一种实现用户认证的方法 技术领域 Method for implementing user authentication
本发明涉及用户与网络间的认证技术, 特别是指至少包括 The present invention relates to authentication technology between a user and a network, and in particular, it includes at least
IS95/CDMA2000 lx网络的多模网络中, 利用 IS95/CDMA2000 lx网络 对多模网络中的非 IS95/CDMA2000 lx网絡进行用户认证的方法。 发明背景 In a multimode network of an IS95 / CDMA2000 lx network, a method for performing user authentication on a non-IS95 / CDMA2000 lx network in a multimode network using the IS95 / CDMA2000 lx network. Background of the invention
RFC2284文档中定义了一种点对点 (PPP )协议的扩展认证协议, 即扩展认证(EAP )协议。 该协议可以在 EAP协议基础上进行扩充, 承 载其他的认证机制, 并且提供端到端的认证方式, 中间设备不需要采用 具体的认证机制。 详细的说, 就是在认证客户端和认证服务器之间进行 认证时,可以采取双方承载在 EAP协议之上的认证机制, 不需要中间设 备来支持。 根据不同的承载类型, EAP认证协议定义不同。 比如, EAP 认证协议承载在 PPP协议上, 称为 EAPoPPP; EAP认证协议承载在远 端接入拨号用户服务(RADIUS )协议上, 称为 EAPoRadius; EAP认证 协议用在 802. lx协议上, 称为 EAPoL。 The RFC2284 document defines an extended authentication protocol for the point-to-point (PPP) protocol, namely the extended authentication (EAP) protocol. This protocol can be extended on the basis of the EAP protocol to support other authentication mechanisms and provide end-to-end authentication methods. The intermediate device does not need to adopt a specific authentication mechanism. In detail, when the authentication is performed between the authentication client and the authentication server, the authentication mechanism carried by both parties on the EAP protocol can be adopted, and no intermediate device is required to support it. The EAP authentication protocol is defined differently according to different bearer types. For example, the EAP authentication protocol is carried on the PPP protocol, called EAPoPPP; the EAP authentication protocol is carried on the Remote Access Dial-In User Service (RADIUS) protocol, called EAPoRadius; the EAP authentication protocol is used on the 802.1x protocol, called EAPoL.
如图 1 所示, EAP 认证协议报文包括报文代码 (Code )、 标识符 ( Identifier )、 长度(Length ) 、 数据 ( Data ) 、 类型(Type )四个域。 其中 Data域又包括类型 (Type )和数据类型 (TypeData )两部分, 传输 时各域从左到右依次传输。 As shown in FIG. 1, the EAP authentication protocol message includes four fields: a code, a code, an identifier, a length, a data, and a type. The Data field includes two types: Type and TypeData. Each field is transmitted from left to right during transmission.
Code域占一个字节, 用于标识 EAP报文的类型。 如表 1所示, 该 域有四种取值, 取 1表示请求( Request )域, 取 2表示回应( Response ) 域, 取 3表示成功 (Success )域, 取 4表示失败 ( Failure )域。
类型值 含义 The Code field occupies one byte and is used to identify the type of the EAP packet. As shown in Table 1, this domain has four types of values, where 1 represents the Request domain, 2 represents the Response domain, 3 represents the Success domain, and 4 represents the Failure domain. Type value meaning
1 Request 1 Request
2 Response 2 Response
3 Success 3 Success
Identifier域占一个字节 , 用来匹配 Request报文和 Response报文。 Length域占两个字节, 用于表示 EAP报文的长度, 其包括 Code、 Identifier、 Length和 Data四个域。 The Identifier field occupies one byte and is used to match the Request message and the Response message. The Length field occupies two bytes and is used to indicate the length of the EAP packet. It includes four fields: Code, Identifier, Length, and Data.
Data域占用零个或多个字节, 该域采用与 Code域类型值相关的格 式。 The Data field occupies zero or more bytes. This field uses a format related to the Code field type value.
Type域占一个字节,主要定义了各种认证机制。 Type域只在 Request 和 Response报文中出现。 在 RFC 2284中, Type可以为标识( Identity ), 通知( Notification )、 拒绝 (Nak:)、 MD5 ( MD5 -Challenge ), 一次 性密码( One-Time Password )、 智能卡( Generic Token Card )六种类型。 The Type field occupies one byte and mainly defines various authentication mechanisms. The Type field appears only in Request and Response messages. In RFC 2284, Type can be six types: Identity, Notification, Nak :, MD5 (MD5 -Challenge), One-Time Password, and Smart Card (Generic Token Card). .
参见表 2 所示, 类型值取为 1 表示 Identity; 类型值为 2 表示 Notification; 类型值为 3表示 Nak; 类型值为 4表示 MD5-Challenge; 类型值为 5表示 One-Time Password; 类型值为 6表示 Generic Token Card。 并且, 类型值 1、 2、 4、 5、 6适用于 Requset和 Respone 4艮文, 类型值 3只适用于 Response报文。 As shown in Table 2, the type value is 1 for Identity; the type value is 2 for Notification; the type value is 3 for Nak; the type value is 4 for MD5-Challenge; the type value is 5 for One-Time Password; the type value is 6 means Generic Token Card. In addition, the type values of 1, 2, 4, 5, and 6 are applicable to Requset and Respone, and the type value of 3 is only applicable to Response messages.
Identity用于查询用户的身份, 每一个 Identity类型的 Request请求 才艮文必须对应一个 Identity类型的 Response响应 艮文。 Identity is used to query the identity of the user. Each Request request of the Identity type must correspond to a Response response of the Identity type.
Notification用于由设备端向客户端发送一条可显示的消息。 客户端 应该将这条消息显示给用户, 如果无法显示, 则记入日志。 每一个
Notification类型的 Request请求艮文必须对应一个 Notification类型的 Response响应才艮文。 Notification is used by the device to send a displayable message to the client. The client should display this message to the user, and if it cannot display it, log it. Every A Notification request message must correspond to a Notification response message.
Nak仅适用于 Response响应报文。 当 Request请求报文中期望的认 证机制不被接受时, 应该发送 Nak类型的 Response响应报文。 Nak is only applicable to Response packets. When the expected authentication mechanism in the Request message is not accepted, a Nak-type Response message should be sent.
MD5-Challenge与 CHAP协议中的 MD5类似。 MD5-Challenge类型 的 Request请求报文中包含了 Challenge 消息。每一个 MD5 -Challenge类 型的 Request请求报文必须对应一个 MD5-Challenge类型或者 Nak类型 的 Response响应报文。 MD5-Challenge is similar to MD5 in CHAP protocol. The MD5-Challenge type Request request message includes a Challenge message. Each MD5-Challenge type Request request message must correspond to a MD5-Challenge type or Nak type Response response message.
One-Time Password 类型的 Request 请求 艮文包含一个 OTP Challenge每一个 One-Time Password类型的 Request请求^ =艮文必须对应 一个 One-Time Password类型或者 ak类型的 Response响应报文。 One-Time Password type Request request contains one OTP Challenge request request. One = One-Time Password type response message must correspond to one One-Time Password type or ak type.
Generic Token Card类型是为要求用户输入各种 Token Card信息而 定义的。 Generic Token Card类型的 Request请求报文中包含一条 ASCII 文本消息, 对应的 Generic Token Card类型的 Response响应报文中包含 认证所必需的相关 Token Card.信息。通常这些信息由用户从 Token Card 设备读取并以 ACSII文本进行输入。 The Generic Token Card type is defined to require users to enter various Token Card information. The Generic Token Card type Request request message contains an ASCII text message, and the corresponding Generic Token Card type Response response message contains the relevant Token Card information required for authentication. This information is usually read by the user from the Token Card device and entered in ACSII text.
表 2 Table 2
TypeData,该域占用零个或多个字节,采用与 Type域的类型值相关
的格式。 TypeData, this field occupies zero or more bytes, and is related to the type value of the Type field Format.
对于 CDMA IS95/CDMA 2000 lx网络中的用户,客户端与认证点之 间是网络侧的移动交换中心(MSC ) /拜访位置寄存器( VLR )和介质访 问寄存器( HLR ) /鉴权中心( AC )共同完成认证。共享秘密数据 ( SSD ) 作为认证输入参数之一保存在终端和 HLR/AC中,在终端和 HLR/AC中 保存相同的(密码) A-key, 专用于更新 SSD。 当需要认证时, 以 SSD、 随机数、 电子串号(ESN )、 移动台识别号(MIN )等参数通过蜂窝认证 和语音加密( CAVE )算法计算出认证结果, 并由 MSC/VLR或 HLR/AC 比较认证结果是否一致, 如果不一致, 系统将会发起 SSD更新, 在 SSD 更新成功之后, 即终端侧和网络侧的 SSD保持一致, 下次接入时, 用户 终端使用 SSD计算出的认证结果应与 HLR/AC中计算出来的认证结果 一致, 认证才能成功。 For users in a CDMA IS95 / CDMA 2000 lx network, the client and the authentication point are the mobile switching center (MSC) / visit location register (VLR) and medium access register (HLR) / authentication center (AC) on the network side. Complete certification together. The shared secret data (SSD) is stored in the terminal and HLR / AC as one of the authentication input parameters, and the same (password) A-key is stored in the terminal and HLR / AC, which is used to update the SSD. When authentication is required, the authentication result is calculated by using the parameters such as SSD, random number, electronic serial number (ESN), and mobile station identification number (MIN) through the cellular authentication and voice encryption (CAVE) algorithm, and the MSC / VLR or HLR / The AC compares whether the authentication results are consistent. If they are not consistent, the system will initiate an SSD update. After the SSD update is successful, that is, the SSDs on the terminal side and the network side remain consistent. The next time the user accesses, the authentication result calculated by the user terminal using the SSD should be Consistent with the authentication results calculated in HLR / AC, authentication can be successful.
目前, 随着市场经济以及科学技术的发展, 越来越多的运营商需要 同时经营多种网络。 比如, 具有 IS95/CDMA2000 lx网络的运营商想继 续将自己的业务扩展到 CDMA2000 lxDO网络, WLAN 网络的运营商 也想将业务扩展到 CDMA2000 lxDO网络。而在 CDMA2000 lxDO网络 中, 要建立专门的 AN认证、 授权和计费服务器(AAA )进行认证。 这 种认证方式, 对于同时拥有多种码分多址(CDMA ) 网络的用户, 需要 在 HLR和 AN AAA两个地方开户, 认证方式不统一, 维护不方便, 不 利于统一运营;而且,还需要再组建 AN AAA的全国专用网络进行认证, 建网成本高。 发明内容 Currently, with the development of market economy and science and technology, more and more operators need to operate multiple networks at the same time. For example, operators with IS95 / CDMA2000 lx networks want to continue to expand their services to CDMA2000 lxDO networks, and operators of WLAN networks also want to expand their services to CDMA2000 lxDO networks. In a CDMA2000 lxDO network, a special AN authentication, authorization, and accounting server (AAA) must be established for authentication. This authentication method requires users who have multiple code division multiple access (CDMA) networks to open accounts in two places, HLR and AN AAA. The authentication methods are not unified, maintenance is not convenient, and it is not conducive to unified operation. Then a national private network of AN AAA is set up for authentication, and the network construction cost is high. Summary of the Invention
有鉴于此, 本发明的目的是提 ^一种实现用户认证的方法, 使其在 至少包括 IS95/CDMA2000 lx网络的多模网络中实现对用户的认证, 且
成本低、 维护方便。 In view of this, an object of the present invention is to provide a method for implementing user authentication, so as to implement user authentication in a multi-mode network including at least an IS95 / CDMA2000 lx network, and Low cost and easy maintenance.
一种实现用户认证的方法, 应用于至少包括 IS95/CDMA2000 lx网 络的多模网絡中, 该方法包括: A method for implementing user authentication is applied to a multi-mode network including at least an IS95 / CDMA2000 lx network, and the method includes:
A. 预先设置支持客户端与认证点使用用户身份标识模块( UIM ) 进行认证的 EAP协议, 所述认证点为多模网络中的非 IS95/CDMA2000 lx网络; A. Pre-set EAP protocol that supports client and authentication point to use user identity module (UIM) for authentication, the authentication point is a non-IS95 / CDMA2000 lx network in a multi-mode network;
B. 客户端利用 UIM中的用户信息作为用户身份标识, 与所述认证 点进行 EAP-UIM认证。 B. The client uses the user information in the UIM as the user identity, and performs EAP-UIM authentication with the authentication point.
步骤 A中所述 EAP协议设置为报文代码( Code )、标识符( Identifier )、 长度(Length ) 、 数据(Data ) , 所述 Data又进一步包括类型( Type ) 和数据类型 (TypeData )。 The EAP protocol described in step A is set to a message code (Code), an identifier (Identifier), a length (Length), and data (Data), and the Data further includes a type (Type) and a data type (TypeData).
所述 Type设置为包括 Identity、 Notification Nak、 MD5 -Challenge、 One-Time Password、 Generic Token Card、 UIM七种类型。 The Type is set to seven types including Identity, Notification Nak, MD5-Challenge, One-Time Password, Generic Token Card, and UIM.
利用 1 ~ 6取值分别与设置的 Type类型相对应, Type类型为 UIM, 取值为大于 6的任意值。 The values from 1 to 6 correspond to the set Type. The Type is UIM, and the value can be any value greater than 6.
所述 TypeData设置为包括 Type、 Length和 Data三个域。 The TypeData is set to include three fields: Type, Length, and Data.
所述的 Type、 Length和 Data大于等于 1小于等于 255的值,且 Type、 Length和 Data取值不相等。 The Type, Length, and Data values are greater than or equal to 1 and less than or equal to 255, and the Type, Length, and Data values are not equal.
所述步骤 B进一步包括: The step B further includes:
Bl、 客户端将用户身份标识发送至认证点; Bl. The client sends the user identity to the authentication point.
B2、 认证点根据用户身份标识产生一个对客户端进行认证的随机 数, 并且根据该随机数及认证点含有的共享秘密数据 ( SSD )计算出对 应的第一鉴权数, 形成一个鉴权集; B2. The authentication point generates a random number for authenticating the client according to the user identity, and calculates a corresponding first authentication number according to the random number and the shared secret data (SSD) contained in the authentication point to form an authentication set. ;
B3、客户端根据所述随机数及客户端的 SSD计算出对应的第二鉴权 数;
B4、 认证点比较笫一鉴权数与第二鉴权数是否一致, 如果一致, 则 认证成功, 否则, 认证失败。 B3. The client calculates a corresponding second authentication number according to the random number and the SSD of the client. B4. The authentication point compares whether the first authentication number is consistent with the second authentication number. If they are the same, the authentication succeeds; otherwise, the authentication fails.
步骤 B1进一步包括: Step B1 further includes:
B11、 认证点向客户 端发送客户 端请求用户 身份标识 ( EAP-Request/Identity )报文, 要求客户端送上自己的身份标识; B11. The authentication point sends a client request user identity (EAP-Request / Identity) message to the client, asking the client to send its own identity;
B12、客户端将用户身份标识通过标识回应( EAP-Response/Identity ) 寺艮文发送给认证点; B12. The client sends the user identity to the authentication point through an identity response (EAP-Response / Identity).
B13 > 认证点收到 EAP-Response/Identity才艮文后, 向客户端发送 EAP-UIM认证协议开始请求(EAP-Request/UIM/Start )报文, 开始进 行 EAP-UIM认证; B13> After receiving the EAP-Response / Identity message, the authentication point sends an EAP-Request / UIM / Start message to the client to start EAP-UIM authentication.
B14, 客户端收到 EAP-Request/UIM/Start才艮文后, 给认证点发送 EAP-UIM认证协议开始回应 ( EAP-Response/UIM/Start )报文。 B14. After receiving the EAP-Request / UIM / Start message, the client sends an EAP-UIM authentication protocol start response (EAP-Response / UIM / Start) message to the authentication point.
步骤 B14进一步包括: Step B14 further includes:
认证点收到 EAP-Response/UIM/Start 4艮文后, 向客户端发送 EAP-UIM认证协议认证请求(EAP-Request/UIM/Challenge )报文, 把 从认证服务器获得的随机数发送给客户端。 After receiving the EAP-Response / UIM / Start message, the authentication point sends an EAP-UIM authentication protocol authentication request (EAP-Request / UIM / Challenge) message to the client, and sends the random number obtained from the authentication server to the client. end.
步骤 B3 进一步包括: 客户端将自身计算出的第二鉴权数通过 EAP-UIM认证协议认证回应( EAP-Response/UIM/Challenge )报文发送 给认证点。 Step B3 further includes: the client sends the second authentication number calculated by itself to the authentication point through an EAP-UIM authentication protocol authentication response (EAP-Response / UIM / Challenge) message.
在认证失败后, 该方法进一步包括: After the authentication fails, the method further includes:
E. 更新客户端与认证服务器中的 SSD, 保证两端 SSD相等, 然后 再返回步骤 B执行。 E. Update the SSDs in the client and the authentication server to ensure that the SSDs at both ends are equal, and then return to step B for execution.
本发明通过扩展 EAP认证协议,实现利用 IS95/CDMA2000 lx网络 对非 IS95/CDMA2000 lx网络对用户进行认证, 该方法可以减少成本投 资、 认证安全、 维护方便。
4 / ϋ 0 0 附图简要说明 The invention implements the IS95 / CDMA2000 lx network to authenticate users using the IS95 / CDMA2000 lx network by expanding the EAP authentication protocol. This method can reduce cost investment, authentication security, and convenient maintenance. 4 / ϋ 0 0 Brief description of the drawings
图 1 现有技术中 ΕΑΡ协议报文格式示意图; FIG. 1 is a schematic diagram of an EAP protocol message format in the prior art;
图 2为实现本发明方法的流程示意图; FIG. 2 is a schematic flowchart of implementing the method of the present invention;
图 3为本发明进行首次认证的具体实施例的流程示意图; FIG. 3 is a schematic flowchart of a specific embodiment of performing first authentication according to the present invention; FIG.
图 4为本发明进行一次认证的具体实施例的流程示意图。 实施本发明的方式 FIG. 4 is a schematic flowchart of a specific embodiment for performing an authentication according to the present invention. Mode of Carrying Out the Invention
本发明的核心内容是: 通过进一步扩展 ΕΑΡ 认证协议, 利用 IS95/CDMA2000 lx 网络中的用户身份识别模块 ( UIM ) 对非 IS95/CDMA2000 lx网络用户进行认证。 UIM不仅用在 CDMA IS95和 CDMA 2000 lx网络中,还可以用在其他网络中,如 WLAN网络、 CDMA EVDO网络中。 当其用在这些网络中时, 需要有一种认证协议能够承载 它的认证机制。 The core content of the present invention is: By further expanding the EAP authentication protocol, a user identity recognition module (UIM) in an IS95 / CDMA2000 lx network is used to authenticate non-IS95 / CDMA2000 lx network users. UIM is not only used in CDMA IS95 and CDMA 2000 lx networks, but also in other networks, such as WLAN networks and CDMA EVDO networks. When it is used in these networks, an authentication protocol is needed to carry its authentication mechanism.
实现本发明的组网结构包括客户端、 认证点和认证服务器。 认证服 务器表示在网络侧能够终结 EAP协议和认证点之间通过 AAA协议进行 通讯, 如通过 Radius协议进行通讯。 并且, 认证服务器能够与 CDMA 网络之间进行通讯, 能够从 CDMA网络的 HLR中获取鉴权集; 认证点 和认证服务器之间可以通过现有的 AAA通讯协议, 如 Radius协议, 进 行通讯; 客户端是指包含了 UIM模块的终端, 其包括两种情况, 一种是 终端和 UIM模块不分离, 即通常的机卡不分离的情况; 另一种是指终端 和 UIM模块分离, 两者之间通过相关接口进行通讯, 即通常的机卡分离 状态。 The networking structure for implementing the present invention includes a client, an authentication point, and an authentication server. The authentication server indicates that the network can terminate the communication between the EAP protocol and the authentication point through the AAA protocol, such as the communication through the Radius protocol. In addition, the authentication server can communicate with the CDMA network and can obtain the authentication set from the HLR of the CDMA network; the authentication point and the authentication server can communicate through the existing AAA communication protocol, such as the Radius protocol; the client Refers to the terminal that contains the UIM module. It includes two cases. One is that the terminal and the UIM module are not separated, that is, the case where the machine card is not separated. The other is that the terminal and the UIM module are separated. Communication through the relevant interface, that is, the normal machine-card separation state.
参见图 2所示, 实现本发明的方法包括以下步骤: Referring to FIG. 2, the method for implementing the present invention includes the following steps:
步骤 201:预先设置支持客户端与认证点使用 UIM进行认证的 EAP 协议;
步骤 202: 客户端利用 UIM中的用户信息作为用户身份标识, 与认 证点开始进行 EAP-UIM认证; Step 201: preset an EAP protocol supporting the client and the authentication point to use UIM for authentication; Step 202: The client uses the user information in the UIM as the user identity, and starts EAP-UIM authentication with the authentication point.
步驟 203: 认证点根据用户身份标识产生一个对用户终端进行认证 的随机数,并且根据该随机数及认证点含有的 SSD计算出对应的第一鉴 权数, 形成一个鉴权集; Step 203: The authentication point generates a random number for authenticating the user terminal according to the user identity, and calculates a corresponding first authentication number according to the random number and the SSD contained in the authentication point to form an authentication set.
步骤 204: 客户端根据所述随机数及客户端的 SSD计算出对应的第 二鉴权数; Step 204: The client calculates a corresponding second authentication number according to the random number and the SSD of the client.
步骤 205: 认证点比较第一鉴权数与第二鉴权数是否一致, 如果一 致, 则认证成功, 否则, 认证失败。 Step 205: The authentication point compares whether the first authentication number and the second authentication number are consistent. If they are the same, the authentication succeeds; otherwise, the authentication fails.
下面结合附图和具体实施例详细说明本发明的技术方案。 The technical solution of the present invention will be described in detail below with reference to the drawings and specific embodiments.
本发明是在 EAP 认证协议上进行扩展, 生成一种新的认证协议 EAP-UIM。 本发明的认证协议格式包括 Code、 Identifier, Length 、 Data 四部分, 其中, Data包括 Type和 TypeData两部分, 这与现有技术相 同。 但是其中 Type参数和 TypeData参数与现有技术不同。 The invention is extended on the EAP authentication protocol to generate a new authentication protocol EAP-UIM. The authentication protocol format of the present invention includes four parts: Code, Identifier, Length, and Data, where Data includes two types: Type and TypeData, which is the same as the prior art. However, the Type parameter and TypeData parameter are different from the prior art.
进一步的说, 就是在现有技术中 EAP协议的 TYPE域中, 进一步增 加一种新类型 UIM,其值可以为大于 6的值,该类型可以适用于 Requset 和 Respone报文。 比如, 定义 TYPE域为 31 , 表示采用 EAP-UIM协议 的报文类型。 Furthermore, a new type of UIM is further added in the TYPE field of the EAP protocol in the prior art, and the value can be a value greater than 6, which can be applied to Requset and Respone messages. For example, if the TYPE field is defined as 31, it indicates that the packet type adopts the EAP-UIM protocol.
TYPE-DATA域包括 Type 、 Lengths Value三部分。 TYPE域用于 表示 EAP-UIM协议的报文类型, 该域可以在 1到 255之间任意取值。 参见表 3 所示, 本实施例中规定为三种类型值; Length域用于说明 EAP-UIM报文的长度, 具体包括 Type、 Length和 Data域的长度; Value 域采用与 Type域的类型值相关的格式。
取值 The TYPE-DATA field includes three types: Type and Lengths Value. The TYPE field is used to indicate the message type of the EAP-UIM protocol. As shown in Table 3, three types of values are specified in this embodiment; the Length field is used to describe the length of the EAP-UIM message, and specifically includes the length of the Type, Length, and Data fields; the Value field uses the type value of the Type field Related formats. Value
11 Start 11 Start
12 Challenge 12 Challenge
13 Update 表 3 13 Update Table 3
利用 UIM 来对用户进行认证的方式, 与现有技术中 CDMA IS95/CDMA 2000 lx网络中用户进行认证的方式一样, 首次认证中第一 次认证会出现失败,这主要由于用户终端侧与网络侧中的 SSD不一致导 致, 所以在认证失败后, 需要进行 SSD更新操作, 以使两端的 SSD— 致。 The method of using UIM to authenticate users is the same as the method of user authentication in CDMA IS95 / CDMA 2000 lx networks in the prior art. The first authentication fails in the first authentication, mainly due to the user terminal side and the network side. Due to inconsistent SSDs, after an authentication failure, an SSD update operation needs to be performed to make the SSDs at both ends consistent.
参见图 3所示, 用户进行首次认证的具体过程如下: As shown in Figure 3, the specific process of the user's first authentication is as follows:
步骤 301 : 认证点向客户端发送客户端请求用户身份标识 ( EAP-Request/Identity )报文, 要求客户端送上自己的身份标识; Step 301: The authentication point sends a client request user identity (EAP-Request / Identity) message to the client, and requires the client to send its own identity;
步驟 302: 客户端获取 UIM里保存的身份信息, 将该身份信息作为 用户身份标识, 并通过回应用户身份标识( EAP-Response/Identity )报文 将所述用户身份标识发送给认证点; Step 302: The client obtains the identity information stored in the UIM, uses the identity information as the user identity, and sends the user identity to the authentication point in response to a user identity (EAP-Response / Identity) message.
步骤 303: 认证点收到 EAP-Response Identity报文后, 向客户端发 送 EAP-UIM认证协议开始请求(EAP-Request/UIM/Start )报文, 开始 进行 EAP-UIM认证协议的过程; 这里, 认证点采用扩展后的协议请求 得到用户标识, 以下步骤中, 也将采用扩展后的协议中的 TYPE、 TYPEDATE参数来传送客户端与认证点之间 EAP-UIM认证信息。 Step 303: After receiving the EAP-Response Identity message, the authentication point sends an EAP-UIM authentication protocol start request (EAP-Request / UIM / Start) message to the client to start the EAP-UIM authentication protocol process. Here, The authentication point uses the extended protocol request to obtain the user identity. In the following steps, the TYPE and TYPEDATE parameters in the extended protocol will also be used to transmit the EAP-UIM authentication information between the client and the authentication point.
步骤 304: 客户端收到 EAP-Request/UIM/Start报文后, 给认证点回 一个 EAP-UIM认证协议开始回应 ( EAP-Response/UIM/Start )报文; 步骤 305'. 认证点收到 EAP-Response/UIM/Start后, 通过与认证服
W 务器交换得到一个随机数 ( rand )及其对应的第二鉴权数 ( AUTH2 )的 鉴权集, 然后向客户端发送 EAP-UIM 认证协议认证请求 ( EAP-Request/UIM/Challenge )报文, 其中含有随机数; 这里, 认证服 务器得到一个鉴权集的过程是这样: 根据用户身份标识产生一个随机 数, 并根据网络侧保存的 SSD进行计算得出对应的第二鉴权数; Step 304: After receiving the EAP-Request / UIM / Start message, the client returns an EAP-UIM authentication protocol start response (EAP-Response / UIM / Start) message to the authentication point; step 305 '. The authentication point receives After EAP-Response / UIM / Start, it passes the authentication service The W server exchanges to obtain an authentication set of a random number (rand) and its corresponding second authentication number (AUTH2), and then sends an EAP-UIM authentication protocol authentication request (EAP-Request / UIM / Challenge) report to the client. The document contains a random number. Here, the process by which the authentication server obtains an authentication set is as follows: a random number is generated according to the user identity, and the corresponding second authentication number is calculated according to the SSD stored on the network side;
步骤 306:客户端收到 EAP-Request/UIM/Challenge报文后,将 Rand 和 UIM里保存的 SSD进行加密后, 得到第一鉴权数 ( AUTH1 ), 再通 过 EAP-UIM认证协议更新回应报文( EAP-Response UIM/Challenge )发 送给认证点, 报文中携带 AUTH1; Step 306: After receiving the EAP-Request / UIM / Challenge message, the client encrypts the SSD stored in Rand and UIM to obtain the first authentication number (AUTH1), and then updates the response message through the EAP-UIM authentication protocol. The text (EAP-Response UIM / Challenge) is sent to the authentication point, and the message carries AUTH1;
步驟 307: 认证点收到 EAP-Response/UIM/Challenge报文后, 将接 认证月 务器对 AUTH1和自己保存的 AUTH2进行比较, 如果一致, 则 通知认证点成功,否则 ,认证失败,然后认证点判断是否需要进行 Update 流程, 如果需要, 则开始进行 Update流程, 更新 SSD, 执行步骤 308, 否则, 认证失败, 跳出; Step 307: After receiving the EAP-Response / UIM / Challenge message, the authentication point will compare the authentication server with AUTH1 and the AUTH2 saved by itself. If they are the same, the authentication point will notify the authentication point of success, otherwise, the authentication will fail and then authenticate. Click to determine whether the Update process is required. If necessary, start the Update process, update the SSD, and perform step 308; otherwise, the authentication fails and the process exits.
步驟 308: 认证点获取 SSD认证随机数 ( RANDSSD )及其对应的 鉴权数, 该鉴权数为根据网络侧和 RANDSSD计算出, 然后认证点向客 户端发送 EAP-UIM认证协议更新回应 ^艮文( EAP-Request/UIM/Update ) 报文, 其中含有 SSD认证随机数( RANDSSD ); Step 308: The authentication point obtains an SSD authentication random number (RANDSSD) and its corresponding authentication number. The authentication number is calculated according to the network side and the RANDSSD, and then the authentication point sends an EAP-UIM authentication protocol update response to the client. Text (EAP-Request / UIM / Update) message, which contains an SSD authentication random number (RANDSSD);
步骤 309: 客户端在收到 EAP-Request UIM/Update报文后, 根据 RANDSSD和客户端保存的 SSD计算得出对应的鉴权数,向认证点发送 EAP-UIM认证协议认证回应 ( EAP-Respnse/UIM/Challenge )报文, 其 中含有客户端计算得出鉴权数; Step 309: After receiving the EAP-Request UIM / Update message, the client calculates the corresponding authentication number according to the RANDSSD and the SSD saved by the client, and sends an EAP-UIM authentication protocol authentication response (EAP-Respnse) to the authentication point. / UIM / Challenge) packet, which contains the authentication number calculated by the client;
步骤 310: 认证点收到 EAP-Respnse/UIM/Challenge报文后, 判断网 络侧与客户端计算出的鉴权数是否一致, 如果一致, 则给客户端回一个
EAP-UTM认证协议认证请求( EAP-Request/UIM/Challenge 艮文,否则, SSD更新失败; Step 310: After receiving the EAP-Respnse / UIM / Challenge message, the authentication point determines whether the authentication numbers calculated by the network side and the client are the same. If they are the same, the client returns a EAP-UTM authentication protocol authentication request (EAP-Request / UIM / Challenge), otherwise, the SSD update fails;
步骤 311: 客户端收到 EAP-Request/UIM/Challenge后, 更新自身的 SSD,将计算出的 SSD通过 EAP-Response/UIM/Update报文发送给认证 点; Step 311: After receiving the EAP-Request / UIM / Challenge, the client updates its SSD, and sends the calculated SSD to the authentication point through an EAP-Response / UIM / Update message.
步骤 312: 认证点收到 EAP-Response/UIM/Update后, 更新网络侧 的 SSD, 判断 SSD是否更新完毕, 如果更新完毕, 结束 Update流程, 向客户端发送 EAP-Request/UIM/Challenge报文, 重新进行认证; Step 312: After receiving the EAP-Response / UIM / Update, the authentication point updates the SSD on the network side to determine whether the SSD is updated. If the update is completed, the Update process is ended, and an EAP-Request / UIM / Challenge message is sent to the client. Re-certify;
步骤 313: 客户端收到 EAP-Request/UIM/Challenge报文后, 给认证 点回一个 EAP-Response/UIM/Challenge报文; Step 313: After receiving the EAP-Request / UIM / Challenge message, the client returns an EAP-Response / UIM / Challenge message to the authentication point.
步骤 314: 认证点根据 EAP-Response/UIM/Challenge判断认证成功 后, 给客户端发送 EAP-Success报文; Step 314: After the authentication point judges that the authentication is successful according to the EAP-Response / UIM / Challenge, it sends an EAP-Success message to the client;
在首次认证进行 SSD更新后,由于已确保了客户端和认证点的 SSD 一致, 所以之后的认证过程就只有认证流程。 参见图 4所示, 非首次认 证的认证过程如下: After the SSD is certified for the first time, since the SSDs of the client and the authentication point are consistent, the subsequent certification process is only the certification process. As shown in Figure 4, the certification process for non-first certification is as follows:
步驟 401: 认证点向客户端发送 EAP-Request/Identity报文, 要求客 户端送上自己的身份标识; Step 401: The authentication point sends an EAP-Request / Identity message to the client, requesting the client to send its own identity;
步骤 402:客户端收到 EAP-Request/Identity报文后,将 UIM里保存 的身份信息作为用户身份标识, 并通过 EAP-Response/Identity报文将用 户身份标识发送给认证点; Step 402: After receiving the EAP-Request / Identity message, the client uses the identity information stored in the UIM as the user identity, and sends the user identity to the authentication point through the EAP-Response / Identity message;
步骤 403: 认证点收到 EAP-Response/Identity报文后, 向客户端发 送 EAP-Request/UIM/Start报文, 开始进行 EAP-UIM认证协议的过程; 步骤 404: 客户端收到 EAP-Request/UIM/Start报文后, 给认证点回 一个 EAP-Response/UIM/Start 艮文; Step 403: After receiving the EAP-Response / Identity message, the authentication point sends an EAP-Request / UIM / Start message to the client to start the EAP-UIM authentication protocol. Step 404: The client receives the EAP-Request After the / UIM / Start message, an EAP-Response / UIM / Start message is returned to the authentication point;
步骤 405: 认证点收到 EAP-Response/UIM/Start报文后, 从认证服
务器处获得的 Rand 及对应的第二鉴权数 (AUTH2 ) , 然后通过 EAP-Request/UIM/Challenge报文将 Rand发送给客户端; 这里第二鉴权 数是根据随机数及网络侧保存的 SSD进行计算获得; Step 405: After the authentication point receives the EAP-Response / UIM / Start message, it sends a message from the authentication server. The Rand obtained by the server and the corresponding second authentication number (AUTH2), and then sends the Rand to the client through the EAP-Request / UIM / Challenge message; the second authentication number is based on the random number and saved on the network side. Calculated by the SSD;
步骤 406:客户端收到 EAP-Request/UIM/Challenge报文后,将 Rand 和 UIM 里保存的密码进行加密后, 得到 AUTH1 , 客户端再通过 EAP-Response/UIM/Challenge 报文发送给认证点, 其中报文中携带 AUTH1 ; Step 406: After receiving the EAP-Request / UIM / Challenge message, the client encrypts the password stored in Rand and UIM to obtain AUTH1, and the client sends the EAP-Response / UIM / Challenge message to the authentication point. Where the message carries AUTH1;
步骤 407: 认证点收到 EAP-Response/UIM/Challenge报文后, 将接 收到的报文通过和认证服务器之间的 AAA通讯协议发送至认证服务器, 认证服务器对 AUTH1和自己保存的 AUTH2进行比较, 如果一致, 则 通知认证点成功, 然后认证点再向客户端发送 EAP-Success报文, 通知 客户端认证成功。 Step 407: After receiving the EAP-Response / UIM / Challenge message, the authentication point sends the received message to the authentication server through the AAA communication protocol with the authentication server. The authentication server compares AUTH1 with AUTH2 stored by itself. If they are consistent, the authentication point is notified of success, and then the authentication point sends an EAP-Success message to the client to notify the client of successful authentication.
以上所述仅为本发明的较佳实施例而已, 并不用以限制本发明, 凡 在本发明的精神和原则之内, 所作的任何修改、 等同替换、 改进等, 均 应包含在本发明的保护范围之内。
The above are only preferred embodiments of the present invention and are not intended to limit the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall be included in the present invention. Within the scope of protection.