KR20050090561A - The method and system for authenticating user terminal in hrpd network - Google Patents

Abstract

According to the present invention, after the authentication server (AAA) of the high-speed packet data communication system pre-registers a subscriber authentication key (A ?? Key) corresponding to the authentication service subscriber information in order to authenticate the user terminal, the packet data serving node (PDSN) Upon receiving a subscriber information request (SubsInfo Request) including a subscriber number from the mobile station, it is determined whether the subscriber is an authentication service subscriber, and when the subscriber is an authentication service subscriber, a subscriber information response (SubsInfo Response) is transmitted to the packet data serving node (PDSN). And a method for authenticating a user terminal using a CHAP response received from a packet data serving node (PDSN) and a CHAP response generated by itself, and authenticating the user terminal. The present invention relates to an illegal function of a duplicated terminal by introducing an authentication function into a high rate packet data (HRPD) network. It is possible to prevent damage due to normal subscribers.

Description

The method and system for authenticating user terminal in HRPD network in high speed packet data communication system

The present invention relates to a method and system for authenticating a user terminal in a high-speed packet data communication system. In particular, an authentication function is introduced into a high rate packet data (HRPD) network to block illegal access of a duplicate terminal, and to activate an authentication function for each subscriber. The present invention relates to a method and system for authenticating a user terminal in a high-speed packet data communication system capable of appropriately adjusting a network load and a terminal load.

The development of science and technology and the improvement of the economic level are accelerating the establishment of a wide range of communication networks and communication terminals. The current mobile communication system is rapidly changing from a conventional voice call oriented communication service to a data communication providing a game, a video, and the like. The development of wireless mobile communication technology can be summarized as analog Advanced Mobile Phone System (AMPS), Cellular (Celluar) / Personal Communication Service (PCS), and International Mobile Telecommunication-2000 (IMT-2000). .

In general, IMT-2000 refers to a multimedia mobile communication service of a wired / wireless home concept that can transmit and receive voice, data, and video at high speed in a wired / wireless environment with one terminal. The service can be used anywhere in the world using a single terminal or user access card (eg, SIM, UIM, etc.), and global roaming is also possible because the related technology is standardized and uses the same frequency.

Currently, the 3rd Generation Partnership Projects (3GPP) and 3GPP2, two major organizations of the International Standardization Conference, are conducting standardization of the IMT-2000 system. Wireless access standards standardized by 3GPP2 include CDMA2000-1x and CDMA2000-1x (EVolution-Data Only), an evolution of CDMA2000-1x. CDMA2000-1xEV-DO provides bidirectional high-speed data service with transmission speed of up to 2.4Mbps exclusively for packet network. Therefore, a packet data communication system according to the CDMA2000-1xEV-DO wireless access standard requires a system configuration dedicated to a packet network, not a system configuration in which a circuit network and a packet network of the CDMA2000-1X are mixed.

The conventional mobile communication system includes an authentication center (AC), a home location register (HLR), a visitor location register (VLR), etc. for authentication of a mobile station (MS). have. However, there is a problem that cannot be applied to a high rate packet data (HRPD) system for high speed data transmission using components for authentication of a mobile station (MS). In addition, most mobile communication providers have a problem of not introducing an authentication system or using an authentication system due to network load and management problems.

This problem is a cause of neglect of the damage of normal subscribers due to the recent piracy terminal. In addition, due to the emergence of the counterfeit terminal, a method of performing authentication using a pair of subscriber number (MIN) and device number (ESN), which has been used or presented in part, is no longer the best method for mobile station (MS) authentication. It became.

Accordingly, in order to solve the above-described problem, an object of the present invention is to introduce an authentication function in the HRPD (High Rated Packet Data) network to prevent the damage of the normal subscriber due to illegal access of the duplicated terminal, etc. To provide a method and system for authenticating a user terminal in.

Another object of the present invention is to provide a method and system for authenticating a user terminal in a high-speed packet data communication system capable of appropriately adjusting a network load and a terminal load by enabling activation or deactivation of authentication function for each subscriber.

It is still another object of the present invention to authenticate a user terminal in a high speed packet data communication system capable of performing authentication by distinguishing between a case where a terminal type has its own PPP stack such as a personal digital assistant (PDA) or a notebook and the other. It is to provide a method and system.

It is still another object of the present invention to provide a method and system for authenticating a user terminal in a high speed packet data communication system capable of minimizing the load of a mobile station (MS) according to performing an authentication process.

It is still another object of the present invention to develop compatibility with conventional systems or systems to be developed later, and to minimize commercial network change, so that not only HRPD networks but also existing mobile communication networks (for example, IS-95A / B, The present invention provides a method and system for authenticating a user terminal in a high-speed packet data communication system having generality applicable to CDMA-1x).

In order to achieve the above objects, according to an aspect of the present invention, in the method of the authentication server (AAA) of the high-speed packet data communication system to authenticate the user terminal, at least one authentication service subscriber information and each of Pre-registering an A-Key corresponding to the authentication service subscriber information; Receiving a SubsInfo Request including a subscriber number from a packet data serving node (PDSN); Determining whether a subscriber corresponding to the subscriber number is an authentication service subscriber; In the case of an authentication service subscriber, transmitting a subscriber information response (SubsInfo Response) including a first CHAP challenge value to the packet data serving node (PDSN); Receiving an access request from the packet data serving node PDSN including subscriber identification information, a second CHAP challenge value, and a first CHAP response received from the user terminal; Extracting a subscriber authentication key corresponding to the subscriber identification information; Generating a second CHAP response by using terminal identification information corresponding to the user terminal, the subscriber authentication key, and the second CHAP challenge value; Determining whether the first CHAP response matches the second CHAP response; And transmitting an access accept to the packet data serving node (PDSN) when the first CHAP response and the second CHAP response match. A system, apparatus, and recording medium are provided that enable performing the user terminal authentication method.

In order to generate the CHAP response, the user terminal and / or the authentication server use the CHAP challenge value, the terminal identification information, and the subscriber authentication key as parameters, and generate an SSD (Shared Secret Data) generation algorithm. Generating new shared secret data (SSD_New) by using; Extracting shared secret data (SSD_A_New) of a predetermined size from the generated new shared secret data; And generating the CHAP response using an authentication algorithm using the CHAP challenge value, the terminal identification information, authentication data (Auth Data (IMSI_S1)), and the authentication shared secret data as parameters.

The method may further include determining whether the first CHAP challenge value matches the second CHAP challenge value before extracting a subscriber authentication key corresponding to the subscriber identification information. And transmitting an access reject to the packet data serving node PDSN when the first CHAP challenge value and the second CHAP challenge value do not match.

Storing, by the user terminal, a third CHAP challenge value and a third CHAP response used in n-1 times of user terminal authentication; receiving the first CHAP challenge value from the packet data serving node (PDSN) for n times user terminal authentication; Determining whether the first CHAP challenge value matches the third CHAP challenge value; If so, sending the third CHAP response to the packet data serving node (PDSN) as the first CHAP response; And in case of inconsistency, generating the first CHAP response and transmitting it to the packet data serving node PDSN.

The user terminal authentication method may include: transmitting a request for providing an ID and password to the user terminal via the packet data serving node (PDSN) when the subscriber is not an authentication service subscriber; Receiving an ID and password from the user terminal via the packet data serving node (PDSN); Determining whether the ID and password are valid using previously stored subscriber information; And if the ID and password are valid, transmitting an access accept to the packet data serving node PDSN.

The subscriber number may be a telephone number. The terminal identification information may be a terminal device serial number (ESN).

When the generated new shared secret data is 2n bits, the extracted shared secret data for authentication (SSD_A_New) may be upper n bits or lower n bits of the new shared secret data.

According to a preferred embodiment of the present invention, a method for authenticating a user terminal by an authentication server (AAA) of a high-speed packet data communication system includes at least one authentication service subscriber information and each authentication service subscriber information. Pre-registering a corresponding A-Key; Receiving a SubsInfo Request including a subscriber number from a packet data serving node (PDSN); Determining whether a subscriber corresponding to the subscriber number is an authentication service subscriber; Performing password authentication protocol (PAP) authentication when not an authentication service subscriber; In the case of an authentication service subscriber, transmitting a subscriber information response (SubsInfo Response) including a first CHAP challenge value to the packet data serving node (PDSN); Receiving an access request from the packet data serving node PDSN including subscriber access information, a second CHAP challenge value, and a first CHAP response received from the user terminal; Determining whether the subscriber access information includes subscriber identification information (IMSI); If it does not include subscriber identification information, performing PAP authentication; Extracting a subscriber authentication key corresponding to the subscriber identification information when the subscriber identification information is included; Generating a second CHAP response using the terminal identification information corresponding to the user terminal, the subscriber authentication key, and the second CHAP challenge value; Determining whether the first CHAP response matches the second CHAP response; And transmitting an access accept to the packet data serving node (PDSN) when the first CHAP response and the second CHAP response match. A system, apparatus, and recording medium are provided that enable performing the user terminal authentication method.

Determining whether the first CHAP challenge value matches the second CHAP challenge value before extracting a subscriber authentication key corresponding to the subscriber identification information; And transmitting an access reject to the packet data serving node PDSN when the first CHAP challenge value and the second CHAP challenge value do not match.

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings. In the following description of the present invention, the same reference numerals will be used for the same means regardless of the reference numerals in order to facilitate the overall understanding.

1 is a diagram schematically showing an overall system configuration for performing a user terminal authentication method in a high speed packet data communication system according to an exemplary embodiment of the present invention.

Referring to FIG. 1, a mobile communication service system 120 performing user authentication may include an access network (AN) 125 and an access network authentication server (AN-AAA) 130. ), A Packet Data Serving Node (PDSN) 135, an IP Network 140, an Authorization Authentication and Accounting (AAA) 145, and a Customer Information System 150. do.

The access network (AN) 125 includes a plurality of base station (ANTS: Access Terminal Transceiver Subsystem) and a control station (ANC). The base station (ANTS) connects the user terminal 110 to a control station (ANC), and includes a digital channel unit (DCU), a time / frequency control unit (TCU), and a radio frequency device ( It may include equipment such as Radio Frequency Unit (RFU) and Global Positioning System (GPS). Also. The base station ANTS performs a wired / wireless conversion function (that is, a function of wirelessly communicating with the user terminal 100 and performing a wired communication with the control station ANC). The control station (ANC) performs a function of coordinating a connection between a plurality of base stations (ANTS). In addition, although not shown in FIG. 1, the mobile communication service system 120 includes a general ATM switch network (GAN), a base station manager (BSM), a data location register (DLR), and a PDSN (135). Packet control function (PCF) for processing the packet data in conjunction with the) may be further included, but the function and configuration of the component will be apparent to those skilled in the art will be omitted.

The access network authentication server (AN-AAA) 130 performs a function of authenticating the user terminal 110 to use the packet data service through the access network (AN) 125 and authorizing the service. The access network authentication server 130 may store information such as a mobile terminal identification number (MIN), an electronic serial number (ESN) of the user terminal 110, and the like. The access network authentication server (AN-AAA) 130 authenticates the user terminal 100 accessing the access network (AN) 125 using a standardized Challenge Handshake Authentication Protocol (CHAP). .

The packet data serving node (PDSN) 135 provides a packet data service to the user terminal 110 and is connected to the Internet to provide various multimedia services to the user terminal 110.

When the user terminal 110 authenticated by the access network authentication server (AN-AAA) 130 requests a packet data service, the authentication server (AAA) 145 sends a shared secret data (SSD) to the user. In the case of the SSD authentication service subscriber, the authentication service is performed using the SSD generated through a predetermined method. The SSD is a 128-bit value used in the authentication operation between the user terminal 110 and the authentication server (AAA) 145 and uses a subscriber authentication key (A-key), a CHAP-Challenge parameter value, and an ESN. Can be generated. In addition, the authentication server (AAA) 145 is a case where the user terminal 110 is used as a wireless modem instead of a communication terminal (for example, by connecting the user terminal 110 and a laptop computer notebook computer In the case of using the wireless data service), authentication using the user access information (for example, a username and a password) received from the user terminal 110 is performed.

The customer information system 150 uses the user terminal 110 to receive personal information (eg, name, address, social security number, etc.) of a user who receives a packet data service, whether to subscribe to an SSD authentication service, and service status information (eg, For example, the service application, service termination, service suspension, stop transmission, device change, number change), and the like are stored and processed, and when the service state information is changed, it is transmitted to the access network authentication server (AAA) 145. In addition, the customer information system 150 transmits and stores a subscriber authentication key (A-key) to the user terminal 110 and the authentication server (AAA) 145 when the user subscribes to the SSD authentication service. A-key has a 64-bit value and is used as a parameter for creating an SSD. Of course, there is no restriction on how the A-key is stored in the user terminal 110 and the authentication server (AAA) 145. For example, the A-key is offline. Or a user authentication system (AAA) 145 and / or customer information system 150 by inputting a subscriber authentication key (A-key) to the user terminal 110 in a mobile communication agency on the May be further applied.

2 is a data flow diagram illustrating a method for authenticating a user terminal according to an embodiment of the present invention, and FIG. 3 is a diagram illustrating a method for generating shared secret data (SSD) according to an embodiment of the present invention. 4 is a diagram illustrating a method for generating a CHAP response according to an embodiment of the present invention.

Referring to FIG. 2, when an arbitrary user is newly registered as an SSD authentication service subscriber, the customer information system 150 assigns an A-key to an authentication server (AAA, hereinafter referred to as AAA) 145 and the corresponding. Transmit to user's user terminal 110 (step 205). In addition, the AAA 145 and the user terminal 110 store the received subscriber authentication key, where the customer information system 150 identifies with AAA 145 which user is newly registered as an SSD authentication service subscriber. Information (for example, telephone number, etc.) can be transmitted together. As described above, there is no limit to the method of allowing the A-key to be stored in the user terminal 110 and the AAA 145. For example, the A-key may be moved offline. In the communication agency, or stored in the user terminal 110, or the user enters the subscriber authentication key (A-key) in the user terminal 110 to the authentication server (AAA) 145 and / or customer information system 150 Other methods may be applied, such as transmitting.

When a data call is originated from the user terminal 110 in step 210, the access network (AN, hereinafter referred to as AN) 125 determines a handshake handshake using CHAP Challenge and CHAP Response with the user terminal 110 in step 215. Authentication Protocol) Perform authentication. At this time, the user terminal 110 generates a CHAP response using the stored ESN. That is, CHAP authentication transmits a validity message to the user terminal 110 after a link is established between the user terminal 110 and the AN 125, and performs a user authentication by checking a response received from the user terminal 110. It is. Steps 210 to 245 are defined as a standard, and will be described briefly.

In step 220, AN 125 accesses to an access network authentication server (AN-AAA, hereinafter AN-AAA) 130 (eg, Access Request (username = IMSI, CHAP-Password = f (ESN)). , 1xEVDO-TerminalAuthencication)). In this case, 1xEVDO-TerminalAuthentication is set to '1' and transmitted.

In step 225, the AN-AAA 145 determines whether 1xEVDO-TerminalAuthentication of the access request received through step 220 is set to '1', and if it is set to '1', inquires subscriber (username = IMSI) information. Authentication based on ESN. In operation 230, the AN-AAA 145 may determine an authentication result (eg, Access Accept (Callback-Id, ESN)) including an authentication result including an authentication result and a callback ID. 125).

The AN 125 transmits CHAP SUCCESS to the user terminal 110 when the authentication result received from the AN-AAA 145 is authentication success (for example, access approval) (step 235).

The AN 125 then performs an A11 registration with the packet data serving node (PDSN, hereinafter referred to as PDSN) 135 for the data call origination (step 240) from the user terminal 110 ( Step 245). Of course, if the data call origination in step 210 is transmitted to the PDSN 135 after step 235, step 240 may be omitted. The A11 connection between the AN 125 and the PDSN 135 is transmitted from the PDSN 135 to the AN 125 in response to an A11 registration request sent from the AN 125 to the PDSN 135 and in response thereto. This is done by A11 Registration Response.

In step 250, the PDSN 135 transmits a subscriber information request (eg, SubsInfo Request (Calling-Station-Id)) to the AAA 145 for subscriber information query. The subscriber information request may include subscriber identification information (eg, a phone number) for subscriber identification. Examples of the parameters constituting the subscriber information request (SubsInfo Request) are shown in Table 1 below. The parameter examples in Table 1 are for illustration only and not all the information included is necessarily to be included.

Table 1. Parameters of SubsInfo Request

designation Explanation MN_Table_Id MN Table Index of PDSN Calling-Station-Id MIN / IMSI format ESN B012CEF1 = 0x4230313243454631 Accounting Session Id Combination of Session ID and Timestamp NAS-Type NAS classification (for example, 1: PDSN-1x, 2: PDSN-1xEVDO) NAS IP Address PDSN's IP Address BS / MSC Address (Session Start) SID (4), NID (4), BSC ID (2), and BTS ID (2) at which the subscriber began receiving services Service-option Service options Proxy state Used to distinguish Proxy messages

The AAA 145 checks whether the subscriber is an SSD authentication service subscriber using the subscriber information corresponding to the subscriber information request received from the PDSN 135, generates a CHAP Challenge parameter, and then determines whether the subscriber is an SSD authentication subscriber. Send the subscriber information response (eg, SubsInfo Response (Auth_SVC, CHAP-Challenge)) including information for display (ie, authentication subscriber indication information, for example, Auth_SVC) and a CHAP Challenge value, to the PDSN 135. (Step 255). In this case, the CHAP Challenge value generated by the AAA may be a random value, a value sequentially increasing according to the number of authentications, or a value generated by a predetermined rule, and may vary according to an implementation method.

Examples of the parameters constituting the subscriber information response (SubsInfo Response) are shown in Table 2 below. The parameter examples in Table 2 are for illustration only and do not necessarily include all the information included.

Table 2. Parameters of SubsInfo Response

designation Explanation Calling-Station-Id MIN / IMSI format MSISDN MSISDN / MDN Format SubsInfo Result 0: Unsuccessful, 1: Successful ADR Include cause of failure AUTH_SVC Certification service registration (1 at registration) Terminal Capability Subscription terminal classification (for example, 0: Cdma2000 1x, 1: 1xEV-DO) Mobile Type Classification of Simple IP / Mobile IP Always On Always On Service Registration Proxy state Used to distinguish Proxy messages

In step 260, the PDSN 135 receives the CHAP if the subscriber information response (SubsInfo Response) received from the AAA 145 includes information indicating that the user is an SSD authentication service subscriber (for example, Auth_SVC). The CHAP authentication process is performed with the user terminal 110 using the challenge value. As described above, the subscriber information response (SubsInfo Response) transmitted from the AAA 145 to the PDSN 135 may not include the CHAP Challenge value. If the PDSN 135 receives the CHAP Challenge value from the AAA 145, the CHAP Challenge value received during the CHAP authentication process may be used. However, if only the SSD authentication service activation information (eg, Auth_SVC) is received from the AAA 145 and no CHAP Challenge value is received, the PDSN 135 generates the CHAP Challenge value to perform the CHAP authentication process. As described above, the present invention can reduce the network load since the SSD authentication service is performed only when the user is a subscriber of the SSD authentication service. The user terminal 110 generates the shared secret data SSD_A_New for authentication using the received CHAP Challenge value, and generates the CHAP response using the generated shared secret data SSD_A_New.

A process of generating a CHAP response by the user terminal 110 using the CHAP Challenge value will be briefly described with reference to FIGS. 3 and 4.

Referring to FIG. 3, the user terminal 110 uses the SSD generation algorithm using the prestored ESN value, the A-Key injected through step 210 and the CHAP Challenge value received through step 260. To generate shared secret data (SSD). For example, the ESN value can be 32 bits, the CHAP Challenge value can be 56 bits, the A-Key can be 64 bits, and the shared secret data generated by the SSD generation algorithm is 128 bits. It may be a value of. At this time, the user terminal 110 extracts the upper 64 bits (ie, the authentication shared secret data SSD_A_New) of the generated shared secret data SSD. Of course, the number of bits or location of the shared secret data for authentication may be variously configured according to the method of performing the authentication service, but in this case, the upper 64 bits of the generated shared secret data (SSD) are used as the shared secret data (SSD_A_New). The following description assumes the case of extraction as.

Thereafter, as shown in FIG. 4, the user terminal 110 generates and extracts shared secret data (SSD_A_New) for authentication generated by the method illustrated in FIG. 3, prestored ESN values and authentication data (Auth Data (IMSI_S1)). And a CHAP Challenge value received in step 260 as a parameter, and generates a CHAP response using a predetermined authentication algorithm (eg, DES, 3DES, AES, SEED, Blowfish, MD5, SHA1, etc.).

In addition, the user terminal 110 transmits the CHAP Response generated in step 260 to the PDSN 135. The CHAP Response generation process described above with reference to FIGS. 3 and 4 does not store previous authentication values (eg, shared secret data for authentication (SSD_A_New) or CHAP Response), or the CHAP Challenge value applied in the previous authentication process. It may be selectively performed only if the CHAP Challenge value received through step 260 is inconsistent. That is, if a previous authentication value (for example, shared secret data for authentication (SSD_A_New) or CHAP Response) is already stored and the CHAP Challenge value applied in the previous authentication process and the CHAP Challenge value received through step 260 are the same. If the stored authentication value is sufficient, there is no need to perform a separate CHAP Response generation process. Through this, the load generated during the CHAP response generation process of the user terminal 110 may be reduced.

Referring back to FIG. 2, in step 265, the PDSN 135 accesses a CHAP response received from the user terminal 110 and a CHAP challenge received from the AAA 145 through step 255 (eg, Access). Request (Username = IMSI @ realm, CHAP-Challenge, CHAP-Password = f (SSD))) is transmitted to the AAA 145. In this case, when the user identification information (for example, IMSI) received from the user terminal is not included, a predetermined default realm is added to the AAA 145. The default realm can be defined by the PDSN 135 and / or AAA 145, for network authentication using user identification information (e.g. IMSI or IMSI @ realm), and separate information for ISP authentication. (See description of FIG. 5). In addition, if the CHAP Challenge is not received from the AAA 145 through step 255 and the CHAP Challenge value generated by the PDSN is used in the CHAP authentication process, the CHAP Challenge value will be included. The CHAP-Password may be generated separately using the CHAP Response itself received from the user terminal 110 or a CHAP ID of a predetermined form and the CHAP Response received from the user terminal 110.

Examples of the parameters constituting the access request are shown in Table 3 below. The parameter examples in Table 3 are for illustrative purposes only and do not necessarily include all the information included.

Table 3. Parameters of Access Request

designation Explanation MSISDN MSISDN / MDN Calling-Station-Id IMSI User-Name Network authentication: IMSI @ realm or IMSIISP authentication: userid @ realm NAS-IP-Address PDSN's IP Address Correlation-ID Combination of Session ID and Timestamp User-Password Password entered by the user CHAP-Password CHAP Id & CHAP Response CHAP-Challenge Challenge assigned by AAA / PDSN Service option Service options (for example, 33: Cdma2000-1x, 59: 1xEVDO) IP Technology 1: Simple IP, 2: Mobile IP BS / MSC Address (PPP Start) SID (4), NID (4), BSC ID (2), and BTS ID (2) that the subscriber accesses the initial network to perform PPP configuration and have been assigned an IP address.

The AAA 145 determines whether it is HRPD network authentication using subscriber identification information (for example, Username = IMSI @ realm) received from the PDSN 135, and if the received CHAP Challenge value is the step 255 in HRPD network authentication, It is determined whether or not match with the CHAP Challenge value delivered to the PDSN (135) through. If there is a match, the user terminal 110 is authenticated using the shared secret data (SSD_A_New) included in the CHAP Challenge. Since the AAA 145 already knows the subscriber authentication key (A-Key), the ESN value corresponding to the user terminal 110, etc., the SSD generation method and the CHAP response generation method shown in FIGS. 3 and / or 4 are used. The validity of the CHAP-Password received from the PDSN 135 can be determined. Thereafter, if authentication is successful, the AAA 145 transmits an access acknowledgment (Access-Accept) to the PDSN 135 in step 270.

Examples of parameters constituting the access accept are shown in Table 4 below. The parameter examples in Table 4 are for illustration only and do not necessarily include all the information included.

Table 4. Parameters of Access Accept

designation Explanation MSISDN MSISDN / MDN Calling-Station-Id IMSI User-Name IMSI @ realm, userid @ realm NAS-IP-Address PDSN's IP Address Correlation-ID Combination of Session ID and Timestamp

In operation 275, the AAA 145 updates the shared secret data SSD_A_New for authentication received from the user terminal 110 with the shared secret data SSD corresponding to the user terminal 110. This is to prevent inconsistency of the shared secret data (SSD) between the user terminal 110 and the AAA 145.

In step 280, the PDSN 135 transmits the CHAP Success indicating the CHAP authentication success to the user terminal 110 when a connection acknowledgment indicating the authentication success is received from the AAA 145.

When the CHAP Success is received from the PDSN 135, the user terminal 110 updates the shared secret data (SSD) previously stored using the shared secret data (SSD_A_New) generated in step 260 in step 285.

Referring back to step 270, in case of authentication failure, the AAA 145 sends an access reject to the PDSN 135 in step 270.

Examples of the parameters configuring the access reject are shown in Table 5 below. The parameter examples in Table 5 are for illustration only and do not necessarily include all the information included.

Table 5. Parameters of Access Reject

designation Explanation MSISDN MSISDN / MDN Calling-Station-Id IMSI User-Name IMSI @ realm, userid @ realm NAS-IP-Address PDSN's IP Address Correlation-ID Combination of Session ID and Timestamp Reply-Message Reason for authentication failure

The PDSN 135 transmits the CHAP Fail indicating the CHAP authentication failure to the user terminal 110 when the access rejection indicating the authentication failure is received from the AAA 145 in step 280.

5 is a data flow diagram illustrating a user terminal authentication method according to another preferred embodiment of the present invention.

5 illustrates a method for authenticating a user terminal 110 when the user terminal 110 does not perform a function of a wireless communication terminal by itself but is coupled to an external device such as a notebook computer to perform a function of a wireless modem. It is shown.

Referring to FIG. 5, in step 205, when a user is newly registered as an SSD authentication service subscriber, the customer information system 150 sets a subscriber authentication key (A-key) as an authentication server (AAA, hereinafter referred to as AAA) 145. ) And the user terminal 110 of the user.

Thereafter, LCP negotiation is performed between the user terminal 110 and the mobile communication service system 120. Since the LCP negotiation process is obvious to those skilled in the art, a description thereof will be omitted. Processes such as steps 210 to 260 described above with reference to FIG. 2 may correspond to the LCP negotiation step.

However, in the case of FIG. 5, the user terminal 110 is used for the purpose of a wireless modem, and the actual authentication process is used in an external automation device (eg, a notebook computer, etc.) in which the user is coupled with the user terminal 110. The service to be authenticated is made. Therefore, HRPD network authentication using the SSD described above with reference to FIGS. 3 to 5 may not be automatically performed.

Accordingly, the user terminal 110 authenticates a Password Authentication Protocol (PAP) that includes an ID (eg, Username) and password (Password) received from the user (eg, via an external automation device) in step 510. A request (PAP Authentication-Request) is sent to the PDSN 135. Step 510 is not performed after all of the processes of steps 210 to 260 described with reference to FIG. 2 are completed, and may be performed at any process during the LCP negotiation process.

The PDSN 135 sends an access request (eg, Access Request (username = userid @ realm, user-password = PWD)) to the AAA 145 in step 515. The parameters of the connection request are illustrated in Table 3.

The AAA 145 performs authentication on the user using the ID and password received in step 515 and transmits the authentication result (for example, access approval or access rejection) to the PDSN 135 (step 515). The AAA 145 may perform authentication using, for example, whether the ID and password received through step 515 match the ID and password stored corresponding to the user.

The PDSN 135 transmits to the user terminal 110 a PAP authentication response (eg, PAP Authentication-Ack or PAP Fail) corresponding to the authentication performance result received in step 520 in step 525.

When user authentication is performed by the method illustrated in FIG. 5, the SSD update process described above with reference to FIGS. 2 to 4 is not performed.

6 is a flowchart illustrating a user terminal authentication process in an authentication server AAA according to an exemplary embodiment of the present invention.

Referring to FIG. 6, in step 610, the AAA 145 receives an access request from the PDSN 135.

The AAA 145 determines whether the user is an SSD authentication service subscriber using the access request received in step 615. If the subscriber is not a subscriber to the SSD authentication service, the process proceeds to step 620 to perform PAP (Password Authentication Protocol) authentication. However, if the subscriber is an SSD authentication service, the process proceeds to step 625.

In step 625, the AAA 145 determines whether the user identification information included in the access request has an IMSI value. Of course, the user identification information may be implemented in various forms in addition to the IMSI value, but in this case, it is assumed that the HRPD network authentication (ie, SSD authentication service) is performed when the user identification information is the IMSI value. If the user identification information does not have an IMSI value (eg, username = userid @ realm), the AAA 145 performs PAP authentication using the ID and password included in the access request in step 630. However, if the user identification information has an IMSI value (eg username = IMSI @ realm), then AAA 145 proceeds to step 635.

In step 635, the AAA 145 transmits the CHAP Challenge value and the subscriber information response (eg, SubsInfo Response) included in the access request received through step 610 to the PDSN 135 (see step 255 of FIG. 2). ), It is determined whether the CHAP Challenge value transmitted together with the information (eg, Auth_SVC) whether or not the SSD authentication subscriber. Of course, the CHAP Challenge value may be a value generated by the PDSN 135 and provided to the AAA 145, in which case, the CHAP Challenge value received from the PDSN 135 and the CHAP Challenge included in the connection request received through step 610. Determine whether the values match.

If each CHAP Challenge value does not match, the AAA 145 processes the authentication for the user terminal 110 as a failure at step 640. However, if the respective CHAP Challenge values match, step 645 is reached. Steps 635 and 640 may be omitted as steps that can be selectively included to reduce the network load generated in the process of performing authentication.

In step 645, the AAA 145 generates a CHAP-Password using an ESN value, A-Key, CHAP Challenge, etc. corresponding to the user terminal 110. In addition, it is determined whether the CHAP-Password generated in step 650 and the CHAP-Password included in the access request received in step 610 match. If the access request received in step 610 includes a CHAP-Response rather than a CHAP-Password, the AAA 145 generates a CHAP Response using each parameter and determines whether the CHAP Response matches each CHAP Response. . If each CHAP-Password (or each CHAP Response) does not match, the process proceeds to step 655 to process the authentication failure (Access Reject). However, if each CHAP-Password (or each CHAP Response) matches, the process proceeds to step 660 where authentication is successful and the SSD value is updated (that is, the shared secret data for authentication generated corresponding to the CHAP Challenge value). (SSD_A_New) is registered as a new SSD value.

In step 640 and step 655 of FIG. 6, the step after the authentication failure processing is shown as if the step is terminated. However, after the authentication failure processing, the AAA 145 performs a new HRPD authentication procedure with the user terminal 110 through the PDSN 135. You may.

As shown in Figure 6, during the LCP negotiation process (negotiation) authentication is performed prior to CHAP authentication, and when the negotiation fails, PAP authentication is performed. If the PAP authentication fails, the PDSN 135 blocks the call.

As described above, the method and system for authenticating a user terminal in a high-speed packet data communication system according to the present invention may introduce an authentication function into an HRPD (High Rated Packet Data) network to prevent damage of a normal subscriber due to illegal access of a copy terminal. Can be.

In addition, the present invention can enable or disable the authentication function for each subscriber to properly adjust the network load and the terminal load.

In addition, the present invention can perform authentication by distinguishing between a case where the terminal type has its own PPP stack such as a personal digital assistant (PDA) or a notebook computer and a case where the terminal type thereof does not.

In addition, the present invention can minimize the load on the mobile station (MS) in accordance with performing the authentication process.

In addition, the present invention is developed to be compatible with conventional systems or systems to be developed in the future, and to minimize commercial network change, thereby not only HRPD network but also existing mobile communication networks (for example, IS-95A / B, CDMA- 1x), etc., can be applied to the general purpose without modification.

Although the above has been described with reference to a preferred embodiment of the present invention, those skilled in the art to which the present invention pertains without departing from the spirit and scope of the present invention as set forth in the claims below It will be appreciated that modifications and variations can be made.

BRIEF DESCRIPTION OF THE DRAWINGS Fig. 1 is a schematic diagram illustrating an overall system configuration for performing a user terminal authentication method in a high speed packet data communication system according to an exemplary embodiment of the present invention.

2 is a data flow diagram showing a user terminal authentication method according to an embodiment of the present invention.

3 is a view showing a method for generating shared secret data (SSD) according to an embodiment of the present invention.

4 is a diagram illustrating a method for generating a CHAP response according to an embodiment of the present invention.

5 is a data flow diagram illustrating a user terminal authentication method according to another preferred embodiment of the present invention.

6 is a flow chart illustrating a user terminal authentication process in an authentication server (AAA) according to an embodiment of the present invention.

<Description of the symbols for the main parts of the drawings>

110: user terminal

120: mobile communication service system

125: access network (AN)

130: access network authentication server (AN-AAA: Access Network-Authorization Authentication and Accounting)

135: Packet Data Serving Node (PDSN)

140: IP network

145: Authorization Server (AAA: Authorization Authentication and Accounting)

150: customer information system

Claims (12)

In the authentication server (AAA: Authorization Authentication and Accounting) of the high-speed packet data communication system to authenticate the user terminal, Pre-registering at least one authentication service subscriber information and a subscriber authentication key (A-Key) corresponding to each authentication service subscriber information; Receiving a SubsInfo Request including a subscriber number from a packet data serving node (PDSN); Determining whether a subscriber corresponding to the subscriber number is an authentication service subscriber; In the case of an authentication service subscriber, transmitting a subscriber information response (SubsInfo Response) including a first CHAP challenge value to the packet data serving node (PDSN); Receiving an access request from the packet data serving node PDSN including subscriber identification information, a second CHAP challenge value, and a first CHAP response received from the user terminal; Extracting a subscriber authentication key corresponding to the subscriber identification information; Generating a second CHAP response by using terminal identification information corresponding to the user terminal, the subscriber authentication key, and the second CHAP challenge value; Determining whether the first CHAP response matches the second CHAP response; And Transmitting an access accept to the packet data serving node PDSN if the first CHAP response and the second CHAP response match User terminal authentication method comprising a. The method of claim 1, To generate the CHAP response, Generating new shared secret data (SSD_New) using a shared secret data (SSD) generation algorithm, using the CHAP challenge value, the terminal identification information, and the subscriber authentication key as parameters; Extracting shared secret data (SSD_A_New) of a predetermined size from the generated new shared secret data; And Generating the CHAP response using an authentication algorithm using the CHAP challenge value, the terminal identification information, authentication data (Auth Data (IMSI_S1)), and the shared secret data for authentication as a parameter; User terminal authentication method characterized in that the execution. The method of claim 1, Before the step of extracting the subscriber authentication key corresponding to the subscriber identification information, Determining whether the first CHAP challenge value matches the second CHAP challenge value; And Transmitting an access reject to the packet data serving node PDSN when the first CHAP challenge value and the second CHAP challenge value do not match User terminal authentication method characterized in that the execution. The method of claim 1, The user terminal, storing a third CHAP challenge value and a third CHAP response used in n-1th user terminal authentication; receiving the first CHAP challenge value from the packet data serving node (PDSN) for n times user terminal authentication; Determining whether the first CHAP challenge value matches the third CHAP challenge value; If so, sending the third CHAP response to the packet data serving node (PDSN) as the first CHAP response; And If there is a mismatch, generating the first CHAP response and transmitting it to the packet data serving node (PDSN). User terminal authentication method, characterized in that for executing. The method of claim 1, If the subscriber is not an authentication service subscriber, transmitting a request for providing an ID and password to the user terminal via the packet data serving node (PDSN); Receiving an ID and password from the user terminal via the packet data serving node (PDSN); Determining whether the ID and password are valid using previously stored subscriber information; And If the ID and password are valid, transmitting an access accept to the packet data serving node (PDSN) User terminal authentication method further comprising. The method of claim 1, The subscriber number is a telephone number User terminal authentication method characterized in that. The method of claim 1, The terminal identification information is a terminal device number (ESN: Electronic Serial Number) User terminal authentication method characterized in that. The method of claim 2, When the generated new shared secret data is 2n bits, the extracted shared secret data for authentication (SSD_A_New) is the upper n bits of the new shared secret data. User terminal authentication method characterized in that. The method of claim 2, When the generated new shared secret data is 2n bits, the extracted shared secret data for authentication (SSD_A_New) is the lower n bits of the new shared secret data. User terminal authentication method characterized in that. In the authentication server (AAA: Authorization Authentication and Accounting) of the high-speed packet data communication system to authenticate the user terminal, Pre-registering at least one authentication service subscriber information and a subscriber authentication key (A-Key) corresponding to each authentication service subscriber information; Receiving a SubsInfo Request including a subscriber number from a packet data serving node (PDSN); Determining whether a subscriber corresponding to the subscriber number is an authentication service subscriber; Performing password authentication protocol (PAP) authentication when not an authentication service subscriber; In the case of an authentication service subscriber, transmitting a subscriber information response (SubsInfo Response) including a first CHAP challenge value to the packet data serving node (PDSN); Receiving an access request from the packet data serving node PDSN including subscriber access information, a second CHAP challenge value, and a first CHAP response received from the user terminal; Determining whether the subscriber access information includes subscriber identification information (IMSI); If it does not include subscriber identification information, performing PAP authentication; Extracting a subscriber authentication key corresponding to the subscriber identification information when the subscriber identification information is included; Generating a second CHAP response using the terminal identification information corresponding to the user terminal, the subscriber authentication key, and the second CHAP challenge value; Determining whether the first CHAP response matches the second CHAP response; And Transmitting an access accept to the packet data serving node PDSN if the first CHAP response and the second CHAP response match User terminal authentication method comprising a. The method of claim 10, Before the step of extracting the subscriber authentication key corresponding to the subscriber identification information, Determining whether the first CHAP challenge value matches the second CHAP challenge value; And Transmitting an access reject to the packet data serving node PDSN when the first CHAP challenge value and the second CHAP challenge value do not match User terminal authentication method characterized in that the execution. In an authentication server (AAA: Authorization Authentication and Accounting) of a high speed packet data communication system that performs authentication of a user terminal, A storage unit for storing one or more authentication service subscriber information and a subscriber authentication key (A-Key) corresponding to each authentication service subscriber information; A receiving unit for receiving a SubsInfo Request and an Access Request from a Packet Data Serving Node (PDSN), wherein the subscriber information request includes a subscriber number, the access request includes subscriber identification information, A first CHAP challenge value, the first CHAP response received from the user terminal; A subscriber determination unit that determines whether a subscriber corresponding to the subscriber number is an authentication service subscriber; In case of an authentication service subscriber, a SubsInfo Response including a second CHAP challenge value is transmitted to the packet data serving node PDSN, and the first CHAP response and the second CHAP response match. A transmission unit for transmitting an access acceptance to the packet data serving node (PDSN); An authentication key extraction unit for extracting a subscriber authentication key corresponding to the subscriber identification information; A generator configured to generate the second CHAP response by using terminal identification information corresponding to the user terminal, the subscriber authentication key, and the first CHAP challenge value; And CHAP response determination unit for determining whether the first CHAP response and the second CHAP response match Authentication server comprising a.