WO2004102874A1

WO2004102874A1 - A method of implementing high speed data packet operation authentication

Info

Publication number: WO2004102874A1
Application number: PCT/CN2004/000495
Authority: WO
Inventors: Zhuo Li; Shikui Guo; Yang Shao; Jianghai Gao; Dianfu Chen; Zhiming Li; Weidong Wu
Original assignee: Huawei Technologies Co., Ltd.
Priority date: 2003-05-16
Filing date: 2004-05-17
Publication date: 2004-11-25
Also published as: RU2005140546A; RU2321972C2; CN1551561A; CN1706150A; CN1327648C

Abstract

The invention discloses a method of implementing high speed data packet operation authentication, the method includes: user terminal establishing physical connection with access network takes user information saved in user identify module as user identity, starts to authenticate with the authentication entity based on the user identify module; according to said user identity, authentication entity gets the second random data and the second authentication value related to the second random data computed by share secret data; said user terminal computes the first authentication value based on the second random data and share secret data saved itself, authentication entity compares the first authentication value with the second authentication value, if equal, the authentication is succeed, if not equal, the authentication is failing. The method is that authentication is security, cost is lower, operation is conveniency.

Description

Method for implementing high-rate packet data service authentication

The present invention relates to network authentication technology, and particularly to a method for implementing high-rate packet data service authentication. Background of the invention

CDMA is an advanced digital cellular mobile communication technology. It is one of the most important 3G wireless transmission technologies (RTT) accepted by the International Telecommunication Union (ITU). It has undergone IS95 since the standard was first issued by Qualcomm in 1990. , CDMA2000 lx two important stages.

As shown in Figure 1, the CDMA2000 lx network structure includes a mobile station (MS), a base transceiver station (BTS), a base station controller (BSC), a packet control function (PCF), a packet data service service point (PDSN), and service authentication. , Authorization and Accounting Server (AAA) and IS-41 core network. Among them, the IS-41 core network includes a mobile switching center (MSC), a visitor location register (VLR), and a home location register (HLR).

User authentication in CDMA IS95 and CDMA 20001 x networks is done jointly by MSC / VLR and HLR / Authentication Center (AuC). In addition, the shared secret data (SSD) is stored in the terminal and the HLR / AuC as one of the authentication input parameters, and the same password (A-key) is stored in the terminal and the HLR / AuC, which is exclusively used to update the SSD. When authentication is required, the authentication result is calculated by the cellular authentication and voice encryption (CAVE) algorithm with parameters such as SSD, random number, electronic serial number (ESN), and mobile subscriber identification number (MIN), and is calculated by MSC / VLR or HLR / AuC compares whether the authentication results are consistent. If they are not the same, the system will 'initiate an SSD update. After the SSD update is successful, that is, the SSDs on the terminal side and the network side remain consistent. The next time the user accesses, the user terminal uses the authentication results calculated by the SSD. It should be the same as the authentication result calculated in HLR / AuC. In order for authentication to succeed.

CDMA2000 HRPD (CDMA2000 lxEV-DO), referred to as HRPD, is an upgrade of CDMA2000 lx technology and provides high-speed packet data services. The single user downlink rate is up to 2.4 Mbps.

As shown in FIG. 2, the networking structure of HRPD network phase 1 includes an access terminal (AT), an access network (AN), AN AAA> PCF, and PDSN> AAA. The HRPD network mainly uses AN AAA for user authentication. After the authentication is successful, ANAAA returns the terminal's International Mobile Subscriber Identity (IMSI) signal to the AT for subsequent processes such as handover and billing. In the HRPD authentication process, the BSC / PCF and AN AAA interface-A12 interface is used. This interface uses remote access dial-up user service protocol (RADIUS). The authentication mechanism mainly includes password authentication protocol (PAP) and query-handshake authentication. Protocol (CHAP). Because the confidentiality of the CHAP protocol is relatively better, authentication using the CHAP protocol is more extensive.

CHAP uses a private key-based message digest (MD-Message Digest) identity authentication algorithm. As shown in Figure 3, taking CHAP as an example, the authentication process of RADIUS protocol is as follows:

Step 301: The user terminal and the network side negotiate through PPP / LCP to confirm that the CHAP protocol is used for authentication;

Step 302: The AN initiates authentication by sending an authentication query (Challenge) message to the user terminal, and the message includes a random number generated by the AN;

Step 303: The user terminal calculates the digest from the random number using the encryption algorithm specified by the CHAP protocol, and then sends the user name and the digest to the AN through a Response message. Step 304: The AN uses the RADIUS protocol access request (Access on the A12 interface). Request) message carrying username, random number and digest to AN AAA;

Step 305: AN AAA uses the same algorithm to calculate the digest from the random number, and compares whether the digest is consistent with the one sent by the terminal. If they are consistent, the authentication is successful and AN AAA sends Access Accept message to AN, otherwise, authentication fails;

Step 306: The AN sends a Success message to the user terminal to notify the user terminal that the authentication is successful.

It can be seen from the above process that, in the prior art, when an HRPD network user is authenticated, AN AAA needs to be used, and the authentication process is a one-way method of network to user.

Currently, with the development of market economy and science and technology, more and more operators need to operate multiple networks at the same time. For example, operators with IS95 / CDMA2000 lx networks also want to continue to expand their services to CDMA2000 lxDO networks, and in CDMA2000 lxDO networks, special AN AAAs must be established for authentication. This authentication method requires users of multi-mode terminals to open accounts in two places, HLR and AN AAA. The authentication methods are not unified, maintenance is not convenient, and it is not conducive to unified operation. In addition, a national special AN AAA needs to be established HRPD user authentication is performed on the network, and the network construction cost is high. Since the authentication method is a single authentication of the user to the network, the authentication is not secure.

In addition, wireless local area networks (WLANs), as a high-speed wireless data access technology, have received increasing attention. The WLAN network is mainly used for transmitting Internet Protocol (IP) packet data packets, that is, wireless access of a user terminal is completed through an access point (AP), and then IP packet transmission is completed through a network controller and a connecting device. WLAN networks include many different technologies. One of the more widely used technical standards is IEEE 802.11b, which uses the 2.4GHz frequency band and has a maximum data transmission rate of 11Mbps. IEEE 802.11g and Bluetooth technology are also used in this frequency band. Among them, the highest data transmission rate of 802.11g can reach 54Mbps. Other new technologies, such as IEEE 802.11a and ETSI BRAN Hiperlan2, use the 5GHz frequency band, and the maximum transmission rate can reach 54Mbps.

With the rise and development of WLAN technology, WLAN and various wireless mobile communication networks, such as: GSM, Code Division Multiple Access (CDMA) system, Wideband Code Division Multiple Access (WCDMA) system, Time Division Duplex-Synchronous Code Division Multiple Access (TD-SCDMA) system, CDMA2000 system Interoperability is becoming the focus of current research. In the 3rd Generation Partnership Project 2 (3GPP2) standardization organization, the work of WLAN users accessing the 3GPP2 network is currently underway. Summary of the invention

In view of this, an object of the present invention is to provide a method for implementing high-rate packet data service authentication, which is simple and convenient to maintain.

A. The authentication entity uses a user identification module-based authentication mechanism to authenticate a user terminal that has established a physical connection with the access network, and uses the user information stored in the user terminal's own user identification module as the user identity;

B. The authentication entity generates, based on the user identity, a second random number containing authentication for the user terminal and a second authentication number corresponding to the second random number calculated according to the shared secret data SSD stored on the network side;

C. The user terminal calculates according to the second random number and the SSD saved by the user terminal to obtain a first authentication number, and the authentication entity compares the first authentication number with the second authentication number. If they are the same, the authentication entity The user terminal is successfully authenticated; otherwise, the authentication fails.

The authentication entity is a preset authentication server or an authentication center in a wireless mobile communication system.

When the authentication entity is an authentication center in a wireless mobile communication system, the second random number is obtained from an authentication center in the wireless mobile communication system, and the SSD is stored in a home location register HLR / AuC on the network side.

When the authentication entity is a preset authentication server, the second random number is obtained from the authentication server, and the SSD is stored in the HLR / AuC on the network side, or the authentication server.

After the authentication fails in step C, the method further includes:

The authentication entity notifies the HLR on the network side of the authentication result, and the HLR judges whether the current authentication This is the first authentication. If it is the first authentication, update the SSD, and then perform step C. Otherwise, the authentication fails.

After the authentication fails in step C, the method further includes:

Update the SSD before performing the steps. .

The process of updating the SSD includes:

Dl and HLR generate SSD update random numbers, and calculate the authentication number corresponding to SSD update random numbers;

D2. The user terminal updates the random number according to the SSD, uses the system's original SSD generation algorithm to recalculate its own SSD, and then calculates the authentication number corresponding to the SSD update random number based on the recalculated SSD.

D3. Compare whether the authentication number calculated by the user terminal is consistent with the authentication number calculated in the HLR. If they are the same, update the SSD on the user terminal side; otherwise, the SSD update fails.

Step D1 further includes:

Dll and HLR send the SSD update random number (RADNSSD) and its corresponding authentication number to the authentication entity;

D12. The authentication entity sends an Access-Challenge message to the access network, which carries an EAP-Request / UIM / Update message of RADNSSD;

D13. The access network sends the EAP-Request / UIM / Update text to the user terminal. Step D2 includes:

D21. After receiving the EAP-Request / UIM / Update message sent by the access network, the user terminal uses the RANDSSD to calculate a new SSD, and randomly generates a random number RANDBS, and then calculates the authentication number AUTHBS corresponding to RANDBS according to the new SSD Sending the RANDBS to the access network via an EAP-Response / UIM / Challenge message;

D22. The access network sends the EAP-Response / UIM / Challenge message to the authentication entity. The authentication entity obtains the base station to query the random number RANDBS and its corresponding query by interacting with the HLR. Query the authentication number AUTHBS, which is calculated according to the RANDBS and the SSD saved by itself;

D23. The authenticating entity sends an Access-Challenge message to the access network, which contains the EEAAPP-RReeqquueesstt // UUIIMM // CChhaalllleennggee message carrying the authentication number AAUUTTHHBBSS; the access network receives the received After the message is sent, it will be sent to the user terminal. .

Step-by-step DD33 package includes:

DD3311, After receiving the EEAAPP--RReeqquueesstt // UUIIMM // CChhaalllleennggee message by terminating with the user's terminal, compare and calculate the AAUUTTHHBBSS among them and calculate with yourself Is the AAUUTTHHBBSS consistent? If it is consistent, update the SSDSSDD on the side of the end-user terminal of the new user, and verify the entity with the pair-end authentication of the user-end terminal. Pass the authentication certificate and send it to EEAAPP--RReessppoonnssee // UUIIMM // ssuucccceessss in parallel and send it to the access network;

DD3322, After the access network has received the text, it will send EEAAPP--RReessppoonnssee UUIIMM // ssuucccceessss to the authentication verification entity, which carries a carrying band The related RRAADDIIUUSS is attributed, and the authentication confirms that the entity updates the SSDSDD of the new user after receiving the message. .

The SSSSDD described in step DD22 is updated according to the SSSSDD described according to the SSSSDD, the number of new random machines, the serial number of the electronic and electronic substrings, and the mobile users. Calculate the identification code and password. .

The described steps AA include:

AAll ,, and access network to send a certificate of authentication to the user terminal;

ΑΑ22, "" After the user terminal receives the authentication certificate, please request it, and then read the user's user ID to identify the user's user who saved it in the identification module. The user ’s personal information, and the user ’s personal information will be used as his own personal identity, and then the user ’s personal identity will be described The copy of the identification mark is sent to the authentication entity by sending it through the access network. .

The network access mentioned above communicates with the end-user terminal of the user through the ΕΑΑΡΡ agreement or the CCHHAAPP agreement. . When the request for authentication certificate is sent through the EEAAPP protocol agreement, in step AA11, the access network sends the request to the user terminal to send the authentication certificate to the user terminal. Qiutong has realized the message through EEAAPP--RReeqquueesstt // IIddeennttiittyy;

Step by step AA22 includes:

AA2211, * Identification to the access network;

A22. After receiving the message, the access network sends it to U-AAA through an Access-Request message, and initiates an authentication request to U-AAA.

Step B further includes:

U-AAA sends the second random number obtained by authenticating the user terminal to the user terminal through the access network.

The step of sending to the user terminal through the access network in step B includes:

B1. The authentication entity encapsulates the second random number in an EAP-Request / UIM / Challenge message, and then sends it to the access network through an Access-Challenge message.

B2. After receiving the Access-Challenge message sent by the authentication entity, the access network strips the EAP-Request / UIM / Challenge from the Access-Challenge text, and sends the packet to the user terminal.

Step C further includes:

After the user terminal calculates the first authentication number, the user terminal sends the first authentication number to the authentication entity through the access network.

The step of the user terminal sending the first authentication number to the authentication entity through the access network in step C includes:

C 1. The user terminal sends the first authentication number to the access network through an EAP-Response / UIM / Challenge message;

C2. The access network encapsulates the received EAP-Response / UIM / Challeng message in an Access-Request message, and sends the encapsulated Access-Request message to the authentication entity.

While performing step C, the method further includes:

The authentication entity notifies the user terminal of the authentication success / failure through the access network.

The authentication entity communicates with the home location register through the ANSI-41D protocol. Letter.

The access network is a wireless local area network.

As can be seen from the above method, the present invention has the following advantages and characteristics:

1. The present invention uses the existing CDMAIS-41 core network to support national roaming, and does not need to set up a national dedicated network of AN AAA, which saves investment costs.

2. Unified authentication in multi-mode networks. Users do not need to manually enter user names and passwords, which is convenient to use, and other network services and HRPD services can be unified account opening, unified identification, and unified authentication in HLR through IMSI, which is easy for operators to operate. . At the same time, HRPD users can continue to use the previous UIM cards of IS95 / CDMA2000 lx users, which will help IS95 / CDMA2000 lx users to migrate to HRPD users.

3. Using the EAP-UIM protocol, the user terminal can also perform authentication on the network side to implement mutual authentication between the network and the terminal, that is, network-to-terminal authentication, and terminal-to-network authentication, with high security. Brief description of the drawings

Figure 1 shows the networking diagram of the IS95 / CDMA2000 lx system;

Figure 2 is a schematic diagram of HRPD network networking;

FIG. 3 is a schematic flowchart of HRPD authentication in the prior art;

4 is a schematic diagram of a network structure for implementing the present invention;

FIG. 5 is a schematic flowchart of implementing the first boot-up for authentication according to the first embodiment of the present invention; FIG. 6 is a schematic flowchart of the specific embodiment for implementing the second-booting for authentication according to the first embodiment of the present invention.

FIG. 7 is a schematic flowchart of implementing authentication for the first time in the second embodiment of the present invention; and FIG. 8 is an example flowchart of communication between a user terminal and an access network in the present invention through a CHAP protocol. Mode of Carrying Out the Invention

The core content of the present invention is as follows: The authentication entity uses a user identification module-based authentication mechanism to authenticate a user terminal that has been physically connected to the access network, and uses the user information stored in the user terminal's own user identification module to identify the user. Identification; the authentication entity generates, based on the user identity, a second random number containing authentication for the user terminal and a second authentication number corresponding to the second random number calculated based on the shared secret data stored on the network side; the user The terminal calculates according to the second random number and the shared secret data SSD saved by itself, and obtains the first authentication number. The authentication entity compares the first authentication number with the second authentication number. If the authentication number is the same, the authentication entity checks the user. The terminal authentication is successful; otherwise, the authentication fails.

Here, the network accessed by the user terminal may be a WLAN network. The authentication entity can be a preset authentication server or the original authentication center. The authentication server and HLR can communicate through the ANSI-41D protocol. The second random number can be generated by any entity on the network side, such as HLR / AuC, AAA, and so on. And the SSD is stored in the HLR / AuC on the network side, or it can be stored in the authentication server. When the second random number is generated by the HLR / AuC, the second authentication number can be directly obtained from the HLR / AuC. When the second random number is generated by AAA, the second authentication number can be obtained from the home location register / AuC according to the user identity and the first random number. The AT and AN can communicate through the CHAP protocol, or the EAP protocol, or the original CDMA2000 air interface message for communication.

The technical solution of the present invention will be described in detail below with reference to the drawings and specific embodiments.

As shown in FIG. 4, the networking structure for implementing the method of the present invention includes AT, AN, a user identification module-based authentication, authorization, and accounting server (U-AAA), PCF, PDSN, AAA, and HLR. Here, AN provides a data connection between the terminal and the packet-switched data network, which is equivalent to BTS and BSC in CDMA2000 lx, and of course also equivalent to WLAN; and U-AAA is preset and is a server dedicated to authentication and accounting. . The network elements used here, such as: BTS, PCF, PDSN, and HLR, do not need to be changed; user terminals must be HRPD terminals or hybrid terminals that support HRPD, such as: HRPD / GSM, HRPD / CDMA2000 lx, HRPD / Wireless Local Area Network (WLAN), etc. And the terminal hardware must support reading UIM cards or provide external card readers, support EAP-UIM protocol, support authentication through GSM HLR or CDMA HLR; AN requires that the air interface and A12 interface support the EAP-UIM authentication protocol, where the air interface It is EAP-UIM over PPP, and the A12 interface is EAP-UIM over RADIUS ₀ AAA can be canceled, and the accounting function is realized by the preset U-AAA. The U-AAA network element replaces the AN AAA, and it is mainly required to support the IS41 protocol of CDMA and be able to support the EAP-UIM over RADIUS authentication protocol. In addition, the HLR and AuC are generally physically located in the same entity, and the unified tube is hereinafter referred to as the HLR.

It should be noted that the certification process during the first startup includes three parts: first certification, SSD update, and second certification. The authentication performed by the AT for the first time startup is the first authentication, and when the AT is powered on for the first time, the first authentication of the AT always fails because the SSDs stored on the system side and the AT side are inconsistent. Therefore, after the first authentication fails, an SSD update is performed, that is, the RANDSSD is issued through the EAP-REQUEST / UIM / Update message, and the new SSD is calculated through the same SSD generation algorithm through the RANDSSD, ESN, and A-key in the AT and HLR. SSD. Since the above information on the AT and HLR sides is the same and the algorithm is the same, the output SSD is also the same. After the SSD is updated, secondary authentication is performed. At this time, since it is ensured that the SSDs on the AT and HLR sides are the same, under normal circumstances, the secondary authentication will succeed. For the user who restarts the system, the SSDs on the system side and the AT side are the same. In the future, there is no need to go through SSD update and secondary authentication. One authentication will succeed.

Referring to Figure 8 below, the communication between the user terminal and the access network is described using the CHAP protocol as an example. The specific process is as follows:

Step 801: An HRPD session is established between the AT and the AN, and the AT is ready to exchange data on the access stream. Step 802: The AT and AN initiate PPP and LCP negotiation for access authentication.

Step 803: The AN initiates a Random Challenge and sends it to the AT through a CHAP Challenge message.

Step 804: The AT performs CAVE-based authentication and sends a CHAP Response. Step 805: The AN sends an A12-Access Request message to U-AAA.

Step 806: The U-AAA constructs a message according to the content of the A12-Access Request message.

AUTHREQ message and send it to HLR / AuC.

Step 807: The HLR / AuC executes a CAVE-based authentication process. If the authentication passes,

The HLR / AuC will send an authentication response return result (authreq) message to the U-AAA, and it contains

SSD parameters.

Step 808: The U-AAA stores the SSD allocated by the HLR / AuC.

Step 809: The U-AAA sends an A12-Access Accept message to the AN.

Step 810: The AN returns a CHAP authentication success message (CHAP Authentication) to the AT.

Success).

Step 811: The AT and AN then perform subsequent processing.

The technical solution of the present invention will be described in detail below with reference to the accompanying drawings and specific embodiments.

As shown in FIG. 5, when the user terminal is in a non-first power-on state, the specific process of implementing authentication is as follows:

Step 501: A physical connection is established between the WLAN MS and the WLAN.

Step 502: The WLAN MS initiates an authentication request to the WLAN, that is, the WLAN MS sends an EAPoL-Start message to the network.

Step 503: The WLAN sends a request for a username (EAP-Request / Identity) message to the WLAN MS, starts authentication, and requests the WLAN MS to send the user identity. Step 504: After receiving the EAP-Request / Identity message, the WLAN MS reads out the information stored in the UIM card through the corresponding interface as its own user identity, and responds to the user name (EAP-Response / Identity). The text is sent to the WLAN.

Step 505: After receiving the EAP-Response / Identity message, the WLAN initiates an authentication request to the U-AAA through an Access-Request message in the Radius protocol, and the EAP-Response / Identity message.

Step 506: After receiving the Access-Request message sent by the WLAN, the U-AAA takes out the user identity carried in the U-AAA, and then judges the type of the user identity according to its related configuration information. If it is a UIM type, it is accessing A query (Access-Challenge) message is encapsulated in an EAP-UIM authentication start (EAP-Request / UIM / Start) message, and then sent to the WLAN; otherwise, it is not processed.

Step 507: After receiving the Access-Challenge message, the WLAN strips the EAP-Request / UIM / Start message, and then sends the stripped message to the WLAN MS.

Step 508: After the WLAN MS receives the EAP-Request / UIM / Start message sent by the WLAN, the WLAN MS includes a random number Nonce_MT generated by itself, and includes it in the attribute AT_NONCE_MT, and then sends to the WLAN The random number of the EAP-Response / UIM / Start message indicates that the EAP-UIM authentication protocol is agreed to be used.

Step 509: After receiving the EAP-Response / UIM / Start message from the WLAN MS, the WLAN encapsulates the EAP-Response / UIM / Start message in an Access-Request message, and then sends the Access-Request message to U-AAA. .

Step 510: After receiving the Access-Request message sent by the LAN, the U-AAA determines to adopt a unique query method, that is, the U-AAA generates a random number (RANDU) -the second random number for authenticating the WLAN MS, and according to itself, The saved SSD calculates the second authentication number (AUTHU2) corresponding to the random number, thereby forming an authentication set.

Step 511: U-AAA encapsulates RANDU in EAP-Request / UIM / Challenge In the message, the RANDU and MAC are then sent to the LAN through the Access-Challenge message; here, the MAC is generated by U-AAA according to the received random number Nonce_MT and the EAP-Request message to be issued.

Step 512: After the WLAN receives the Access-Challenge message sent by the U-AAA, it strips the EAP-Request UIM / Challenge from the Access-Challenge message, and sends the stripped message to the WLAN MS.

Step 513: When the WLAN MS receives the EAP-Request / UIM / Challenge message, it first verifies that the MAC in the received EAP message is correct. If it is wrong, the WLAN MS sends an error message to the network and terminates the process. Otherwise, the RANDU and WLAN MS are taken out, and the first authentication number (AUTHU1) is calculated according to the RANDU and the ESN, SSD, and MIN obtained from the UIM.

Step 514: The WLAN MS AUTHU1 ESN, MIN, and the recalculated MAC are sent to the WLAN through an EAP-Response / UIM / Challenge message.

Step 515: The WLAN encapsulates the received EAP-Response UIM / Challeng message in an access request (Access-Request) message of the Radius protocol, and sends the encapsulated Access-Request message to U-AAA.

Step 516: After receiving the Access-Request packet sent by the WLAN, U-AAA parses AUTHU1 and judges whether AUTHU1 is consistent with AUTHU2 calculated by itself. If they are consistent, U-AAA passes the WLAN MS authentication. Otherwise, the authentication process fails.

Step 517: U-AAA sends an Access-Accept message containing the EAP-Success message to the WLAN network side (authentication is successful); or U-AAA sends an Access-Reject 4 message containing the EAP-Failure 4 message to the WLAN ( Authentication failed).

Step 518: After the WLAN receives the Access-Accept message sent by the U-AAA, it strips out the EAP-Success message and sends the EAP-Success message to the WLAN. The MS notifies the WLAN MS that the authentication is successful. If the Access-Reject message is received, the EAP-Failure message is stripped out, and each WLAN MS is sent to notify the WLAN MS of the authentication failure.

As shown in Figure 6, when the AT is in the first power-on state, the specific process of performing authentication is as follows:

Steps 601 to 615 are the same as steps 501-515 in FIG. 5.

Steps 616 to 617: The U-AAA device compares AUTHU1 with AUTHU1 stored in the local machine. If they are the same, it means that the client is authenticated and sends an EAP-Success message to the WLAN MS via WLAN. Otherwise, it responds to the HLR with authentication failure. After receiving the response from the HLR, the HLR randomly generates two random numbers, RANDSSD and RANDU, and calculates the corresponding AUTHU according to the RANDU, and then sends the ANDSSD RANDU / AUTHU to U-AAA to start the process of updating the SSD.

Step 618: U-AAA sends an Access-Challenge message to the WLAN, which contains an EAP-Request / UIM / Update message carrying a RADNSSD random number.

Step 619: The WLAN sends an EAP-Request UIM / Update message to the WLAN. Step 620: After receiving the EAP-Request / UIM / Update message sent by the WLAN, the WLAN MS parses out the RANDSSD and calculates its new value. An SSD, and randomly generates a random number RANDBS, calculates a corresponding authentication number AUTHBS according to the new SSD, and then sends the RANDBS to the WLAN through an EAP-Response / UIM / Challenge message, and starts to authenticate U-AAA.

Step 621: The WLAN sends the EAP-Response / UIM / Challenge to the authentication server U-AAA in the EAP Over RADIUS message format.

Step 622: After receiving the EAP-Response / UIM / Challenge, the U-AAA passes and The HLR interacts to obtain the base station query random number (RANDBS) and its corresponding query authentication result (AUTHBS). Here, the HLR randomly generates RANDBS, and calculates AUTHBS according to the random number and the SSD saved by itself.

Step 623: The U-AAA sends an Access-Challenge message to the WLAN, which contains an EAP-Request UIM / Challenge message carrying the AUTHBS authentication number.

Step 624: After receiving the EAP-Request / UIM / Challenge message, the WLAN sends the message to the WLAN MS.

Step 625: After receiving the EAP-Request / UTM / Challenge message sent by the WLAN, the WLAN MS parses out the AUTHBS in the EAP-Request / UTM / Challenge message, and then compares whether the parsed AUTHBS is consistent with the AUTHBS calculated by the WLAN MS. The AAA authentication is passed, and then an EAP-Response / UIM / success message is sent to the WLAN.

Step 626: After receiving the message, the WLAN sends the EAP-Response UIM / success to the authentication server U-AAA in the format of an Access-Request message with the relevant RADIUS attributes, indicating that the SSD update process is over.

Step 627: After receiving the Access-Request message sent by the WLAN, U-AAA determines the unique query method based on the RANDU and AUTHU received from the HLR in step 616; Steps 628-Step 635 are the same as 511 in FIG. 5 ~ Step 518.

In step 632, the U-AAA simultaneously notifies the HLR / AuC to update the SSD stored in the AuC, and the AuC updates the local SSD according to the received notification message.

The technical solution of the present invention will be described in detail below with reference to the drawings and specific embodiment 2.

As shown in FIG. 7, in this embodiment, a global authentication method is used, and the process of authenticating a WLAN MS is as follows:

Step 701: A physical connection is established between the WLAN MS and the WLAN.

Step 702: the WLAN MS requests authentication from the network, that is, the WLAN MS requests the network Send an EAPoL-Start message.

Step 703: The WLAN sends a request username (EAP-Request / Identity) message to the WLAN MS to start authentication, and requests the WLAN MS to send the user identity.

Step 704: After receiving the EAP-Request / Identity message, the WLAN MS reads out the information stored in the UIM card through the corresponding interface as its own user identity, and responds to the user name (EAP-Response / Identity). 4 The text is sent to the WLAN.

Step 705: After receiving the EAP-Response Identity message, the WLAN initiates an authentication request to the U-AAA through an Access-Request message in the Radius protocol, and the message encapsulates an EAP-Response / Identity message.

Step 706: After receiving the Access-Request message sent by the WLAN, the U-AAA extracts the user ID carried in the Access-Request packet, and then judges the type of the user ID according to its related configuration information. If it is a UIM type, it queries the access. The (Access-Challenge) message encapsulates a request for EAP-UIM authentication start (EAP-Request UIM / Start) message, and then sends it to the WLAN, otherwise, it is not processed.

Step 707: After receiving the Access-Challenge message, the WLAN strips out the EAP-Request / UIM / Start message, and then sends the stripped message to the WLAN MS. Step 708: The WLAN MS receives the After the EAP-Request / UIM / Start message, it sends an EAP-Response / UIM / Start message to the WLAN, indicating that it agrees to use the EAP-UIM authentication protocol.

Step 709: After receiving the EAP-Response UIM / Start message from the WLAN MS, the WLAN encapsulates the EAP-Response / UIM / Start message in an Access-Request message, and then sends the Access-Request message to U-AAA.

Step 710: After receiving the Access-Request message sent by the WLAN, the U-AAA determines that the global authentication method is adopted, that is, the U-AAA generates an authentication method for the WLAN MS. Random number (RAND) —a second random number, and a second authentication number (AUTHR2) corresponding to the random number is calculated according to the SSD saved by the self to form an authentication set, and U-AAA uses a certain algorithm to calculate Corresponding message authentication code (MAC).

Step 711: U-AAA encapsulates the RAND and MAC in the EAP-Request / UIM / Challenge message, and then sends it to the WLAN through the Access-Challenge message.

Step 712: After the WLAN receives the Access-Challenge message sent by the U-AAA, it strips out the EAP-Request / UIM / Challenge from the Access-Challenge message, and sends the stripped message to the WLAN MS.

Step 713: After the WLAN MS receives the EAP-Request / UIM / Challenge message, it takes out the RAND in it, and the WLAN MS calculates the first authentication number (AUTHR1) according to the RAND and the password read from the UIM card.

Step 714: 1 ^^] \ 48 sends 81111¾1, £ 8> 1,] ^ 1 ^] \ ^^, and RANDC to the WLAN through the EAP-Response UIM / Challenge message. Here, the RA DC is derived by the WLAN MS according to the received RAND.

Step 715: The WLAN encapsulates the received EAP-Response / UIM / Challeng message in an Radius protocol Access-Request message, and sends the encapsulated Access-Request message to U-AAA. .

Step 716: After receiving the Access-Request message sent by the WLAN, the U-AAA determines the corresponding RAND according to the RANDC in the U-AAA; then the U-AAA judges whether the user's SSD has been obtained, and if so, parses out the AUTHR1 among them. Whether AUTHR1 is consistent with the AUTHR2 of the user terminal stored by itself. If they are the same, the U-AAA authentication of the WLAN MS is passed; otherwise, the authentication process fails.

Step 717: U-AAA sends an Authentication Success (Access-Accept) message to the WLAN containing the EAP-Success and MAC values; or U-AAA sends EAP-Failure message and MAC-value authentication failure (Access-Reject) message.

Step 718: After the WLAN receives the Access-Accept message sent by the U-AAA, it strips out the EAP-Success message and sends the EAP-Success message to the WLAN MS to notify the WLAN MS that the authentication is successful. After the Access-Reject message, the EAP-Failure message is stripped out, and each WLAN MS is sent to notify the WLAN MS of the authentication failure. When the WLAN MS first checks the MAC, it only confirms that the EAP-request message is correct when the received MAC value matches the locally calculated MAC.

It can be seen from the above embodiments that when a user needs to access the WLAN-3GPP2 interworking network, or when the network needs to re-authenticate a WLAN user who has been authenticated, this process is started.

The first embodiment is a unique query process, and the second embodiment is a global authentication process. The two processes are basically the same, except that when the U-AAA authenticates the WLAN MS, the types of random numbers generated are different, and WLAN MS and U-AAA are different. The parameters carried in the authentication message vary from time to time.

The main differences between the first embodiment and the second embodiment:

(1) The types of random numbers generated are different. For unique query methods, U-AAA generates RANDU and AUTHU; for global authentication methods, U-AAA generates RAND and AUTHR.

(2) For the unique query method, when U-AAA sends the generated RANDU to the WLAN MS, the WLAN MS uses the CAVE algorithm and uses RANDU, A-key, MIN, and ESN as input parameters to generate AUTHU; for global authentication, when When U-AAA sends the generated RAND to the WLAN MS, the WLAN MS generates the AUTHR by using the CAVE algorithm with RAND, A-key, MIN, and ESN as input parameters.

(3) For a unique query, the LAN MS sends the parameter to U-AAA after calculating AUTHU; for global authentication, the WLAN MS sends U-AAA to U-AAA after calculating AUTHR Send this parameter and send RANDC parameter to U-AAA at the same time, this parameter is derived according to RAND.

The same points as in the first embodiment and the second embodiment:

(1) After calculating the AUTHU or AUTHR, the WLAN MS sends a response message to the U-AAA. The response message includes the electronic serial number (ESN) and mobile subscriber identification number (MIN) of the WLAN MS.

(2) After receiving the UIM authentication start message (EAP-request / UIM / Start) sent by U-AAA, the WLAN MS internally generates a random number

AT—NONCE—MT, and sends the random number to U-AAA through the message EAP-response / UIM / Start as the terminal-to-network authentication parameter.

(3) After U-AAA receives the AT_NONCE_MT sent by the WLAN MS, it calculates the response MAC through an algorithm, and sends the MAC to the WLAN MS through a subsequent EAP-request message. The WLAN MS first checks the MAC. Only when the received MAC parameters match the locally calculated MACs, it is confirmed that the EAP-request message is correct.

In short, the above descriptions are merely preferred embodiments of the present invention, and are not intended to limit the protection scope of the present invention.

Claims

Claim

1. A method for implementing high-rate packet data service authentication, characterized in that the method includes the following steps:

B. The authentication entity obtains, according to the user identity, a second random number that authenticates the user terminal and a second authentication number corresponding to the second random number, where the second authentication number is stored according to the network Calculated by the shared secret data SSD of the user terminal;

C. The user terminal calculates the first authentication number according to the second random number and the SSD saved by the user terminal, and the authentication entity compares the first authentication number with the second authentication number. If the authentication number is the same, the authentication entity performs authentication on the user. The terminal authentication succeeded, otherwise, the authentication failed.

2. The method according to claim 1, wherein the authentication entity is a preset authentication server or an authentication center in a wireless mobile communication system.

3. The method according to claim 2, characterized in that when the authentication entity is an authentication center in a wireless mobile communication system, the authentication center in the second random number wireless mobile communication system is generated, and the The SSD is stored in the home location register HLR / authentication center AuC on the network side.

4. The method according to claim 2, wherein, when the authentication entity is a preset authentication server, the second random number is generated in the authentication server, and the SSD is stored in a network-side HLR / AuC, or the authentication server.

5. The method according to claim 1, further comprising: after the authentication in step C fails, further comprising:

The authentication entity notifies the HLR on the network side of the authentication result, and the HLR determines whether the authentication This is the first authentication. If it is the first authentication, update the SSD, and then perform step C. Otherwise, the authentication fails.

6. The method according to claim 1, further comprising: after the authentication fails in step 0, further comprising:

Update the SSD before performing step (3.

7. The method according to claim 5 or 6, wherein the process of updating the SSD comprises:

8. The method according to claim 7, wherein step D1 further comprises: D11, the HLR sends an SSD update random number (RADNSSD) and its corresponding authentication number to the authentication entity;

D12. The authenticating entity sends an Access-Challenge message to the access network, which carries an EAP-Request UIM / Update message of RADNSSD;

D13. The access network sends an EAP-Request / UIM / Update message to the user terminal.

9. The method according to claim 8, wherein step D2 comprises: D21. After receiving the EAP-Request / UIM Update message sent by the access network, the user terminal uses the RANDSSD to calculate a new SSD, and randomly selects the new SSD. Generate a random number RANDBS, and then calculate the authentication number AUTHBS corresponding to the RANDBS according to the new SSD, and then send the RANDBS to the access network through EAP-Response / UIM / Challenge ^; D22. The access network sends the EAP-Response / UIM / Challenge message to the authentication entity. The authentication entity obtains the base station query random number RANDBS and its corresponding query authentication number AUTHBS by interacting with the HLR. The AUTHBS is stored according to RANDBS and itself. Calculated by the SSD;

D23. The authentication entity sends an Access-Challenge message to the access network, which carries an EAP-Request UIM / Challenge message with an authentication number of AUTHBS. After the access network receives the message, it sends it to the user terminal.

10. The method according to claim 8, wherein step D3 comprises: D31. After receiving the EAP-Request / UIM / Challenge message, the user terminal compares whether the AUTHBS therein is consistent with the AUTHBS calculated by itself. Consistently, update the SSD on the user terminal side, the user terminal authenticates the authentication entity, and sends the EAP-Response / UIM / success message to the access network;

D32. After receiving the message, the access network sends EAP-Response / UIM / success to the authentication entity, which carries the relevant RADIUS attributes. After receiving the message, the authentication entity updates the user's SSD.

11. The method according to claim 7, wherein the SSD in step D2 is calculated according to the SSD update random number, electronic serial number, mobile user identification, and password.

12. The method according to claim 1, wherein the step A comprises: Al. The access network sends an authentication request to the user terminal;

A2. After receiving the authentication request, the user terminal reads the user information stored in the user identification module, and uses the user information as its own user identity, and then sends the user identity to the authentication entity through the access network.

13. The method according to claim 11, wherein the access network communicates with a user terminal through an EAP protocol or a CHAP protocol.

14. The method according to claim 12, wherein when the authentication request is sent through the EAP protocol, the access network sends the authentication request to the user terminal in step A1 through an EAP-Request / Identity message;

Step A2 includes:

A21: The user terminal sends the user identity to the access network through an EAP-Response / Identity message;

15. The method according to claim 1, wherein step B further comprises: U-AAA sending the second random number obtained by authenticating the user terminal to the user terminal through the access network.

16. The method according to claim 15, wherein the step of sending to the user terminal through the access network in step B comprises:

B2. After receiving the Access-Challenge message sent by the authentication entity, the access network strips the EAP-Request / UIM / Challenge from the Access-Challenge message, and sends the stripped message to the user terminal.

17. The method according to claim 1, wherein step C further comprises: after the user terminal calculates the first authentication number, the user terminal sends the first authentication number to the authentication entity through the access network.

18. The method according to claim 17, wherein the step of the user terminal sending the first authentication number to the authentication entity through the access network in step C comprises:

C 1. The user terminal sends the first authentication number to the access network through an EAP-Response / UIM / Challenge message; C2. The access network encapsulates the received EAP-Response / UIM / Challeng message in the Access-Request message and sends the encapsulated Access-Request message to the authentication entity.

19. The method according to claim 1, wherein, when step C is performed, further comprising:

20. The method according to claim 5, wherein the authentication entity communicates with a home location register through an ANSI-41D protocol.

21. The method according to claim 1, wherein the access network is a wireless office or a network.