JP2008015696A - Authentication method, mobile communication terminal device, domain system, home domain system, and authentication system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To speed up authentication of a mobile communication terminal device moving between different kinds of domains. <P>SOLUTION: When receiving a MAC address from a base station belonging to a second domain system 120<SB>2</SB>, a mobile communication terminal device 110 inquires of a first domain system 120<SB>1</SB>about identification information of the second domain system 120<SB>2</SB>. The first domain system 120<SB>1</SB>searches this information in itself and inquires of the second domain system 120<SB>2</SB>in the case of the absence. When this information is returned from the second domain system 120<SB>2</SB>, the first domain system 120<SB>1</SB>informs the mobile communication terminal device 110. When receiving an authentication preparation request to the second domain system 120<SB>2</SB>from the mobile communication terminal device 110, a home domain system 120<SB>3</SB>generates an authentication key and sends it to the mobile communication terminal device 110 and the second domain system 120<SB>2</SB>. WHen the mobile communication terminal device 110 is actually moved, the authentication key is used to perform authentication. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to an authentication method, a mobile communication terminal device, a domain system, a home domain system, and an authentication system. More specifically, an authentication method for performing authentication required when a base station that is a wireless communication destination of the mobile communication terminal apparatus is changed due to movement of the mobile communication terminal apparatus, and a mobile communication terminal apparatus that is an authentication target by the authentication method The present invention relates to an authentication system that uses the authentication method, a domain system that constitutes the authentication system, and a home domain system that is a contract partner of communication of a mobile communication terminal device.

  2. Description of the Related Art Conventionally, a wired network network in which an information communication device such as a computer is connected as a communication terminal device has been remarkable. Furthermore, in recent years, network networks for connecting to a wireless local area network (LAN) from indoors and outdoors, and base stations that are radio stations for connecting to the network have been developed, and mobile phones and PDAs (Personal Digital Assistants) have been developed. An environment in which communication terminal devices such as the above can be connected to the Internet from any place is being prepared. Under such an environment, the communication terminal device can connect to the network by making a contract with an Internet service provider (hereinafter also referred to as “ISP”).

  In general, in order to connect to the Internet through an ISP, the communication terminal device is authenticated by logging in (Authentication), the “connection to the Internet” service is authorized (Authorization), and charging according to the use of the service is managed ( Accounting). These are collectively referred to as “AAA”, and the AAA is performed each time the communication terminal apparatus is connected to the network.

  By the way, a mobile communication terminal apparatus which is a movable communication terminal apparatus is connected to the Internet network via a base station which is an access point (hereinafter also referred to as “AP”). For this reason, the mobile communication terminal device needs to change the base station to be connected with the movement. The act of changing the base station to be connected is called handover.

  During such a handover, communication is interrupted until access authentication and authority confirmation of the mobile communication terminal device in the destination domain system (that is, the destination “management domain”) is completed. For this reason, various methods have been proposed for eliminating or shortening the communication interruption time during handover.

  For example, an FPANA (Fast Protocol for Carrying Authentication for Network Access) method has been proposed as a method for performing high-speed handover between the same domains (hereinafter referred to as “conventional example 1”). It is described in. In the technique of the conventional example 1, authentication session information about a mobile communication terminal apparatus performed with an AAA system is transferred from an access router (hereinafter also referred to as “AR”) before transfer using a CT (Context Transfer) protocol. By transferring to the access router of the transfer destination, new access authentication and authority confirmation in the destination AR can be omitted, and high-speed handover can be realized.

  In addition, an example of a high-speed authentication technique that can be applied at the time of handover between different domains is described in the following Patent Document 1 (hereinafter referred to as “conventional example 2”). The technology of Conventional Example 2 enables high-speed handover between APs by transferring a common key of an authentication session between APs using information on peripheral APs provided in advance in APs in a wireless network system. Technology.

Another example of the fast authentication technique that can be applied at the time of handover between different domains is described in the following Non-Patent Document 2 (hereinafter referred to as “Conventional Example 3”). The technique of Conventional Example 3 is a technique for performing handover prediction in a state in which the mobile communication terminal apparatus is in the domain before moving in handover between different domains, and performing all authentication with the destination domain in advance.
JP 2004-222300 A Y.Kainuma and three others, “FPANA: combining PANA and FMIPv6 for fast authentication at handover”, [online], December 3, 2005, IETF PANA WG, [searched July 1, 2006], Internet <URL: http://bgp.potaroo.net/ietf/idref/draft-hiko-pana-fpana/> A.Dutta and three others, “A framework of Media-Independent Pre-Authentication (MPA) (draft-ohba-mobopts-mpa-framework-00.txt)”, [online], February 13, 2005, MOBOPTS Research Group, [Search July 1, 2006], Internet <URL: http://rfc.netvolante.jp/internet-drafts/draft-ohba-mobopts-mpa-framework-00.txt>

  In order to apply the technology of the above-described Conventional Example 2 to authentication at the time of handover between different domains, in order to realize a technology for transferring authentication session information, a certain domain system has a base station of another domain with a different operator. It is necessary to grasp information and to realize a secure communication path between domain systems. However, in a multi-domain environment, it is difficult to exchange base station configuration information or directly configure a trust relationship. Therefore, it is difficult to shorten the blocking time for handover by exchanging authentication session information as in the case of the same domain.

  Furthermore, even if problems such as trust relationships are solved, in order to be able to create a common key for the authentication session in advance at the access point before movement and transmit it to the access point that is the expected movement destination, It is essential to change the existing base station that is an access point. For this reason, in order to apply the technique of the conventional example 2, the cost by the improvement to the existing base station also becomes enormous. Even in this aspect, the technology of Conventional Example 2 is difficult to apply to authentication during handover between different domains.

  In addition, in order to apply the technology of Conventional Example 3 to authentication at the time of handover between different domains, it is necessary to implement PANA in order to perform authentication with the access router of the destination domain network. It must be ensured that the other domain network adopts PANA. Further, in the technology of Conventional Example 3, since all processes including authentication other than the start of communication between devices at the time of handover are performed in advance, it is difficult to apply when the overlap time between wireless networks during movement is small. .

  In order to apply the high-speed authentication technique similar to the technique of the above-described conventional example 1 to authentication at the time of handover between different domains, the access router in the source domain knows the IP address of the access router in the post-movement domain. It is necessary to establish a secure communication path between the transfer source access router and the transfer destination access router. However, as in the case of the technique of Conventional Example 2 described above, it is difficult to exchange base station configuration information or directly configure a trust relationship in a multi-domain environment.

  The present invention has been made in view of the above circumstances, and an object thereof is to provide a new authentication method and authentication system capable of high-speed authentication at the time of handover between different domains.

  It is another object of the present invention to provide a mobile communication terminal device and a domain system that can be employed when constructing an authentication system according to the present invention.

  According to a first aspect of the present invention, there is provided an authentication method for performing authentication required when a base station that is a radio communication destination of the mobile communication terminal apparatus is changed due to movement of the mobile communication terminal apparatus, Whenever the mobile communication terminal apparatus newly detects the identification information of the second base station transmitted from a second base station different from the first base station performing radio communication, the mobile communication terminal apparatus Inquiry of communication information including identification information of an access router connecting the second base station in the domain system to which the second base station belongs to the first domain system to which the first base station belongs A domain inquiry step for inquiring a certain domain system; and the first domain system that has received the domain system inquiry has a case where the second base station does not belong to the first domain system. Domain information acquisition step of acquiring communication information including identification information of an access router in the second domain system from the second domain system to which the second base station belongs using the detected identification information of the second base station A terminal transfer step in which the first domain system that has acquired the communication information transfers the communication information to the mobile communication terminal device; and the mobile communication terminal device transmits the second base for the second domain system. A first authentication preparation requesting step for transmitting an authentication preparation request for communication via a station to the first domain system; and a home domain system in which the first domain system is a system of a contracted domain of the mobile communication terminal device And when the second domain system is not the home domain system, the authentication preparation request The received first domain system transmits a second authentication preparation request to the home domain system; and the home domain system is connected between the mobile communication terminal device and the first domain system. A first key generation step of generating a first authentication key used for authentication between the mobile communication terminal device and the second domain system based on authentication session information; and the home domain system uses the first authentication key as the first authentication key A first authentication information transmitting step of transmitting to the second domain system first authentication information to which information for specifying a mobile communication terminal device is added; and the second domain system receiving the first authentication information includes the authentication information A first reception response step of returning a first reception confirmation to the home domain system indicating that the first reception confirmation is received; A first authentication reporting step in which the home domain system transmits to the mobile communication terminal device that the preparation for authentication for communication via the second base station is completed together with the first authentication key; A first final authentication step of performing authentication between the mobile communication terminal device and the second domain system using the first authentication key when the terminal device starts wireless communication with the second base station. And an authentication method.

  In this authentication method, when the mobile communication terminal apparatus moves, the mobile communication terminal apparatus uses the second base station by radio waves transmitted from a second base station that is different from the first base station currently performing radio communication. The identification information is newly detected. This means that the mobile communication terminal apparatus has entered an area where the connectable area of the first base station and the connectable area of the second base station overlap, and the mobile communication terminal apparatus may be changed over to the base station. It shows that there is sex. Therefore, in order to start preparation for transfer, the mobile communication terminal apparatus uses the second base station identification information to the first domain system to which the first base station belongs in the domain inquiry process. The communication information including the identification information of the access router that connects the second base station in another domain system to which the base station belongs is inquired.

  The first domain system that has received this inquiry is in the case where the second base station does not belong to the first domain system, that is, when the mobile communication terminal device is moving to a jurisdiction area of a domain system different from the current one. Since the first domain system does not hold information about other domain systems, the identification information of the access router in the second domain system can be obtained by inquiring the second domain system to which the second base station belongs in the domain information acquisition step. Get communication information including.

  Note that the communication information is stored in the first domain system for a predetermined period in order to improve processing efficiency. Thereby, when the inquiry about the said 2nd base station is received again, the information for communication can be responded at high speed.

  Next, in the terminal transfer step, the first domain system transfers the acquired communication information to the mobile communication terminal device that is the domain information inquiry source. Then, in the first authentication preparation request step, the mobile communication terminal device uses the obtained access router identification information to request authentication preparation for performing communication via the second base station with respect to the second domain system. Is transmitted to the first domain system.

  Next, when the first domain system is not a home domain system that is a system of a contracted domain of the mobile communication terminal device and the second domain system is not a home domain system, that is, the first domain system and the second domain system If both are domain systems different from the home domain system, in the second authentication preparation request step, the first domain system transmits an authentication preparation request received from the mobile communication terminal device to the home domain system. Subsequently, in the first key generation step, the home domain system that has received the authentication preparation request, based on the authentication session information between the mobile communication terminal apparatus and the first domain system, the mobile communication terminal apparatus and the second domain system A first authentication key used for authentication during the period is newly generated.

  Subsequently, in the first authentication information transmitting step, the home domain system is information necessary for the second domain system to authenticate the mobile communication terminal device, and information that identifies the mobile communication terminal device as the first authentication key. The first authentication information added with is transmitted to the second domain system. In response to this, the second domain system returns a first reception confirmation indicating that the authentication information has been received to the home domain system in the first reception response step. As a result, in the second domain system, preparation for authentication for starting communication with the mobile communication terminal device via the second base station is completed, so the home domain system that has received the first reception confirmation In the first authentication reporting step, the fact that preparation for authentication is completed is transmitted to the mobile communication terminal device together with the first authentication key.

  And when a mobile communication terminal device moves to the jurisdiction area of a 2nd base station, the process for the start of radio | wireless communication between 2nd base stations of a mobile communication terminal device is performed. That is, in the first final authentication step, authentication processing is performed between the mobile communication terminal device and the second domain system using the prepared first authentication key. Authentication is performed by some kind of authentication method using the first authentication key. For example, a challenge-response method or the like can be adopted.

  Therefore, according to the authentication method of the present invention, it is possible to exchange a minimum amount of information necessary for authentication even between heterogeneous domain systems that do not have a mutual trust relationship. High-speed handover can be performed.

  In the authentication method of the present invention, when the first domain system is the home domain system, the first domain system that has received the authentication preparation request from the mobile communication terminal apparatus is configured to receive the authentication information from the mobile communication terminal apparatus. When the validity of the access authority in the second domain system is determined and the determination is affirmative, the mobile communication terminal is based on authentication session information between the mobile communication terminal apparatus and the first domain system. A second key generation step of generating a second authentication key used for authentication between a device and the second domain system; and information identifying the mobile communication terminal device by the first domain system as the second authentication key A second authentication information transmitting step of transmitting the second authentication information to which the second authentication information is added to the second domain system; and A second reception response step in which the second domain system that has received the authentication information returns a second reception confirmation to the first domain system indicating that the second authentication information has been received; The first domain system transmits to the mobile communication terminal device that the preparation for authentication for communication via the second base station is completed together with the second authentication key; A second final authentication step of performing authentication between the mobile communication terminal device and the second domain system using the second authentication key when starting wireless communication with the second base station; Can be provided.

  In this case, the first domain system that has received the authentication preparation request from the mobile communication terminal apparatus determines the validity of the access authority in the second domain system of the mobile communication terminal apparatus in the second key generation step, and If the result is positive, the second authentication used for authentication between the mobile communication terminal device and the second domain system based on the authentication session information between the mobile communication terminal device and the first domain system. Generate a key. Subsequently, in the second authentication information transmitting step, the first domain system transmits second authentication information in which information for specifying the mobile communication terminal device is added to the second authentication key to the second domain system. In the second reception response step, the second domain system that has received the second authentication information returns a second reception confirmation indicating that the second authentication information has been received to the first domain system.

  As a result, preparation for authentication with the mobile communication terminal device is completed on the second domain system side. Therefore, the first domain system that has received the second reception confirmation receives the second authentication report in the second authentication report step. The fact that preparation for authentication for communication via the second base station has been completed is transmitted to the mobile communication terminal device together with the authentication key.

  Then, when the mobile communication terminal apparatus moves to the jurisdiction area of the second base station, processing for starting wireless communication with the second base station is performed in the second final authentication step. That is, authentication is performed at high speed between the mobile communication terminal device and the second domain system using the second authentication key. If the authentication is successful, the transfer of the mobile communication terminal device to the base station of the second domain is completed.

  In the authentication method according to the present invention, when the second domain system is the home domain system, the first domain system transmits the authentication preparation request to the second domain system. And the second domain system determines the validity of the authority of the mobile communication terminal device, and if the determination is affirmative, authentication between the mobile communication terminal device and the first domain system is performed. A third key generating step of generating a third authentication key used for authentication between the mobile communication terminal device and the second domain system based on session information; and the second domain system, together with the third authentication key, A third authentication reporting step for transmitting to the mobile communication terminal device that the preparation for authentication for communication via the second base station is completed; and between the second base station and And a third final authentication step of performing authentication between the mobile communication terminal device and the second domain system using the third authentication key when starting the wireless communication. .

  In this case, when the first domain system transmits an authentication preparation request to the second domain system in the third authentication preparation request step, the second domain system that has received the request, that is, the home domain system, receives the third key. In the generation step, the validity of the authority of the mobile communication terminal device is determined. If the determination is affirmative, the mobile communication terminal is based on authentication session information between the mobile communication terminal device and the first domain system. A third authentication key used for authentication between the device and the second domain system is generated. Subsequently, in the third authentication reporting step, the second domain system transmits to the mobile communication terminal device that the preparation for authentication for communication via the second base station is completed together with the third authentication key.

  And when a mobile communication terminal device moves to the jurisdiction area of a 2nd base station, the process for the start of radio | wireless communication between 2nd base stations is performed. That is, in the third final authentication step, authentication is performed between the mobile communication terminal device and the second domain system using the third authentication key. If the authentication is successful, the transfer of the mobile communication terminal device to the base station of the second domain is completed.

  As described above, when a transfer to a base station of another domain occurs in the mobile communication terminal device, if the home domain system exists separately from both the other domain system and the transfer source domain system, the transfer source domain system is the home domain system. In other cases, or when the other domain system is a home domain system, it is possible to change at high speed.

  In the authentication method of the present invention, the communication information including the domain system inquiry and the identification information of the access router in the second domain system may be transmitted to the first domain system and the second domain without going through the home domain system. It can be sent to and received from the domain system.

  In this case, the communication information including the domain system inquiry and the identification information of the access router in the second domain system is not transmitted between the first domain system and the second domain system via the communication network or the like without using the home domain system. It is also possible to send and receive between them.

  In the authentication method of the present invention, the communication information including the domain system inquiry and the identification information of the access router in the second domain system is transmitted to the first domain system and the second domain system via the home domain system. Are transmitted and received between each other.

  In this case, the communication information including the domain system inquiry and the identification information of the access router in the second domain system is not directly transmitted and received between the first domain system and the second domain system. It can also be made via. As a result, even when there is no trust relationship between the first domain system and the second domain system, both domains exchange information via the home domain system with which the communication destination is contracted. Handover between networks can be enabled.

  Further, the authentication method of the present invention employs a protocol in which the mobile communication terminal apparatus does not prepare a communication identifier of the mobile communication terminal apparatus necessary for the mobile communication terminal apparatus to perform communication on a network. The second domain system creates the communication identifier and transmits it to the mobile communication terminal device.

  In this case, since the mobile communication terminal apparatus does not employ a protocol that holds or automatically generates a communication identifier for its own communication, it is necessary to obtain the communication identifier from the outside. . For this reason, the second domain system creates the communication identifier and transmits it to the mobile communication terminal device. Here, the second domain system can transmit the communication information including the communication identifier in the communication information that is a response to the above-mentioned domain system inquiry, or returns in the first reception response step. The authentication information may be transmitted together with the reception.

  From a second point of view, the present invention is a mobile communication terminal device including a transmission / reception unit that receives radio waves transmitted from a base station, the first domain being a domain system to which the currently connected base station belongs. The communication information including the identification information of the access router in the second domain system to which the base station that is the communication destination candidate after the movement of the mobile communication terminal device belongs to the system is transmitted to the base station that is the communication destination candidate after the movement. Inquiry using identification information, domain information requesting means for obtaining communication information including identification information of an access router in the second domain system from the first domain system; and an authentication preparation request for the second domain system; Sent to the home domain system which is the contract destination of the communication contract of the mobile communication terminal device, and the home domain system And when the preparation for authentication is completed together with the authentication key from the system, and when moving to the jurisdiction area of the second domain, the second domain system uses the authentication key received from the home domain system. And an authentication control means for performing authentication between the mobile communication terminal device and the mobile communication terminal device.

  In this mobile communication terminal apparatus, the domain information requesting means is connected to the first domain system, which is the system of the domain to which the base station that is currently wirelessly communicating, belongs to the base station that is the communication destination candidate after the mobile communication terminal apparatus The communication information including the identification information of the access router in the second domain system to which the node belongs is inquired using the identification information of the base station which is the communication destination candidate after movement. By receiving a response from the first domain system to the inquiry, the mobile communication terminal device acquires the communication information.

  When the communication information of the second domain is acquired in this way, the authentication control means sends an authentication preparation request to the second domain system via the first domain, etc., and the home domain that is the contract destination of the communication contract of the mobile communication terminal device Send it to the system. Thereafter, the fact that the preparation for authentication is completed is received via the first domain together with the authentication key created by the home domain system. This completes preparation for authentication after movement for the mobile communication terminal device. Then, when moving to the jurisdiction area of the second domain, authentication is performed at a high speed with the second domain system using the authentication key received from the home domain system.

  From a third aspect, the present invention is a domain system that is different from any of the contracting parties of the communication contract of the first or second mobile communication terminal device, and includes at least one own domain base station; At least one access router that connects the first mobile communication terminal device that is in radio communication with a first base station that is one of the own domain base stations, and a second different from the first base station. When receiving a domain system inquiry which is an inquiry for communication information of the domain system to which the second base station belongs with the identification information of the base station, the identification information of the access router in the domain system is searched in the own domain system. A search means for performing a search by the search means, when it is determined that the second base station does not belong to its own domain system Inquiry transmission means for sending a request for returning the first communication information including identification information of the access router in the adjacent domain system to at least one adjacent domain system; In this case, identification information reporting means for reporting information for communication in the adjacent domain to the mobile communication terminal device; a second base station for the domain system to which the second base station belongs from the first mobile communication terminal device; When receiving the authentication preparation request for communication via the first mobile domain, the first home domain system transmits the authentication preparation request to the first home domain system which is the contracted domain system of the first mobile communication terminal device. The response from the system to the authentication preparation request includes the fact that the authentication preparation was successful together with the authentication key. Authentication preparation transmission / reception means for sending the authentication preparation completion report to the mobile communication terminal device upon receipt of an authentication preparation completion report; accompanied by identification information about a third base station belonging to the own domain system from the adjacent domain system; Inquiry response means for returning communication information of its own domain when receiving a domain system inquiry which is an inquiry of second communication information including identification information of an access router in the domain system to which the third base station belongs; An authentication key for communication from a second home domain system that is a contract destination of the second mobile communication terminal device via a third base station that is one of the base stations in the own domain, and the second mobile communication terminal When receiving the identification information of the device, the second mobile communication terminal device prepares for authentication for communication via the third base station, and Authentication preparation means for reporting completion of certificate preparation to the second home domain system; when the second mobile communication terminal device starts wireless communication with the third base station, the authentication key is used to A final authentication means for performing authentication between the second mobile communication terminal device and the own domain system.

  In this domain system, identification information of a second base station that is different from the first base station is received from the first mobile communication terminal device that is performing radio communication with the first base station that is one of its own domain base stations. Upon receiving a domain system query that is a query of first communication information including identification information of the access router in the domain system to which the second base station belongs, the search means identifies the access router in the domain system to which the second base station belongs. Search for information in your domain system. As a result of the search by the search means, when the identification information of the access router cannot be detected, that is, when it is determined that the second base station does not belong to the own domain system, the inquiry transmission means sends at least one adjacent domain A request for returning the first communication information including the identification information of the access router in the adjacent domain system is sent to the system.

  Here, when inquiring about the first communication information including the identification information of the access router in the second domain, the inquiry when there are a plurality of adjacent domain systems can be made one by one for the adjacent domain, or by multicast or the like. You can also make inquiries all at once. When receiving a reply including the first communication information including the identification information of the access router in the adjacent domain system, the identification information reporting means reports the adjacent domain communication information to the mobile communication terminal apparatus.

  Note that the communication information is stored in the first domain system for a predetermined period in order to improve processing efficiency. Thereby, when the inquiry about the said 2nd base station is received again, the information for communication can be responded at high speed.

  Further, when receiving an authentication preparation request for communication via the second base station for the domain system to which the second base station belongs from the first mobile communication terminal apparatus that has received the report, the authentication preparation transmission / reception means includes: An authentication preparation request is transmitted to the first home domain system which is the contracted domain system of the mobile communication terminal device. Then, when an authentication preparation completion report including the fact that the authentication preparation is successful together with the authentication key is received from the first home domain system as a response to the authentication preparation request, the authentication preparation completion report is sent to the first mobile communication terminal device. send.

  In addition, the second communication information including the identification information of the access router in the domain system to which the third base station belongs with the identification information about the third base station belonging to the own domain system from the adjacent domain system of the own domain system. When receiving the inquiry, the inquiry response means searches the identification information of the access router in the own domain from within the own domain system, and returns the second communication information to the adjacent domain system.

  Further, the authentication preparation means includes an authentication key and a second key for communication from the second home domain system, which is a contract destination of the second mobile communication terminal device, via the third base station which is one of the base stations in the own domain When receiving identification information of the mobile communication terminal device, prepare for authentication for communication via the third base station by the second mobile communication terminal device, and report completion of authentication preparation to the second home domain system To do.

  The final authentication means uses the authentication key when the second mobile communication terminal apparatus starts wireless communication with the third base station in accordance with the movement of the second mobile communication terminal apparatus. An authentication process is performed between the mobile communication terminal device and the own domain system. If the authentication performed in this way is successful, the transfer of the second mobile communication terminal device to the base station of the own domain system is completed.

  In the domain system of the present invention, a protocol is employed in which the first mobile communication terminal apparatus does not prepare a communication identifier for the mobile communication terminal apparatus necessary for communication on the network. In this case, any one of the identification information reporting unit and the authentication preparation transmitting / receiving unit transmits the communication identifier notified after being created in the adjacent domain system to the mobile communication terminal device. be able to.

  In this case, since the first mobile communication terminal device does not employ a protocol that pre-stores or automatically generates a communication identifier for its own communication, it is necessary to acquire the communication identifier from the outside. is there. For this reason, the adjacent domain system creates the communication identifier and transmits it to the mobile communication terminal device. The timing of transmission of the communication identifier by the adjacent domain system is the response time to the above domain system inquiry. Or there may be a reply that the authentication information has been received. In the former case, the identification information reporting means transmits the communication identifier included in the first communication information and transmitted to the mobile communication terminal device. In the latter case, the authentication preparation transmitting / receiving means transmits the communication identifier returned together with the reception of the authentication information to the mobile communication terminal device.

  In the domain system of the present invention, a protocol is employed in which the second mobile communication terminal apparatus does not prepare a communication identifier of the mobile communication terminal apparatus necessary for communication on the network. In this case, either the inquiry response unit or the authentication preparation unit creates the communication identifier and transmits it to the mobile communication terminal device.

  In this case, since the second mobile communication terminal device does not employ a protocol that preliminarily holds or automatically generates a communication identifier for its own communication, it is necessary to acquire the communication identifier from the outside. is there. For this reason, the communication identifier is created by the domain system of the present invention, that is, the domain system to which the third base station belongs (that is, the own domain system), and is transmitted to the mobile communication terminal apparatus. Here, in the own domain system, the inquiry response means may create the communication identifier for the response to the authentication preparation request, and transmit the communication information including the communication identifier. Alternatively, the authentication preparation means can be transmitted together with the fact that the authentication information has been received.

  From a fourth aspect, the present invention is a home domain system that is a system of a contract destination domain of a communication contract of a mobile communication terminal device, and the first base station with which the mobile communication terminal device is currently wirelessly communicating is The movement from the mobile communication terminal device to the second domain system to which the second base station that is the destination candidate of the mobile communication terminal device belongs belongs to the second domain system different from itself through the first domain system to which the mobile communication terminal device belongs. Based on authentication session information between the mobile communication terminal device and the first domain system when receiving an authentication preparation request which is a request for authentication preparation of the communication terminal device, the mobile communication terminal device and the second domain First key generation means for generating a first authentication key used for authentication with the system; and information identifying the mobile communication terminal device is added to the first authentication key Key transmitting means for transmitting the first authentication information to the second domain system; and when the fact that the first authentication information is received from the second domain system is received, the movement via the first domain And a first preparation report means for transmitting to the communication terminal device that the authentication preparation is successful together with the first authentication key.

  In this home domain system, the mobile communication terminal apparatus moves from the mobile communication terminal apparatus to the mobile communication terminal apparatus destination candidate via a first domain system different from itself to which the first base station currently performing radio communication belongs. When receiving an authentication preparation request that is an authentication preparation request of the mobile communication terminal apparatus for a second domain system different from itself, to which the second base station belongs, the first key generation means Based on the authentication session information with the first domain system, a first authentication key used for authentication between the mobile communication terminal device and the second domain system is generated.

  Subsequently, the key transmission means transmits the first authentication information in which the information for identifying the mobile communication terminal device is added to the first authentication key to the second domain system. After that, when the fact that the first authentication information has been received is received from the second domain system, the first preparation report means sends the first authentication key to the mobile communication terminal device via the first domain system. Sends information that authentication preparation was successful. This completes preparation for authentication between the second domain system and the mobile communication terminal device.

  Further, in the home domain system of the present invention, when the first base station belongs to itself, communication information including identification information about an access router in the domain system to which the second base station belongs from the mobile communication terminal device Search means for searching for identification information of the second base station in the own domain system when the inquiry is received; and as a result of the search by the search means, the second base station belongs to the own domain system. If not, inquiry transmission means for sending a request for returning communication information including identification information of the access router in the adjacent domain to at least one adjacent domain system; communication of the second domain system; Communication including identification information of an access router in the second domain system when receiving a reply to the service information Identification information reporting means for reporting information to the mobile communication terminal device; when receiving an authentication preparation request for communication via the second base station for the second domain system from the first mobile communication terminal device; Second key generation means for generating a second authentication key used for authentication between the mobile communication terminal apparatus and the second domain system based on authentication session information between the mobile communication terminal apparatus; Authentication information transmitting means for transmitting, to the second domain system, second authentication information with information identifying the mobile communication terminal device added to a key; from the second domain system receiving the second authentication information; 2 When receiving a reply of reception confirmation that the authentication information has been received, the fact that preparation for authentication for communication via the second base station is completed together with the second authentication key. A second preparation reporting means for transmitting to the serial mobile communication terminal; may further comprise a.

  In this case, when receiving an inquiry for communication information including identification information about the access router in the domain system to which the second base station belongs from the mobile communication terminal device, the search means identifies the second base station. Based on the information, the identification information of the access router that connects the second base station is searched for in the home domain system.

  As a result of the search by the search means, when the identification information cannot be detected, that is, when it is determined that the second base station does not belong to its own home domain system, the inquiry transmission means includes at least one adjacent domain system A request for returning communication information including the identification information of the access router in the adjacent domain is sent to. Here, the communication information including the identification information of the access router in the second domain in order to request the at least one adjacent domain known by the home domain system to search the adjacent domain system. Inquire.

  When the communication information including the identification information of the access router in the second domain system is received as a result of the inquiry to the adjacent domain system, the identification information report means sends the communication information of the second domain system. To the mobile communication terminal device. The communication information that has received the reply is stored in the home domain system for a predetermined period in order to improve processing efficiency. Thereby, when the inquiry about the said 2nd base station is received again, the information for communication can be responded at high speed.

  In addition, when receiving an authentication preparation request for performing communication via the second base station for the second domain system from the first mobile communication terminal apparatus, the second key generation means and the mobile communication terminal apparatus Based on the authentication session information with the home domain system, a second authentication key used for authentication between the mobile communication terminal device and the second domain system is generated.

  Subsequently, the authentication information transmitting means transmits second authentication information in which information for identifying the mobile communication terminal device is added to the second authentication key to the second domain system. Then, when receiving a reply of reception confirmation that the second authentication information has been received from the second domain system that has received the second authentication information, the second preparation report means, together with the second authentication key, 2 The fact that preparation for authentication for communication via the base station is completed is transmitted to the mobile communication terminal apparatus. Thus, preparation for authentication between the second domain system and the mobile communication terminal device is completed.

  Further, in the home domain system of the present invention, when the second base station belongs to itself, a domain system inquiry that is an inquiry for communication information including identification information of an access router in the own domain system is sent from the first domain system. An inquiry response means for returning communication information including identification information of an access router in the own domain system when received; an authentication preparation request for communication via the second base station from the first domain system; A third key generating means for generating a third authentication key used for authentication with the mobile communication terminal device based on authentication session information between the mobile communication terminal device and the home domain system when received; The mobile communication terminal device indicates that preparation for authentication for communication via the second base station is completed together with the third authentication key. A third preparation report means for transmitting to the mobile communication terminal apparatus using the third authentication key when the mobile communication terminal apparatus starts wireless communication with the second base station. And a final authentication means for performing.

  In this case, when receiving an inquiry about communication information including identification information of the access router in the own domain system from the first domain system, the inquiry response means detects the identification information of the access router in the own domain system. The communication information including the identification information of the access router in the home domain system is returned to the first domain system.

  Also, when receiving an authentication preparation request for communication via the second base station from the first domain system, the third key generation means is based on the authentication session information between the mobile communication terminal device and the first domain system. A third authentication key used for authentication with the mobile communication terminal device is generated. Subsequently, the third preparation report means transmits to the mobile communication terminal apparatus that the preparation for authentication for communication via the second base station is completed together with the third authentication key.

  In addition, when the mobile communication terminal apparatus starts moving and wireless communication with the second base station is started, the final authentication unit is configured so that the mobile communication terminal apparatus communicates with the second base station. At the start of wireless communication, authentication is performed with the mobile communication terminal device using the third authentication key. This completes authentication between the home domain system, which is the destination domain system, and the mobile communication terminal device.

  In the home domain system of the present invention, a protocol is employed in which the mobile communication terminal device does not prepare the communication identifier of the mobile communication terminal device necessary for communication on the network. In this case, the domain system to which the second base station belongs can create the communication identifier and notify the mobile communication terminal apparatus.

  In this case, since the mobile communication terminal apparatus does not employ a protocol that holds or automatically generates a communication identifier for its own communication, it is necessary to obtain the communication identifier from the outside. . For this reason, the communication identifier is created by the domain system to which the second base station belongs and is transmitted to the mobile communication terminal apparatus. Here, if none of the second base stations belong to the home domain, the home domain returns a response indicating that the domain system to which the second base station belongs responds to the domain system inquiry or that authentication information has been received. The communication identifier transmitted from time to time is transmitted as it is to the mobile communication terminal device. When both of the second base stations belong to the home domain, in the home domain, the inquiry response means creates the communication identifier for responding to the authentication preparation request, and includes the communication information in the communication information. The communication identifier may be included in the transmission, or the authentication preparation means may be transmitted together with the fact that the authentication information has been received.

  From a fifth viewpoint, the present invention provides a home domain system that is a system of a contracted domain of a mobile communication terminal device, and a plurality of access routers that connect at least one base station different from the home domain system. Another domain system, and an authentication system that performs authentication required when a base station that is a wireless communication destination is changed by movement of the mobile communication terminal device, wherein the home domain system includes: The destination of the mobile communication terminal apparatus is moved from the mobile communication terminal apparatus via the first domain system that is one of the other domain systems to which the first base station with which the mobile communication terminal apparatus is currently wirelessly communicating belongs. It is one of the other domain systems to which the candidate second base station belongs, and is different from the first domain system When receiving an authentication preparation request which is an authentication preparation of the mobile communication terminal device for a two-domain system, based on authentication session information between the mobile communication terminal device and the first domain system, Key generation means for generating an authentication key used for authentication with the second domain system; and a key for transmitting authentication information with information identifying the mobile communication terminal device added to the authentication key to the second domain system The authentication preparation is successful with the authentication key for the mobile communication terminal device via the first domain when receiving the fact that the authentication information has been received from the second domain system; Preparation completion reporting means for transmitting a message, wherein the first domain system is different from the first base station from the mobile communication terminal device. Identification of the second base station upon receipt of a domain system inquiry which is an inquiry for communication information including identification information of an access router in the domain system to which the second base station belongs with identification information of the second base station Search means for searching for information in the own domain system; and if it is determined that the second base station does not belong to the own domain system as a result of the search by the search means, at least one adjacent domain system Inquiry sending means for sending a return request which is a request for returning communication information including identification information of the access router in the adjacent domain; and when receiving a reply of the identification information of the second domain system, Identification information for reporting communication information including identification information of an access router in the system to the mobile communication terminal device Reporting means; when the mobile communication terminal apparatus receives an authentication preparation request for communication via the second base station for the domain system to which the second base station belongs, to the home domain system, the authentication Sending a preparation request, and when receiving an authentication preparation completion report including that the authentication preparation has been successful together with the authentication key as a response to the authentication preparation request from the home domain system, An authentication preparation transmission / reception means for sending to the mobile communication terminal device, and when the second domain system receives the return request, an inquiry for returning communication information including identification information of an access router in the own domain system A response means; receiving an authentication key and identification information of the mobile communication terminal device from the home domain system The authentication preparation means for performing authentication preparation for communication via the second base station by the mobile communication terminal apparatus and reporting completion of the authentication preparation to the home domain system; An authentication system comprising: final authentication means for performing authentication between the mobile communication terminal device and the own domain system using the authentication key when starting wireless communication with the second base station. .

  This authentication system is an authentication system that performs authentication required when a base station that is a wireless communication destination is changed due to movement of the mobile communication terminal device, and is a system in a contracted domain of the mobile communication terminal device. A home domain system and a plurality of other domain systems other than the home domain system are provided. The other domain system includes at least one base station and an access router that connects the base stations.

  In this authentication system, upon receiving an inquiry for communication information including identification information of an access router in another domain system to which the second base station belongs from the mobile communication terminal device, the first domain system If the mobile communication terminal device does not belong to the first domain system, that is, if the mobile communication terminal device is about to move to a different jurisdiction area of the domain system than the current one, the first domain system has the second base station to which the second base station belongs. By making an inquiry to the domain system, communication information including identification information of the access router in the second domain system is acquired.

  The communication information that has received the reply is stored in the first domain system for a predetermined period in order to improve processing efficiency. Thereby, when the inquiry about the said 2nd base station is received again, the information for communication can be responded at high speed. Subsequently, the first domain system transfers the acquired communication information to the mobile communication terminal device that is the domain information inquiry source.

  Thereafter, when a request for authentication preparation for performing communication via the second base station for the second domain system using the domain communication information is received from the mobile communication terminal device, the first domain system receives the mobile communication terminal. If it is not the home domain system that is the system of the contracted domain of the device and the second domain system is not the home domain system, the first domain system sends the authentication preparation request received from the mobile communication terminal device Send to home domain system. Subsequently, the home domain system that has received the authentication preparation request uses the authentication session information between the mobile communication terminal device and the first domain system for authentication used for authentication between the mobile communication terminal device and the second domain system. Generate a new key.

  Subsequently, the home domain system uses the second domain system as authentication information, which is information necessary for the second domain system to authenticate the mobile communication terminal device and adds information for identifying the mobile communication terminal device to the authentication key. Send to. Upon receiving this, the second domain system returns a reception confirmation indicating that the authentication information has been received to the home domain system. The home domain system that has received the confirmation transmits to the mobile communication terminal device that the preparation for authentication is completed together with the first authentication key.

  And when a mobile communication terminal device moves to the jurisdiction area of a 2nd base station, the process for the start of radio | wireless communication between 2nd base stations of a mobile communication terminal device is performed. That is, authentication processing is performed between the mobile communication terminal device and the second domain system using the prepared authentication key.

  That is, in the authentication system of the present invention, authentication related to a mobile communication terminal apparatus is performed by exchanging the minimum information necessary for switching between mobile communication terminal apparatuses between different domains using the authentication method of the present invention described above. It can be performed.

  Further, in the authentication system of the present invention, when the mobile communication terminal apparatus adopts a protocol that does not prepare the communication identifier of the mobile communication terminal apparatus necessary for performing communication on the network. The domain system to which the second base station belongs may create the communication identifier and transmit it to the mobile communication terminal device.

  In this case, since the mobile communication terminal apparatus does not employ a protocol that holds or automatically generates a communication identifier for its own communication, it is necessary to obtain the communication identifier from the outside. . For this reason, the second domain system creates the communication identifier and transmits it to the mobile communication terminal device. Here, the second domain system can transmit the communication information including the communication identifier in the communication information that is a response to the above-mentioned domain system inquiry, or it is transmitted together with the reception of the authentication information. You can also do it.

  As described above, according to the authentication method and authentication system of the present invention, even when the mobile communication terminal apparatus performs handover between heterogeneous domains having no trust relationship, the communication cut-off time of the mobile communication terminal apparatus due to handover is reduced. There is an effect that it can be shortened.

  In addition, the mobile communication terminal device and the domain system of the present invention can be used for constructing the authentication system of the present invention.

  Hereinafter, embodiments of the present invention will be described with reference to FIGS. In these drawings, the same or equivalent elements are denoted by the same reference numerals, and redundant description is omitted.

[Constitution]
FIG. 1 shows an outline of a system configuration in the authentication system 100. The system includes a mobile communication terminal device 110, a domain system 120 _j (j = 1, 2,...), A communication partner terminal device 130 _n (n = 1, 2,...), And a communication network 140. Here, one of the domain systems 120 _j is a home domain system operated by a contracting business operator of the mobile communication terminal device 110. Then, the mobile communication terminal device 110 can select any one of the domain systems 120 _j (j = 1, 2,...) Including the home domain system based on a contract between a home domain business operator and another domain system business operator. Communication is also possible. The Internet system is constructed by these components. The authentication system 100 operates based on IPv6 (Internet Protocol Version 6) as a communication protocol.

<Configuration of mobile communication terminal device 110>
As shown in FIG. 2, the mobile communication terminal device 110 includes a control unit 200 and a wireless communication unit 201. Here, in order to practice the function of the mobile communication terminal device 110, the control unit 200 performs various processes and controls resources provided in the mobile communication terminal device 110 including the wireless communication unit 201. In addition, the wireless communication unit 201 transmits and receives a wireless signal to and from the domain system 120 _j (more specifically, a base station in the domain system 120 _j ).

  The control unit 200 includes an authentication control function unit 210 that is an authentication control unit and a CARD agent unit 220 that is a domain information request unit. Here, the authentication control function unit 210 includes an authentication preparation control unit 211, an authentication preparation information DB 212, and an authentication unit 213.

  The authentication preparation information DB 212 is an area for managing information such as an authentication key necessary for performing the authentication process generated and transmitted by the home domain system of the mobile communication terminal device 110. Information can be managed as a database because there can be a plurality at the same time.

  In the mobile communication terminal device 110 configured as described above, the authentication preparation control unit 211 and the CARD agent unit 220 cooperate to prepare for authentication in order to perform authentication required when changing the base station to be communicated. Process. Further, the authentication unit 213 performs processing for final authentication.

  Next, processing for preparing for authentication in the mobile communication terminal apparatus 110 will be described. This process is started when the wireless communication unit 201 in the mobile communication terminal device 110 receives information including a new MAC address from a new base station.

  Next, the authentication function in the mobile communication terminal apparatus 110 will be described in more detail with reference to FIGS.

  In step S10 of FIG. 3, the CARD agent unit 220 receives a beacon protocol that is a protocol that is periodically transmitted from a new base station. Accordingly, the CARD agent unit 220 acquires new MAC address information, and the process proceeds to step S11. This process is performed every time a beacon is received from a new base station, and also corresponds to a case where a plurality of candidate base stations exist simultaneously.

  In step S11, the CARD agent unit 220 recognizes that the base station having the new MAC address is one of new destination candidates. Then, in order to acquire information such as the IP (Internet Protocol) address of the access router to which the new destination candidate base station is connected and the destination domain name, the CARD agent unit 220 includes the mobile communication terminal device 110. A CARD request is issued to the currently communicating domain system. In the CARD request, the new MAC address information is designated as a parameter.

  Next, in step S12, the CARD agent unit 220 receives a CARD reply that is a response from the domain system that has received the CARD request. Subsequently, the process proceeds to step S13. In step S13, the CARD reply information is reported to the authentication preparation control unit 211. When the process of step S13 is completed, the process returns to the beginning.

  Upon receiving the CARD reply reported from the CARD agent unit 220 in step S13, the authentication preparation control unit 211 starts processing for authentication preparation. In this processing, as shown in FIG. 4, first, in step S19, a flag indicating that the information is included in the CARD reply, indicating that the movement is to an external domain (hereinafter also referred to as “external domain migration flag”). It is determined whether or not is ON. If the result of the determination is affirmative, it means that the mobile communication terminal device 110 is predicted to move to another domain, so preparation for authentication to another domain is required. The process proceeds to step S20, and an authentication preparation process is performed.

  In step S20, the authentication preparation control unit 211 requests authentication preparation for the destination domain toward the home domain system that is the contract destination of the communication contract of the mobile communication terminal device.

  In step S21, it is determined whether or not the requested authentication preparation information has been acquired. If the result of the determination is affirmative, the process proceeds to step S22. In step S22, the information is stored in the authentication preparation information DB 212. When the process of step S22 is completed, the process in the flow of FIG. 4 ends. On the other hand, if the result of the determination in step S19 is negative, the process ends.

  Next, processing for final authentication by the authentication unit 213 will be described. This process starts when a change occurs in the base station of the wireless communication destination. In this process, as shown in FIG. 5, first, in step S23, authentication information corresponding to the change to the base station is read from the authentication preparation information DB 212, and it is determined whether or not valid authentication information exists. The If the result of the determination is affirmative, the process proceeds to step S24.

  In step S24, it is determined whether or not the “external domain migration flag” is ON for the authentication information. If the result of the determination is affirmative, it means that the change-destination base station belongs to a domain system different from the previous domain system (also referred to as “other domain system”). Fast authentication between.

  If the result of determination in step S24 is negative, it means that the change-destination base station is in the same domain, so the authentication unit 213 performs high-speed authentication with the same domain system.

  If the result of the determination in step S23 is negative, it means that the authentication preparation information does not exist or exists but is not valid, so the process proceeds to step S27. In step S27, general authentication is performed without using authentication preparation information.

<< Configuration of Domain System 120 _j >>
As shown in FIG. 6, the domain system 120 _j (j = 1, 2,...) Is a server for searching for an access router that connects a base station that is a movement candidate destination of the mobile communication terminal device 110. (Candidate Access Router Discovery) server 121 _j , authentication server 122 _j , base station 124 _jmk (m = 1, 2,...), (K = 1, 2,...) An access router 123 _jm that connects a plurality of base stations including the base station 124 _jmk is provided.

<< Configuration of CARD Server 121 _j >>
As shown in FIG. 7, the CARD server 121 _j includes a control unit 300 _j and a communication control unit 301 _j . The control unit 300 _j includes an AR information analysis function unit 310 _{j serving as} a search unit and an adjacent CARD server cooperation function unit 320 _j . Here, the AR information analysis function unit 310 _j includes an AR information analysis unit 311 _{j, a} base station identification information, and an AR information correspondence table 312 _j . The adjacent CARD server cooperation function unit 320 _j includes an inquiry unit 321 _j that is an inquiry transmission unit, a response unit 322 _j that is an identification information reporting unit and an inquiry response unit, and an adjacent CARD server list 323 _j .

AR information analysis unit 311 _j in the AR address analyzing function unit 310 _j were corresponding to the MAC address of the base station is a candidate destination from a mobile communication terminal device 110, the query information on the access router that connects the base station receive. In this case, the AR information analysis unit 311 _j refers to the “base station identification information and AR information correspondence table” 312 _j which is a table covering all base stations in its own domain, and the base station identification information The IP address of the access router, which is AR information, connected to the base station specified by the MAC address is searched.

If the corresponding IP address is not detected as a result of the search, it means that the base station does not exist in the own domain system. Therefore, the inquiry unit 321 _j is a list of CARD servers in the adjacent domain “adjacent” The “CARD server list” 323 _j is referred to. Then, the adjacent CARD server existing in the list is inquired about the identification information of the access router. When receiving the reply of the identification information, the response unit 322 _j transfers the identification information toward the mobile communication terminal device 110.

When the response unit 323 _j receives a query for communication information including the identification information of the access router of the domain to which the CARD server belongs from the adjacent CARD server, the response unit 323 _j queries the AR information analysis function unit 310 _j The IP address of the access router corresponding to the identification information that has been Further, the domain name of the own domain and the “external domain migration flag” are added to the information, and the reply is made to the adjacent CARD server that is the inquiry source.

Next, the function of the CARD server 121 _j will be described in more detail with reference to FIGS. The CARD server 121 _j, first, in step S30, the communication control unit 301 _j of the 1CARD server 121 _j receives the CARD request. Subsequently, the process proceeds to step S31.

Next, in step S31, AR information analyzing function unit 310 _j is whether the CARD request is from a mobile communication terminal device. If the result of the determination is affirmative, the process proceeds to step S32.

In step S32, the AR information analysis unit 311 _j refers to the “base station identification information and AR information correspondence table” 312 _j , and is a base station indicated by the MAC address notified by the CARD request, which is AR information. The IP address of the access router to which is connected is searched. As a result of the search, it is determined whether or not the corresponding IP address has been searched.

Here, if the result of the determination is affirmative, it means that the access router and the base station exist in the domain system managed by the CARD server 121 _j . In this case, the process proceeds to step S33. In step S33, the IP address of the access router as the searched NAR is returned as a CARD reply to the mobile communication terminal apparatus 110, and the process is terminated.

  If the result of determination in step S32 is negative, that is, if the change to the base station is for a heterogeneous domain, the process proceeds to step S34. In step S34, an inquiry process to the adjacent CARD server is performed.

  In this inquiry process, as shown in FIG. 9, first, in step S40, it is determined whether or not it is within the process time limit. If the result of the determination is negative, the process proceeds to step S45, the inquiry failure is returned to the mobile communication terminal device 110 that is the inquiry source, and the process of step S34 is terminated. If the result of the determination is affirmative, the process proceeds to step S41.

Next, in step S41, CARD request to all CARD servers in adjacent CARD server list 323 _j is equal to or sent or. If the result of the determination is affirmative, the process proceeds to step S45, a query failure is returned to the mobile communication terminal device 110 that is the query source, and the process of step S34 is terminated. If the result of the determination is negative, the process proceeds to step S42.

Next, in step S42, the inquiry section 321 _j of the adjacent CARD server cooperation function unit 320 _j refers to the adjacent CARD server list 323 _j, and transmits the CARD request to each neighbor CARD server that exists in the list. Thereafter, the process proceeds to step S43.

  In step S43, it is determined whether or not a CARD reply has been acquired. If the result of the determination is negative, it means that no CARD reply is returned from the CARD server, and the process returns to the beginning. If the result of the determination is affirmative, the process proceeds to step S44.

In step S44, an “external domain migration flag” is added to the returned CARD reply, and the response unit 322 _j returns a CARD reply to the mobile communication terminal device 110. This completes the processing of step S33. Note that the communication information returned by the CARD reply is stored in the CARD server 121 _j for a certain period.

Returning to FIG. 8, if the result of the determination in step S31 is negative, it means that the CARD server has received an inquiry from the adjacent CARD server. In this case, the process proceeds to step S35. In step S35, as in step S32, the AR address analysis unit 311 _j refers to the “base station identification information and AR information correspondence table” 312 _j and uses the MAC address of the base station notified by the CARD request, The IP address of the access router to which the base station is connected is searched. As a result of the search, it is determined whether or not the corresponding IP address has been searched.

If the result of the determination is affirmative, the process proceeds to step S36, and a CARD reply is returned from the response unit 322 _j to the CARD server 121 _j that is the inquiry source. If the result of the judgment is a negative, the process proceeds to step S37, to the CARD server 121 _j is querying from the response unit 322 _j, returns a failure CARD request.

<< Configuration of Authentication Server 122 _j >>
As shown in FIG. 10, the authentication server 122 _j includes a control unit 400 _j and a communication control unit 401 _j . The control unit 400 _j includes an authentication preparation control function unit 410 _j and an address analysis unit 420 _j of the domain authentication server. The authentication preparation control function unit 410 _j includes an authentication preparation control unit 411 _j as a key transmission unit or first to third key transmission unit, and a preparation completion report unit or first to third preparation report unit, and a key generation unit. Alternatively, an authentication key generation unit 412 and an authentication session information DB 413 _j as first to third key generation means are provided.

  Here, if the authentication server is not the home authentication server of the mobile communication terminal device 110, the mobile communication terminal device 110 simply receives an authentication preparation request to the movement candidate destination domain made to the home domain system, and Send to domain system. Further, it mediates transmission of authentication information and a response to the authentication information performed between the migration candidate destination domain system and the home domain system. When the preparation for authentication is made, the fact that the authentication key and the generated authentication key are transmitted from the home domain system to the mobile communication terminal device 110 is mediated.

On the other hand, when the authentication server 122 _j is a home authentication server that is an authentication server of a system in a contract destination domain of a communication contract of the mobile communication terminal device 110, upon receiving an authentication preparation request from the mobile communication terminal device 110, the authentication preparation The control unit 411 _j performs an authority check as to whether or not the mobile communication terminal device 110 can access a domain for which authentication preparation is requested.

If the authorization was valid, the authentication key generation unit 412 _j reads the data corresponding to the current authentication session information of the authentication session information DB 413 _j from the mobile communication terminal device 110, the destination candidates based on this An authentication key used for authentication with a domain and its expiration date are generated. The authentication session information DB 413 _j stores data for the number of mobile communication terminal devices in which the domain is the home domain and a session is established.

Further, the address analysis unit 420 _j of the authentication server analyzes the IP address of the authentication server of the domain based on the domain name that is the authentication preparation destination notified in accordance with the authentication preparation request.

The authentication preparation control unit 411 _j uses the authentication key generated by the authentication key generation unit 412 _j and the authentication information obtained by adding the user ID, which is identification information of the mobile communication terminal device 110, to the IP address of the authentication server of the domain. It transmits to the domain system of the movement destination candidate of the mobile communication terminal device 110 by the address. When the fact that the authentication information has been received from the domain system is received, the mobile communication terminal device 110 is transmitted together with the authentication key to the effect that the preparation for authentication has been completed.

Next, the function of the authentication server 122 _j will be described in more detail with reference to FIG. First, in step S50, the authentication preparation control unit 411 _j of the home authentication server 122 _j receives the authentication preparation request transmitted by the authentication preparation control unit 211 of the mobile communication terminal device 110. Subsequently, the process proceeds to step S51.

In step S51, the authentication preparation control unit 411 _j performs the domain in which the mobile communication terminal device 110 requests the authentication preparation, that is, the domain system to which the base station of the movement destination candidate of the mobile communication terminal device 110 belongs (hereinafter referred to as “movement destination domain”). It is determined whether or not the system can be accessed. If the result of this determination is affirmative, it means that mobile communication terminal apparatus 110 has access authority, and the process proceeds to step S52.

In step S52, the authentication key generation unit 412 _j uses the authentication key with an expiration date used for authentication performed by the mobile communication terminal apparatus 110 with the access router (hereinafter also referred to as “NAR”) in the destination domain, and the expiration date. Generate. The generation of the authentication key is performed based on the current authentication information about the mobile communication terminal device 110 read from the authentication session information DB 413 _j . This reduces the time and effort of key generation. Subsequently, the process proceeds to step S53.

In step S53, the address analysis portion 420 _j of the authentication server, based on the domain name is notified authentication ready destination with the corresponding authentication preparation request, it analyzes the IP address of the authentication server of the domain, obtaining. Subsequently, the process proceeds to step S54.

In step S54, the authentication preparation control unit 411 _j is the information such as the ID of the authentication key and the expiration date and the mobile communication terminal device 110 toward the NAR, to the authentication server of the destination domain. Subsequently, the process proceeds to step S55.

In step S55, the authentication preparation control unit 411 _j is determines whether it has received a success report from the NAR. If the result of the determination is affirmative, the process proceeds to step S56.

In step S56, the authentication preparation control unit 411 _j is the authentication key thus generated and its expiration date, to the mobile communication terminal device 110 together with the fact that authentication preparation is successful.

If the result of determination in step S51 is negative and the mobile communication terminal device 110 does not have the authority to access the domain, or the result of determination in step S55 is negative and authentication preparation from the NAR is successful. If no report is made, the process proceeds to step S57. In step S57, the authentication preparation control unit 411 _j transmits that authentication preparation has failed to the mobile communication terminal apparatus 110.

<Configuration of access router 123 _jm >
As shown in FIG. 12, the access router 123 _jm includes a control unit 500 _jm and a communication control unit 501 _jm . The control unit 500 _jm is provided with an authentication control function unit 510 _jm, authentication control function unit 510 _jm as an authentication preparation means and the final certification means, authentication preparation control unit 511 _jm, authentication preparation information DB512 _jm, and the authentication unit 513 _jm .

The authentication preparation control unit 511 _jm acquires authentication preparation information added with an authentication key, an expiration date, and identification information of the mobile communication terminal device 110 from the home domain system, and stores the authentication preparation information in the authentication preparation information DB 512 _jm . Then, when the mobile communication terminal apparatus 110 is about to start wireless communication with the base station under its control, the authentication unit 513 _jm performs authentication using the challenge-response method using the authentication preparation information. Further, the authentication preparation information DB 512 _jm is an area for managing the authentication preparation information acquired from the home domain system. However, since there may be a plurality of mobile communication terminal apparatuses that use the base station as a wireless communication destination candidate, Information is managed as.

The function of the authentication preparation control unit 511 _jm of the access router will be described in more detail with reference to FIG. First, in step S60, authentication preparation information is received from the home authentication server. Subsequently, the process proceeds to step S61.

In step S61, the authentication preparation success is returned to the authentication server that is the source of the authentication preparation information. Thereafter, the process proceeds to step S62. In step S62, the acquired authentication preparation information is stored in the authentication preparation information DB 512 _jm . When the process ends, the process returns to the beginning.

Next, the function of the authentication unit 513 _jm of the access router will be described in more detail with reference to FIG. First, in step S63, an authentication request is received from the mobile communication terminal device 110. Subsequently, the process proceeds to step S64.

In step S64, the corresponding authentication preparation information is read out from the authentication preparation information DB 512 _jm based on the ID of the mobile communication terminal device notified with the authentication request detected in step S63. Subsequently, the expiration date of the information is examined, and it is determined whether or not the information is valid. If the result of the determination is affirmative, the process proceeds to step S65.

  In step S65, authentication is performed with the mobile communication terminal device using the challenge-response method using the authentication key in the authentication preparation information. When step S65 ends, the process returns to the beginning.

  The determination result in step S64 is negative when the validity period of the authentication information has expired or when the mobile communication terminal apparatus 110 has moved before the completion of authentication preparation. In this case, since authentication cannot be performed based on the authentication preparation information, the process proceeds to step S66. In step S66, general authentication, which is normal authentication with the mobile communication terminal device, is performed. When step S66 ends, the process returns to the beginning.

[Operation]
The operation in the present embodiment will be described with reference to FIGS. In the following description, the first domain stem 120 ₁ is the source domain system to which the mobile communication terminal device 110 is currently connected, and the second domain system 120 ₂ moves the mobile communication terminal device 110. It is assumed that it is the previous domain system.

<When Third Domain System 120 ₃ is the home domain system>
In this case, as shown in FIG. 15, the authentication system 101 includes the first domain stem 120 ₁ , the second domain system 120 _2, and the home domain system 120 ₃ . Each domain system has the configuration shown in FIG. 6, and j = 1 and m = 1 are applied to the first domain stem 120 ₁ . 1 is applied to k. Hereinafter, the same applies to each domain system. Here, the base station 124 ₁₁₁ is a base station in which the mobile communication terminal apparatus 110 is currently performing radio communication, and the base station 124 ₂₁₁ has moved after the mobile communication terminal apparatus 110 has moved. It is a wireless communication destination candidate. The access router 123 ₁₁ is a PAR (Previous AR), and the access router 123 ₂₁ is a NAR (Next AR). In addition, the authentication server 122 ₃ has become a home authentication server.

  Steps S101 to S111 in FIG. 15 show an authentication operation procedure in the authentication system. Hereinafter, the procedure will be described in the order of steps S101 to S111.

In this authentication system 101, first, in step S101 of FIG. 15, the mobile communication terminal apparatus 110 _obtains the MAC address of the base station 124 ₂₁₁ by radio waves of the adjacent base station 124 ₂₁₁ during wireless communication with the base station 124 _111. get. As a result, the authentication operation starts.

Next, in step S102, the mobile communication terminal apparatus 110 uses the MAC address to make a CARD request to the _first CARD server 121 ₁ that is the CARD server of the domain to which the mobile communication terminal apparatus 110 belongs.

Next, in step S103, the 1CARD server 121 _1, for NAR information of the base station 124 ₂₁₁ that received the inquiry references the "base station identification information and AR information corresponding table" 312 _1, the appropriate NAR Search for an IP address.

Here, in the first domain system _1201, the results of the search will be a negative one. Then, the first CARD server 121 ₁ refers to the “neighboring CARD server list” 323 _1, and the second CARD server 121 ₂ of the second domain that is an adjacent domain existing in the list is informed of the IP address of the NAR. Queries information such as addresses.

Then, in step S104, the 2CARD server 121 ₂ refers to the "base station identification information and AR information corresponding table" 312 ₂ itself, to get the IP address of the corresponding NAR, adding information's domain name Then, it is returned to the _first CARD server 121 ₁ that is the inquiry source.

Subsequently, in step S105, the first CARD server 121 ₁ having received the reply adds an “external domain migration flag” and transfers the CARD reply to the mobile communication terminal device 110. In response to this, the mobile communication terminal apparatus 110 sends an authentication preparation request to the home authentication server 122 ₃ of the home domain system 120 ₃ of the mobile communication terminal apparatus 110 via the first authentication server 122 ₁ in step S106. Send.

In step S107, the home authentication server 122 ₃ First, the mobile communication terminal device 110 determines whether there is a right to access the second domain. If the result of the determination is affirmative, the current authentication session information of the mobile communication terminal device 110 is read from the authentication session information DB 413 _j and based on this, the mobile communication terminal device 110 and generates an authentication key and its expiration date used for authentication with the target base station of the access router NAR123 _2.

Subsequently, in step S108, the home authentication server 122 ₃ transmits the information added an ID or the like of the mobile communication terminal device 110 to the authentication key or the like, to the second authentication server 122 ₂ through NAR123 _2. In step S109, the NAR 123 ₂ receiving this reports to the home authentication server 122 ₃ that the authentication preparation information has been successfully received.

Then, in step S110, the home authentication server 122 ₃ together with the authentication key or the like, through the first authentication server 122 ₁ to the effect that the mobile communication terminal device 110 is authenticated, the preparation that request is successful in step S106, the mobile communication terminal device 110.

Thereafter, when the mobile communication terminal apparatus 110 actually moves under the second domain and starts wireless communication with the base station 124 ₂₁₁ connected to the NAR 123 ₂ in step S111, the NAR 123 is started in step S108. ₂ receives, also by using the authentication key mobile communication terminal device 110 is received in step S110, between the NAR123 ₂ and the mobile communication terminal apparatus 110 performs authentication by Challenge-Response method. If the authentication is successful, the inter-domain movement of the mobile communication terminal device 110 is completed, and communication can be resumed.

<When the first domain system is a home domain system>
Then, the first domain system ₁₂₀₁ will be described for the case where the home domain system.

In this case, as shown in FIG. 16, the authentication system 102 includes the first domain stem 120 ₁ and the second domain system 120 ₂ . In this case, similarly to the case of the authentication system 101 described above, each domain system has the configuration shown in FIG. 6, and j = 1 and m = 1 are applied to the first domain stem 120 _1. To do. 1 is applied to k. Hereinafter, in the same manner for each domain system, the base station 124 ₁₁₁ is a base station where the mobile communication terminal apparatus 110 is currently performing wireless communication, and the base station 124 ₂₁₁ is the wireless communication destination after the mobile communication terminal apparatus 110 has moved. Is a candidate. The access router 123 ₁₁ is a PAR, and the access router 123 ₂₁ is a NAR.

  Steps S201 to 211 in FIG. 16 show the procedure of the authentication operation in this authentication system. Hereinafter, the procedure will be described in the order of steps S201 to 211.

In this authentication system 102, first, in step S201 of FIG. 16, the mobile communication terminal apparatus 110 _obtains the MAC address of the base station 124 ₂₁₁ by radio waves of the adjacent base station 124 ₂₁₁ during wireless communication with the base station 124 _111. get. As a result, the authentication operation of the authentication system starts.

Next, in step S202, the mobile communication terminal apparatus 110 uses the MAC address to make a CARD request to the _first CARD server 121 ₁ that is the CARD server of the domain to which the mobile communication terminal apparatus 110 belongs.

Next, in step S203, the 1CARD server 121 _1, for NAR information of the base station 124 ₂₁₁ that received the inquiry references the "base station identification information and AR information corresponding table" 312 _1, the appropriate NAR Search for an IP address.

In the present embodiment, since it is assumed that the user intends to move to a second domain different from the first domain, the search result is negative. Then, the first CARD server 121 ₁ refers to the “neighboring CARD server list” 323 _1, and the second CARD server 121 ₂ of the second domain that is an adjacent domain existing in the list is informed of the IP address of the NAR. Queries information such as addresses.

Then, in step S204, the second CARD server 121 ₂ refers to its own “base station identification information and AR information correspondence table” 412 ₂ , acquires the IP address of the corresponding NAR, and adds the domain name information to which it belongs. Then, it is returned to the _first CARD server 121 ₁ that is the inquiry source.

Subsequently, in step S205, the first CARD server 121 ₁ having received the reply adds an “external domain migration flag” and transfers the CARD reply to the mobile communication terminal device 110.

The mobile communication terminal device 110 which has received this, in step S206, with respect to the first authentication server 122 ₁ transmits an authentication preparation request.

Next, in step S207, the first authentication server 1221 _first determines whether or not the mobile communication terminal device 110 has the authority to access the second domain. If the result of the determination is affirmative, the current authentication session information of the mobile communication terminal device 110 is read from the authentication session information DB 413 _j and based on this, the mobile communication terminal device 110 and generates an authentication key and its expiration date used for authentication with the target base station of the access router NAR123 _2.

Subsequently, in step S208, the first authentication server 122 ₁ transmits the information added an ID or the like of the mobile communication terminal device 110 to the authentication key or the like, to the second authentication server 122 ₂ through NAR123 _2. In step S209, the NAR 123 ₂ that has received this reports to the first authentication server 122 ₁ that the authentication preparation information has been successfully received through the second authentication server 122 ₂ .

Then, in step S210, the first authentication server 122 ₁ together with the authentication key or the like, and transmits the effect that authentication ready mobile communication terminal apparatus 110 requests in step S206 has succeeded in mobile communication terminal apparatus 110.

Thereafter, when the mobile communication terminal apparatus 110 actually moves under the second domain and starts wireless communication with the base station 124 ₂₁₁ connected to the NAR 123 ₂ in step S211, the NAR 123 is determined in step S208. ₂₁ , and using the authentication key received by the mobile communication terminal device 110 in step S <b> ₂₁₀ , authentication is performed between the NAR 123 ₂₁ and the mobile communication terminal device 110 by the Challenge-Response method. If the authentication is successful, the inter-domain movement of the mobile communication terminal device 110 is completed, and communication can be resumed.

<When the destination second domain system is a home domain system>
Next, the second domain system ₁₂₀₂ will be described for the case where the home domain system.

In this case, as shown in FIG. 17, the authentication system 103 includes the first domain stem 120 ₁ and the second domain system 120 ₂ . In this case, similarly to the case of the authentication system 101 described above, each domain system has the configuration shown in FIG. 6, and j = 1 and m = 1 are applied to the first domain stem 120 _1. To do. 1 is applied to k. Hereinafter, in the same manner for each domain system, the base station 124 ₁₁₁ is a base station where the mobile communication terminal apparatus 110 is currently performing wireless communication, and the base station 124 ₂₁₁ is the wireless communication destination after the mobile communication terminal apparatus 110 has moved. Is a candidate. The access router 123 ₁₁ is a NAR, and the access router 123 ₂₁ is a PAR.

  Steps S301 to S311 in FIG. 17 show the procedure of the authentication operation in this authentication system. Hereinafter, the procedure will be described in the order of steps S301 to S311.

In this authentication system 103, first, in step S301 of FIG. 17, the mobile communication terminal apparatus 110 _obtains the MAC address of the base station 124 ₂₁₁ by radio waves of the adjacent base station 124 ₂₁₁ during wireless communication with the base station 124 _111. get. As a result, the authentication operation of the authentication system starts.

Next, in step S302, the mobile communication terminal apparatus 110 uses the MAC address to make a CARD request to the _first CARD server 121 ₁ that is the CARD server of the domain to which the mobile communication terminal apparatus 110 belongs.

Next, in step S303, the 1CARD server 121 _1, for NAR information of the base station 124 ₂₁₁ that received the inquiry references the "base station identification information and AR information corresponding table" 312 _1, the appropriate NAR Search for an IP address.

Since this embodiment assumes the case where it tries to move to the 2nd domain different from a 1st domain, the result of a search becomes a negative thing. Then, the first CARD server 121 ₁ refers to the “neighboring CARD server list” 323 _1, and the second CARD server 121 ₂ of the second domain that is an adjacent domain existing in the list is informed of the IP address of the NAR. Queries information such as addresses.

Then, in step S304, the 2CARD server 121 ₂ refers to the "base station identification information and AR information corresponding table" 312 ₂ itself, to get the IP address of the corresponding NAR, adding information's domain name Then, it is returned to the _first CARD server 121 ₁ that is the inquiry source.

Subsequently, in step S 305, the first CARD server 121 ₁ that has received the reply adds an “external domain migration flag” and transfers the CARD reply to the mobile communication terminal device 110.

Receiving this, the mobile communication terminal apparatus 110 transmits an authentication preparation request to the second authentication server 122 ₂ via the first authentication server 122 ₁ in step S306.

In step S307, the second authentication server 122 ₂ first determines whether or not the mobile communication terminal device 110 has a valid right to access the second domain. If the result of the determination is affirmative, the current authentication session information of the mobile communication terminal device 110 is read from the authentication session information DB 413 _j and based on this, the mobile communication terminal device 110 and Then, an authentication key used for authentication with the access router NAR123 ₂₁ of the movement-destination base station and its expiration date are generated.

Subsequently, in step S308, the second authentication server 122 ₂ transmits information obtained by adding the ID of the mobile communication terminal device 110 to the authentication key or the like to the NAR 123 ₂₁ . In step S309, the NAR 123 ₂₁ that has received this reports to the second authentication server 122 ₂ that the authentication preparation information has been successfully received.

Then, in step S310, the second authentication server 122 ₂ informs the mobile communication terminal via the first authentication server 122 ₁ that the authentication preparation requested by the mobile communication terminal device 110 in step S306 is successful along with the authentication key and the like. To device 110.

Thereafter, when the mobile communication terminal apparatus 110 actually moves under the second domain and starts wireless communication with the base station 124 ₂₁₁ connected to the NAR 123 ₂₁ in step S311, the NAR 123 is determined in step S308. _{21 and} authentication using the challenge-response method is performed between the NAR 123 ₂₁ and the mobile communication terminal apparatus 110 using the authentication key received by the mobile communication terminal apparatus 110 in step S310. If the authentication is successful, the inter-domain movement of the mobile communication terminal device 110 is completed, and communication can be resumed.

As described above, the authentication system 101 is an authentication system that performs authentication required when a base station that is a wireless communication destination is changed due to movement of the mobile communication terminal apparatus 110. the home domain system 120 ₃ is a system contractor domains, and a plurality of other domain system other than the home domain system.

In the authentication system 101, when receiving the inquiry identification information of another domain system from the mobile communication terminal device 110 and the second base station 124 ₂₁₁ belongs, first domain system 120 _1, the second base station 124 ₂₁₁ the If it does not belong to the first domain system 120 ₁ , that is, if the mobile communication terminal device 110 is about to move to a jurisdiction area of a domain system different from the current one, the first domain system will be the second base station 124 _211. by querying the second domain system 120 ₂ belonging acquires communication information including identification information of the access router in the second domain system 120 _2. Subsequently, the first domain system 120 _{1 transfers} the acquired communication information to the mobile communication terminal device 110 that is the inquiry source of the domain information.

Thereafter, when receiving the authentication preparation request for communication via the second base station 124 ₂₁₁ for the second domain system 120 ₂ using the communication information of a domain from the mobile communication terminal device 110, first domain system If 120 ₁ is not a home domain system that is a system of a contracted domain of mobile communication terminal apparatus 110 and second domain system 120 ₂ is not a home domain system, first domain system 120 ₁ The authentication preparation request received from the terminal device 110 is transmitted to the home domain system. Subsequently, the home domain system certified preparation request, based on the authentication session information between the mobile communication terminal device 110 and the first domain system 120 _1, the mobile communication terminal device 110 and the second domain system 120 ₂ An authentication key and an expiration date used for authentication are newly generated.

Subsequently, the home domain system 120 ₃ adds information that is necessary for the second domain system 120 ₂ to authenticate the mobile communication terminal apparatus 110 and that identifies the mobile communication terminal apparatus 110 to the authentication key or the like. authentication information, and transmits to the second domain system 120 _2. Receiving this, the second domain system 120 ₂ returns a reception confirmation indicating that the authentication information has been received to the home domain system 120 ₃ . Home Domain System 120 ₃ that has received the acknowledgment, transmits the effect that preparation of authentication with the first authentication key is completed to the mobile communication terminal apparatus 110.

Then, when the mobile communication terminal device 110 has moved to the jurisdiction area of the second base station 124 ₂₁₁ performs processing for starting wireless communication between the second base station 124 ₂₁₁ of mobile communication terminal apparatus. In other words, by using the authentication key which has been prepared, it performs authentication processing with the mobile communication terminal device 110 and the second domain system 120 _2.

  That is, the authentication system 101 of the present invention can perform authentication related to the mobile communication terminal 110 using the above-described authentication method of the present invention.

The authentication system 102 is an authentication system that performs authentication required when a base station that is a wireless communication destination is changed due to movement of the mobile communication terminal device 110, and is a contract destination domain of the mobile communication terminal device 110. a home first domain system 120 ₁ which is the domain system is a system, and at least one other domain system other than the home domain system.

In the authentication system 102, upon receiving the inquiry identification information of another domain system from the mobile communication terminal device 110 and the second base station 124 ₂₁₁ belongs, first domain system 120 _1, the second base station 124 ₂₁₁ the If it does not belong to the first domain system 120 ₁ , that is, if the mobile communication terminal device 110 is about to move to a jurisdiction area of a domain system different from the current one, the first domain system will be the second base station 124 _211. by querying the second domain system 120 ₂ belonging acquires communication information including identification information of the access router in the second domain system 120 _2. Subsequently, the first domain system 120 _{1 transfers} the acquired communication information to the mobile communication terminal device 110 that is the inquiry source of the domain information.

Thereafter, when receiving a request for authentication preparation for performing communication via the second base station 124 ₂₁₁ for the second domain system 120 ₂ using the identification information of the domain from the mobile communication terminal device 110, first domain system 120 _{When 1} is a home domain system that is a system of a contracted domain of the mobile communication terminal device 110 and the second domain system 120 ₂ is not a home domain system, the first domain system 120 ₁ is a mobile communication terminal certified preparation request received from the device 110, based on the authentication session information between the mobile communication terminal device 110 and the first domain system 120 _1, authentication between the mobile communication terminal device 110 of the second domain system 120 ₂ An authentication key used for the authentication and its expiration date are newly generated.

Subsequently, the first domain system 120 ₁ is an authentication information that is necessary for the second domain system 120 ₂ to authenticate the mobile communication terminal apparatus 110 and adds information for identifying the mobile communication terminal apparatus 110 to the authentication key. Information is transmitted to the second domain system 120 ₂ . Receiving this, the second domain system 120 ₂ returns a reception confirmation indicating that the authentication information has been received to the first domain system 120 ₁ . The first domain system 120 _{1 that} has received the confirmation transmits to the mobile communication terminal device 110 that the preparation for authentication is completed together with the first authentication key and the like.

Then, when the mobile communication terminal device 110 has moved to the jurisdiction area of the second base station 124 ₂₁₁ performs processing for starting wireless communication between the second base station 124 ₂₁₁ of mobile communication terminal apparatus. In other words, by using the authentication key which has been prepared, it performs authentication processing with the mobile communication terminal device 110 and the second domain system 120 _2.

  That is, the authentication system 102 of the present invention can also perform authentication related to the mobile communication terminal 110 using the above-described authentication method of the present invention.

The authentication system 103 is an authentication system that performs authentication required when a base station that is a wireless communication destination is changed due to movement of the mobile communication terminal device 110, and is a contract destination domain of the mobile communication terminal device 110. and the home domain second domain system ₁₂₀₂ is a system is a system, and at least one other domain system other than the home domain system.

When the authentication system 103 receives an inquiry about communication information including identification information of an access router in another domain system to which the second base station 124 ₂₁₁ belongs from the mobile communication terminal device 110, the second base station 124 ₂₁₁ If the mobile communication terminal apparatus 110 does not belong to the first domain system 120 ₁ , that is, if the mobile communication terminal apparatus 110 is about to move to a different jurisdiction area of the domain system, the first domain system 120 ₁ 124 ₂₁₁ by querying the second domain system 120 ₂ belonging to acquire the second communication information of the domain system 120 _2. Subsequently, the first domain system 120 _{1 transfers} the acquired identification information to the mobile communication terminal device 110 that is the inquiry source of the domain information.

Thereafter, when receiving a request for authentication preparation for performing communication via the second base station 124 ₂₁₁ for the second domain system 120 ₂ using the identification information of the domain from the mobile communication terminal device 110, first domain system 120 _{When 1} is not a home domain system that is a system of a contracted domain of the mobile communication terminal device 110 and the second domain system 120 ₂ is a home domain system, the first domain system 120 ₁ The authentication preparation request received from the device 110 is transmitted to the second domain system 120 ₂ . Subsequently, the second domain system 120 ₂ having received the authentication preparation request, based on the authentication session information between the mobile communication terminal device 110 and the first domain system 120 ₁ , the mobile communication terminal device 110 and the second domain system 120 _2. An authentication key used for authentication during the period and its expiration date are newly generated.

Subsequently, the second domain system 120 ₂ transmits to the mobile communication terminal device 110 that the preparation for authentication is completed together with the authentication key and the like.

Then, when the mobile communication terminal device 110 has moved to the jurisdiction area of the second base station 124 ₂₁₁ performs processing for starting wireless communication between the second base station 124 ₂₁₁ of mobile communication terminal apparatus. In other words, by using the authentication key which has been prepared, it performs authentication processing with the mobile communication terminal device 110 and the second domain system 120 _2.

  That is, the authentication system 103 of the present invention can also perform authentication related to the mobile communication terminal 110 using the above-described authentication method of the present invention.

[Modification of Embodiment]
Further, in the above embodiment, the operation for CARD request to the adjacent CARD server is described, in this case, with respect to high all or partially may be present in adjacent CARD server list 323 ₁ adjacent CARD server You can inquire. The inquiry may be by unicast, and may be inquired by broadcast or multicast according to the scale of the system.

  In the above embodiment, when a CARD server receives a CARD request from an adjacent CARD server, the CARD server searches only within its own domain and returns a CARD reply. However, depending on the configuration of the CARD server, the CARD server may further A CARD request may be transmitted to a group of adjacent CARD servers of the server.

  Further, in the above embodiment, the access router performs authentication with the mobile communication terminal device by the Challenge-Response method, but may perform it by another method capable of authentication.

  Further, in the above embodiment, when the first CARD server and the second CARD server communicate with each other, the communication is simply performed via the communication network, but it is also possible to perform the exchange via the CARD server of the home domain system.

When the authentication system adopts IPv4 (Internet Protocol Version 4) instead of IPv6 as a communication protocol, a domain system having a configuration as shown in FIG. 18 is used. The domain system differs from the domain system shown in FIG. 6 only in that it further includes a DHCP (Dynamic Host Configuration Protocol) server 125 _j .

When IPv4 is adopted, the mobile communication terminal apparatus 110 cannot create an IP address based on the NAR IP address information. Therefore, the CARD server 121 _j in the domain system that has received the CARD request requests the DHCP server 125 _j to distribute the IP address of the mobile communication terminal device 110. Subsequently, the CARD server 121 _j includes the distributed IP address as part of the communication information in the CARD reply, or the authentication server 122 _j indicates that the preparation for authentication is successful and the mobile communication terminal device 110. Here, the IP address of the mobile communication terminal device 110 can be created in response to the authentication preparation request.

  Therefore, even when the authentication system adopts IPv4, it is possible to acquire the IP address of the mobile communication terminal device in advance and resume high-speed communication.

  As described above, the authentication method of the present invention can be applied to an authentication method between different domains.

The mobile communication terminal device, domain system, and home domain system of the present invention can be applied to a system that performs the authentication method of the present invention.

  Further, the authentication system of the present invention can be applied to a system using the authentication method of the present invention.

It is a figure which shows notionally the structure of the authentication system of this invention. It is the block diagram which showed the internal structure of the mobile communication terminal device in this invention. It is the flowchart which showed the function of the CARD agent which is a structural block of a mobile communication terminal device. It is the flowchart which showed the function of the authentication preparation control part which is a structural block of a mobile communication terminal device. It is the flowchart which showed the function of the authentication part which is a structural block of a mobile communication terminal device. It is a figure which shows notionally the structure of the domain system in the authentication system of this invention. It is the block diagram which showed the internal structure of the CARD server in this invention. It is the flowchart which showed the function of the CARD server. It is the flowchart which showed the function of the adjacent server inquiry in a CARD server. It is the block diagram which showed the internal structure of the authentication server in this invention. It is the block diagram which showed the internal structure of the access router in this invention. It is the flowchart which showed the function of the authentication server. It is the flowchart which showed the function of the authentication preparation control part which is a structural block of an access router. It is the flowchart which showed the function of the authentication part which is a structural block of an access router. It is the figure 1 which shows the flow of authentication operation | movement of the authentication system in embodiment. FIG. 3 is a second diagram illustrating a flow of an authentication operation of the authentication system in the embodiment. It is FIG. 3 which shows the flow of authentication operation | movement of the authentication system in embodiment. It is a figure which shows notionally the structure of the domain system in the authentication system which is a modification of embodiment.

Explanation of symbols

110 ... mobile communication terminal device, 120 _j ... domain system, 121 _j ... CARD server, 122 _j ... authentication server, 123 _jm ... access router, 124 _jmk ... base station, 125 _j ... DHCP server, 130 _n ... correspondent terminal device , 140 ... communication network, 200 ... control section, 201 ... wireless communication section, 210 ... authentication function control section, 211 ... authentication preparation control section, 212 ... authentication preparation information DB, 213 ... authentication section, 220 ... CARD agent section, 300 _j ... control unit, 301 _j ... communication control unit, 310 _j ... AR information analysis function unit, 311 _j ... AR information analysis unit, 312 _j ... base station identification information and AR information correspondence table, 320 _j ... adjacent CARD server cooperation function Department, 321 _j ... inquiry unit, 322 _j ... responding section, 323 _j ... adjacent CARD server list, 400 _j ... controller, 401 _j ... communication control unit 410 _j ... authentication preparation control function unit, 411 _j ... authentication preparation control unit, 412 _j ... authentication key generation unit, 413 _j ... authentication session information DB, 420 _j ... address analyzing unit of the authentication server, 500 _jm ... controller, 501 _jm ... communication control unit, 510 _jm ... authentication control function unit, 511 _jm ... authentication preparation control unit, 512 _jm ... authentication preparation information DB, 513 _jm ... authentication unit.

Claims (17)

An authentication method for performing authentication required when a base station that is a wireless communication destination of the mobile communication terminal device is changed due to movement of the mobile communication terminal device,
When the mobile communication terminal apparatus newly detects identification information of the second base station transmitted from a second base station that is different from the first base station that is performing radio communication, the mobile communication terminal apparatus Inquiry of communication information including identification information of an access router connecting the second base station in the domain system to which the second base station belongs to the first domain system to which the first base station belongs A domain query process for querying a domain system;
The first domain system that has received the domain system inquiry uses the detected identification information of the second base station when the second base station does not belong to the first domain system. A domain information acquisition step of acquiring communication information including identification information of an access router in the second domain system from the second domain system to which
A terminal transfer step in which the first domain system that has acquired the communication information transfers the communication information to the mobile communication terminal device;
A first authentication preparation requesting step in which the mobile communication terminal device transmits an authentication preparation request for communication via the second base station to the second domain system to the first domain system;
The authentication preparation request is received when the first domain system is not a home domain system that is a system of a contracted domain of the mobile communication terminal device and the second domain system is not the home domain system A second authentication preparation requesting step in which the first domain system transmits the authentication preparation request to the home domain system;
The home domain system generates a first authentication key used for authentication between the mobile communication terminal device and the second domain system based on authentication session information between the mobile communication terminal device and the first domain system. A first key generation step;
A first authentication information transmitting step in which the home domain system transmits, to the second domain system, first authentication information in which information identifying the mobile communication terminal device is added to the first authentication key;
A first reception response step in which the second domain system that has received the first authentication information returns a first reception confirmation indicating that the authentication information has been received to the home domain system;
The home domain system that has received the first reception confirmation transmits to the mobile communication terminal device that the preparation for authentication for communication via the second base station is completed together with the first authentication key. The certification reporting process;
When the mobile communication terminal apparatus starts wireless communication with the second base station, a first authentication is performed between the mobile communication terminal apparatus and the second domain system using the first authentication key. An authentication method comprising: a final authentication step; When the first domain system is the home domain system, the first domain system that has received the authentication preparation request from the mobile communication terminal device has access authority in the second domain system of the mobile communication terminal device. When the validity is determined and the determination is affirmative, the mobile communication terminal device and the second domain system are based on authentication session information between the mobile communication terminal device and the first domain system. A second key generation step of generating a second authentication key used for authentication during the period;
A second authentication information transmitting step in which the first domain system transmits, to the second domain system, second authentication information in which information identifying the mobile communication terminal device is added to the second authentication key;
Second reception in which the second domain system that has received the second authentication information in the second authentication information transmission step returns a second reception confirmation indicating that the second authentication information has been received to the first domain system. A response step;
The first domain system that has received the second reception confirmation transmits to the mobile communication terminal device that the preparation for authentication for communication via the second base station is completed together with the second authentication key. 2 certification reporting process;
A second final authentication step of performing authentication between the mobile communication terminal device and the second domain system using the second authentication key when starting wireless communication with the second base station; The authentication method according to claim 1, further comprising: A third authentication preparation requesting step in which the first domain system transmits the authentication preparation request to the second domain system when the second domain system is the home domain system;
The second domain system that has received the authentication preparation request from the first domain system determines the validity of the authority of the mobile communication terminal device, and if the determination is affirmative, the mobile communication terminal A third key generation step of generating a third authentication key used for authentication between the mobile communication terminal device and the second domain system based on authentication session information between the device and the first domain system;
A third authentication reporting step in which the second domain system transmits to the mobile communication terminal device that the preparation for authentication for communication via the second base station is completed together with the third authentication key;
A third final authentication step of performing authentication between the mobile communication terminal device and the second domain system using the third authentication key when starting wireless communication with the second base station; The authentication method according to claim 1, further comprising:   Communication information including the domain system inquiry and the identification information of the access router in the second domain system is transmitted and received between the first domain system and the second domain system without going through the home domain system. The authentication method according to claim 1, wherein:   Communication information including the domain system inquiry and the identification information of the access router in the second domain system is transmitted and received between the first domain system and the second domain system via the home domain system. The authentication method according to claim 1, wherein:   When adopting a protocol that does not prepare the mobile communication terminal device communication identifier necessary for the mobile communication terminal device to communicate on the network, the second domain system, The authentication method according to claim 1, wherein the communication identifier is generated and transmitted to the mobile communication terminal device. A mobile communication terminal device comprising a transmission / reception unit for receiving radio waves transmitted from a base station,
The first domain system, which is the domain system to which the currently connected base station belongs, includes access router identification information in the second domain system to which the base station that is the communication destination candidate after the mobile communication terminal device moves The communication information is inquired using the identification information of the base station that is the communication destination candidate after the movement, and the communication information including the identification information of the access router in the second domain system is acquired from the first domain system. Domain information request means;
An authentication preparation request for the second domain system is sent to a home domain system that is a contract partner of the communication contract of the mobile communication terminal device, and the fact that the preparation for authentication is completed together with an authentication key is received from the home domain system. And an authentication control means for performing authentication with the second domain system using the authentication key received from the home domain system when moving to the jurisdiction area of the second domain. A mobile communication terminal device.   In the case of adopting a protocol that does not prepare its own communication identifier necessary for performing communication on the network, the communication communication that has been notified after being created in the second domain system 8. The mobile communication terminal apparatus according to claim 7, wherein communication is performed with the second domain system using an identifier. It is a domain system different from any of the contract parties of the communication contract of the first and second mobile communication terminal devices,
At least one local domain base station;
At least one access router connecting the own domain base station;
The first mobile communication terminal apparatus that is performing radio communication with a first base station that is one of the own domain base stations, and the second base station identification information that is different from the first base station. Search means for searching for identification information of an access router in the domain system in the own domain system when receiving a domain system inquiry which is an inquiry of identification information of a domain system to which two base stations belong;
As a result of the search by the search means, if it is determined that the second base station does not belong to its own domain system, the identification information of the access router in the adjacent domain system is included for at least one adjacent domain system Inquiry transmission means for sending a request for returning the first communication information;
Identification information reporting means for reporting communication information of the adjacent domain to the mobile communication terminal device when receiving a reply of communication information of the adjacent domain;
When the first mobile communication terminal apparatus receives an authentication preparation request for communication via the second base station for the domain system to which the second base station belongs, the contract destination domain system of the first mobile communication terminal apparatus The authentication preparation request is transmitted to the first home domain system, and the preparation for authentication including the fact that the authentication preparation is successful together with the authentication key as a response to the authentication preparation request from the first home domain system is completed. Authentication preparation transmission / reception means for sending the authentication preparation completion report to the mobile communication terminal device when receiving the report;
A domain system which is an inquiry for information for second communication including identification information of an access router in the domain system to which the third base station belongs with identification information about the third base station belonging to the own domain system from the adjacent domain system Inquiry response means for returning communication information of the own domain when receiving an inquiry;
An authentication key for communication from a second home domain system that is a contract partner of the second mobile communication terminal device via a third base station that is one of base stations in the own domain, and the second mobile communication terminal device Authentication that prepares authentication for communication via the third base station by the second mobile communication terminal device and reports the completion of the authentication preparation to the second home domain system when receiving the identification information Preparation means;
When the second mobile communication terminal apparatus starts wireless communication with the third base station, the final authentication is performed between the second mobile communication terminal apparatus and the own domain system using the authentication key. A domain system comprising: an authentication means;   When the first mobile communication terminal apparatus adopts a protocol that does not prepare a communication identifier of the mobile communication terminal apparatus necessary for communication on the network, the identification information reporting means And the authentication preparation transmitting / receiving means transmits the communication identifier notified after being created in the adjacent domain system to the mobile communication terminal device. Domain system.   If the second mobile communication terminal device adopts a protocol that does not prepare the communication identifier of the mobile communication terminal device necessary for communication on the network, the inquiry response means and 11. The domain system according to claim 9, wherein any one of the authentication preparation means creates the communication identifier and transmits it to the mobile communication terminal device. A home domain system that is a system of a contract domain of a communication contract of a mobile communication terminal device,
The mobile communication terminal apparatus is a destination candidate of the mobile communication terminal apparatus from the mobile communication terminal apparatus via a first domain system different from itself to which the first base station with which the mobile communication terminal apparatus is currently wirelessly communicating belongs. Between the mobile communication terminal device and the first domain system when receiving an authentication preparation request that is a request for authentication preparation of the mobile communication terminal device for a second domain system to which the two base stations belong First key generation means for generating a first authentication key used for authentication between the mobile communication terminal device and the second domain system, based on the authentication session information of;
First key transmitting means for transmitting, to the second domain system, first authentication information in which information identifying the mobile communication terminal device is added to the first authentication key;
Successful preparation for authentication together with the first authentication key toward the mobile communication terminal device via the first domain system upon receipt of reception of the first authentication information from the second domain system A first preparation report means for transmitting a message indicating the completion of the operation. When the first base station belongs to itself, the mobile communication terminal device receives an inquiry for communication information including identification information about an access router in a domain system to which the second base station belongs. Search means for searching for identification information of two base stations in the own domain system;
As a result of the search by the search means, when it is determined that the second base station does not belong to its own domain system, communication including identification information of an access router in the adjacent domain with respect to at least one adjacent domain system Inquiry transmission means for sending a request for returning information for use;
Identification information reporting means for reporting communication information including identification information of an access router in the second domain to the mobile communication terminal device when receiving a reply of identification information of the second domain system;
When receiving an authentication preparation request for communication via the second base station for the second domain system from the first mobile communication terminal device, based on authentication session information with the mobile communication terminal device, Second key generation means for generating a second authentication key used for authentication between the mobile communication terminal device and the second domain system;
Second key transmission means for transmitting second authentication information, in which information for identifying the mobile communication terminal device is added to the second authentication key to the second domain system;
When receiving a reply of receipt confirmation that the second authentication information has been received from the second domain system that has received the second authentication information, the second base station, together with the second authentication key, The home domain system according to claim 12, further comprising: a second preparation report unit that transmits to the mobile communication terminal device that the preparation for authentication for communication via the communication is completed. When the second base station belongs to itself, when receiving a domain system inquiry that is an inquiry for communication information including identification information of an access router in the own domain system from the first domain system, access in the own domain system Inquiry response means for returning communication information including router identification information;
When receiving an authentication preparation request for communication via the second base station from the first domain system, the mobile communication terminal based on authentication session information between the mobile communication terminal apparatus and the first domain system Third key generation means for generating a third authentication key used for authentication with the device;
Third preparation report means for transmitting to the mobile communication terminal device that the preparation for authentication for communication via the second base station is completed together with the third authentication key;
And a final authentication means for performing authentication with the mobile communication terminal device using the third authentication key when the mobile communication terminal device starts wireless communication with the second base station. 14. The home domain system according to claim 12 or 13, characterized in that:   The second base station belongs when a protocol is employed in which the mobile communication terminal apparatus does not prepare a communication identifier of the mobile communication terminal apparatus necessary for the mobile communication terminal apparatus to communicate on the network. The home domain system according to any one of claims 12 to 14, wherein a domain system creates the communication identifier and transmits it to the mobile communication terminal device. A home domain system which is a system of a contracted domain of a mobile communication terminal device, and a plurality of other domain systems including at least one base station and an access router connecting the base stations, which are different from the home domain system, An authentication system that performs authentication required when a base station that is a wireless communication destination is changed due to movement of the mobile communication terminal device,
The home domain system is
The mobile communication terminal apparatus moves from the mobile communication terminal apparatus via the first domain system, which is one of the other domain systems, to which the first base station with which the mobile communication terminal apparatus is currently wirelessly communicating belongs. Authentication preparation request which is one of the other domain systems to which the second candidate base station belongs, and is a preparation for authentication of the mobile communication terminal device for a second domain system different from the first domain system And generating an authentication key used for authentication between the mobile communication terminal device and the second domain system based on authentication session information between the mobile communication terminal device and the first domain system. Key generation means;
Key transmitting means for transmitting authentication information in which information identifying the mobile communication terminal device is added to the authentication key to the second domain system;
When the fact that the authentication information is received from the second domain system is received, the fact that the preparation for authentication is successful is transmitted to the mobile communication terminal device together with the authentication key via the first domain. Preparation completion reporting means; and the first domain system comprises:
A domain that is an inquiry about communication information including identification information of an access router in a domain system to which the second base station belongs with identification information of a second base station different from the first base station from the mobile communication terminal device Search means for searching for identification information of the second base station in its own domain system when receiving a system inquiry;
As a result of the search by the search means, when it is determined that the second base station does not belong to its own domain system, communication including identification information of an access router in the adjacent domain with respect to at least one adjacent domain system Inquiry sending means for sending a return request which is a request for returning information for use;
Identification information reporting means for reporting communication information including identification information of an access router in the second domain system to the mobile communication terminal device when receiving a reply of identification information of the second domain system;
When receiving an authentication preparation request for communication via the second base station for the domain system to which the second base station belongs from the mobile communication terminal device, the authentication preparation request is transmitted to the home domain system In addition, when receiving an authentication preparation completion report including that the authentication preparation has been successful together with the authentication key as a response to the authentication preparation request from the home domain system, the authentication preparation completion report is sent to the mobile communication terminal. Authentication preparation transmission / reception means to be sent to the device
The second domain system is
Inquiry response means for returning communication information including identification information of an access router in the own domain system when receiving the return request;
When receiving an authentication key and identification information of the mobile communication terminal device from the home domain system, prepare for authentication for communication via the second base station by the mobile communication terminal device, and complete the preparation for authentication Authentication preparation means for reporting to the home domain system;
Final authentication means for performing authentication between the mobile communication terminal apparatus and the own domain system using the authentication key when the mobile communication terminal apparatus starts wireless communication with the second base station; An authentication system comprising: The second base station belongs when a protocol is employed in which the mobile communication terminal apparatus does not prepare a communication identifier of the mobile communication terminal apparatus necessary for the mobile communication terminal apparatus to communicate on the network. The authentication system according to claim 16, wherein a domain system creates the communication identifier and transmits it to the mobile communication terminal device.

Images