KR101504175B1 - System and method of Integrated authentication center of 3G/LTE and IMS - Google Patents

Abstract

The present invention relates to an authentication system and method for a wireless communication system, and more particularly, to a system and method for integrated authentication of 3G/LTE and IMS. According to the system and method, an IMS authentication server is integrated with a 3G/LTE authentication server so that a plurality of authenticated subscriber databases are integrated, thereby reducing the size of a database. Furthermore, synchronization failure that may occur at the time of derived PRID authentication is prevented to avoid an error of an authentication system, so that the efficiency of a network structure can be remarkably improved. The present invention discloses an integrated LTE and IMS authentication system comprising: an LTE authentication server for LTE authentication; an IMS authentication server for IMS authentication; and an integrated subscriber database in which authentication information of LTE subscribers and VoLTE subscribers are integrally managed. According to the present invention, the LTE authentication server and the IMS authentication server are integrally operated so that an efficiently configured subscriber database can be shared. Furthermore, a network can be more efficiently configured and managed, and problems of the derived PRID authentication can be resolved.

Description

System and method for integrated authentication of 3G / LTE and IMS < RTI ID = 0.0 > and /

The present invention relates to an authentication system and method of a wireless communication system, and more specifically, by integrating an IMS authentication server in an authentication server of 3G / LTE, a plurality of authentication subscriber databases are integrated to greatly reduce the size of a database, LTE < / RTI > and IMS integrated authentication system capable of dramatically improving the network structure by preventing synchronization errors in authenticated PRID (derived PRID) authentication and improving errors in the authentication system.

Background of the Invention [0002] Wireless communication systems are continuously evolving, and a variety of standard wireless communication systems are coexisting in the market. As a representative example thereof, a VoLTE system, which is a LTE-based VoIP service in recent years following a wireless LAN such as Wi-Fi, a 3G mobile communication system, and an LTE wireless communication system, can be mentioned. However, a conventional commercial wireless communication system is subject to user authentication for the purpose of maintaining security on communication, accounting, QoS control, and the like. Accordingly, various authentication servers are implemented and used for each wireless communication system.

Typically, an authentication server or an authentication center (AuC) authenticates subscribers and supports encryption for wireless communication intervals. The authentication server (AuC) judges whether the subscriber is legitimate by using the secret key and algorithm shared with the terminal, permits the service to the legitimate subscriber, and blocks the service if the subscriber is an illegal subscriber. The authentication server (AuC) also prevents eavesdropping by encrypting the wireless communication interval using the generated authentication parameters.

Recently, in a commercial mobile communication system, a system in which a fourth generation LTE system is added in parallel for data communication service has been established while using a 3G network for a voice call. Accordingly, a 3G / LTE authentication server is implemented and operated . Recently, a VoIP service using an IMS (IP Multimedia Subsystem), that is, a VoLTE service, has been additionally provided. Accordingly, an IMS authentication system for authenticating an LTE authentication system and a VoLTE service is separately installed .

However, in order to provide LTE service, LTE authentication is required, and the only method of LTE authentication is EPS-AKA (Evolved Packet Core-Authentication & Key Agreement). EPS- AKA uses Universal Subscriber Identity Module (USIM) AuC). IMS-AKA is an international subscriber identity module (ISIM) and IMS authentication. Thus, each of the above LTE authentication servers and IMS-AKA has been conventionally used for providing VoLTE service, and IMS-AKA is a representative method of IMS authentication. The authentication server has been independently implemented and operated. However, since the subscriber using the VoLTE service must be an LTE subscriber and therefore the subscriber receiving the IMS authentication is assumed to be LTE-authenticated, rather than operating the respective authentication servers separately, It is possible to share the subscriber database configured efficiently, and it becomes possible to configure and operate the network more efficiently.

Also, in the derived PRID (authenticated PRID) authentication, which is a procedure in which a subscriber who does not have an ISIM receives an IMS authentication using a USIM, in order to process using the separated IMS authentication server, the Ki, OPc, AMF And the synchronization between the USIM and the SQN can not be performed, so that a synchronization failure occurs. Thus, a resync procedure is required.

Accordingly, there is a need for an integrated LTE and IMS authentication system and method that can solve problems such as inefficiency and derived PRID It is a fact that I can not.

SUMMARY OF THE INVENTION The present invention has been made to solve the above-mentioned problems of the prior art, and it is an object of the present invention to provide a method and system for efficiently sharing a subscriber database configured, efficiently configure and operate a network, And to provide an integrated LTE and IMS authentication system and method capable of solving the problem in the mobile communication system.

According to an aspect of the present invention, there is provided an integrated LTE and IMS authentication system including an LTE authentication server for LTE authentication; An IMS authentication server for IMS authentication; And an integrated subscriber database in which authentication information of an LTE subscriber and a VoLTE subscriber are integrated and managed. When the IMS authentication server processes a derived PRID (derived PRID) authentication, a PRID is generated using an IMSI stored in a USIM If a USIM subscriber exists, a PRID is generated based on the IMSI, and authentication processing using Ki, OPc, and AMF of the USIM is performed. And if the USIM subscriber does not exist, it is processed as an unknown subscriber.

Herein, each subscriber authentication information of the unified subscriber database may include an IMSI field and a Home_Domain_Number field.

Also, the Home_Domain_Number field has an index value composed of numbers, and the index value may be a value that matches one-on-one with each real domain registered in the system information.

In addition, the Home_Domain_Number field may have an index value composed of a 1-byte number.

In addition, each subscriber authentication information of the unified subscriber database may be shared with one field by synchronizing the ISIM SQN with the USIM SQN using the PS / CS SQN domain separation.

Also, the LTE authentication server and the IMS authentication server may be implemented as one server.

According to another aspect of the present invention, there is provided an integrated LTE and IMS authentication method including the steps of: (a) searching an integrated subscriber database using information included in an authentication message received by an LTE authentication server or an IMS authentication server; And (b) determining whether the LTE authentication server or the IMS authentication server authenticates based on the result of the unified subscriber database search, and the unified subscriber database integrally manages the authentication information of the LTE subscriber and the VoLTE subscriber (A1) generating a PRID using an IMSI stored in a USIM; and when the IMS authentication server processes a derived PRID authentication, the step (a) further comprises: (a1) generating a PRID using an IMSI stored in a USIM; (A2) a USIM subscriber is inquired to a part excluding the domain from the PRID, and if there is a USIM subscriber, a PRID is generated based on the IMSI and an authentication process is performed using Ki, OPc, and AMF of the USIM And if the USIM subscriber does not exist, processing it as an Unknown Subscriber.

Herein, each subscriber authentication information of the unified subscriber database includes an IMSI field and a Home_Domain_Number field. The Home_Domain_Number field is composed of a 1-byte number and has an index matching each one of actual domains registered in the system information Value. ≪ / RTI >

In addition, each subscriber authentication information of the unified subscriber database may be shared with one field by synchronizing the ISIM SQN with the USIM SQN using the PS / CS SQN domain separation.

According to the present invention, an LTE authentication server and an IMS authentication server are integrally operated to share an efficiently configured subscriber database. Further, the network can be configured and operated more efficiently, and a derived PRID (derived PRID) And has the effect of disclosing an integrated LTE and IMS authentication system and method that can solve the problem in authentication.

BRIEF DESCRIPTION OF THE DRAWINGS The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of the specification, illustrate embodiments of the invention and, together with the description, serve to explain the principles of the invention.
1 is a configuration diagram of a conventional separate LTE and IMS authentication system.
2 is a configuration diagram of an integrated LTE and IMS authentication system according to an embodiment of the present invention.
3 is a configuration diagram of an integrated LTE and IMS authentication system having an integrated authentication server according to an embodiment of the present invention.
4 is a diagram illustrating a structure of SQN synchronization in an integrated LTE and IMS authentication system according to an embodiment of the present invention and a comparison with an isolated case.

BRIEF DESCRIPTION OF THE DRAWINGS The present invention is capable of various modifications and various embodiments, and specific embodiments will be described in detail below with reference to the accompanying drawings.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, the present invention will be described in detail with reference to the accompanying drawings.

The terms first, second, etc. may be used to describe various components, but the components are not limited by the terms, and the terms are used only for the purpose of distinguishing one component from another Is used.

According to the present invention, when separate LTE and IMS authentication servers are configured according to the prior art, inefficiency of a subscriber database to be operated redundantly and separate servers for operating a derived PRID It is possible to share a subscriber database that greatly reduces the size of a database by configuring an integrated LTE and IMS authentication system including a subscriber database, And more particularly, to an integrated LTE and IMS authentication system and method capable of more efficiently configuring and operating, and also capable of solving the problems in derived PRID (derived PRID) authentication.

FIG. 2 illustrates a block diagram of an integrated LTE and IMS authentication system 200 according to an embodiment of the present invention. 2, the integrated LTE and IMS authentication system 200 according to an exemplary embodiment of the present invention includes an LTE authentication server 110 for authentication in the LTE service, an IMS And an integrated subscriber database 210 in which the authentication server 130 and the authentication information of the LTE subscriber and the VoLTE subscriber are integrated and managed.

Hereinafter, the integrated LTE and IMS authentication system 200 according to an exemplary embodiment of the present invention will be described in detail. First, the LTE authentication server 110 is checked. The LTE authentication server 110 receives the information of an object of authentication such as an International Multimedia Service Module (IMSI), a Ki, an OPc, and an AMF to determine whether or not the LTE subscriber is an LTE subscriber. At this time, the method used is the Evolved Packet Core-Authentication & Key Agreement (EPS-AKA), and the authentication process between the Universal Subscriber Identity Module (USIM) and the LTE authentication server 110 is performed. Further, in conjunction with the authentication process described above, an integrity verification / protection and encryption process for security in wireless communication may be performed.

The LTE authentication server 110 can be constructed and operated according to the prior art, so that it will not be discussed in detail here.

Next, we will look at the IMS authentication server 130. The IMS authentication server 130 receives the information of the person to be authenticated, such as PRID (Private User ID), Ki, OPc, and AMF, and determines whether or not to authenticate by determining whether it is a VoLTE subscriber. At this time, the method used is an IP Multimedia Subsystem-Authentication & Key Agreement (IMS-AKA), and the authentication process between the ISIM (International Subscriber Identity Module) and the IMS authentication server 130 is performed.

Further, the IMS authentication server 130 may use a derived PRID to process the IMS authentication for the subscriber having no ISIM and having only the USIM. A terminal provided with only a USIM without an ISIM can attempt to process a call by deriving a PRID using an IMSI stored in a USIM. For example, if IMSI = 450081234567890, mnc = 08, mcc = 450, you can generate derived PRID = 450081234567890@ims.mnc008.mcc450.3gppnetwork.org.

However, there are two problems in processing the derived PRID (derived PRID) to the separated IMS authentication server 130 according to the prior art. Second, there is no way to synchronize the SQN with the USIM, which is synchronized with the authentication server (AuC) and the SQN, by performing the LTE authentication. Therefore, the derived PRID (derived PRID) A synchronization error occurs in the process and a resynchronization process must be performed.

On the other hand, in the case of the integrated LTE and IMS authentication system 200 according to the embodiment of the present invention, since the integrated subscriber database 210 manages all the Ki, OPc, AMF and SQN of the USIM, So that it can be solved easily. At this time, the derived PRID (derived PRID) can be processed as follows.

(1) First, if the PRID according to the IMS authentication message does not exist in the IMS subscriber, the USIM subscriber is inquired based on the PRID excluding the domain.

(2) If a USIM subscriber exists as a result of the inquiry, a derived PRID is generated in the same manner as the previous case using the corresponding IMSI, and authentication processing is performed using Ki, OPc, and AMF of the USIM.

(3) If the USIM subscriber does not exist, it is processed as an unknown subscriber.

Therefore, in the case of the separated IMS authentication server 130 according to the related art, a synchronization failure may occur in the derived PRID processing for the IMS authentication targeting the subscriber having only the USIM without the ISIM And a separate subscriber database and algorithm are required. On the other hand, the integrated LTE and IMS authentication system 200 according to an embodiment of the present invention performs processing without separate subscriber database and algorithm by the above-described method , And a synchronization error (Synchronization Failure) does not occur.

FIG. 3 shows a block diagram of an integrated LTE and IMS authentication system 300 having an integrated authentication server according to an embodiment of the present invention. 3, an integrated LTE and IMS authentication system 300 having an integrated authentication server according to an exemplary embodiment of the present invention includes an LTE / IMS integrated authentication server 310 and an integrated subscriber database 210 And the like.

The LTE authentication server 110 and the IMS authentication server 130 are integrated into one server as in the case of the LTE / IMS integrated authentication server 310. Thus, in the case of an IMS subscriber without an LTE subscriber, In addition, when the 3G / LTE authentication server and the IMS server are integrated into one server, the IMS-AKA is processed using the same Milenage algorithm used in the 3G authentication method 3G-AKA, Thereby preventing overlapping implementations.

Furthermore, the LTE authentication server 110 may be a 3G / LTE authentication server in which 3G and LTE authentication functions for voice call service and data communication service are implemented together, and a voice call function is implemented by VoLTE, If there is no call service function, it may be the LTE authentication server 110 in which the LTE authentication function is implemented singly.

Finally, look at the integrated subscriber database 210. The unified subscriber database 210 may include both LTE subscriber authentication information and VoLTE subscriber authentication information. Since the VoLTE service is a VoIP service using an LTE network, a subscriber using VoLTE must be an LTE subscriber, so that it can be assumed that a VoLTE subscriber must receive LTE authentication. In this case, rather than independently configuring and operating the LTE subscriber database 120 and the VoLTE subscriber database 140, it is possible to configure the subscriber database and the network more efficiently by integrating and operating the LTE subscriber database 120 and the VoLTE subscriber database 140.

The subscriber data necessary for EPS-AKA for LTE authentication are IMSI, Ki, OPc, AMF and shared with USIM. Also, there are a maximum of 32 SQN Arrays synchronized with the subscriber's USIM each time the subscriber is authenticated.

Subscriber data necessary for IMS-AKA for VoLTE authentication are PRID, Ki, OPc, and AMF and shared with ISIM. In addition, there are a maximum of 32 SQN arrays synchronized with the ISIM of the subscriber each time the subscriber is authenticated.

The LTE subscriber data and the IMS subscriber data are separate data that are separated by standard because USIM and ISIM are used separately. However, by integrating it properly as described below, the LTE subscriber data and the IMS subscriber data are constructed and operated in the integrated subscriber database 210.

First, since PRID takes the form of IMSI @ home_domain, it is possible to implement the integrated LTE and IMS authentication system 200 according to an embodiment of the present invention in the form of Table 1 without having to separately have a PRID. Table 1 below shows examples of PRID implementations.

Subscriber information IMSI 450081234567890 Home_Domain_Number n Other authentication information omitted below Other authentication information omitted below System Information Home_Domain_Number Home_Domain One abcd.com 2 efgh.com 3 ijkl.com 4 mnop.com ... ... N xyz.com

Here, the Home_Domain_Number of the subscriber information is a 1-byte parameter and is mapped to the actual domain registered in the system information on a one-to-one basis. For example, in Table 1, if the Home_Domain_Number of the subscriber information is 4, the IMS subscriber can be recognized as 450081234567890@mnop.com and call processing can be performed.

Next, the SQN can be shared. The SQN is data that exists to protect the replay attack in the AKA. It can use 32 SQNs in both the ISIM and the USIM according to the standard specifications. The SQN is transmitted to the LTE subscriber database 120 and the VoLTE subscriber database 130 synchronized with the SQN It is synchronized with 32 storage spaces. However, if the LTE / IMS domain is separately implemented by applying the PS / CS SQN domain separation according to the 3GPP TS 33.102 standard to the SQN storage space of the LTE subscriber database 120, the USIM / ISIM and the SQN Synchronization is enabled. FIG. 4 illustrates a structure of SQN synchronization in the integrated LTE and IMS authentication system 200 according to an exemplary embodiment of the present invention, which is compared with the conventional authentication system. As shown in FIG. 4 (a), the 3G / LTE authentication system and the IMS authentication system synchronize and manage the subscriber authentication information of the USIM and the ISIM, respectively, as separate information, Integrated LTE and IMS < RTI ID = 0.0 >

In the authentication system 200, since the subscriber authentication information of the USIM and the ISIM are integrated and synchronized and managed, there is no need to additionally allocate the SQN storage space, and the storage space used can be greatly reduced as shown in Table 2 below. Table 2 below shows the size of the subscriber information according to the separation and integration of the authentication system.

When implementing separation, the subscriber information (size) Subscriber information (size) PRID (64 bytes) Home_Domain_Number (1 byte) Ki (16 bytes) Ki (16 bytes) OPc (16 bytes) OPc (16 bytes) AMF (2 bytes) AMF (2 bytes) SQN1 (6 bytes) SQN2 (6 bytes) ... SQN32 (6 bytes) Total size (290 bytes) Total size (35 bytes)

As shown in Table 2, when the 3G / LTE authentication system and the IMS authentication system are separately implemented, the size of the subscriber authentication information required for each subscriber in the IMS authentication system reaches 290 bytes, It is possible to use only 35 bytes as the subscriber authentication information size for each subscriber, thereby greatly reducing the storage capacity of the subscriber database.

In addition, as mentioned earlier, the integration of 3G / LTE authentication system and IMS authentication system makes it unnecessary to implement separate subscriber database and processing algorithm for derived PRID (derived PRID) processing, It is possible to prevent the occurrence of problems.

The foregoing description is merely illustrative of the technical idea of the present invention, and various changes and modifications may be made by those skilled in the art without departing from the essential characteristics of the present invention. Therefore, the embodiments described in the present invention are not intended to limit the technical spirit of the present invention but to illustrate the present invention. The scope of protection of the present invention should be construed according to the following claims, and all technical ideas within the scope of equivalents thereof should be construed as being included in the scope of the present invention.

110: LTE authentication server
120: LTE subscriber database
130: IMS authentication server
140: VoLTE subscriber database
200: Integrated LTE and IMS authentication system
210: Integrated subscriber database
300: Integrated LTE and IMS authentication system with integrated authentication server
310: Integrated LTE / IMS authentication server

Claims (9)

An LTE authentication server responsible for LTE authentication;
An IMS authentication server for IMS authentication; And
And an integrated subscriber database in which authentication information of LTE subscribers and VoLTE subscribers are integrated and managed,
When the IMS authentication server processes derived PRID authentication,
The PRID is generated and processed using the IMSI stored in the USIM,
At this time, a USIM subscriber is inquired from the PRID excluding the domain,
If there is a USIM subscriber, the PRID is generated based on the IMSI, the authentication process is performed using Ki, OPc, and AMF of the USIM,
And if the USIM subscriber does not exist, processes it as an unknown subscriber. The method according to claim 1,
Wherein each subscriber authentication information of the unified subscriber database comprises:
IMSI field,
And a Home_Domain_Number field. 3. The method of claim 2,
The Home_Domain_Number field has an index value composed of numbers,
Wherein the index value is a value matched with each real domain registered in the system information on a one-to-one basis. The method of claim 3,
Wherein the Home_Domain_Number field has an index value composed of 1-byte numbers. The method according to claim 1,
Wherein each subscriber authentication information of the unified subscriber database comprises:
Wherein the ISIM SQN is synchronized with the USIM SQN using the PS / CS SQN domain separation and shared as a single field. The method according to claim 1,
Wherein the LTE authentication server and the IMS authentication server are implemented as a single server. (a) searching an integrated subscriber database using information included in an authentication message received by an LTE authentication server or an IMS authentication server; And
(b) determining whether the LTE authentication server or the IMS authentication server authenticates based on the result of the unified subscriber database search,
The integrated subscriber database integrates and manages authentication information of an LTE subscriber and a VoLTE subscriber,
When the IMS authentication server processes derived PRID authentication,
The step (a)
(a1) generating a PRID using an IMSI stored in a USIM; And
(a2) a USIM subscriber is inquired as a part excluding the domain from the PRID,
If there is a USIM subscriber, the PRID is generated based on the IMSI, the authentication process is performed using Ki, OPc, and AMF of the USIM,
And if the USIM subscriber does not exist, processing the unified subscriber with an unidentified subscriber. 8. The method of claim 7,
Wherein each subscriber authentication information of the unified subscriber database comprises:
IMSI field,
A Home_Domain_Number field,
Wherein the Home_Domain_Number field is composed of a 1-byte number and has an index value matched with each real domain registered in system information on a one-to-one basis. 8. The method of claim 7,
Wherein each subscriber authentication information of the unified subscriber database comprises:
Wherein the ISIM SQN is synchronized with the USIM SQN using the PS / CS SQN domain separation and shared as one field.

Images