WO2004102874A1 - A method of implementing high speed data packet operation authentication - Google Patents
- Publication number: WO2004102874A1 (PCT/CN2004/000495)
- Authority: WO, WIPO (PCT)
Classifications
- H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0892: Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
- H04L63/162: Implementing security features at a particular protocol layer at the data link layer
- H04W12/069: Authentication using certificates or pre-shared keys
- H04W74/00: Wireless channel access
- H04W76/10: Connection setup
Definitions
- the present invention relates to network authentication technology, and particularly to a method for implementing high-rate packet data service authentication.
Background of the invention
- CDMA is an advanced digital cellular mobile communication technology. It is one of the most important 3G radio transmission technologies (RTT) accepted by the International Telecommunication Union (ITU). Since the standard was first issued by Qualcomm in 1990, it has gone through two important stages: IS95 and CDMA2000 1x.
- the CDMA2000 1x network structure includes a mobile station (MS), a base transceiver station (BTS), a base station controller (BSC), a packet control function (PCF), a packet data serving node (PDSN), an authentication, authorization and accounting server (AAA) and the IS-41 core network.
- the IS-41 core network includes a mobile switching center (MSC), a visitor location register (VLR), a home location register (HLR) and an authentication center (AuC), referred to as MSC / VLR and HLR / AuC.
- the shared secret data (SSD) is stored in the terminal and in the HLR / AuC as one of the authentication input parameters.
- A-key is stored in the terminal and the HLR / AuC, which is exclusively used to update the SSD.
- the authentication result is calculated by the cellular authentication and voice encryption (CAVE) algorithm from parameters such as the SSD, a random number, the electronic serial number (ESN) and the mobile subscriber identification number (MIN); the MSC / VLR or HLR / AuC then compares whether the authentication results calculated on the terminal side and on the network side are consistent.
- the system will initiate an SSD update. After the SSD update succeeds, that is, once the SSDs on the terminal side and the network side are consistent again, the authentication result that the user terminal calculates with its SSD at the next access should be the same as the one calculated in the HLR / AuC, so that authentication succeeds.
- CDMA2000 HRPD (CDMA2000 1xEV-DO), referred to as HRPD, is an upgrade of CDMA2000 1x technology and provides high-speed packet data services.
- the single user downlink rate is up to 2.4 Mbps.
- the networking structure of HRPD network phase 1 includes an access terminal (AT), an access network (AN), AN AAA, PCF, PDSN and AAA.
- the HRPD network mainly uses the AN AAA for user authentication. After the authentication succeeds, the AN AAA returns the terminal's International Mobile Subscriber Identity (IMSI) to the AT for subsequent processes such as handover and billing.
- the interface between the BSC / PCF and the AN AAA is the A12 interface, which uses the Remote Authentication Dial-In User Service (RADIUS) protocol.
- the authentication mechanisms mainly include the Password Authentication Protocol (PAP) and the Challenge-Handshake Authentication Protocol (CHAP). Because the confidentiality of CHAP is relatively better, authentication using CHAP is more widespread.
- CHAP uses a secret-key-based message digest (MD) identity authentication algorithm. Taking CHAP as an example, the RADIUS authentication process shown in Figure 3 is as follows:
- Step 301 The user terminal and the network side negotiate through PPP / LCP to confirm that the CHAP protocol is used for authentication;
- Step 302 The AN initiates authentication by sending an authentication query (Challenge) message to the user terminal, and the message includes a random number generated by the AN;
- Step 303 The user terminal calculates the digest from the random number using the encryption algorithm specified by the CHAP protocol, and then sends the user name and the digest to the AN through a Response message.
- Step 305 The AN AAA uses the same algorithm to calculate the digest from the random number and compares whether it is consistent with the digest sent by the terminal. If they are consistent, the authentication succeeds and the AN AAA sends an Access-Accept message to the AN; otherwise, the authentication fails;
- Step 306 The AN sends a Success message to the user terminal to notify the user terminal that the authentication is successful.
- WLAN networks include many different technologies.
- IEEE 802.11b uses the 2.4GHz frequency band and has a maximum data transmission rate of 11Mbps.
- IEEE 802.11g and Bluetooth technology are also used in this frequency band. Among them, the highest data transmission rate of 802.11g can reach 54Mbps.
- Other new technologies, such as IEEE 802.11a and ETSI BRAN Hiperlan2 use the 5GHz frequency band, and the maximum transmission rate can reach 54Mbps.
- the interoperability between WLAN and various wireless mobile communication networks, such as GSM, Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Time Division Duplex-Synchronous Code Division Multiple Access (TD-SCDMA) and CDMA2000 systems, is becoming the focus of current research.
- an object of the present invention is to provide a method for implementing high-rate packet data service authentication, which is simple and convenient to maintain.
- the authentication entity uses a user identification module-based authentication mechanism to authenticate a user terminal that has established a physical connection with the access network, and uses the user information stored in the user terminal's own user identification module as the user identity;
- the authentication entity generates, based on the user identity, a second random number for authenticating the user terminal and a second authentication number corresponding to the second random number, calculated according to the shared secret data (SSD) stored on the network side;
- the user terminal calculates according to the second random number and the SSD it saves to obtain a first authentication number, and the authentication entity compares the first authentication number with the second authentication number. If they are the same, the authentication entity has successfully authenticated the user terminal; otherwise, the authentication fails.
- the authentication entity is a preset authentication server or an authentication center in a wireless mobile communication system.
- the second random number is obtained from an authentication center in the wireless mobile communication system, and the SSD is stored in a home location register HLR / AuC on the network side.
- the second random number is obtained from the authentication server, and the SSD is stored in the HLR / AuC on the network side, or the authentication server.
- the method further includes:
- the authentication entity notifies the HLR on the network side of the authentication result, and the HLR judges whether the current authentication is the first authentication. If it is the first authentication, the SSD is updated and step C is then performed; otherwise, the authentication fails.
- the method further includes:
- the process of updating the SSD includes:
- Step D1: the HLR generates an SSD update random number and calculates the authentication number corresponding to the SSD update random number;
- Step D2: the user terminal, according to the SSD update random number, recalculates its own SSD using the system's original SSD generation algorithm, and then calculates the authentication number corresponding to the SSD update random number based on the recalculated SSD.
- Step D1 further includes:
- Step D11: the HLR sends the SSD update random number (RANDSSD) and its corresponding authentication number to the authentication entity;
- the authentication entity sends an Access-Challenge message to the access network, which carries an EAP-Request / UIM / Update message containing RANDSSD;
- Step D2 includes:
- after receiving the EAP-Request / UIM / Update message sent by the access network, the user terminal uses RANDSSD to calculate a new SSD, randomly generates a random number RANDBS, calculates the authentication number AUTHBS corresponding to RANDBS according to the new SSD, and sends RANDBS to the access network via an EAP-Response / UIM / Challenge message;
- the access network sends the EAP-Response / UIM / Challenge message to the authentication entity.
- the authentication entity obtains, by interacting with the HLR, the base station challenge random number RANDBS and its corresponding challenge authentication number AUTHBS, which is calculated according to RANDBS and the saved SSD;
- the authentication entity sends an Access-Challenge message to the access network, which contains an EAP-Request / UIM / Challenge message carrying the authentication number AUTHBS; after receiving the message, the access network sends it to the user terminal.
- Step D3 includes:
- after receiving the message, the access network sends an EAP-Response / UIM / Success message carrying the relevant RADIUS attributes to the authentication entity, and the authentication entity updates the user's new SSD after receiving the message.
- the SSD described in step D2 is calculated according to the SSD update random number, the electronic serial number, the mobile subscriber identification number and the secret key.
- step A includes:
- Step A1: after receiving the authentication request, the user terminal reads the user information saved in its user identification module, uses that user information as its own user identity, and sends the user identity to the authentication entity through the access network.
- the access network communicates with the user terminal through the EAP protocol or the CHAP protocol.
- the access network sends the authentication request to the user terminal through an EAP-Request / Identity message;
- Step A2 includes:
- after receiving the message, the access network sends it to the U-AAA through an Access-Request message, initiating an authentication request to the U-AAA.
- Step B further includes:
- U-AAA sends the second random number obtained by authenticating the user terminal to the user terminal through the access network.
- the step of sending to the user terminal through the access network in step B includes:
- the authentication entity encapsulates the second random number in an EAP-Request / UIM / Challenge message, and then sends it to the access network through an Access-Challenge message.
- after receiving the Access-Challenge message sent by the authentication entity, the access network strips the EAP-Request / UIM / Challenge message out of the Access-Challenge message and sends it to the user terminal.
- Step C further includes:
- after calculating the first authentication number, the user terminal sends the first authentication number to the authentication entity through the access network.
- the step of the user terminal sending the first authentication number to the authentication entity through the access network in step C includes:
- the user terminal sends the first authentication number to the access network through an EAP-Response / UIM / Challenge message;
- the access network encapsulates the received EAP-Response / UIM / Challenge message in an Access-Request message, and sends the encapsulated Access-Request message to the authentication entity.
- after step C, the method further includes:
- the authentication entity notifies the user terminal of the authentication success / failure through the access network.
- the authentication entity communicates with the home location register through the ANSI-41D protocol.
- the access network is a wireless local area network.
- the present invention has the following advantages and characteristics:
- the present invention uses the existing CDMA IS-41 core network to support nationwide roaming, and does not need a nationwide dedicated AN AAA network, which saves investment costs.
- unified authentication in multi-mode networks: users do not need to enter user names and passwords manually, which is convenient, and other network services and HRPD services can share account opening, identification and authentication in the HLR through the IMSI, which is easy for operators to run.
- HRPD users can continue to use the UIM cards they already had as IS95 / CDMA2000 1x users, which helps IS95 / CDMA2000 1x users migrate to HRPD.
- the user terminal can also perform authentication on the network side to implement mutual authentication between the network and the terminal, that is, network-to-terminal authentication, and terminal-to-network authentication, with high security.
- Figure 1 shows the networking diagram of the IS95 / CDMA2000 1x system
- FIG. 2 is a schematic diagram of HRPD network networking
- FIG. 3 is a schematic flowchart of HRPD authentication in the prior art
- FIG. 4 is a schematic diagram of a network structure for implementing the present invention.
- FIG. 5 is a schematic flowchart of implementing the first boot-up for authentication according to the first embodiment of the present invention
- FIG. 6 is a schematic flowchart of the specific embodiment for implementing the second-booting for authentication according to the first embodiment of the present invention.
- FIG. 7 is a schematic flowchart of implementing authentication for the first time in the second embodiment of the present invention
- FIG. 8 is an example flowchart of communication between a user terminal and an access network in the present invention through a CHAP protocol.
- the core content of the present invention is as follows:
- the authentication entity uses a user identification module-based authentication mechanism to authenticate a user terminal that has been physically connected to the access network, and uses the user information stored in the user terminal's own user identification module as the user identity; the authentication entity generates, based on the user identity, a second random number for authenticating the user terminal and a second authentication number corresponding to the second random number, calculated based on the shared secret data stored on the network side; the user terminal calculates according to the second random number and the shared secret data SSD saved by itself, and obtains the first authentication number; the authentication entity compares the first authentication number with the second authentication number, and if they are the same, the user terminal is successfully authenticated; otherwise, the authentication fails.
- the network accessed by the user terminal may be a WLAN network.
- the authentication entity can be a preset authentication server or the original authentication center.
- the authentication server and HLR can communicate through the ANSI-41D protocol.
- the second random number can be generated by any entity on the network side, such as HLR / AuC, AAA, and so on. And the SSD is stored in the HLR / AuC on the network side, or it can be stored in the authentication server.
- the second random number is generated by the HLR / AuC
- the second authentication number can be directly obtained from the HLR / AuC.
- the second random number is generated by AAA
- the second authentication number can be obtained from the home location register / AuC according to the user identity and the first random number.
- the AT and AN can communicate through the CHAP protocol, or the EAP protocol, or the original CDMA2000 air interface message for communication.
- the networking structure for implementing the method of the present invention includes AT, AN, a user identification module-based authentication, authorization, and accounting server (U-AAA), PCF, PDSN, AAA, and HLR.
- the AN provides a data connection between the terminal and the packet-switched data network; it is equivalent to the BTS and BSC in CDMA2000 1x, and may also be a WLAN; and
- the U-AAA is preset and is a server dedicated to authentication and accounting.
- the network elements used here do not need to be changed; user terminals must be HRPD terminals or hybrid terminals that support HRPD, such as HRPD / GSM, HRPD / CDMA2000 1x, HRPD / Wireless Local Area Network (WLAN), etc.
- the terminal hardware must support reading UIM cards or provide external card readers, support EAP-UIM protocol, support authentication through GSM HLR or CDMA HLR;
- the AN requires that the air interface and the A12 interface support the EAP-UIM authentication protocol, where the air interface carries EAP-UIM over PPP and the A12 interface carries EAP-UIM over RADIUS. The AAA can be removed, with the accounting function realized by the preset U-AAA.
- the U-AAA network element replaces the AN AAA; it is mainly required to support the CDMA IS-41 protocol and the EAP-UIM over RADIUS authentication protocol.
- the HLR and AuC are generally physically located in the same entity, and are collectively referred to hereinafter as the HLR.
- the certification process during the first startup includes three parts: first certification, SSD update, and second certification.
- the authentication performed when the AT starts up for the first time is the first authentication. When the AT is powered on for the first time, the first authentication always fails because the SSDs stored on the system side and the AT side are inconsistent. Therefore, after the first authentication fails, an SSD update is performed: RANDSSD is issued through the EAP-REQUEST / UIM / Update message, and the AT and the HLR each calculate the new SSD from RANDSSD, the ESN and the A-key through the same SSD generation algorithm. Since this information and the algorithm are the same on the AT side and the HLR side, the resulting SSD is also the same.
- Step 801 An HRPD session is established between the AT and the AN, and the AT is ready to exchange data on the access stream.
- Step 802 The AT and AN initiate PPP and LCP negotiation for access authentication.
- Step 803 The AN initiates a Random Challenge and sends it to the AT through a CHAP Challenge message.
- Step 804 The AT performs CAVE-based authentication and sends a CHAP Response.
- Step 805 The AN sends an A12-Access Request message to U-AAA.
- Step 806 The U-AAA constructs an AUTHREQ message according to the content of the A12-Access Request message and sends it to the HLR / AuC.
- Step 807 The HLR / AuC executes a CAVE-based authentication process. If the authentication passes, the HLR / AuC sends an authentication response return result (authreq) message to the U-AAA, and it contains
- Step 808 The U-AAA stores the SSD allocated by the HLR / AuC.
- Step 809 The U-AAA sends an A12-Access Accept message to the AN.
- Step 810 The AN returns a CHAP authentication success message (CHAP Authentication) to the AT.
- Step 811 The AT and AN then perform subsequent processing.
- Step 501 A physical connection is established between the WLAN MS and the WLAN.
- Step 502 The WLAN MS initiates an authentication request to the WLAN, that is, the WLAN MS sends an EAPoL-Start message to the network.
- Step 503 The WLAN sends a request for a username (EAP-Request / Identity) message to the WLAN MS, starts authentication, and requests the WLAN MS to send the user identity.
- Step 504 After receiving the EAP-Request / Identity message, the WLAN MS reads the information stored in the UIM card through the corresponding interface as its own user identity, and sends a user name response (EAP-Response / Identity) message to the WLAN.
- Step 505 After receiving the EAP-Response / Identity message, the WLAN initiates an authentication request to the U-AAA through an Access-Request message of the Radius protocol, which encapsulates the EAP-Response / Identity message.
- Step 506 After receiving the Access-Request message sent by the WLAN, the U-AAA takes out the user identity carried in it, and then judges the type of the user identity according to its related configuration information. If it is a UIM type, the U-AAA encapsulates an EAP-UIM authentication start (EAP-Request / UIM / Start) message in an access challenge (Access-Challenge) message and sends it to the WLAN; otherwise, it is not processed.
- Step 507 After receiving the Access-Challenge message, the WLAN strips the EAP-Request / UIM / Start message, and then sends the stripped message to the WLAN MS.
- Step 508 After receiving the EAP-Request / UIM / Start message sent by the WLAN, the WLAN MS generates a random number Nonce_MT, places it in the attribute AT_NONCE_MT, and sends it to the WLAN in an EAP-Response / UIM / Start message, indicating that it agrees to use the EAP-UIM authentication protocol.
- Step 509 After receiving the EAP-Response / UIM / Start message from the WLAN MS, the WLAN encapsulates the EAP-Response / UIM / Start message in an Access-Request message, and then sends the Access-Request message to the U-AAA.
- Step 510 After receiving the Access-Request message sent by the WLAN, the U-AAA decides to adopt the unique challenge method, that is, the U-AAA generates a random number (RANDU), the second random number, for authenticating the WLAN MS, and calculates the second authentication number (AUTHU2) corresponding to the random number according to the SSD it saves, thereby forming an authentication set.
- Step 511 The U-AAA encapsulates RANDU in an EAP-Request / UIM / Challenge message, and then sends RANDU and a MAC to the WLAN through an Access-Challenge message; here, the MAC is generated by the U-AAA from the received random number Nonce_MT and the EAP-Request message to be issued.
- Step 512 After the WLAN receives the Access-Challenge message sent by the U-AAA, it strips the EAP-Request / UIM / Challenge message out of the Access-Challenge message, and sends the stripped message to the WLAN MS.
- Step 513 When the WLAN MS receives the EAP-Request / UIM / Challenge message, it first verifies that the MAC in the received EAP message is correct. If it is wrong, the WLAN MS sends an error message to the network and terminates the process. Otherwise, the WLAN MS takes out RANDU and calculates the first authentication number (AUTHU1) according to RANDU and the ESN, SSD and MIN obtained from the UIM.
- Step 514 The WLAN MS sends AUTHU1, the ESN, the MIN and the recalculated MAC to the WLAN through an EAP-Response / UIM / Challenge message.
- Step 515 The WLAN encapsulates the received EAP-Response / UIM / Challenge message in an access request (Access-Request) message of the Radius protocol, and sends the encapsulated Access-Request message to the U-AAA.
- Step 516 After receiving the Access-Request packet sent by the WLAN, U-AAA parses AUTHU1 and judges whether AUTHU1 is consistent with AUTHU2 calculated by itself. If they are consistent, U-AAA passes the WLAN MS authentication. Otherwise, the authentication process fails.
- Step 517 The U-AAA sends an Access-Accept message containing an EAP-Success message to the WLAN (authentication successful), or the U-AAA sends an Access-Reject message containing an EAP-Failure message to the WLAN (authentication failed).
- Step 518 After receiving the Access-Accept message sent by the U-AAA, the WLAN strips out the EAP-Success message and sends it to the WLAN MS to notify the WLAN MS that the authentication is successful. If an Access-Reject message is received, the EAP-Failure message is stripped out and sent to the WLAN MS to notify it of the authentication failure.
- Steps 601 to 615 are the same as steps 501-515 in FIG. 5.
- Steps 616 to 617 The U-AAA compares AUTHU1 with the AUTHU2 it stores locally. If they are the same, the client is authenticated and an EAP-Success message is sent to the WLAN MS via the WLAN. Otherwise, the U-AAA reports the authentication failure to the HLR. After receiving the report, the HLR randomly generates two random numbers, RANDSSD and RANDU, calculates the corresponding AUTHU according to RANDU, and then sends RANDSSD and RANDU / AUTHU to the U-AAA to start the SSD update process.
- Step 618 The U-AAA sends an Access-Challenge message to the WLAN, which contains an EAP-Request / UIM / Update message carrying the RANDSSD random number.
- Step 619 The WLAN forwards the EAP-Request / UIM / Update message to the WLAN MS.
- Step 621 The WLAN sends the EAP-Response / UIM / Challenge to the authentication server U-AAA in the EAP Over RADIUS message format.
- Step 622 After receiving the EAP-Response / UIM / Challenge, the U-AAA interacts with the HLR to obtain the base station challenge random number (RANDBS) and its corresponding challenge authentication result (AUTHBS).
- the HLR randomly generates RANDBS, and calculates AUTHBS according to the random number and the SSD saved by itself.
- Step 623 The U-AAA sends an Access-Challenge message to the WLAN, which contains an EAP-Request / UIM / Challenge message carrying the AUTHBS authentication number.
- Step 624 After receiving the EAP-Request / UIM / Challenge message, the WLAN sends the message to the WLAN MS.
- Step 625 After receiving the EAP-Request / UIM / Challenge message sent by the WLAN, the WLAN MS parses out AUTHBS from the message, and then compares whether the parsed AUTHBS is consistent with the AUTHBS it calculated itself. If they are consistent, the network-side AAA authentication passes, and an EAP-Response / UIM / success message is then sent to the WLAN.
- Step 626 After receiving the message, the WLAN sends the EAP-Response / UIM / success message to the authentication server U-AAA in the format of an Access-Request message with the relevant RADIUS attributes, indicating that the SSD update process is over.
- Step 627 After receiving the Access-Request message sent by the WLAN, the U-AAA carries out the unique challenge method based on the RANDU and AUTHU received from the HLR in step 616; steps 628 to 635 are the same as steps 511 to 518 in FIG. 5.
- In step 632, the U-AAA also notifies the HLR / AuC to update the SSD stored in the AuC, and the AuC updates its local SSD according to the received notification message.
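As an added illustration, not code from the patent, the first start-up flow of Figures 5 and 6 (steps 501 to 518 and 616 to 635) simulated in Python: the first authentication fails because the UIM and the HLR hold different SSDs, the HLR then issues RANDSSD, the terminal recomputes its SSD, challenges the network with RANDBS and checks AUTHBS, and the second authentication succeeds. CAVE, the SSD generation algorithm and the MAC keying are assumptions here (HMAC-SHA256 stand-ins), and the subscriber record is constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Stand-ins for the IS-41 primitives: real CAVE and the real SSD generation algorithm
# are not reproduced; HMAC-SHA256 truncations are assumed instead.
def cave_auth(ssd: bytes, rand: bytes, esn: bytes, min_: bytes) -> bytes:
    """Authentication number from SSD, random number, ESN and MIN (CAVE stand-in)."""
    return hmac.new(ssd, rand + esn + min_, hashlib.sha256).digest()[:4]

def generate_ssd(a_key: bytes, randssd: bytes, esn: bytes) -> bytes:
    """SSD update: new SSD from A-key, RANDSSD and ESN, same algorithm on both sides."""
    return hmac.new(a_key, randssd + esn, hashlib.sha256).digest()[:8]

def eap_mac(nonce_mt: bytes, eap_payload: bytes) -> bytes:
    """MAC over an EAP message derived from Nonce_MT (step 511; keying is assumed)."""
    return hmac.new(nonce_mt, eap_payload, hashlib.sha256).digest()[:8]

@dataclass
class Subscriber:
    """One subscriber record, held both in the UIM card and in the HLR/AuC."""
    esn: bytes
    min_: bytes
    a_key: bytes
    ssd: bytes

class WlanMs:
    """Terminal with a UIM card (steps 508, 513, 514, 620 and 625)."""
    def __init__(self, uim: Subscriber):
        self.uim = uim
        self.nonce_mt = os.urandom(16)  # AT_NONCE_MT sent in EAP-Response/UIM/Start
        self.expected_authbs = None

    def on_challenge(self, randu: bytes, mac: bytes):
        """Step 513: a wrong MAC ends the process (None); otherwise return AUTHU1."""
        if not hmac.compare_digest(mac, eap_mac(self.nonce_mt, b"UIM/Challenge" + randu)):
            return None
        return cave_auth(self.uim.ssd, randu, self.uim.esn, self.uim.min_)

    def on_update(self, randssd: bytes) -> bytes:
        """Step 620: recompute the SSD from RANDSSD, then challenge the network with RANDBS."""
        self.uim.ssd = generate_ssd(self.uim.a_key, randssd, self.uim.esn)
        randbs = os.urandom(4)
        self.expected_authbs = cave_auth(self.uim.ssd, randbs, self.uim.esn, self.uim.min_)
        return randbs

    def check_authbs(self, authbs: bytes) -> bool:
        """Step 625: network-to-terminal authentication."""
        return self.expected_authbs is not None and hmac.compare_digest(authbs, self.expected_authbs)

class Hlr:
    """HLR/AuC holding the network-side copy of the record; the U-AAA fetches from it."""
    def __init__(self, record: Subscriber):
        self.rec = record
        self.authenticated_once = False  # the page's "is this the first authentication"

    def unique_challenge(self):
        """Steps 510 / 616: RANDU and the matching AUTHU2 from the stored SSD."""
        randu = os.urandom(4)
        return randu, cave_auth(self.rec.ssd, randu, self.rec.esn, self.rec.min_)

    def ssd_update(self) -> bytes:
        """Step 616: generate RANDSSD and recompute the network-side SSD."""
        randssd = os.urandom(7)
        self.rec.ssd = generate_ssd(self.rec.a_key, randssd, self.rec.esn)
        return randssd

    def authbs(self, randbs: bytes) -> bytes:
        """Step 622: AUTHBS for the terminal's RANDBS, computed with the new SSD."""
        return cave_auth(self.rec.ssd, randbs, self.rec.esn, self.rec.min_)

def authenticate(ms: WlanMs, hlr: Hlr) -> bool:
    """Steps 510 to 516: challenge, terminal response, AUTHU1 versus AUTHU2."""
    randu, authu2 = hlr.unique_challenge()
    mac = eap_mac(ms.nonce_mt, b"UIM/Challenge" + randu)
    authu1 = ms.on_challenge(randu, mac)
    return authu1 is not None and hmac.compare_digest(authu1, authu2)

def first_boot(ms: WlanMs, hlr: Hlr) -> dict:
    """First authentication, SSD update with mutual authentication, second authentication."""
    if authenticate(ms, hlr):
        return {"first": True, "mutual": None, "second": None}
    if hlr.authenticated_once:  # not the first authentication: plain failure
        return {"first": False, "mutual": None, "second": None}
    randssd = hlr.ssd_update()                    # steps 616 to 619
    randbs = ms.on_update(randssd)                # step 620
    mutual = ms.check_authbs(hlr.authbs(randbs))  # steps 622 to 625
    second = mutual and authenticate(ms, hlr)     # steps 627 to 635
    hlr.authenticated_once = second
    return {"first": False, "mutual": mutual, "second": second}

def demo(wrong_a_key: bool = False) -> dict:
    """Constructed subscriber whose UIM starts with an SSD different from the HLR's."""
    esn, min_, a_key = b"\x01\x02\x03\x04", b"1390000", os.urandom(8)
    uim_key = os.urandom(8) if wrong_a_key else a_key
    ms = WlanMs(Subscriber(esn, min_, uim_key, ssd=b"\x00" * 8))
    hlr = Hlr(Subscriber(esn, min_, a_key, ssd=b"\xff" * 8))
    return first_boot(ms, hlr)
```

A UIM with a wrong A-key derives a different SSD from the same RANDSSD, so both the AUTHBS check and the second authentication fail, which is the property the first start-up flow relies on.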
- Step 701 A physical connection is established between the WLAN MS and the WLAN.
- Step 702 The WLAN MS requests authentication from the network, that is, the WLAN MS sends an EAPoL-Start message to the network.
- Step 703 The WLAN sends a request user name (EAP-Request/Identity) message to the WLAN MS to start authentication, requesting the WLAN MS to send its user identity.
- Step 704 After receiving the EAP-Request/Identity message, the WLAN MS reads the information stored in the UIM card through the corresponding interface as its own user identity, and sends a user name response (EAP-Response/Identity) message to the WLAN.
- Step 705 After receiving the EAP-Response/Identity message, the WLAN initiates an authentication request to the U-AAA through an Access-Request message of the RADIUS protocol; the message encapsulates the EAP-Response/Identity message.
- Step 706 After receiving the Access-Request message sent by the WLAN, the U-AAA extracts the user ID carried in the Access-Request packet and judges the type of the user ID according to its configuration information. If it is a UIM type, the U-AAA sends an access challenge (Access-Challenge) message to the WLAN that encapsulates an EAP-UIM authentication start request (EAP-Request/UIM/Start) message; otherwise, the request is not processed.
- Step 707 After receiving the Access-Challenge message, the WLAN strips out the EAP-Request/UIM/Start message and sends the stripped message to the WLAN MS.
- Step 709 After receiving the EAP-Response/UIM/Start message from the WLAN MS, the WLAN encapsulates the EAP-Response/UIM/Start message in an Access-Request message and sends the Access-Request message to the U-AAA.
- Step 710 After receiving the Access-Request message sent by the WLAN, the U-AAA determines that the global authentication method is adopted, that is, the U-AAA generates for the WLAN MS a second random number (RAND), a second authentication number (AUTHR2) and the corresponding message authentication code (MAC).
- Step 711 The U-AAA encapsulates the RAND and MAC in the EAP-Request/UIM/Challenge message and sends it to the WLAN through the Access-Challenge message.
- Step 712 After the WLAN receives the Access-Challenge message sent by the U-AAA, it strips out the EAP-Request/UIM/Challenge from the Access-Challenge message and sends the stripped message to the WLAN MS.
- Step 713 After the WLAN MS receives the EAP-Request/UIM/Challenge message, it takes out the RAND in it, and calculates the first authentication number (AUTHR1) from the RAND and the password read from the UIM card.
- Step 714 The WLAN MS sends AUTHR1, ESN, MIN and RANDC to the WLAN through the EAP-Response/UIM/Challenge message.
- The RANDC is derived by the WLAN MS from the received RAND.
- Step 715 The WLAN encapsulates the received EAP-Response/UIM/Challenge message in a RADIUS protocol Access-Request message and sends the encapsulated Access-Request message to the U-AAA.
- Step 716 After receiving the Access-Request message sent by the WLAN, the U-AAA determines the corresponding RAND from the RANDC it holds; then the U-AAA judges whether the user's SSD has been obtained, and if so, parses out AUTHR1 and checks whether it is consistent with the AUTHR2 it stores for the user terminal. If they are the same, the U-AAA's authentication of the WLAN MS is passed; otherwise, the authentication fails.
- Step 717 The U-AAA sends an authentication success (Access-Accept) message to the WLAN containing EAP-Success and the MAC value; or the U-AAA sends an authentication failure (Access-Reject) message containing EAP-Failure and the MAC value.
- Step 718 After the WLAN receives the Access-Accept message sent by the U-AAA, it strips out the EAP-Success message and sends it to the WLAN MS to notify the WLAN MS that authentication succeeded. After receiving an Access-Reject message, the WLAN strips out the EAP-Failure message and sends it to the WLAN MS to notify it of the authentication failure. The WLAN MS first checks the MAC: it only confirms that the EAP-Request message is correct when the received MAC value matches the locally calculated MAC.
- the first embodiment is a unique query process
- the second embodiment is a global authentication process.
- The two processes are basically the same, except that the types of random numbers generated when the U-AAA authenticates the WLAN MS are different, and the parameters carried in the authentication messages exchanged between the WLAN MS and the U-AAA differ.
- For the unique query, the WLAN MS uses the CAVE algorithm with RANDU, A-key, MIN and ESN as input parameters to generate AUTHU; for global authentication, when the U-AAA sends the generated RAND to the WLAN MS, the WLAN MS generates AUTHR using the CAVE algorithm with RAND, A-key, MIN and ESN as input parameters.
- For the unique query, the WLAN MS sends AUTHU to the U-AAA after calculating it; for global authentication, the WLAN MS sends AUTHR to the U-AAA after calculating it and at the same time sends the RANDC parameter, which is derived from RAND.
- After calculating AUTHU or AUTHR, the WLAN MS sends a response message to the U-AAA; the response message includes the electronic serial number (ESN) and mobile subscriber identification number (MIN) of the WLAN MS.
- After receiving the UIM authentication start message (EAP-Request/UIM/Start) sent by the U-AAA, the WLAN MS internally generates a random number AT_NONCE_MT and sends it to the U-AAA in the EAP-Response/UIM/Start message as the terminal-to-network authentication parameter.
- After the U-AAA receives the AT_NONCE_MT sent by the WLAN MS, it calculates the response MAC with an algorithm and sends the MAC to the WLAN MS in a subsequent EAP-Request message.
- The WLAN MS first checks the MAC; only when the received MAC matches the locally calculated MAC does it confirm that the EAP-Request message is correct.
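The global authentication exchange of steps 710 to 718 and the terminal-to-network check with AT_NONCE_MT and MAC, modelled end to end with both sides' messages, as an added example that is not code from the patent. Assumptions: the page does not specify the CAVE algorithm or the MAC algorithm, so HMAC-SHA256 over the same inputs (RAND, secret, MIN, ESN) stands in for both; RANDC is taken as the most significant byte of the 32-bit RAND (the CDMA convention), whereas the page only says it is derived from RAND; the U-AAA is assumed to already hold the user's SSD and ESN from the HLR/AuC. The class and function names (UAAA, WlanMs, run_exchange) and the sample MIN/ESN values are constructed.

```python
"""Toy model of the EAP-UIM global authentication exchange described above.

Added example, not code from the patent. Assumptions: HMAC-SHA256 stands in
for the CAVE algorithm and for the unspecified MAC algorithm; RANDC is the most
significant byte of the 32-bit RAND (CDMA convention; the page only says RANDC
is derived from RAND); the U-AAA already holds the user's SSD and ESN obtained
from the HLR/AuC. Class, function and sample values are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

REJECT = {"result": "Access-Reject", "eap": "EAP-Failure"}


def auth_number(secret: bytes, rand: bytes, min_: str, esn: str) -> bytes:
    """Stand-in for CAVE: AUTHR = f(RAND, secret, MIN, ESN), truncated to 3 bytes."""
    return hmac.new(secret, rand + min_.encode() + esn.encode(), hashlib.sha256).digest()[:3]


def message_mac(secret: bytes, nonce_mt: bytes, eap_body: bytes) -> bytes:
    """MAC the WLAN MS uses to authenticate the network: keyed by the shared
    secret and the terminal nonce AT_NONCE_MT, computed over the EAP body."""
    return hmac.new(secret + nonce_mt, eap_body, hashlib.sha256).digest()[:16]


def randc_of(rand: bytes) -> int:
    """RANDC: the most significant byte of RAND (assumed CDMA convention)."""
    return rand[0]


@dataclass
class UAAA:
    # MIN -> (SSD, ESN) as provisioned from the HLR/AuC (constructed records)
    users: Dict[str, Tuple[bytes, str]]
    # (MIN, RANDC) -> (RAND, AUTHR2, AT_NONCE_MT) for challenges still outstanding
    pending: Dict[Tuple[str, int], Tuple[bytes, bytes, bytes]] = field(default_factory=dict)

    def challenge(self, min_: str, nonce_mt: bytes) -> dict:
        """Steps 710/711: generate RAND, AUTHR2 and the MAC for EAP-Request/UIM/Challenge."""
        ssd, esn = self.users[min_]
        rand = os.urandom(4)
        authr2 = auth_number(ssd, rand, min_, esn)
        self.pending[(min_, randc_of(rand))] = (rand, authr2, nonce_mt)
        body = b"EAP-Request/UIM/Challenge" + rand
        return {"RAND": rand, "MAC": message_mac(ssd, nonce_mt, body)}

    def verify(self, response: dict) -> dict:
        """Steps 716/717: recover RAND from RANDC, then compare AUTHR1 with the stored AUTHR2."""
        entry = self.pending.pop((response["MIN"], response["RANDC"]), None)
        record = self.users.get(response["MIN"])
        if entry is None or record is None:
            return dict(REJECT)  # unknown user, or no outstanding challenge (replay)
        rand, authr2, nonce_mt = entry
        ssd, _esn = record
        if not hmac.compare_digest(response["AUTHR1"], authr2):
            return dict(REJECT)
        return {"result": "Access-Accept", "eap": "EAP-Success",
                "MAC": message_mac(ssd, nonce_mt, b"EAP-Success")}


@dataclass
class WlanMs:
    min_: str
    esn: str
    secret: bytes  # the A-key/SSD read from the UIM card
    nonce_mt: bytes = field(default_factory=lambda: os.urandom(16))

    def start(self) -> dict:
        """EAP-Response/UIM/Start carrying AT_NONCE_MT, the terminal-to-network parameter."""
        return {"MIN": self.min_, "AT_NONCE_MT": self.nonce_mt}

    def respond(self, challenge: dict) -> Optional[dict]:
        """Steps 713/714: check the network's MAC first; only then compute AUTHR1."""
        rand = challenge["RAND"]
        expected = message_mac(self.secret, self.nonce_mt, b"EAP-Request/UIM/Challenge" + rand)
        if not hmac.compare_digest(expected, challenge["MAC"]):
            return None  # network not authenticated: the EAP-Request is discarded
        return {"AUTHR1": auth_number(self.secret, rand, self.min_, self.esn),
                "ESN": self.esn, "MIN": self.min_, "RANDC": randc_of(rand)}


def run_exchange(ms: WlanMs, aaa: UAAA, tamper_mac: bool = False) -> str:
    """Drive one full exchange; tamper_mac simulates a challenge whose MAC was altered in transit."""
    start = ms.start()
    chal = aaa.challenge(start["MIN"], start["AT_NONCE_MT"])
    if tamper_mac:
        chal = dict(chal, MAC=bytes(16))
    resp = ms.respond(chal)
    if resp is None:
        return "MS rejected challenge"
    return aaa.verify(resp)["result"]


if __name__ == "__main__":
    ssd = b"constructed-ssd-from-hlr"
    aaa = UAAA({"13800000001": (ssd, "ESN-0001")})
    print(run_exchange(WlanMs("13800000001", "ESN-0001", ssd), aaa))  # Access-Accept
    print(run_exchange(WlanMs("13800000001", "ESN-9999", ssd), aaa))  # Access-Reject
    print(run_exchange(WlanMs("13800000001", "ESN-0001", ssd), aaa, tamper_mac=True))  # MS rejected challenge
```

The order of checks is the point of the model: the terminal verifies the network's MAC before it computes or releases AUTHR1, so a challenge that does not carry a MAC bound to its own AT_NONCE_MT is dropped; the U-AAA, in turn, consumes the outstanding (MIN, RANDC) entry on first use, so a second presentation of the same response is rejected. Including ESN in the CAVE input means a terminal whose ESN does not match the HLR record fails even with the correct secret.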
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Business, Economics & Management (AREA)
- Accounting & Taxation (AREA)
- Mobile Radio Communication Systems (AREA)
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN03131035.4 | 2003-05-16 | ||
CN03131035 | 2003-05-16 | ||
CN04007188 | 2004-03-02 | ||
CN200410007188.9 | 2004-03-02 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2004102874A1 true WO2004102874A1 (en) | 2004-11-25 |
Family
ID=35578870
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2004/000495 WO2004102874A1 (en) | 2003-05-16 | 2004-05-17 | A method of implementing high speed data packet operation authentication |
Country Status (3)
Country | Link |
---|---|
CN (2) | CN1327648C (en) |
RU (1) | RU2321972C2 (en) |
WO (1) | WO2004102874A1 (en) |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101212295B (en) * | 2006-12-26 | 2010-11-03 | 财团法人资讯工业策进会 | System, device, and method for applying for electronic evidence and transmitting key for mobile electronic device |
CN101383816B (en) * | 2007-09-06 | 2015-09-02 | 财团法人工业技术研究院 | wireless network authentication system and method thereof |
CN102026184B (en) * | 2009-09-16 | 2013-08-07 | 华为技术有限公司 | Authentication method, authentication system and relevant device |
EA017487B1 (en) * | 2011-08-18 | 2012-12-28 | Али Магомед Оглы Аббасов | Method of information transceiving |
WO2019010701A1 (en) * | 2017-07-14 | 2019-01-17 | Zte Corporation | Methods and computing device for transmitting encoded information during authentication |
EP4181093A4 (en) * | 2020-07-22 | 2023-08-23 | Huawei Technologies Co., Ltd. | Authentication detection method, apparatus and system |
CN113904856B (en) * | 2021-10-15 | 2024-04-23 | 广州威戈计算机科技有限公司 | Authentication method, switch and authentication system |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1341338A (en) * | 1999-02-22 | 2002-03-20 | 格姆普拉斯公司 | Authentication in radiotelephone network |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5172414A (en) * | 1991-09-13 | 1992-12-15 | At&T Bell Laboratories | Speech and control message encrypton in cellular radio |
US5943425A (en) * | 1996-05-10 | 1999-08-24 | Lucent Technologies, Inc. | Re-authentication procedure for over-the-air activation |
US5729537A (en) * | 1996-06-14 | 1998-03-17 | Telefonaktiebolaget L M Ericsson (Publ) | Method and apparatus for providing anonymous data transfer in a communication system |
CN1191703C (en) * | 2001-12-31 | 2005-03-02 | 西安西电捷通无线网络通信有限公司 | Safe inserting method of wide-band wireless IP system mobile terminal |
2004
- 2004-03-02 CN CNB2004100071889A patent/CN1327648C/en not_active Expired - Fee Related
- 2004-05-17 CN CNA2004800012910A patent/CN1706150A/en active Pending
- 2004-05-17 WO PCT/CN2004/000495 patent/WO2004102874A1/en active Application Filing
- 2004-05-17 RU RU2005140546/09A patent/RU2321972C2/en active
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1341338A (en) * | 1999-02-22 | 2002-03-20 | 格姆普拉斯公司 | Authentication in radiotelephone network |
Also Published As
Publication number | Publication date |
---|---|
RU2005140546A (en) | 2006-07-27 |
RU2321972C2 (en) | 2008-04-10 |
CN1551561A (en) | 2004-12-01 |
CN1706150A (en) | 2005-12-07 |
CN1327648C (en) | 2007-07-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7515906B2 (en) | Method of implementing authentication of high-rate packet data services | |
WO2004102884A1 (en) | A method for performing authentication in a wireless lan | |
AU2003243680B2 (en) | Key generation in a communication system | |
US8630414B2 (en) | Inter-working function for a communication system | |
US7760710B2 (en) | Rogue access point detection | |
US8094821B2 (en) | Key generation in a communication system | |
US9232398B2 (en) | Method and apparatus for link setup | |
JP5193850B2 (en) | Wireless communication method | |
CN106921965B (en) | Method for realizing EAP authentication in WLAN network | |
WO2011017924A1 (en) | Method, system, server, and terminal for authentication in wireless local area network | |
CN100334850C (en) | A method for implementing access authentication of wireless local area network | |
WO2004102874A1 (en) | A method of implementing high speed data packet operation authentication | |
CN100527668C (en) | Method for implementing compatibility between WAPI protocol and 802.1X protocol | |
WO2004102883A1 (en) | A kind of method to realize user authentication | |
EP1968274A1 (en) | Method for supporting an existing authentication infrastructure |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AK | Designated states | Kind code of ref document: A1; Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
| AL | Designated countries for regional patents | Kind code of ref document: A1; Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| WWE | Wipo information: entry into national phase | Ref document number: 20048012910; Country of ref document: CN |
| REG | Reference to national code | Ref country code: HK; Ref legal event code: DE; Ref document number: 1073741; Country of ref document: HK |
| WWE | Wipo information: entry into national phase | Ref document number: 3406/CHENP/2005; Country of ref document: IN |
| WWE | Wipo information: entry into national phase | Ref document number: 2005140546; Country of ref document: RU |
| 122 | Ep: pct application non-entry in european phase | |