals. The method comprises the following steps:
Registration step: the user terminal registers on the call service controller through the edge access gateway; with the participation of the security authentication server, two-way authentication is performed between the user terminal and the call service controller and/or between the edge access gateway and the call service controller;
Signaling security transmission step: a terminal user security layer and an edge access gateway security layer are set up for secure signaling transmission among the user terminal, the edge access gateway and the call service controller. The terminal user security layer provides secure transmission between the terminal user and the call service controller; the edge access gateway security layer provides secure transmission, on the segment between the edge access gateway and the call service controller, of the signaling exchanged between the terminal user and the call service controller.
In the above method, the terminal user or edge access gateway is provided with at least one authentication security parameter group, which supplies the parameter information required for one or more of the protection modes authentication, encryption and integrity protection. For each authentication security parameter group of a terminal user or edge access gateway, a corresponding authentication authorization parameter group is configured in the security authentication server, which supplies the computation information required for one or more of the protection modes authentication, encryption and integrity protection of that terminal user or edge access gateway.
In the above method, from each authentication authorization parameter group the security authentication server computes an authentication authorization vector, which provides the parameter information required for one or more of the protection modes authentication, encryption and integrity protection.
In the above method, after the authentication step the call service controller stores the edge access gateway's encryption key and/or integrity key and the terminal user's encryption key and/or integrity key; it distributes the edge access gateway's encryption key and/or integrity key together with the terminal user's encryption key and/or integrity key to the edge access gateway, and distributes the terminal user's encryption key and/or integrity key to the terminal user.
In the above method, the registration step further comprises:
Step 501: the terminal device sends a registration request message;
Step 502: the edge access gateway receives the registration request message and forwards it to the call service controller;
Step 503: the call service controller receives the registration request message, parses it and obtains the terminal user and edge access gateway identification information;
Step 504: the call service controller checks whether the edge access gateway is already registered; if it is, go to step 508; otherwise the call service controller sends an edge access gateway authentication request to the security authentication server;
Step 505: the security authentication server looks up the edge access gateway's authentication authorization parameter group, computes all authentication authorization vectors for the edge access gateway and returns them to the call service controller;
Step 506: the call service controller chooses one edge access gateway authentication authorization vector from the returned vectors and authenticates the edge access gateway in the subsequent signaling exchange; if the edge access gateway passes authentication, go to step 507; otherwise go to step 513;
Step 507: the call service controller registers the edge access gateway and sends it the part of the chosen edge access gateway authentication authorization vector that belongs to the edge access gateway;
Step 508: the call service controller sends a terminal user authentication request to the security authentication server;
Step 509: the security authentication server looks up the terminal user's authentication authorization parameter group, computes all authentication authorization vectors for the terminal user and returns them to the call service controller;
Step 510: the call service controller chooses one terminal user authentication authorization vector from the returned vectors and, through the signaling proxy function of the edge access gateway, authenticates the terminal user in the subsequent signaling exchange; if the terminal user passes authentication, go to step 511; otherwise go to step 513;
Step 511: the call service controller performs the user registration and sends the registration success information, together with the part of the chosen terminal user authentication authorization vector that belongs to the edge access gateway, to the edge access gateway;
Step 512: the edge access gateway sends the part of the terminal user authentication authorization vector that belongs to the terminal user, together with the registration success response message, to the terminal user; the procedure ends;
Step 513: the call service controller sends a registration failure response to the edge access gateway; and
Step 514: the edge access gateway sends the registration failure response message to the terminal user.
In the above method, secure transmission using the terminal user security layer comprises the following steps:
The call service controller uses the encryption key and integrity key shared between the call service controller and the terminal user: signaling sent to the terminal is encrypted and integrity-protected with the corresponding encryption and integrity algorithms; signaling received from the terminal is decrypted and integrity-checked with the corresponding encryption and integrity algorithms.
The terminal user uses the encryption key and integrity key shared between the terminal user and the call service controller: signaling sent to the call service controller is encrypted and integrity-protected with the corresponding encryption and integrity algorithms; signaling received from the call service controller is decrypted and integrity-checked with the corresponding encryption and integrity algorithms.
In the above method, secure transmission using the edge access gateway security layer comprises the following steps:
The edge access gateway uses the encryption key and integrity key shared between the edge access gateway and the call service controller: on receiving signaling from the call service controller destined for the user terminal, it decrypts and integrity-checks the signaling with the corresponding encryption and integrity algorithms and then forwards it to the user terminal; at the same time, it decrypts and integrity-checks the signaling with the encryption key and integrity key shared between the call service controller and the terminal user, to obtain the information it carries. On receiving signaling from the user terminal destined for the call service controller, it encrypts and integrity-protects the signaling with the corresponding encryption and integrity algorithms; at the same time, it decrypts and integrity-checks the signaling with the encryption key and integrity key shared between the call service controller and the terminal user, to obtain the information it carries;
The call service controller uses the encryption key and integrity key shared between the call service controller and the edge access gateway: signaling that the call service controller sends to the user terminal through the edge access gateway is encrypted and integrity-protected with the corresponding encryption and integrity algorithms; signaling that the user terminal sends to the call service controller through the edge access gateway is decrypted and integrity-checked with the corresponding encryption and integrity algorithms.
In the above method, a step in which the terminal user authenticates the system is further included: in step 501, the registration message carries the terminal user's information for authenticating the system; in step 508, the call service controller at the same time sends the terminal user's request to authenticate the system to the security authentication server; in step 509, the security authentication server at the same time returns the terminal user's system authentication information to the call service controller; in step 510, the call service controller sends the system authentication information to the terminal during the terminal user authentication flow, and the terminal user, on receiving it, authenticates the system; if system authentication fails, the terminal user actively exits the procedure, otherwise it cooperates with the call service controller in carrying out the terminal user authentication flow.
In the above method, a step in which the edge access gateway authenticates the system is further included: in step 502, the registration message carries the edge access gateway's information for authenticating the system; in step 504, the call service controller at the same time sends the edge access gateway's request to authenticate the system to the security authentication server; in step 505, the security authentication server at the same time returns the edge access gateway's system authentication information to the call service controller; in step 506, the call service controller sends the system authentication information to the edge access gateway during the edge access gateway authentication flow, and the edge access gateway, on receiving it, authenticates the system; if system authentication fails, the edge access gateway actively exits the procedure, otherwise it cooperates with the call service controller in carrying out the edge access gateway authentication flow.
In the above method, the authentication security parameter group of the terminal user / edge access gateway includes a password, and the call service controller is provided with a separate step for verifying the terminal user / edge access gateway password.
In the above method, the authentication security parameter group of the terminal user / edge access gateway includes a password, and the password is either part of the key or is combined by computation with other security information configured on the terminal / edge access gateway to obtain the key; the security authentication server obtains the terminal user / edge access gateway key in the same way the key is obtained on that side.
In the above method, in step 510 the call service controller sends the authentication information relating to the terminal user to the edge access gateway and delegates the authentication of the terminal user to the edge access gateway; if the edge access gateway authenticates the terminal user successfully, it notifies the call service controller of the terminal user authentication success and step 511 is executed; otherwise it sends the terminal authentication failure information to the call service controller and step 513 is executed.
In the above method, in step 510 the call service controller sends the encryption-related and/or integrity-protection-related information from the terminal user authentication authorization vector to the edge access gateway during the authentication step, and the edge access gateway forwards it to the terminal user, so that the subsequent signaling steps transmit signaling in the manner described for the signaling security part.
In the above method, the registration step of the edge access gateway with the call service controller is initiated after the edge access gateway enters the in-service state.
In the above method, the security authentication server is a logical function module of the call service controller.
In the above method, in the signaling security transmission step, the terminal user security layer / edge access gateway security layer uses encryption, integrity protection, or both protection modes.
In the above method, in the signaling security transmission step, the security parameter information required by the terminal user security layer / edge access gateway security layer is configured in the call service controller and in the terminal user / edge access gateway respectively.
In the above method, in the signaling security transmission step, the signaling between the call service controller and the edge access gateway is transmitted only in the edge access gateway security layer mode.
In the above method, the two-way authentication between the user terminal and the call service controller and/or between the edge access gateway and the call service controller has a limited validity period, and two-way authentication must be performed again after it expires.
With this invention the user can securely access the softswitch network through the edge access gateway. Compared with the prior art, the invention supports more than one group of authentication modes between the call service controller and the terminal user; verifies whether the edge access gateway through which the user connects is legitimate; protects the signaling transmitted between the call service controller and the terminal user with encryption, integrity protection, or both; realizes two-way authentication between the terminal user and the system; and realizes two-way authentication between the edge access gateway and the system.
The invention is described below with reference to the drawings and specific embodiments, which do not limit the invention.
Description of drawings
Fig. 1 is a schematic diagram of a terminal user accessing the softswitch network;
Fig. 2 is a schematic diagram of the BAC registration flow;
Fig. 3 is a schematic diagram of the terminal user registration flow.
Embodiment
In the softswitch-based IP network architecture of the invention there is at least one core control device, hereinafter called the call service controller (CSCF); two or more user terminal devices (users); an edge access gateway (BAC); and a security authentication server (SAS).
In the invention, each terminal user or BAC has at least one authentication security parameter group, and each authentication security parameter group provides the parameter information needed for one or more of the security modes authentication, encryption and integrity protection. For each authentication security parameter group of each terminal user or each BAC, a corresponding authentication authorization parameter group is stored in the authentication server, providing the computation information needed for one or more of the security modes authentication, encryption and integrity protection of the terminal user or BAC.
In the invention, from each authentication authorization parameter group the authentication server can finally compute an authentication authorization vector, which provides the parameter information needed for one or more of the security modes authentication, encryption and integrity protection.
In the invention, the BAC provides at least a signaling proxy function between the call service controller and the terminal user.
The method of the invention has two parts: a registration part and a signaling security part.
The registration part completes the registration of the terminal on the call service controller through the BAC. During registration, with the participation of the security authentication server, two-way authentication is performed between the terminal and the call service controller and between the BAC and the call service controller. After authentication passes, the call service controller stores the BAC's encryption key and integrity key and the terminal user's encryption key and integrity key; it distributes the BAC's encryption key and integrity key together with the terminal user's encryption key and integrity key to the BAC, and distributes the terminal user's encryption key and integrity key to the terminal user. The detailed flow is as follows:
101. The terminal device sends a registration request message;
102. The BAC receives the registration request message and forwards it to the call service controller;
103. The call service controller receives the registration request message, parses it and obtains the terminal user and BAC identification information;
104. The call service controller checks whether the BAC is already registered; if it is, go to step 108; otherwise the call service controller sends a BAC authentication request to the security authentication server;
105. The security authentication server looks up the BAC authentication authorization parameter group, computes all authentication authorization vectors for the BAC and returns them to the call service controller;
106. The call service controller chooses one BAC authentication authorization vector from the returned vectors and authenticates the BAC in the subsequent signaling exchange; if the BAC passes authentication, go to step 107; otherwise go to step 113;
107. The call service controller registers the BAC and sends it the part of the chosen BAC authentication authorization vector that belongs to the BAC;
108. The call service controller sends a terminal user authentication request to the security authentication server;
109. The security authentication server looks up the terminal user authentication authorization parameter group, computes all authentication authorization vectors for the terminal user and returns them to the call service controller;
110. The call service controller chooses one terminal user authentication authorization vector from the returned vectors and, through the signaling proxy function of the BAC, authenticates the terminal user in the subsequent signaling exchange; if the terminal user passes authentication, go to step 111; otherwise go to step 113;
111. The call service controller performs the user registration and sends the registration success information, together with the part of the chosen terminal user authentication authorization vector that belongs to the BAC, to the BAC;
112. The BAC sends the part of the terminal user authentication authorization vector that belongs to the terminal user, together with the registration success response message, to the terminal user; the procedure ends;
113. The call service controller sends a registration failure response to the BAC;
114. The BAC sends the registration failure response message to the terminal user.
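The registration flow above (steps 101 to 114, claimed as steps 501 to 514) as an added simulation, not code from the patent or from ZTE: the SAS derives authentication authorization vectors (challenge RAND, expected authentication code XRES, encryption key CK, integrity key IK) from a shared secret K per identity, the call service controller skips BAC authentication when the BAC is already registered, and keys are distributed to the BAC and the terminal only after a successful challenge-response. The HMAC-SHA256 derivation, the identities and the secrets are assumptions standing in for the algorithm the patent leaves unspecified.

```python
import hashlib
import hmac
import secrets

# Constructed example: authentication authorization parameter groups held by the
# SAS, keyed by terminal user / BAC identity. Each holds a shared secret K.
# Identities and secrets are hypothetical, not from the patent.
SAS_PARAMS = {
    "bac-01": {"K": b"bac-shared-secret-01"},
    "user-42": {"K": b"user-shared-secret-42"},
}


def compute_vector(K: bytes, rand: bytes) -> dict:
    """Derive one authentication authorization vector from a parameter group.

    Fields follow the text: an authentication code (XRES) checked in the
    challenge-response, an encryption key (CK) and an integrity key (IK).
    HMAC-SHA256 stands in for the derivation the patent does not specify.
    """
    def prf(label: bytes) -> bytes:
        return hmac.new(K, label + rand, hashlib.sha256).digest()

    return {"RAND": rand, "XRES": prf(b"res")[:16], "CK": prf(b"ck"), "IK": prf(b"ik")}


def sas_vectors(identity: str, count: int = 2) -> list:
    """SAS side of steps 105/109: look up the parameter group, return all vectors."""
    K = SAS_PARAMS[identity]["K"]
    return [compute_vector(K, secrets.token_bytes(16)) for _ in range(count)]


class Party:
    """A terminal user or a BAC: knows its own K and answers challenges."""

    def __init__(self, identity: str, K: bytes):
        self.identity = identity
        self.K = K
        self.own_keys = None   # CK/IK received at the end of registration
        self.peer_keys = {}    # BAC only: terminal user keys received in step 111

    def respond(self, rand: bytes) -> bytes:
        # The challenged party recomputes the authentication code from its own K.
        return compute_vector(self.K, rand)["XRES"]


class CallServiceController:
    def __init__(self):
        self.registered = {}   # identity -> {"CK", "IK"} stored after authentication
        self.auth_log = []     # identities that went through steps 105-106 / 109-110

    def authenticate(self, party: Party, vectors: list) -> bool:
        """Steps 106/110: choose one vector, challenge the party, compare the response."""
        vec = vectors[0]
        self.auth_log.append(party.identity)
        response = party.respond(vec["RAND"])
        if not hmac.compare_digest(response, vec["XRES"]):
            return False
        self.registered[party.identity] = {"CK": vec["CK"], "IK": vec["IK"]}
        return True

    def register(self, terminal: Party, bac: Party) -> str:
        """Steps 104-114 for one registration request relayed by the BAC."""
        if bac.identity not in self.registered:                       # step 104
            if not self.authenticate(bac, sas_vectors(bac.identity)):
                return "registration failure"                         # steps 113/114
            bac.own_keys = dict(self.registered[bac.identity])        # step 107
        if not self.authenticate(terminal, sas_vectors(terminal.identity)):  # 108-110
            return "registration failure"                             # steps 113/114
        term_keys = dict(self.registered[terminal.identity])
        bac.peer_keys[terminal.identity] = term_keys                  # step 111
        terminal.own_keys = term_keys                                 # step 112
        return "registration success"


def demo() -> tuple:
    """Genuine user registers; an impersonator without the real K is refused."""
    csc = CallServiceController()
    bac = Party("bac-01", SAS_PARAMS["bac-01"]["K"])
    genuine = Party("user-42", SAS_PARAMS["user-42"]["K"])
    impostor = Party("user-42", b"wrong-secret")
    first = csc.register(genuine, bac)
    second = csc.register(impostor, bac)   # BAC already registered: step 104 skips its auth
    return first, second, list(csc.auth_log)
```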
In the invention, the signaling security part provides secure signaling transmission among the terminal, the BAC and the call service controller, and is layered into a terminal user security layer and a BAC security layer. The terminal user security layer is the secure transmission segment between the terminal user and the call service controller; the BAC security layer further protects the signaling between the terminal user and the call service controller on the segment between the BAC and the call service controller. In detail:
The terminal user security layer means that the plaintext signaling between the call service controller and the terminal user is processed with the encryption algorithm and integrity protection algorithm agreed between them. Specifically,
A. The call service controller uses the encryption key and integrity key shared between the call service controller and the terminal user: signaling sent to the terminal is encrypted and integrity-protected with the corresponding encryption and integrity algorithms; signaling received from the terminal is decrypted and integrity-checked with the corresponding encryption and integrity algorithms.
B. The terminal user uses the encryption key and integrity key shared between the terminal user and the call service controller: signaling sent to the call service controller is encrypted and integrity-protected with the corresponding encryption and integrity algorithms; signaling received from the call service controller is decrypted and integrity-checked with the corresponding encryption and integrity algorithms.
The BAC security layer processes, a second time, signaling that has already been processed by the first layer, so that everything transmitted between the call service controller and the terminal user is ciphertext signaling. When signaling has to pass through the BAC, the call service controller and the BAC process it again with the encryption algorithm and integrity protection algorithm agreed between the call service controller and the BAC. Specifically,
A. The BAC uses the encryption key and integrity key shared between the BAC and the call service controller: on receiving signaling from the call service controller destined for the terminal, it decrypts and integrity-checks the signaling with the corresponding encryption and integrity algorithms and then forwards it to the terminal; at the same time, it also decrypts and integrity-checks the signaling with the encryption key and integrity key shared between the call service controller and the terminal user, to obtain the information it carries. On receiving signaling from the terminal destined for the call service controller, it encrypts and integrity-protects the signaling with the corresponding encryption and integrity algorithms; at the same time, it also decrypts and integrity-checks the signaling with the encryption key and integrity key shared between the call service controller and the terminal user, to obtain the information it carries.
B. The call service controller uses the encryption key and integrity key shared between the call service controller and the BAC: signaling that the call service controller sends to the terminal through the BAC is encrypted and integrity-protected with the corresponding encryption and integrity algorithms; signaling that the terminal sends to the call service controller through the BAC is decrypted and integrity-checked with the corresponding encryption and integrity algorithms.
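The two security layers described above (and claimed in the signaling security transmission steps) as an added example, not code from the patent or from ZTE: the call service controller wraps each downlink message first with the terminal user keys and then with the BAC keys; the BAC strips the BAC layer, forwards the inner blob, and, as the signaling proxy, also reads the content with the terminal user keys; the uplink runs in reverse. The key values are constructed, and an HMAC-SHA256 keystream plus HMAC tag stand in for the unspecified encryption and integrity algorithms.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 12, 32


def _keystream(ck: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for the unspecified cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(ck, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(ck: bytes, ik: bytes, plaintext: bytes) -> bytes:
    """Encrypt with CK, then integrity-protect with IK: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(ck, nonce, len(plaintext))))
    tag = hmac.new(ik, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unprotect(ck: bytes, ik: bytes, blob: bytes) -> bytes:
    """Check the tag with IK before decrypting with CK; raise on any tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("integrity check failed")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(ik, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(ck, nonce, len(ct))))


# Constructed keys as distributed at the end of registration (hypothetical values):
# the terminal user keys are held by the CSC, the BAC and the terminal; the BAC
# keys only by the CSC and the BAC.
TERMINAL_KEYS = (b"ck-terminal-user-42", b"ik-terminal-user-42")
BAC_KEYS = (b"ck-bac-01", b"ik-bac-01")


def csc_send_downlink(signaling: bytes) -> bytes:
    """CSC -> BAC: terminal user layer first, then the BAC layer over the result."""
    return protect(*BAC_KEYS, protect(*TERMINAL_KEYS, signaling))


def bac_relay_downlink(blob: bytes) -> tuple:
    """BAC: strip the BAC layer, forward the inner blob, and also read its
    content with the CSC-terminal keys (returns both)."""
    inner = unprotect(*BAC_KEYS, blob)
    return inner, unprotect(*TERMINAL_KEYS, inner)


def terminal_receive(inner: bytes) -> bytes:
    return unprotect(*TERMINAL_KEYS, inner)


def terminal_send(signaling: bytes) -> bytes:
    return protect(*TERMINAL_KEYS, signaling)


def bac_relay_uplink(inner: bytes) -> tuple:
    """BAC: read the content, then add the BAC layer before forwarding to the CSC."""
    return protect(*BAC_KEYS, inner), unprotect(*TERMINAL_KEYS, inner)


def csc_receive(blob: bytes) -> bytes:
    return unprotect(*TERMINAL_KEYS, unprotect(*BAC_KEYS, blob))


def round_trip(msg: bytes) -> tuple:
    """One downlink and one uplink message through both layers."""
    inner, seen_by_bac_down = bac_relay_downlink(csc_send_downlink(msg))
    at_terminal = terminal_receive(inner)
    outer, seen_by_bac_up = bac_relay_uplink(terminal_send(msg))
    return at_terminal, seen_by_bac_down, csc_receive(outer), seen_by_bac_up


def tamper_detected(msg: bytes) -> bool:
    """Flip one ciphertext byte on the CSC-BAC segment; the BAC must reject it."""
    blob = bytearray(csc_send_downlink(msg))
    blob[NONCE_LEN] ^= 0x01
    try:
        bac_relay_downlink(bytes(blob))
    except ValueError:
        return True
    return False
```

A terminal holding only the terminal user keys cannot open the outer blob, which is why the text says signaling between the call service controller and the BAC travels only in BAC security layer mode.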
Further, in the invention, each authentication security parameter group of a terminal user or BAC includes at least one authentication mode and the parameters that mode requires; correspondingly, the authentication authorization vector computed by the authentication server includes at least parameter information such as an authentication mode type and an authentication code.
Further, in the invention, each authentication security parameter group of a terminal user or BAC may include an encryption mode and the parameters that mode requires; correspondingly, the authentication authorization vector computed by the authentication server includes parameter information such as an encryption algorithm type and an encryption key.
Further, in the invention, each authentication security parameter group of a terminal user or BAC may include an integrity protection mode and the parameters that mode requires; correspondingly, the authentication authorization vector computed by the authentication server includes parameter information such as an integrity algorithm type and an integrity key.
Further, the terminal user may also authenticate the system: in step 101 the registration message carries the terminal user's information for authenticating the system; in step 108 the call service controller at the same time sends the terminal user's request to authenticate the system to the security authentication server; in step 109 the security authentication server at the same time returns the terminal user's system authentication information to the call service controller; in step 110 the call service controller sends the system authentication information to the terminal during the terminal user authentication flow, and the terminal user, on receiving it, authenticates the system; if system authentication fails, the terminal user actively exits the procedure, otherwise it cooperates with the call service controller in carrying out the terminal user authentication flow.
Further, the BAC may also authenticate the system: in step 102 the registration message carries the BAC's information for authenticating the system; in step 104 the call service controller at the same time sends the BAC's request to authenticate the system to the security authentication server; in step 105 the security authentication server at the same time returns the BAC's system authentication information to the call service controller; in step 106 the call service controller sends the system authentication information to the BAC during the BAC authentication flow, and the BAC, on receiving it, authenticates the system; if system authentication fails, the BAC actively exits the procedure, otherwise it cooperates with the call service controller in carrying out the BAC authentication flow.
Further, the terminal user authentication security parameter group may include a password, and the call service controller adds a separate verification flow for the terminal user's password.
Further, the terminal user authentication security parameter group may include a password that serves as part of the key, and correspondingly the security authentication server obtains the terminal user's key in the same way.
Further, the terminal user authentication security parameter group may include a password from which, combined by computation with other security information configured on the terminal, the key is obtained, and correspondingly the security authentication server obtains the terminal user's key in the same way.
Further, the BAC authentication security parameter group may include a password, and the call service controller adds a separate verification flow for the BAC password.
Further, the BAC authentication security parameter group may include a password that serves as part of the key, and correspondingly the security authentication server obtains the BAC key in the same way.
Further, can comprise password in the IAD authentication security parameter group of limit, password can obtain key through computing with other security information of marginal IAD configuration, and correspondingly the authentication security server takes identical mode to obtain marginal IAD key.
Further, the marginal IAD that step 104 of the present invention is described in the step 107 can be carried out before this flow process separately to call service controller register flow path, initiated after entering service state by marginal IAD.
Further, in step 110, the call service controller can send to the authentication information relevant with the terminal use marginal IAD, entrust marginal IAD that the terminal use is authenticated, after if marginal IAD passes through terminal user authentication, give call service controller, execution in step 111 with the message informing of terminal user authentication success; Otherwise the information that sends the terminal authentication failure is to the call service controller, execution in step 113.
Further; in step 110; the call service controller can send to marginal IAD with the relevant information of one or two aspect of encryption relevant with the terminal use in the terminal user authentication authorization vector and these two aspect relevant informations of integrity protection in the flow process of authentication; be transmitted to the terminal use further by marginal IAD again, thereby the mode that can adopt the signaling security hop to describe is carried out the signaling transmission in follow-up signaling process.
Further, the Security Authentication Service device among the present invention can be a logic function module in the call service controller.
Further, the partial function of the Security Authentication Service device among the present invention can be a logic function module in the call service controller.Such as marginal IAD encryption section function, marginal IAD integrity protection partial function etc.
Further, in the signaling security hop among the present invention, the terminal user safety layer can adopt one or both modes in encryption, this dual mode of integrity protection, and perhaps dual mode does not adopt.
Further, in the signaling security hop among the present invention, the needed security parameter information of terminal user safety layer can configure in call service controller and terminal use respectively.
Further, in the signaling security hop among the present invention, marginal IAD safe floor can adopt one or both modes in encryption, this dual mode of integrity protection, and perhaps dual mode does not adopt.
Further, in the signaling security hop among the present invention, the needed security parameter information of marginal IAD safety laminar can configure in call service controller and marginal IAD respectively.
Further, in the signaling security hop among the present invention, can only adopt marginal IAD safe floor mode to transmit in the signaling between call service controller and the marginal IAD, use marginal IAD safe floor to replace terminal use's layer safe floor by marginal IAD.
In the present embodiment, cryptographic algorithm and integral algorithm all adopt symmetric encipherment algorithm, session key can directly obtain according to the shared key that is pre-configured on communication entity and the Security Authentication Service device, also can calculate acquisition according to sharing key and random number on this basis.
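The two security layers described above, as an added example that is not code from the patent or from ZTE: a small Python model in which signaling is protected first at the terminal user layer (keys shared by the terminal user and the call service controller) and then wrapped in the edge access gateway layer (keys shared by the edge access gateway and the call service controller), with either layer able to run encryption only, integrity protection only, both or neither, as the text allows. The patent fixes no algorithms; HMAC-SHA256 is assumed for the integrity tag and, as a stand-in for a real symmetric cipher, also as the keystream generator. The 12-byte nonce, the nonce || body || tag layout, the function names and all key values are assumptions of this example.

```python
# Added example, not part of the patent: layered signaling protection.
# Assumptions: HMAC-SHA256 integrity tags (encrypt-then-MAC); an HMAC-SHA256
# counter keystream stands in for a real symmetric cipher; the wire layout is
# nonce(12) || body || tag(32), the tag being present only when an IK is set.
import hmac
import hashlib
import secrets

def keystream(ck: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (illustrative cipher, not a standard one)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(ck, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class SecurityLayer:
    """One security layer: ck=None disables encryption, ik=None disables integrity protection."""
    NONCE, TAG = 12, 32

    def __init__(self, ck: bytes = None, ik: bytes = None):
        self.ck, self.ik = ck, ik

    def protect(self, data: bytes) -> bytes:
        nonce = secrets.token_bytes(self.NONCE)
        body = xor_bytes(data, keystream(self.ck, nonce, len(data))) if self.ck else data
        tag = hmac.new(self.ik, nonce + body, hashlib.sha256).digest() if self.ik else b""
        return nonce + body + tag            # the tag covers nonce and ciphertext

    def unprotect(self, blob: bytes):
        """Returns the inner data, or None when the integrity check fails."""
        nonce, rest = blob[:self.NONCE], blob[self.NONCE:]
        if self.ik:
            body, tag = rest[:-self.TAG], rest[-self.TAG:]
            expected = hmac.new(self.ik, nonce + body, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, expected):
                return None                  # tampered or wrong key: drop the signaling
        else:
            body = rest
        return xor_bytes(body, keystream(self.ck, nonce, len(body))) if self.ck else body

def send_two_layers(inner: SecurityLayer, outer: SecurityLayer, signaling: bytes) -> bytes:
    """Terminal user layer applied first, edge access gateway layer wrapped around it."""
    return outer.protect(inner.protect(signaling))

def receive_two_layers(inner: SecurityLayer, outer: SecurityLayer, wire: bytes):
    """Strip the edge access gateway layer, then the terminal user layer; None on any failure."""
    middle = outer.unprotect(wire)
    return None if middle is None else inner.unprotect(middle)

def bac_strip_own_layer(outer: SecurityLayer, wire: bytes):
    """Downlink at the BAC: only the edge access gateway layer is removed before forwarding."""
    return outer.unprotect(wire)
```

With both layers keyed, a single flipped byte anywhere on the edge access gateway hop is caught by the outer tag before the terminal user layer is even examined; with the terminal user layer constructed as `SecurityLayer()` the model degenerates to the edge-access-gateway-only mode in which the gateway's layer stands in for the terminal user's.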
Figure 1 shows the network diagram for terminal access to the softswitch network. UE denotes the terminal user, BAC the edge access gateway, MGC the call service controller and SAS the security authentication server; the dotted lines indicate that the security authentication parameters of each functional entity are stored on the SAS, and the solid lines indicate the communication relationships between the functional entities.
Figure 2 shows a BAC initiating registration with the MGC, in detail:
201. The BAC sends a registration request to the MGC; the registration request message carries the BAC identifier and the system authentication random value RandA.
202. On receipt, the MGC sends an authentication request (covering both BAC authentication and system authentication) to the security authentication server, carrying the BAC identifier and RandA.
203. The security authentication server generates a random number RandB, computes the BAC authentication code, the integrity protection key IKbac and the encryption key CKbac, and computes the system authentication code from RandA. RandB, the BAC authentication code, IKbac, CKbac and the system authentication code together form an authentication vector AV.
204. The security authentication server sends an authentication success response to the MGC carrying the authentication vector AV.
205. The MGC stores the authentication vector AV.
206. The MGC answers the BAC with a registration failure message instructing the BAC to send the registration request again, carrying RandB and the system authentication code from the AV.
207. The BAC computes an authentication code from RandA and compares it with the system authentication code received from the MGC. If they match, the system authentication has passed and the BAC then computes IKbac, CKbac and the BAC authentication code from RandB; otherwise it aborts the procedure and the registration fails.
208. The BAC sends the registration request to the MGC again, carrying the BAC authentication code, and integrity-protects the message with IKbac.
209. On receipt, the MGC first performs the integrity check; if the check fails, the MGC sends a registration failure message to the BAC and executes step 211. Otherwise it compares the BAC authentication code received from the security authentication server with the one received from the BAC; if they differ, it sends a registration failure message to the BAC and executes step 211. Otherwise it registers the BAC.
210. The MGC sends a registration success message to the BAC.
211. The MGC sends the BAC authentication result notification to the security authentication server.
Figure 3 shows a terminal user initiating registration with the MGC, in detail:
301. The terminal user UE sends a registration request to the BAC; the registration request message carries the terminal user identifier and the system authentication random value RandC.
302. On receipt, the BAC forwards the terminal user's registration request to the MGC and integrity-protects the message with IKbac.
303. On receipt, the MGC performs the integrity check. If the check fails, the MGC answers the BAC with a registration failure, the BAC forwards it to the UE, and the procedure ends.
304. Otherwise the MGC sends an authentication request (covering both UE authentication and system authentication) to the security authentication server, carrying the UE identifier and RandC.
305. The security authentication server generates a random number RandD, computes the UE authentication code and the encryption key Ku, and computes the system authentication code from RandC. RandD, the UE authentication code, Ku and the system authentication code together form an authentication vector AV.
306. The security authentication server sends an authentication success response to the MGC carrying the authentication vector AV.
307. The MGC stores the authentication vector AV.
308. The MGC answers the BAC with a UE registration failure message instructing the UE to send the registration request again, carrying RandD and the system authentication code from the AV.
309. On receipt of the registration failure message, the BAC forwards it to the UE.
310. The UE computes an authentication code from RandC and compares it with the system authentication code received from the MGC. If they match, the system authentication has passed and the UE then computes the encryption key and the UE authentication code from RandD; otherwise it aborts the procedure and the registration fails.
311. The UE sends the registration request to the BAC again, carrying the UE authentication code.
312. The BAC integrity-protects the message with IKbac.
313. The BAC forwards the UE registration request message to the MGC.
314. On receipt, the MGC first performs the integrity check; if the check fails, the MGC sends a UE registration failure message to the BAC and executes step 316. Otherwise it compares the UE authentication code received from the security authentication server with the one received from the UE; if they differ, it sends a registration failure message to the BAC and executes step 316. Otherwise it registers the UE.
315. The MGC sends a registration success message to the BAC, carrying Ku from the authentication vector AV encrypted with CKbac; the whole message is integrity-protected with IKbac.
316. On receipt of the MGC message, the BAC performs the integrity check. If the check passes, the BAC decrypts Ku with CKbac; otherwise the UE registration fails, the BAC notifies the MGC of the registration failure, and the remaining steps continue.
317. The BAC forwards the registration result message to the UE.
318. The MGC sends the UE authentication result notification to the security authentication server.
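The two registration flows of Figures 2 and 3, as an added runnable model that is not code from the patent or from ZTE. The patent does not fix the algorithms, so the example assumes HMAC-SHA256 as the pseudo-random function for every authentication code and key, with each BAC and UE sharing one long-term key with the SAS; a one-block HMAC keystream stands in for encrypting Ku under CKbac, and the message field names, the two-byte length prefix in the PRF and the `register_bac` / `register_ue` functions are all inventions of this example. It shows both directions of the mutual authentication: the SAS answers the entity's challenge (RandA, RandC) with a system authentication code the entity checks before it computes anything else, and the entity answers the SAS challenge (RandB, RandD) with the authentication code the MGC compares against the stored vector.

```python
# Added example, not taken from the patent: a model of the BAC registration flow of
# Figure 2 (steps 201-211) and the UE registration flow of Figure 3 (steps 301-318).
# Assumptions: HMAC-SHA256 as the PRF for every code and key; one long-term key per
# entity shared with the SAS; a one-block HMAC keystream for encrypting Ku under CKbac;
# message fields and their canonical encoding are invented here.
import hmac
import hashlib
import secrets

def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over a purpose label and length-prefixed parts."""
    h = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

def tag(ik: bytes, msg: dict) -> bytes:
    """Integrity tag over every field except the tag itself, in a fixed field order."""
    canon = b"|".join(k.encode() + b"=" + (v if isinstance(v, bytes) else str(v).encode())
                      for k, v in sorted(msg.items()) if k != "tag")
    return prf(ik, b"tag", canon)

def wrap_key(ck: bytes, nonce: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt a 32-byte key by XOR with one HMAC block (illustrative only)."""
    return bytes(a ^ b for a, b in zip(key, prf(ck, b"wrap", nonce)))

class SAS:
    """Security authentication server: holds the long-term key of every BAC and UE."""
    def __init__(self, keys: dict):
        self.keys = keys
    def auth_vector(self, ident: str, rand_net: bytes) -> dict:
        """Step 203 / 305: the AV from the entity's key and both random values."""
        k, rand_sas = self.keys[ident], secrets.token_bytes(16)
        return {"rand": rand_sas, "sys_code": prf(k, b"sys", rand_net),   # network proves itself
                "auth_code": prf(k, b"auth", rand_sas),                   # entity must reproduce
                "ik": prf(k, b"IK", rand_sas), "ck": prf(k, b"CK", rand_sas)}  # UE uses only ck (Ku)

class Peer:
    """A BAC or a UE: repeats the SAS computation from its own copy of the shared key."""
    def __init__(self, ident: str, key: bytes):
        self.ident, self.key, self.ik, self.ck = ident, key, None, None
    def challenge(self) -> bytes:
        self.rand_net = secrets.token_bytes(16)       # RandA / RandC: challenge to the network
        return self.rand_net
    def check_network(self, sys_code: bytes, rand_sas: bytes):
        """Step 207 / 310: verify the network's answer, then derive keys and the auth code."""
        if not hmac.compare_digest(sys_code, prf(self.key, b"sys", self.rand_net)):
            return None                                 # system authentication failed: abort
        self.ik, self.ck = prf(self.key, b"IK", rand_sas), prf(self.key, b"CK", rand_sas)
        return prf(self.key, b"auth", rand_sas)

class MGC:
    """Call service controller: relays challenges, stores AVs, compares authentication codes."""
    def __init__(self, sas: SAS):
        self.sas, self.av, self.registered = sas, {}, set()
    def first_request(self, ident: str, rand_net: bytes):
        """Steps 202-206 / 304-308: fetch and store the AV, answer 'register again'."""
        self.av[ident] = self.sas.auth_vector(ident, rand_net)
        return self.av[ident]["sys_code"], self.av[ident]["rand"]
    def second_request(self, ident: str, auth_code: bytes) -> bool:
        """Step 209 / 314: constant-time compare of the SAS code with the peer's code."""
        ok = hmac.compare_digest(auth_code, self.av[ident]["auth_code"])
        if ok:
            self.registered.add(ident)
        return ok

def register_bac(mgc: MGC, bac: Peer) -> bool:
    """Figure 2: the BAC registers directly with the MGC."""
    sys_code, rand_b = mgc.first_request(bac.ident, bac.challenge())           # 201-206
    code = bac.check_network(sys_code, rand_b)                                   # 207
    if code is None:
        return False
    msg = {"id": bac.ident, "auth": code}
    msg["tag"] = tag(bac.ik, msg)                                                # 208: under IKbac
    if not hmac.compare_digest(msg["tag"], tag(mgc.av[bac.ident]["ik"], msg)):  # 209: integrity
        return False
    return mgc.second_request(bac.ident, msg["auth"])                           # 209-211

def register_ue(mgc: MGC, bac: Peer, ue: Peer):
    """Figure 3: the UE registers through a registered BAC; returns Ku as the BAC recovers it."""
    if bac.ident not in mgc.registered or bac.ik is None:
        return None
    def via_bac(msg: dict) -> bool:             # 302/312: BAC tags with IKbac; 303/314: MGC checks
        msg["tag"] = tag(bac.ik, msg)
        return hmac.compare_digest(msg["tag"], tag(mgc.av[bac.ident]["ik"], msg))
    if not via_bac({"id": ue.ident, "rand": ue.challenge()}):                  # 301-303
        return None
    sys_code, rand_d = mgc.first_request(ue.ident, ue.rand_net)                # 304-309
    code = ue.check_network(sys_code, rand_d)                                    # 310
    if code is None or not via_bac({"id": ue.ident, "auth": code}):            # 311-314
        return None
    if not mgc.second_request(ue.ident, code):                                  # 314
        return None
    bac_av, nonce = mgc.av[bac.ident], secrets.token_bytes(16)                  # 315: Ku under CKbac,
    reply = {"id": ue.ident, "nonce": nonce,
             "eku": wrap_key(bac_av["ck"], nonce, mgc.av[ue.ident]["ck"])}
    reply["tag"] = tag(bac_av["ik"], reply)                                     #      message under IKbac
    if not hmac.compare_digest(reply["tag"], tag(bac.ik, reply)):               # 316: BAC integrity check
        return None
    return wrap_key(bac.ck, reply["nonce"], reply["eku"])                       # 316-318: BAC holds Ku

if __name__ == "__main__":
    sas = SAS({"bac1": secrets.token_bytes(32), "ue1": secrets.token_bytes(32)})
    mgc, bac, ue = MGC(sas), Peer("bac1", sas.keys["bac1"]), Peer("ue1", sas.keys["ue1"])
    print("BAC registered:", register_bac(mgc, bac))
    print("UE registered, Ku agreed:", register_ue(mgc, bac, ue) == ue.ck)
    print("BAC with wrong key:", register_bac(MGC(sas), Peer("bac1", b"\x00" * 32)))
```

Two points the flows leave implicit are made explicit here: every comparison of a code or tag uses a constant-time compare, and the UE flow refuses to start unless the BAC it arrives through already holds a registered IKbac, since the MGC has nothing with which to check the BAC hop before then.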
The embodiment above describes in detail one procedure by which a terminal user registers securely with the call service controller through the edge access gateway; the registration commands and registration flow involved are illustrative only and are given for reference.
With the present invention a user can be connected securely to the softswitch network through the edge access gateway; specifically, it has the following benefits:
1. More than one set of authentication modes is available between the call service controller and the terminal user;
2. The legitimacy of the edge access gateway through which the user accesses the network is verified;
3. Signaling between the call service controller and the terminal user can be protected by encryption, by integrity protection, or by both;
4. Mutual authentication between the terminal user and the network is achieved;
5. Mutual authentication between the edge access gateway and the network is achieved.
Of course, the present invention can have various other embodiments. Without departing from its spirit and essence, those of ordinary skill in the art can make corresponding changes and variations according to the present invention, and all such changes and variations fall within the scope of protection of the appended claims.

Claims (19)

1. A method for a terminal user to access a softswitch network securely, applicable to an IP network system based on a softswitch, the IP network system comprising at least one call service controller, an edge access gateway, a security authentication server and two or more user terminals, the edge access gateway having at least a signaling proxy function between the call service controller and the user terminals; characterised in that the method comprises the steps of:
a registration step, in which the user terminal registers with the call service controller through the edge access gateway and, with the participation of the security authentication server, mutual authentication is achieved between the user terminal and the call service controller and/or between the edge access gateway and the call service controller; and
a signaling security transmission step, in which a terminal user security layer and an edge access gateway security layer are set up among the user terminal, the edge access gateway and the call service controller for the secure transmission of signaling, the terminal user security layer providing secure transmission between the terminal user and the call service controller, and the edge access gateway security layer providing secure transmission between the edge access gateway and the call service controller for the signaling exchanged between the terminal user and the call service controller.
2. The method of claim 1, characterised in that the terminal user or the edge access gateway is provided with at least one authentication security parameter set supplying the parameter information required by any one or more of the protection modes authentication, encryption and integrity protection; and that, for each authentication security parameter set of the terminal user or edge access gateway, a corresponding authentication authorization parameter set is provided in the security authentication server supplying the computation information required by any one or more of the protection modes authentication, encryption and integrity protection of the terminal user and the edge access gateway.
3. The method of claim 2, characterised in that, from each authentication authorization parameter set, the security authentication server further supplies the parameter information required by any one or more of authentication, encryption and integrity protection by computing an authentication vector.
4. The method of claim 1, 2 or 3, characterised in that, after the authentication step, the call service controller stores the edge access gateway encryption key and/or integrity key and the terminal user encryption key and/or integrity key; distributes the edge access gateway encryption key and/or integrity key and the terminal user encryption key and/or integrity key to the edge access gateway; and distributes the terminal user encryption key and/or integrity key to the terminal user.
5. The method of claim 4, characterised in that the registration step further comprises:
step 501, the terminal equipment sends a registration request message;
step 502, on receipt, the edge access gateway forwards the registration request message to the call service controller;
step 503, on receipt of the registration request message, the call service controller analyses it to obtain the terminal user and edge access gateway identification information;
step 504, the call service controller determines whether the edge access gateway is registered; if it is, step 508 is executed; otherwise the call service controller sends an edge access gateway authentication request to the security authentication server;
step 505, the security authentication server looks up the edge access gateway authentication authorization parameter set, computes all authentication vectors corresponding to the edge access gateway and returns them to the call service controller;
step 506, the call service controller chooses one edge access gateway authentication vector from all the authentication vectors corresponding to the edge access gateway and authenticates the edge access gateway in the subsequent signaling exchange; if the edge access gateway passes verification, step 507 is executed, otherwise step 513;
step 507, the call service controller registers the edge access gateway and sends the information belonging to the edge access gateway in the chosen edge access gateway authentication vector to the edge access gateway;
step 508, the call service controller sends a terminal user authentication request to the security authentication server;
step 509, the security authentication server looks up the terminal user authentication authorization parameter set, computes all authentication vectors corresponding to the terminal user and returns them to the call service controller;
step 510, the call service controller chooses one terminal user authentication vector from all the authentication vectors corresponding to the terminal user and, through the signaling proxy function of the edge access gateway, authenticates the terminal user in the subsequent signaling exchange; if the terminal user passes authentication, step 511 is executed, otherwise step 513;
step 511, the call service controller registers the user and sends the terminal user registration success information, together with the information belonging to the edge access gateway in the chosen terminal user authentication vector, to the edge access gateway;
step 512, the edge access gateway sends the registration success response, together with the information belonging to the terminal user in the terminal user authentication vector, to the terminal user, and the procedure ends;
step 513, the call service controller sends a registration failure response to the edge access gateway; and
step 514, the edge access gateway sends the registration failure response message to the terminal user.
6. The method of claim 1, characterised in that secure transmission using the terminal user security layer further comprises the steps of:
the call service controller using the encryption key and integrity key shared between the call service controller and the terminal user for secure transmission: signaling sent to the terminal is encrypted and integrity-protected with the corresponding encryption algorithm and integrity algorithm, and signaling received from the terminal is decrypted and integrity-checked with the corresponding encryption algorithm and integrity algorithm;
the terminal user using the encryption key and integrity key shared between the terminal user and the call service controller for secure transmission: signaling sent to the call service controller is encrypted and integrity-protected with the corresponding encryption algorithm and integrity algorithm, and signaling received from the call service controller is decrypted and integrity-checked with the corresponding encryption algorithm and integrity algorithm.
7. The method of claim 1 or 6, characterised in that secure transmission using the edge access gateway security layer further comprises the steps of:
the edge access gateway using the encryption key and integrity key shared between the edge access gateway and the call service controller: on receiving signaling sent by the call service controller to the user terminal, it decrypts and integrity-checks the signaling with the corresponding encryption algorithm and integrity algorithm and then sends it to the user terminal, and at the same time decrypts and integrity-checks the signaling with the encryption key and integrity key shared between the call service controller and the terminal user to obtain the information it contains; on receiving signaling sent by the user terminal to the call service controller, it encrypts and integrity-protects the signaling with the corresponding encryption algorithm and integrity algorithm, and at the same time decrypts and integrity-checks the signaling with the encryption key and integrity key shared between the call service controller and the terminal user to obtain the information it contains;
the call service controller using the encryption key and integrity key shared between the call service controller and the edge access gateway: signaling sent by the call service controller through the edge access gateway to the user terminal is encrypted and integrity-protected with the corresponding encryption algorithm and integrity algorithm, and signaling sent by the user terminal through the edge access gateway to the call service controller is decrypted and integrity-checked with the corresponding encryption algorithm and integrity algorithm.
8. The method of claim 5, characterised in that it further comprises a system authentication step for the terminal user: in step 501, the registration message carries the terminal user's system authentication information; in step 508, the call service controller also sends the terminal user's system authentication request to the security authentication server; in step 509, the security authentication server also returns the system authentication information for the terminal user to the call service controller; in step 510, the call service controller sends the system authentication information to the terminal during the terminal user authentication procedure, and on receiving it the terminal user verifies the network; if the verification fails the terminal user aborts the procedure on its own initiative, otherwise it continues the terminal user authentication procedure together with the call service controller.
9. The method of claim 5 or 8, characterised in that it further comprises a system authentication step for the edge access gateway: in step 502, the registration message carries the edge access gateway's system authentication information; in step 504, the call service controller also sends the edge access gateway's system authentication request to the security authentication server; in step 505, the security authentication server also returns the system authentication information for the edge access gateway to the call service controller; in step 506, the call service controller sends the system authentication information to the edge access gateway during the edge access gateway authentication procedure, and on receiving it the edge access gateway verifies the network; if the verification fails the edge access gateway aborts the procedure on its own initiative, otherwise it continues the edge access gateway authentication procedure together with the call service controller.
10. The method of claim 1, 2, 3, 5, 6 or 8, characterised in that the authentication security parameter set of the terminal user or edge access gateway contains a password, and the call service controller is provided with a separate verification step for the password of the terminal user or edge access gateway.
11. The method of claim 1, 2, 3, 5, 6 or 8, characterised in that the authentication security parameter set of the terminal user or edge access gateway contains a password, the password being part of the key or being combined by computation with other security information configured on the terminal or edge access gateway to obtain the key; and the security authentication server obtains the key of the terminal user or edge access gateway in the same way as that key is obtained.
12. The method of claim 5, characterised in that, in step 510, the call service controller sends the authentication information concerning the terminal user to the edge access gateway and delegates the terminal user authentication to it; if the edge access gateway authenticates the terminal user successfully, it notifies the call service controller with a terminal user authentication success message and step 511 is executed; otherwise it sends a terminal authentication failure message to the call service controller and step 513 is executed.
13. The method of claim 5, characterised in that, in step 510, the call service controller sends, during the authentication step, the encryption information and/or the integrity protection information concerning the terminal user from the terminal user authentication vector to the edge access gateway, which forwards it on to the terminal user, so that the subsequent signaling step carries signaling in the manner described in the signaling security transmission step.
14. The method of claim 5, characterised in that the registration step of the edge access gateway with the call service controller is initiated after the edge access gateway enters the service state.
15. The method of claim 1, characterised in that the security authentication server is a logical function module of the call service controller.
16. The method of claim 1, characterised in that, in the signaling security transmission step, the terminal user security layer and the edge access gateway security layer each use any one or both of the protection modes encryption and integrity protection.
17. The method of claim 1, characterised in that, in the signaling security transmission step, the security parameter information required by the terminal user security layer and by the edge access gateway security layer is configured respectively in the call service controller and in the terminal user or edge access gateway.
18. The method of claim 1, characterised in that, in the signaling security transmission step, the signaling between the call service controller and the edge access gateway is carried in the edge access gateway security layer only.
19. The method of claim 1, characterised in that the mutual authentication between the user terminal and the call service controller and/or between the edge access gateway and the call service controller has a limited validity period, and mutual authentication must be performed again after it expires.
Application CN200510011503A, priority date 2005-03-30, filing date 2005-03-30: Method for terminal user safety access soft handoff network (Expired - Fee Related; granted as CN100579012C (en))

Publications (2)

Publication Number Publication Date
CN1841998A true CN1841998A (en) 2006-10-04
CN100579012C CN100579012C (en) 2010-01-06

Family ID=37030855

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009109093A1 (en) * 2008-03-06 2009-09-11 华为技术有限公司 Method, device and system for certifying response message
CN101127663B (en) * 2007-09-13 2010-11-03 北京交通大学 A system and method for access of mobile self-organized network to integrated network
CN101888623A (en) * 2010-05-14 2010-11-17 东南大学 Safety service-based mobile network safety protection method
CN101119206B (en) * 2007-09-13 2011-03-02 北京交通大学 Identification based integrated network terminal united access control method
WO2012092870A1 (en) * 2011-01-07 2012-07-12 中兴通讯股份有限公司 Proxy method, device and system for voip service
CN101350721B (en) * 2007-07-20 2012-08-08 华为技术有限公司 Network system, network access method and network appliance
CN108712421A (en) * 2018-05-18 2018-10-26 中国联合网络通信集团有限公司 Method and device, soft switch method of calling and the system of access gateway registration
CN114500066A (en) * 2022-02-08 2022-05-13 北京沃东天骏信息技术有限公司 Information processing method, gateway and communication system

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101350721B (en) * 2007-07-20 2012-08-08 华为技术有限公司 Network system, network access method and network appliance
CN101127663B (en) * 2007-09-13 2010-11-03 北京交通大学 A system and method for access of mobile self-organized network to integrated network
CN101119206B (en) * 2007-09-13 2011-03-02 北京交通大学 Identification based integrated network terminal united access control method
WO2009109093A1 (en) * 2008-03-06 2009-09-11 华为技术有限公司 Method, device and system for certifying response message
CN101888623A (en) * 2010-05-14 2010-11-17 东南大学 Safety service-based mobile network safety protection method
CN101888623B (en) * 2010-05-14 2012-08-22 东南大学 Safety service-based mobile network safety protection method
WO2012092870A1 (en) * 2011-01-07 2012-07-12 中兴通讯股份有限公司 Proxy method, device and system for voip service
CN108712421A (en) * 2018-05-18 2018-10-26 中国联合网络通信集团有限公司 Access gateway registration method and device, and soft switch calling method and system
CN114500066A (en) * 2022-02-08 2022-05-13 北京沃东天骏信息技术有限公司 Information processing method, gateway and communication system

Also Published As

Publication number Publication date
CN100579012C (en) 2010-01-06

Similar Documents

Publication Publication Date Title
KR101508576B1 (en) Home node-b apparatus and security protocols
CN1961557A (en) Method and system for a secure connection in communication networks
EP2713546B1 (en) Method and apparatuses for establishing a data transmission via sip
EP2208330B1 (en) Method and apparatuses for determining whether femtocell is authorized to provide wireless connectivity to a mobile unit
CN1719795A (en) Device and process for wireless local area network association and related products
CN1841998A (en) Method for terminal user safety access soft handoff network
CN1668005A (en) An access authentication method suitable for wired and wireless network
CN1751533A (en) Method for creating and distributing cryptographic keys in a mobile radio system, and corresponding mobile radio system
US20090191845A1 (en) Network enforced access control for femtocells
CN101052033A (en) Certifying and key consulting method and its device based on TTP
CN1929398A (en) Security setting method in wireless communication network, storage medium, network system and client device
CN1859093A (en) Method for verifying user terminal in IP multimedia subsystem
CN1805333A (en) Data security in wireless network system
CN1946233A (en) Mechanism to avoid double-encryption in mobile networks
CN1859729A (en) Authentifying method and relative information transfer method
CN101030854A (en) Method and apparatus for inter-verifying network between multi-medium sub-systems
CN101056456A (en) Method and secure system for authenticating the radio evolution network
CN1929371A (en) Method for negotiating key share between user and peripheral apparatus
CN1870812A (en) Method for selecting safety mechanism of IP multimedia subsystem access field
CN1614903A (en) Method for authenticating users
CN1977559A (en) Method and system for protecting information exchanged during communication between users
CN103795966B (en) A kind of security video call implementing method and system based on digital certificate
CN101047505A (en) Method and system for setting safety connection in network application PUSH service
CN1658547A (en) Cryptographic keys distribution method
US8442527B1 (en) Cellular authentication for authentication to a service

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100106

Termination date: 20180330