WO2005046119A1 - A method of setting up the association between the session transaction identification and the network application entity - Google Patents

A method of setting up the association between the session transaction identification and the network application entity

Info

Publication number: WO2005046119A1
Authority: WO, WIPO (PCT)
Prior art keywords: tid, naf, query, bsf, queried
Prior art date:
Application number: PCT/CN2004/001213
Other languages: French (fr), Chinese (zh)
Inventors: Wenlin Zhang, Yingxin Huang
Original Assignee: Huawei Technologies Co., Ltd.
Priority date:
Filing date:
Publication date:
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2005046119A1


Definitions

  • The present invention relates to the field of third-generation wireless communication technology, and particularly to a method for establishing an association between a session transaction identifier (TID) and a network application entity (NAF).
  • TID: session transaction identifier
  • NAF: network application entity
  • The common authentication framework is a common structure used by multiple application business entities to complete the verification of user identity.
  • Applying the common authentication framework makes it possible to check and verify the identity of users of application services.
  • The above-mentioned multiple application services may be multicast/broadcast services, user certificate services, instant information provision services, etc., or proxy services, such as multiple services connected to a proxy.
  • The common authentication framework treats the proxy as one kind of service, so the organizational structure for processing services can be very flexible.
  • FIG. 1 shows the structure of a general authentication framework.
  • The common authentication framework usually consists of a user 101, an entity (BSF) 102 that performs initial user identity verification, a user home network server (HSS) 103, and a network application entity (NAF) 104.
  • The BSF 102 is used to mutually verify identity with the user 101, assign a TID to the user 101 once the user has been authenticated, and generate a shared key between the BSF 102 and the user 101.
  • The HSS 103 stores a profile information file describing user information; at the same time, the HSS 103 also has the function of generating authentication information.
  • Step 201: The user sends a service application request message to the NAF.
  • Step 202: After receiving the message, the NAF finds that the user has not yet performed mutual authentication with the BSF, and notifies the user to first perform initial authentication with the BSF.
  • Step 203: The user sends an initial authentication request message to the BSF; the message includes the user's own identification information.
  • Step 204: After receiving the user's authentication request message, the BSF queries the HSS for the user's authentication information and profile information, and obtains a response from the HSS.
  • Step 205: After the BSF obtains the response message containing the information it searched for, the BSF uses that information to perform mutual authentication with the user according to the authentication and key agreement protocol (AKA).
  • AKA: authentication and key agreement protocol
  • Once the BSF and the user complete AKA mutual authentication, that is, after mutual identity authentication, the BSF and the user hold a shared key Ks.
  • Step 206: The BSF allocates to the user a session transaction identifier (TID) consisting only of an identification number; the TID is valid for more than one NAF at the same time. The BSF sends the assigned TID to the user.
  • TID: session transaction identifier
  • The TID is associated with the shared key Ks.
  • Step 207: After receiving the TID allocated by the BSF, the user re-sends a service application request message to the NAF; the request message includes the TID allocated by the BSF.
  • Step 208 When NAF receives the service application request message containing the TID information sent by the user, it first performs a query locally in NAF. If it is found, step 210 is performed directly. Otherwise, the BSF sends a message containing the NAF local ID to the TSF to the BSF. And execute step 209; step 209, the BSF receives the query message from the NAF and performs the query locally. If the BSF locally has the TID information queried by the NAF, the BSF directly sends a successful query message to the NAF. The message includes the query.
  • step 210 is performed, otherwise the BSF Send a failed query message to the NAF to notify the NAF that the user has no information, and the NAF notifies the user to perform authentication on the BSF, and ends the processing flow;
  • Step 210 The NAF performs normal communication with the user, and applies a shared key Ks or a key derived from the shared key Ks to protect future communications.
  • After the first communication between the user and a NAF has completed, the authenticated TID is used for all subsequent communication with that NAF. Since the TID can be reused, any NAF that cannot find the TID locally queries the BSF; therefore, once the user has obtained a valid TID, that TID can be used to communicate with any NAF.
  • The disadvantage of the prior art is that the TID the BSF assigns to a user is valid for all NAFs, and the BSF does not record which NAFs have used the TID. When the BSF receives a TID query from any NAF, the TID is considered valid as long as it can be found locally at the BSF, and the TID together with its related key information is sent to the querying NAF; that is, the same user shares the same key information with multiple NAFs.
  • In this situation, once a NAF is compromised by an attacker, i.e. the Ks held by that NAF is leaked, the attacker can impersonate the user to the services on multiple NAFs, so that all of the user's application services, and in turn all NAF functional entities, are threatened.
  • An object of the present invention is therefore to provide a method for establishing an association between a user's session transaction identifier and different network application entities, so as to avoid the problem that the compromise of one NAF threatens all NAFs.
  • The method for establishing an association between a session transaction identifier and a network application entity applies to third-generation wireless communication systems that authenticate users with a common authentication framework, and includes the following steps:
  • Step a: After the entity performing the initial check and verification of user identity (BSF) receives a TID query request message from a network application entity (NAF), it determines whether the TID information queried by the NAF exists locally at the BSF. If so, step b is performed; otherwise the BSF returns a failed query response message to the NAF;
  • Step b: The BSF judges, according to the attribute information of the queried TID, whether the TID is valid for the NAF requesting the query. If so, it saves the changed attribute information of the TID together with the correspondence between the key information related to the TID and the requesting NAF, and then sends the queried TID and its related key information to the requesting NAF; otherwise the BSF returns a query response message to the requesting NAF indicating that the queried TID is invalid.
  • The TID query request message that the BSF receives from the NAF in step a includes at least the local identity of the NAF requesting the query;
  • The attribute information of the TID in step b includes at least a flag indicating whether the TID has been used;
  • The method by which the BSF determines in step b whether the queried TID is valid for the requesting NAF is: determine whether the queried TID is marked as unused; if so, the queried TID is valid for the requesting NAF, otherwise it is invalid for the requesting NAF;
  • The changed TID attribute information in step b includes at least the flag marking the TID as used.
  • The TID query request message received by the BSF from the NAF in step a further includes the group identifier of the NAF requesting the query;
  • The attribute information of the TID in step b further includes the group identifier of the NAF associated with the TID;
  • The method for determining whether the queried TID is valid for the requesting NAF further includes: the BSF judges whether the group identifier of the requesting NAF is the same as the group identifier in the TID attribute information; if they are the same, the queried TID is valid for the requesting NAF, otherwise it is invalid for the requesting NAF.
  • The changed TID attribute information in step b further includes the group identifier of the requesting NAF.
  • The attribute information of the TID in step b further includes a counter of the number of currently connected NAFs and the maximum number of NAFs that may be connected to the TID;
  • The method for determining whether the queried TID is valid for the requesting NAF further includes: judging whether the number of NAFs currently connected to the TID is less than or equal to the maximum number of NAFs that may be connected to the TID; if so, the queried TID is valid for the requesting NAF, otherwise it is invalid for the requesting NAF;
  • the changed TID attribute information in step b further includes: an updated number of currently connected NAFs and a maximum value of the number of NAFs that can be connected by the TID.
  • The TID query request message that the BSF receives from the NAF in step a further includes the security level of the NAF requesting the query;
  • The TID information queried in step b further includes the security level information of the TID; if the queried TID is flagged as used, determining whether the queried TID is valid for the requesting NAF further includes: the BSF judges whether the security level in the queried TID information is the same as the preset security level of the requesting NAF; if so, the queried TID is valid for the requesting NAF, otherwise it is invalid for the requesting NAF;
  • the changed TID attribute information in step b further includes: security level information of the TID.
  • The TID information queried in step b further includes the number of existing associations with NAFs, the identities of the associated NAFs, and the maximum number of associations allowed;
  • When step b determines that the security level of the queried TID is the same as the preset security level of the requesting NAF, it further includes: the BSF determines whether the number of NAFs associated with the TID in the queried TID information has already reached the maximum allowed within that security level; if so, the queried TID is invalid for the requesting NAF, otherwise it is valid for the requesting NAF;
  • The changed TID attribute information in step b further includes the updated number of existing NAF associations, the identities of the associated NAFs, and the maximum number of associations allowed.
  • The correspondence information in step b includes the correspondence between the queried TID and the identity of the NAF to which the TID is applied, and the security level of the NAF corresponding to the TID.
  • The method further includes: after mutual authentication between the user and the BSF, the BSF allocates a TID to the user, and the BSF and the user share the key information related to the TID; when the NAF receives a service request containing the TID from the user, it determines whether the TID information exists locally. If it does, the NAF communicates normally with the user; otherwise it sends a TID query message to the BSF and step a is performed.
  • The method further includes: when the NAF has been compromised, prompting the user to re-authenticate with the BSF and to update the TID and its corresponding key information.
  • The changed TID attribute information in step b further includes the identification information of the NAF requesting the query.
  • In this method, when the BSF receives a TID query from a NAF it first determines whether the TID information exists locally, that is, it checks the authenticity of the TID. If the TID information exists locally, that is, the TID is genuine, the BSF then determines whether the TID is valid for the requesting NAF. If it is valid, the BSF first saves the correspondence between the TID, the key information related to the TID and the requesting NAF, and then sends the TID and the key information related to the TID to the NAF.
  • A TID is therefore valid only for one NAF or for NAFs of the same security level; that is, a TID is bound to one NAF or to NAFs of one security level, which avoids the problem that the compromise of one NAF threatens all NAFs.
  • The invention thus confines the threat to the scope of one NAF or one security level of NAFs, increasing the security of the system.
  • When the NAF considers the TID used by the user to be insecure, for example when the NAF has been compromised, the user is prompted to update the TID.
  • Figure 1 shows the structure of a general authentication framework
  • FIG. 2 is a flow chart of applying a general authentication framework for user identity authentication in the prior art
  • FIG. 3 shows a flowchart of Embodiment 1 to which the present invention is applied
  • FIG. 4 shows a flowchart of a second embodiment to which the present invention is applied.
  • The idea of the present invention is: after receiving a TID query request message from a NAF, the BSF determines whether it locally holds the TID information queried by the NAF; if not, it returns a failed query response message to the NAF. If so, the BSF determines from the attribute information of the queried TID whether the TID is valid for the requesting NAF; if it is, the BSF saves the changed attribute information of the TID and the correspondence between the key information related to the TID and the requesting NAF, then sends the queried TID and its related key information to the requesting NAF; otherwise the BSF returns a query response message to the requesting NAF indicating that the TID is invalid.
  • FIG. 3 shows a flowchart of Embodiment 1 to which the present invention is applied;
  • Step 301 The user sends a service application request message to the NAF.
  • Step 302 After receiving the message, the NAF finds that the user has not yet performed mutual authentication with the BSF, and notifies the user to first perform initial authentication with the BSF;
  • Step 303 The user sends an initial authentication request message to the BSF, where the message includes the user's own identification information.
  • Step 304 After receiving the authentication request message of the user, the BSF queries the HSS for authentication information and profile information of the user, and obtains a response from the HSS.
  • Step 305 After the BSF obtains the response message containing the requested information, it uses that information to run the Authentication and Key Agreement (AKA) protocol with the user for mutual authentication, after which the BSF and the user share a key Ks;
  • Step 306 The BSF allocates to the user a session transaction identifier (TID) consisting of an identification number, valid for all NAFs at the same time, and sends the allocated TID to the user. Because the TID is valid for any NAF at this point, the user can use the TID to initiate an application request to any NAF;
  • Step 307 After receiving the TID allocated by the BSF, the user sends a service application request message to the NAF selected by the user, where the request message includes the TID information allocated by the BSF.
  • Step 308 After receiving the service application request message containing the TID, the NAF first determines whether it holds the TID information locally; if so, it executes step 311, otherwise it sends a TID query message containing its local NAF identifier to the BSF and executes step 309;
  • Step 309 After receiving the query message from the NAF, the BSF first looks the TID information up locally, that is, it checks the authenticity of the TID queried by the NAF. If the TID information is not available locally, the TID is illegitimate: the BSF returns a failure response to the NAF, the NAF tells the user to authenticate with the BSF, and the flow ends. If the TID information exists locally, the BSF determines whether the locally stored attribute of the TID is "unused"; if so, it changes the "unused" mark to "used", stores the correspondence between the TID and the identifier of the requesting NAF in the attribute information of the TID and, having bound the TID to the requesting NAF, performs step 310. Otherwise the BSF considers the TID already bound to another NAF and not usable by the requesting NAF, returns a failure response message indicating that the TID is invalid for the requesting NAF, the NAF tells the user to authenticate with the BSF, and the flow ends;
  • Step 310 The BSF includes the user's shared key Ks corresponding to the TID, or a key derived from Ks, in a success response message and sends it to the NAF; the NAF and the user now also share Ks or its derived key, and step 311 is performed;
  • Step 311 The NAF performs normal communication with the user, and applies a shared key Ks or a key derived from the shared key Ks to protect future communications.
  • The NAFs in a certain area can be divided into a group with a group identifier; the number of groups is decided by the administrator of the NAFs.
  • In that case, when the BSF finds the TID information queried by the NAF locally and the attribute information of the TID is "unused", the BSF changes the "unused" mark to "used", stores in the attribute information of the TID the correspondence between the TID and the identifier of the requesting NAF together with the group identifier of the requesting NAF, that is, it binds the TID to the requesting NAF, and sends the shared key Ks corresponding to the TID, or a key derived from Ks, to the NAF in the success response message;
  • When the BSF finds the TID information queried by the NAF locally and the attribute of the TID is "used", the BSF further judges whether the group identifier of the requesting NAF is the same as the group identifier in the TID attribute information. If they are the same, the TID is considered valid and the user's shared key Ks corresponding to the TID, or a key derived from it, is included in the success response message sent to the NAF; otherwise a failure response is returned to the NAF indicating that the TID is invalid for the requesting NAF, the NAF tells the user to authenticate with the BSF, and the flow ends.
  • A counter recording the number of currently connected NAFs, together with the maximum number of NAFs that may be connected to the TID, can also be added to the TID attributes. If the current number has not reached the maximum, the TID is valid for the requesting NAF in the group; otherwise the TID is invalid for the requesting NAF in the group and that NAF must be served by a new TID.
  • When the user later re-uses the services of a NAF it has already applied to, it can still use the assigned TID for the request. Only when the NAF considers the TID used by the user to be insecure, for example when the NAF has been compromised and the key corresponding to the user's TID may have been stolen, is the user prompted to update the TID. For example, the NAF may run an intrusion detection system; when that system reports that the NAF has been attacked, the NAF, after handling its own security issues, notifies the user to update the TID and the key corresponding to it.
  • FIG. 4 shows a flowchart of a second embodiment to which the present invention is applied.
  • NAFs with different security levels can be divided into different groups according to the NAFs' own security and operational needs. For example, NAFs with a lower security level are grouped into one security domain; NAFs with a higher security level are grouped into another; and some NAFs with very high security requirements each form a group of their own. Each group is an independent security domain, and a security domain can share a TID and its corresponding key information.
  • Step 401 The user sends a service application request message to the NAF.
  • Step 402 After receiving the message, the NAF finds that the user has not yet performed mutual authentication with the BSF, and notifies the user to first perform initial authentication with the BSF;
  • Step 403 The user sends an initial authentication request message to the BSF, where the message includes the user's own identification information.
  • Step 404 After receiving the user's authentication request message, the BSF queries the HSS for the user's authentication information and Profile information, and obtains a response from the HSS.
  • Step 405 After the BSF obtains the response message containing the requested information, it uses that information to run the Authentication and Key Agreement (AKA) protocol with the user for mutual authentication; once the BSF and the user complete AKA mutual authentication, that is, once they have authenticated each other's identity, the BSF and the user share a key Ks;
  • Step 406 The BSF allocates to the user a session transaction identifier (TID) consisting only of an identification number, valid for all NAFs at the same time, and sends the allocated TID to the user. Because the TID is valid for any NAF at this point, the user can use the TID to initiate an application request to any NAF;
  • Step 407 After receiving the TID allocated by the BSF, the user sends a service application request message to the NAF selected by the user, where the request message includes the TID information allocated by the BSF;
  • Step 408 After receiving the service application request message containing the TID, the NAF first determines whether it holds the TID information locally; if so, it performs step 411, otherwise it sends a TID query message containing its local NAF identifier and its security level to the BSF and performs step 409;
  • Step 409 After receiving the query message from the NAF, the BSF first looks the TID information up locally, that is, it checks the authenticity of the TID queried by the NAF. If the TID information is not available locally, the TID is illegitimate: the BSF returns a failure response message to the NAF, the NAF tells the user to authenticate with the BSF, and the flow ends;
  • If the TID information is available locally, the BSF determines whether the locally stored attribute of the TID is "unused". If so, it changes the mark to "used", saves the correspondence between the TID and the identifier of the requesting NAF in the attribute information of the TID, and sets the security level of the TID to that of the requesting NAF. If the TID is already marked "used", the BSF judges whether the security level in the TID attribute information is the same as the security level of the requesting NAF. If the security levels are the same, the BSF further judges whether the number of NAF associations in the TID attribute information has reached the maximum allowed within that security level: at the highest security level a TID may be allowed to connect to only one NAF, while at a lower security level a TID may connect to more than one NAF, the exact number being set according to actual needs. If the maximum has been reached, the BSF considers the TID saturated and no longer usable by the requesting NAF, returns a failure response message indicating that the TID is invalid for the requesting NAF, the NAF tells the user to re-authenticate with the BSF, and the flow ends; otherwise the BSF saves in the TID attribute information the correspondence between the TID and the requesting NAF's identifier together with the updated number of existing NAF connections, that is, it binds the TID to the requesting NAF, and performs step 410. If the security levels are different, the BSF considers the TID bound to other NAFs and not usable by the requesting NAF, directly returns a failure response message indicating that the TID is invalid for the requesting NAF, the NAF tells the user to re-authenticate with the BSF, and the flow ends;
  • Step 410 The BSF includes the user's shared key Ks corresponding to the TID, or a key derived from Ks, in the success response message and sends it to the NAF; the NAF and the user now also share Ks or its derived key, and step 411 is performed;
  • Step 411 The NAF communicates normally with the user and uses the shared key Ks, or a key derived from Ks, to protect subsequent communication.
  • When the user later re-uses the services of a NAF it has already applied to, it can still use the assigned TID for the request. Only when the NAF considers the TID used by the user to be insecure, for example when the NAF has been compromised and the key corresponding to the user's TID may have been stolen, is the user prompted to update the TID. For example, the NAF may run an intrusion detection system; when that system reports that the NAF has been attacked, the NAF, after handling its own security issues, notifies the user to update the TID and the key corresponding to it.
  • After the user updates the TID, each NAF within the security level queries the BSF with the new TID; if the query succeeds, the BSF saves the attribute information of the TID and returns a success response message to the NAF. The success response message contains the TID queried by the NAF and the key information corresponding to it; the NAF then saves the new TID and its related key information and at the same time marks the old TID and its related key information as disabled, or deletes them.
  • A NAF can be an application server or a proxy for multiple application servers. When the NAF is an application server proxy, multiple application servers are connected behind it, that is, one NAF represents multiple applications; even then the NAF is still a single entity.

Abstract

This invention discloses a method of establishing an association between a session transaction identifier and a network application entity. When the BSF receives a TID query from a NAF, it first judges the authenticity of the TID; if the TID is genuine, the BSF then judges whether the TID is available to the querying NAF. If it is, the BSF stores the correspondence between the TID, the key information corresponding to the TID and the querying NAF, and sends the TID and its key information to the NAF. Because a TID is available only to one NAF or to NAFs of the same class, an attack on one NAF no longer threatens all NAFs: the attack is confined to one NAF or to the NAFs of the same class, which increases the security of the system. The method can also prompt the user to update the TID when the NAF considers the TID in use to be unsafe, for example when the NAF has been attacked.

Description

Method for establishing an association between a session transaction identifier and a network application entity
Technical field
The present invention relates to the field of third-generation wireless communication technology, and in particular to a method for establishing an association between a session transaction identifier (TID) and a network application entity (NAF).
Background of the invention
In the third-generation wireless communication standards, the common authentication framework is a generic structure used by many kinds of application service entities to verify user identity; by applying it, the users of an application service can be checked and authenticated. These application services may be multicast/broadcast services, user certificate services, instant information provision services and so on, or proxy services, for example several services connected to one proxy: the common authentication framework treats the proxy as one more service, so the organisational structure can be very flexible, and services developed in the future can likewise apply the common authentication framework to check and verify the identity of their users.
Figure 1 shows the structure of the common authentication framework. It usually consists of the user 101, the entity performing the initial check and verification of user identity (BSF) 102, the user's home subscriber server (HSS) 103 and the network application entity (NAF) 104. The BSF 102 performs mutual identity verification with the user 101, allocates a TID to a user 101 that has been mutually authenticated, and generates the key shared between the BSF 102 and the user 101; the HSS 103 stores the profile information file describing the user and also has the function of generating authentication information.
When a user needs to use a service and knows that the service requires mutual authentication with the BSF, the user goes directly to the BSF for mutual authentication; otherwise the user first contacts the NAF corresponding to the service, and if that NAF applies the common authentication framework and requires the user to authenticate with the BSF, it notifies the user to authenticate through the common authentication framework, otherwise other corresponding processing is performed. Figure 2 shows this flow.
Step 201: the user sends a service application request message to the NAF;
Step 202: on receiving the message, the NAF finds that the user has not yet performed mutual authentication with the BSF and notifies the user to first perform initial authentication with the BSF;
Step 203: the user sends an initial authentication request message to the BSF, including the user's own identification information;
Step 204: after receiving the user's authentication request message, the BSF queries the HSS for the user's authentication information and profile information and receives the response from the HSS;
Step 205: after the BSF receives the response message from the HSS containing the requested information, it uses that information to run the Authentication and Key Agreement (AKA) protocol with the user for mutual authentication; once the BSF and the user complete AKA mutual authentication, i.e. have authenticated each other's identity, the BSF and the user share the key Ks;
Step 206: the BSF allocates to the user a session transaction identifier (TID) consisting only of an identification number, valid for more than one NAF at the same time, and sends the allocated TID to the user; the TID is associated with the shared key Ks;
Step 207: after receiving the TID allocated by the BSF, the user sends the service application request message to the NAF again, including the TID allocated by the BSF;
Step 208: when the NAF receives the service application request message containing the TID, it first looks the TID up locally; if found, step 210 is performed directly, otherwise the NAF sends a TID query message containing its local identifier to the BSF and performs step 209;
Step 209: the BSF receives the query message from the NAF and looks the TID up locally; if the BSF holds the TID information queried by the NAF, it sends a successful query response to the NAF containing the TID and the shared key Ks of the user application corresponding to that TID, so that the NAF and the user now also share Ks, and step 210 is performed; otherwise the BSF sends a failed query response to the NAF, notifying it that there is no information for this user, the NAF tells the user to authenticate with the BSF, and the flow ends;
Step 210: the NAF communicates normally with the user and uses the shared key Ks, or a key derived from Ks, to protect subsequent communication.
After the first communication between the user and a NAF has completed, the authenticated TID is used in all subsequent communication with that NAF. Since the TID can be reused, any NAF that cannot find the corresponding TID locally queries the BSF; therefore, once the user has obtained a legitimate TID, it can use that TID to communicate with any NAF.
The drawback of the prior art is that the TID the BSF assigns to a user is valid for all NAFs, and the BSF does not record which NAFs have used the TID. When the BSF receives a TID query from any NAF, the TID is considered valid as long as it can be found locally at the BSF, and the TID and its related key information are sent to the querying NAF; that is, the same user uses the same key information with multiple NAFs. In this situation, once a NAF is compromised by an attacker, i.e. that NAF's copy of Ks is leaked, the attacker can impersonate the user to the services on multiple NAFs, so that all of the user's application services, and in turn all NAF functional entities, are threatened.
Summary of the invention
有鉴于此, 本发明的目的在于提供一种建立用户的会话事务标识和 不同网络应用实体之间关联的方法,避免一个 NAF被攻破,所有的 NAF 均受攻击威胁的问题。  In view of this, an object of the present invention is to provide a method for establishing a user's session transaction identifier and an association between different network application entities to avoid the problem that one NAF is compromised and all NAFs are threatened by the attack.
为到达上述目的, 本发明的技术方案是这样实现的:  To achieve the above object, the technical solution of the present invention is implemented as follows:
一种建立会话事务标识和网络应用实体之间关联的方法, 适用于应 用通用鉴权框架对用户进行身份验证的第三代无线通信领域中, 该方法 包括以下步骤: A method for establishing an association between a session transaction identifier and a network application entity, which is applicable to In the field of third-generation wireless communications that uses a common authentication framework to authenticate users, the method includes the following steps:
a. After the BSF, the entity that performs the initial check and verification of the user identity, receives a session transaction identifier (TID) query request message from the network application entity NAF, it determines whether the BSF locally has the TID information queried by the NAF; if so, step b is performed, otherwise a failed query response message is returned to the NAF;
b. The BSF determines, according to the attribute information of the queried TID, whether the TID is valid for the NAF that made the query. If so, it saves the changed attribute information of the TID and the information on the correspondence between the key information related to the TID and the querying NAF, and then sends the queried TID and its related key information to the querying NAF; otherwise, the BSF returns to the querying NAF a query response message indicating that the queried TID is invalid.
Preferably, the TID query request message received by the BSF from the NAF in step a includes at least the local identity of the querying NAF;
The attribute information of the TID in step b includes at least: information on whether the TID has been used;
The method by which the BSF determines in step b whether the queried TID is valid for the querying NAF is: determine whether the queried TID is marked as unused; if so, the queried TID is valid for the querying NAF, otherwise the queried TID is invalid for the querying NAF;
The changed TID attribute information in step b includes at least: information that the TID has been used.
Preferably, the TID query request message received by the BSF from the NAF in step a further includes the group identity of the querying NAF;
The attribute information of the TID in step b further includes: the group identity of the NAF associated with the TID;
In step b, if the queried TID is marked as used, the method for determining whether the queried TID is valid for the querying NAF further includes: the BSF determines whether the group identity of the querying NAF is the same as the group identity in the TID attribute information; if so, the queried TID is valid for the querying NAF, otherwise the queried TID is invalid for the querying NAF;
The changed TID attribute information in step b further includes: the group identity of the querying NAF.
Preferably, the attribute information of the TID in step b further includes: a record of the number of NAFs currently connected and the maximum number of NAFs the TID may be connected to;
When the BSF determines in step b that the group identity of the querying NAF is the same as the group identity in the TID attribute information, the method for determining whether the queried TID is valid for the querying NAF further includes: determining whether the number of NAFs currently connected to the TID is less than or equal to the maximum number of NAFs the TID may be connected to; if so, the queried TID is valid for the querying NAF, otherwise the queried TID is invalid for the querying NAF;
The changed TID attribute information in step b further includes: the updated number of currently connected NAFs and the maximum number of NAFs the TID may be connected to.
Preferably, the TID query request message received by the BSF from the NAF in step a further includes the security level of the querying NAF;
The queried TID information in step b further includes: the security level information of the TID;
In step b, if the queried TID is marked as used, the method for determining whether the queried TID is valid for the querying NAF further includes: the BSF further determines whether the security level in the queried TID information is the same as the preset security level of the querying NAF; if so, the queried TID is valid for the querying NAF, otherwise the queried TID is invalid for the querying NAF;
The changed TID attribute information in step b further includes: the security level information of the TID.
Preferably, the queried TID information in step b further includes: the number of existing associations with NAFs, the identities of the associated NAFs, and the maximum number of associations allowed;
After the BSF determines in step b that the security level of the queried TID is the same as the preset security level of the querying NAF, the method further includes: the BSF determines whether the number of NAFs associated with the TID in the queried TID information has already reached the maximum allowed within that security level; if so, the queried TID is invalid for the querying NAF, otherwise the queried TID is valid for the querying NAF;
The changed TID attribute information in step b further includes: the updated number of existing associations with NAFs, the identities of the associated NAFs, and the maximum number of associations allowed.
Preferably, the correspondence information in step b includes: the correspondence between the queried TID and the identity of the NAF using the TID, and the security level of the NAF corresponding to the TID.
Preferably, before step a is performed, the method further includes: after the user and the BSF have mutually authenticated, the BSF assigns a TID to the user, and the BSF and the user share key information related to the TID; when the NAF receives a service request from the user that includes the TID, it determines whether it has the TID information locally; if so, it communicates normally with the user, otherwise it sends a TID query message to the BSF, and step a is then performed.
Preferably, the method further includes: when a NAF is subjected to an illegal attack, prompting the user to re-authenticate at the BSF and to update the TID and its corresponding key information.
Preferably, the changed TID attribute information in step b further includes: the identity information of the querying NAF.
With the present invention, when the BSF receives a TID query from a NAF, it first determines whether it has the information for that TID locally, that is, it checks the authenticity of the TID. If the TID information is present locally, that is, the TID is authentic, the BSF then determines whether the TID is valid for the querying NAF. If it is valid, the BSF first saves the correspondence between the TID, the key information related to the TID, and the querying NAF, and only then sends the TID and its related key information to the NAF. With the present invention, a TID is valid only for one NAF, or only for NAFs of the same security level; that is, a TID is bound to one NAF or to NAFs of one security level, which avoids the problem that compromising one NAF threatens all NAFs. The invention confines the threat to one NAF or to NAFs of the same level, thereby increasing the security of the system. Moreover, when a NAF considers the TID used by the user to be no longer secure, for example when the NAF is subjected to an illegal attack, the user will be prompted to update the TID.
Brief description of the drawings
Figure 1 is a schematic diagram of the structure of the generic authentication framework;
Figure 2 is a flowchart of user identity authentication using the generic authentication framework in the prior art;
Figure 3 is a flowchart of Embodiment 1 of the present invention;
Figure 4 is a flowchart of Embodiment 2 of the present invention.
Mode of Carrying Out the Invention
The present invention is described in detail below with reference to the drawings.
The idea of the present invention is as follows: after receiving a TID query request message from a NAF, the BSF determines whether it locally has the TID information queried by the NAF. If not, it returns a failed query response message to the NAF. If so, the BSF determines, according to the attribute information of the queried TID, whether the TID is valid for the querying NAF; if it is, the BSF saves the changed attribute information of the TID and the information on the correspondence between the key information related to the TID and the querying NAF, and then sends the queried TID and its related key information to the querying NAF; otherwise, the BSF returns to the querying NAF a query response message indicating that the queried TID is invalid.
Figure 3 is a flowchart of Embodiment 1 of the present invention.
Step 301: The user sends a service application request message to the NAF;
Step 302: Upon receiving the message, the NAF finds that the user has not yet mutually authenticated with the BSF, and notifies the user to first perform initial authentication at the BSF;
Step 303: The user sends an initial authentication request message to the BSF, which includes the user's own identity information;
Step 304: After receiving the user's authentication request message, the BSF queries the HSS for the user's authentication information and profile information, and obtains the HSS's response;
Step 305: After the BSF obtains the response message from the HSS containing the requested information, it uses that information to perform mutual authentication with the user by running the Authentication and Key Agreement (AKA) protocol. Once the BSF and the user have completed AKA mutual authentication, that is, have authenticated each other's identity, the BSF and the user possess a shared key Ks;
Step 306: The BSF assigns the user a session transaction identifier (TID) consisting only of an identification number, valid for all NAFs at the same time, and sends the assigned TID to the user. Because the TID is valid for any NAF, the user can use the TID obtained to initiate an application request to any NAF;
Step 307: After receiving the TID assigned by the BSF, the user sends a service application request message to the NAF of its choice, containing the TID assigned by the BSF;
Step 308: After receiving the service application request message containing the TID information from the user, the NAF first determines whether it has the TID information locally. If so, step 311 is performed; otherwise, the NAF sends a TID query message including its local NAF identity to the BSF, and step 309 is performed;
Step 309: After receiving the NAF's TID query message, the BSF first checks whether it has the TID information locally, that is, it checks the authenticity of the TID queried by the NAF. If the TID information is not present locally, the TID is illegitimate: the BSF returns a failure response message to the NAF, the NAF notifies the user to authenticate at the BSF, and the processing flow ends.
If the TID information is present locally, the BSF determines whether the locally stored attribute information of the TID is "unused". If so, the "unused" mark of the TID is changed to "used", the correspondence between the TID and the identity of the querying NAF is saved in the TID's attribute information, that is, the TID is bound to the querying NAF, and step 310 is performed. Otherwise, the BSF considers that the TID has already been bound to another NAF and can no longer be used by the querying NAF, and returns a failure response message to the NAF indicating that the TID is invalid for the querying NAF; the NAF notifies the user to re-authenticate at the BSF, and the processing flow ends.
Step 310: The BSF includes the shared key Ks of the user corresponding to the TID, or a key derived from Ks, in a success response message sent to the NAF; the NAF and the user now also share the key Ks or its derived key, and step 311 is performed;
Step 311: The NAF communicates normally with the user, and uses the shared key Ks, or a key derived from Ks, to protect subsequent communication.
In the above embodiment, the NAFs in a given region may be put into one group and assigned a group identity; the number of groups is determined by the NAF administrator. When the BSF finds that it has the TID information queried by the NAF locally and the attribute information of the TID is "unused", it changes the TID's "unused" mark to "used", saves in the TID's attribute information the correspondence between the TID and the identity of the querying NAF together with the group identity of the querying NAF, that is, binds the TID to the querying NAF, and then sends the shared key Ks of the user corresponding to the TID, or a key derived from Ks, to the NAF in a success response message;
If the BSF finds that it has the TID information queried by the NAF locally and the attribute information of the TID is "used", the BSF further determines whether the group identity of the querying NAF is the same as the group identity in the TID's attribute information. If they are the same, the TID is considered valid, and the shared key Ks of the user corresponding to the TID, or a key derived from Ks, is sent to the NAF in a success response message; otherwise, a failure response message indicating that the TID is invalid for the querying NAF is returned to the NAF, the NAF notifies the user to re-authenticate at the BSF, and the processing flow ends.
In the above, all NAFs in the same group use the same TID. Alternatively, a TID can be made valid for a fixed number of NAFs, implemented as follows:
Fields are added to the TID's attribute information to record the number of NAFs currently connected and the maximum number of NAFs the TID may be connected to. If the number of NAFs currently connected to the TID is less than or equal to the maximum, the TID is valid for the querying NAF within the group; otherwise, the TID is invalid for the querying NAF within the group, and that NAF needs to be associated with a new TID.
When the user again uses a service on a NAF it has already used, the assigned TID can still be used for the request to that NAF. Only when the NAF considers the TID used by the user to be no longer secure, for example when the NAF has been subjected to an illegal attack and considers that the user's TID and the corresponding key may have been stolen, will the user be prompted to update the TID. For example, the NAF itself may run an intrusion detection system that monitors its own security; when that system reports that the NAF has been attacked by a hacker, the NAF, after handling its own security problem, notifies the user to update the TID and the key corresponding to it.
Figure 4 is a flowchart of Embodiment 2 of the present invention.
Taking security, operation and other aspects into account, an operator may, according to its own needs, divide NAFs of different security levels into different groups. For example, NAFs with a low security level are placed in one group, forming one security domain; NAFs with a high security level are placed in another group, forming another security domain; and certain NAFs with very high security requirements each form a group of their own, each group being an independent security domain. In this way, one security domain shares one TID and its corresponding key information.
Step 401: The user sends a service application request message to the NAF;
Step 402: Upon receiving the message, the NAF finds that the user has not yet mutually authenticated with the BSF, and notifies the user to first perform initial authentication at the BSF;
Step 403: The user sends an initial authentication request message to the BSF, which includes the user's own identity information;
Step 404: After receiving the user's authentication request message, the BSF queries the HSS for the user's authentication information and profile information, and obtains the HSS's response;
Step 405: After the BSF obtains the response message from the HSS containing the requested information, it uses that information to perform mutual authentication with the user by running the Authentication and Key Agreement (AKA) protocol. Once the BSF and the user have completed AKA mutual authentication, that is, have authenticated each other's identity, the BSF and the user possess a shared key Ks;
Step 406: The BSF assigns the user a session transaction identifier (TID) consisting only of an identification number, valid for all NAFs at the same time, and sends the assigned TID to the user. Because the TID is valid for any NAF, the user can use the TID obtained to initiate an application request to any NAF;
Step 407: After receiving the TID assigned by the BSF, the user sends a service application request message to the NAF of its choice, containing the TID assigned by the BSF;
Step 408: After receiving the service application request message containing the TID information from the user, the NAF first determines whether it has the TID information locally. If so, step 411 is performed; otherwise, the NAF sends to the BSF a TID query message including its local NAF identity and its security level, and step 409 is performed;
Step 409: After receiving the NAF's TID query message, the BSF first checks whether it has the TID information locally, that is, it checks the authenticity of the TID queried by the NAF. If the TID information is not present locally, the TID is illegitimate: the BSF returns a failure response message to the NAF, the NAF notifies the user to authenticate at the BSF, and the processing flow ends;
If the TID information is present locally, the BSF determines whether the locally stored attribute information of the TID is "unused". If so, it changes the TID's mark to "used", saves in the TID's attribute information the correspondence between the TID and the identity of the querying NAF, sets the security level of the TID to the security level of the querying NAF together with the maximum number of connections allowed for a TID at that security level, and updates the number of NAFs currently connected; that is, after the TID has been bound to the querying NAF, step 410 is performed;
If the attribute information of the TID stored locally at the BSF is marked "used", the BSF determines whether the security level in the TID's attribute information is the same as the security level of the querying NAF. If the security levels are the same, the BSF further determines whether, within that security level, the number of NAF associations in the TID's attribute information has already reached the maximum the security level allows. At the highest security level a TID may be allowed to connect to only one NAF, whereas at a relatively low security level a TID may be allowed to connect to more than one NAF; the exact number can be set according to actual needs. If the maximum has been reached, the BSF considers that the number of NAFs connected to the TID is saturated and the TID can no longer be used by the querying NAF, and returns a failure response message to the NAF indicating that the TID is invalid for the querying NAF; the NAF notifies the user to re-authenticate at the BSF, and the processing flow ends. Otherwise, the BSF saves in the TID's attribute information the correspondence between the TID and the identity of the querying NAF together with the updated number of connected NAFs, that is, binds the TID to the querying NAF, and step 410 is performed;
If the security levels differ, the BSF considers that the TID has already been bound to other NAFs and can no longer be used by the querying NAF, and directly returns a failure response message to the NAF indicating that the TID is invalid for the querying NAF; the NAF notifies the user to re-authenticate at the BSF, and the processing flow ends;
Step 410: The BSF includes the shared key Ks of the user corresponding to the TID, or a key derived from Ks, in a success response message sent to the NAF; the NAF and the user now also share the key Ks or its derived key, and step 411 is performed;
Step 411: The NAF communicates normally with the user, and uses the shared key Ks, or a key derived from Ks, to protect subsequent communication.
When the user again uses a service on a NAF it has already used, the assigned TID can still be used for the request to that NAF. Only when the NAF considers the TID used by the user to be no longer secure, for example when the NAF has been subjected to an illegal attack and considers that the user's TID and the corresponding key may have been stolen, will the user be prompted to update the TID. For example, the NAF itself may run an intrusion detection system that monitors its own security; when that system reports that the NAF has been attacked by a hacker, the NAF, after handling its own security problem, notifies the user to update the TID and the key corresponding to it.
For NAFs of the same security level, when one NAF considers the TID used by a user to be no longer secure, it prompts the user to update the TID. After each NAF at that security level receives the new TID, it queries the BSF; if the BSF query succeeds, the BSF saves the TID's attribute information and returns a success response message to the NAF, which includes the TID queried by the NAF and the key information corresponding to that TID. The NAF then saves the new TID and the key information related to it, and at the same time marks the locally stored old TID and its related key information as disabled, or deletes them.
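The BSF-side decision of Embodiments 1 and 2 (authenticity check, "unused"/"used" mark, security-level match, association limit) and the TID update described above, as an added Python model that is not code from the patent or from Huawei; the message fields, the per-level limits, the HMAC-derived per-NAF key, the idempotent re-query by an already bound NAF and the NAF names are assumptions of this model.

```python
"""Model of the BSF TID binding check (Embodiments 1 and 2) and TID update.

Added example, not code from the patent or from Huawei. The message fields,
the per-level association limits, the Ks-derived per-NAF key and the
idempotent handling of a re-query by an already bound NAF are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class TidRecord:
    """TID attribute information kept at the BSF (steps 309/409, 310/410)."""
    ks: bytes                                     # Ks shared with the user after AKA
    used: bool = False                            # "unused" / "used" mark
    security_level: Optional[str] = None          # level of the NAF(s) bound to it
    bound_nafs: set = field(default_factory=set)  # identities of bound NAFs


class BSF:
    def __init__(self, max_per_level):
        # Maximum number of NAF associations one TID may hold at each security
        # level (assumed values; the text fixes only "one at the highest level").
        self.max_per_level = max_per_level
        self.tids = {}

    def bootstrap(self):
        """Steps 305/306: after AKA, allocate a fresh TID and remember Ks."""
        tid = secrets.token_hex(8)
        ks = secrets.token_bytes(32)
        self.tids[tid] = TidRecord(ks=ks)
        return tid, ks

    def query(self, tid, naf_id, naf_level):
        """Step 409: is the TID authentic, and valid for this NAF?

        Returns ("ok", key) or ("fail:<reason>", None). A TID whose
        association count has reached the level's maximum is rejected.
        """
        rec = self.tids.get(tid)
        if rec is None:                            # unknown at the BSF: not authentic
            return "fail:unknown_tid", None
        if naf_id not in rec.bound_nafs:           # a NAF not yet bound to this TID
            if not rec.used:                       # first NAF: bind and fix the level
                rec.used = True
                rec.security_level = naf_level
            elif rec.security_level != naf_level:  # bound to another security domain
                return "fail:wrong_level", None
            elif len(rec.bound_nafs) >= self.max_per_level[naf_level]:
                return "fail:saturated", None      # association limit reached
            rec.bound_nafs.add(naf_id)             # save the TID <-> NAF correspondence
        return "ok", self.naf_key(rec.ks, naf_id)

    @staticmethod
    def naf_key(ks, naf_id):
        """Key derived from Ks for one NAF (assumed derivation)."""
        return hmac.new(ks, naf_id.encode(), hashlib.sha256).digest()


class NAF:
    def __init__(self, naf_id, level, bsf):
        self.naf_id, self.level, self.bsf = naf_id, level, bsf
        self.keys = {}                             # local TID -> key cache (step 408)

    def service_request(self, tid):
        """Steps 408-411: serve from the local cache, otherwise query the BSF."""
        if tid in self.keys:
            return "ok"
        status, key = self.bsf.query(tid, self.naf_id, self.level)
        if status == "ok":
            self.keys[tid] = key
        return status                              # on failure the user is sent to the BSF

    def replace_tid(self, old_tid, new_tid):
        """TID update after a suspected compromise: disable the old TID locally."""
        self.keys.pop(old_tid, None)
        return self.service_request(new_tid)


def demo():
    """Constructed scenario: one high-level NAF and three low-level NAFs."""
    bsf = BSF(max_per_level={"high": 1, "low": 2})
    bank = NAF("naf.bank.example", "high", bsf)
    mail = NAF("naf.mail.example", "low", bsf)
    chat = NAF("naf.chat.example", "low", bsf)
    news = NAF("naf.news.example", "low", bsf)
    tid1, _ = bsf.bootstrap()
    tid2, _ = bsf.bootstrap()
    return {
        "bank_first": bank.service_request(tid1),  # binds tid1 to the "high" domain
        "bank_again": bank.service_request(tid1),  # served from the local cache
        "mail_cross": mail.service_request(tid1),  # other domain: key not released
        "mail": mail.service_request(tid2),        # binds tid2 to the "low" domain
        "chat": chat.service_request(tid2),        # second low-level NAF: allowed
        "news": news.service_request(tid2),        # third low-level NAF: saturated
    }
```

The `mail_cross` result is the point of the scheme: a TID bound at one security level yields no key at a NAF of another level, so a key leaked from one NAF cannot be replayed across domains.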
A NAF may be a single application server or a proxy for multiple application servers. When the NAF is an application server proxy, multiple application servers may be connected behind it, that is, one NAF represents multiple applications; in that case, although the NAF represents multiple application servers, the NAF itself is still a single entity.
The above are only preferred embodiments of the present invention and are not intended to limit it. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims

权利要求书 Claim
1. A method for establishing an association between a session transaction identifier and a network application entity, applicable to the field of third-generation wireless communication in which a generic authentication framework is used to authenticate users, characterized in that the method comprises the following steps:
a. After the entity performing the initial check and verification of user identity, the BSF, receives a query session transaction identifier (TID) request message from a network application entity (NAF), it determines whether the BSF locally holds the TID information queried by the NAF; if so, step b is performed, otherwise a failed query response message is returned to the NAF;
b. The BSF determines, according to the attribute information of the queried TID, whether the TID is valid for the NAF requesting the query; if so, it saves the changed attribute information of the TID and the information on the correspondence between the key information related to the TID and the NAF requesting the query, and then sends the queried TID and its related key information to the NAF requesting the query; otherwise, the BSF returns to the NAF requesting the query a query response message indicating that the queried TID is invalid.
2. The method according to claim 1, characterized in that:
in step a, the query TID request message received by the BSF from the NAF includes at least the local identifier of the NAF requesting the query;
in step b, the attribute information of the TID includes at least information on whether the TID has already been used;
in step b, the method by which the BSF determines whether the queried TID is valid for the NAF requesting the query is: determining whether the queried TID is marked as unused; if so, the queried TID is valid for the NAF requesting the query, otherwise the queried TID is invalid for the NAF requesting the query;
in step b, the changed attribute information of the TID includes at least information that the TID has been used.
3. The method according to claim 2, characterized in that:
in step a, the query TID request message received by the BSF from the NAF further includes the group identifier of the NAF requesting the query;
in step b, the attribute information of the TID further includes the group identifier of the NAF associated with the TID;
in step b, if the queried TID is marked as used, the method for determining whether the queried TID is valid for the NAF requesting the query further includes: the BSF determines whether the group identifier of the NAF requesting the query is the same as the group identifier in the attribute information of the TID; if so, the queried TID is valid for the NAF requesting the query, otherwise the queried TID is invalid for the NAF requesting the query;
in step b, the changed attribute information of the TID further includes the group identifier of the NAF requesting the query.
4. The method according to claim 3, characterized in that:
in step b, the attribute information of the TID further includes a record of the number of NAFs currently connected and the maximum number of NAFs to which the TID may be connected;
in step b, when the BSF determines that the group identifier of the NAF requesting the query is the same as the group identifier in the attribute information of the TID, the method for determining whether the queried TID is valid for the NAF requesting the query further includes: determining whether the number of NAFs currently connected to the TID is less than or equal to the maximum number of NAFs to which the TID may be connected; if so, the queried TID is valid for the NAF requesting the query, otherwise the queried TID is invalid for the NAF requesting the query;
in step b, the changed attribute information of the TID further includes the updated number of NAFs currently connected and the maximum number of NAFs to which the TID may be connected.
5. The method according to claim 2, characterized in that:
in step a, the query TID request message received by the BSF from the NAF further includes the security level of the NAF requesting the query;
in step b, the queried TID information further includes the security level information of the TID;
in step b, if the queried TID is marked as used, the method for determining whether the queried TID is valid for the NAF requesting the query further includes: the BSF further determines whether the security level in the queried TID information is the same as the preset security level of the NAF requesting the query; if so, the queried TID is valid for the NAF requesting the query, otherwise the queried TID is invalid for the NAF requesting the query;
in step b, the changed attribute information of the TID further includes the security level information of the TID.
6. The method according to claim 5, characterized in that:
in step b, the queried TID information further includes the current number of associations with NAFs, the identifiers of the associated NAFs, and the maximum number of associations allowed;
in step b, after the BSF determines that the security level of the queried TID is the same as the preset security level of the NAF requesting the query, the method further includes: the BSF determines whether the number of NAFs associated with the TID in the queried TID information has already reached the maximum allowed within that security level; if so, the queried TID is invalid for the NAF requesting the query, otherwise the queried TID is valid for the NAF requesting the query;
in step b, the changed attribute information of the TID further includes the updated current number of associations with NAFs, the identifiers of the associated NAFs, and the maximum number of associations allowed.
7. The method according to claim 1, characterized in that the correspondence information in step b includes: the correspondence between the queried TID and the identifier of the NAF using the TID, and the security level of the NAF corresponding to the TID.
8. The method according to claim 1, characterized in that, before step a is performed, the method further includes: after mutual authentication between the user and the BSF, the BSF allocates a TID to the user, and the BSF and the user share key information related to the TID; when the NAF receives a service request from the user that includes the TID, it determines whether it holds the TID information locally; if so, it communicates with the user normally, otherwise it sends a query TID message to the BSF and then step a is performed.
9. The method according to claim 1, characterized in that the method further includes: when the NAF is subject to an illegal attack, prompting the user to re-authenticate with the BSF and to update the TID and the corresponding key information.
10. The method according to any one of claims 2 to 6, characterized in that, in step b, the changed attribute information of the TID further includes the identification information of the NAF requesting the query.
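The BSF-side decision of claims 1 to 6 (step a lookup, then the used flag, group identifier, security level and association-count checks of step b) together with the NAF-side caching and TID-update behaviour from the description, as an added example that is not code from the patent. The `TidRecord`, `BSF` and `NAF` classes, the response dictionaries and all TIDs and keys are constructed for illustration.

```python
# Added example, not the patent's code: BSF TID query check (claims 1-6) and
# NAF cache/TID-update behaviour from the description. TIDs and keys are constructed.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class TidRecord:
    key: bytes                            # TID-related key shared with the user
    used: bool = False                    # claim 2: already handed to a NAF?
    group_id: Optional[str] = None        # claim 3: group of the NAFs using it
    security_level: Optional[int] = None  # claim 5: their security level
    nafs: set = field(default_factory=set)  # claim 6: associated NAF identifiers
    max_nafs: int = 1                     # claims 4/6: maximum associations

class BSF:
    def __init__(self):
        self.tids = {}
    def allocate(self, tid, key, max_nafs=1):  # claim 8: after mutual authentication
        self.tids[tid] = TidRecord(key=key, max_nafs=max_nafs)
    def query(self, tid, naf_id, group_id, security_level):
        rec = self.tids.get(tid)
        if rec is None:                        # step a: TID not held locally
            return {"status": "failure"}
        if rec.used:                           # step b: a used TID gets stricter checks
            if group_id != rec.group_id or security_level != rec.security_level:
                return {"status": "invalid", "reason": "group/security level mismatch"}
            if naf_id not in rec.nafs and len(rec.nafs) >= rec.max_nafs:
                return {"status": "invalid", "reason": "association limit reached"}
        rec.used, rec.group_id, rec.security_level = True, group_id, security_level
        rec.nafs.add(naf_id)                   # record the TID <-> NAF correspondence
        return {"status": "success", "tid": tid, "key": rec.key}

class NAF:
    def __init__(self, naf_id, group_id, security_level, bsf):
        self.naf_id, self.group_id, self.level, self.bsf = naf_id, group_id, security_level, bsf
        self.cache = {}                        # TID -> key for TIDs already resolved
    def service_request(self, tid):
        if tid in self.cache:                  # claim 8: known TID, no BSF round trip
            return "ok"
        resp = self.bsf.query(tid, self.naf_id, self.group_id, self.level)
        if resp["status"] != "success":
            return "rejected"
        self.cache[tid] = resp["key"]
        return "ok"
    def tid_updated(self, old_tid, new_tid):
        """Description: resolve the new TID at the BSF, then disable the old one."""
        result = self.service_request(new_tid)
        if result == "ok":
            self.cache.pop(old_tid, None)      # old TID and key no longer usable
        return result
```

A second NAF of a different group, or a third NAF once the association limit is reached, is refused even though the TID exists, which is the property the claims are after: a leaked TID cannot be redeemed by an arbitrary NAF.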
PCT/CN2004/001213 2003-11-11 2004-10-26 A method of setting up the association between the session transaction identification and the network application entity WO2005046119A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200310114069.9 2003-11-11
CNB2003101140699A CN100466515C (en) 2003-11-11 2003-11-11 Method for establishing interaction between conversation business mark and network application entity

Publications (1)

Publication Number Publication Date
WO2005046119A1 true WO2005046119A1 (en) 2005-05-19

Family

ID=34558466

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2004/001213 WO2005046119A1 (en) 2003-11-11 2004-10-26 A method of setting up the association between the session transaction identification and the network application entity

Country Status (2)

Country Link
CN (1) CN100466515C (en)
WO (1) WO2005046119A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1315268C (en) 2003-11-07 2007-05-09 华为技术有限公司 Method for authenticating users
CN100563154C (en) * 2004-11-05 2009-11-25 华为技术有限公司 A kind of method that ensures user identity mark secret
CN102238000B (en) * 2010-04-21 2015-01-21 华为技术有限公司 Encrypted communication method, device and system
US20190020643A1 (en) * 2016-02-12 2019-01-17 Telefonaktiebolaget Lm Ericsson (Publ) Securing an interface and a process for establishing a secure communication link

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1319966A (en) * 2001-03-20 2001-10-31 杨大成 Small amount payment system design scheme for electronic business of cellular mobile telecommunication network
CN1379343A (en) * 2002-04-30 2002-11-13 北京信源咨讯信息技术有限公司 Entrance guard method and system using blue tooth technique in wireless authentication and data transmitting/receiving
WO2003088578A1 (en) * 2002-04-18 2003-10-23 Nokia Corporation Method, system and device for service selection via a wireless local area network

Also Published As

Publication number Publication date
CN100466515C (en) 2009-03-04
CN1617494A (en) 2005-05-18

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase