Method for establishing an association between a session transaction identifier and a network application entity

Technical Field
The present invention relates to the field of third-generation wireless communication technology, and in particular to a method for establishing an association between a session transaction identifier (TID) and a network application entity (NAF).

Background of the Invention
In the third-generation wireless communication standard, the generic authentication framework is a general structure used by many application service entities to verify user identity; by applying it, the users of an application service can be checked and their identity verified. The application services concerned may be multicast/broadcast services, user certificate services, instant information provision services and so on, or proxy services, for example several services connected to one proxy: the generic authentication framework treats the proxy as just another service, so the organizational structure can be very flexible. Moreover, the generic authentication framework can equally be applied to check and verify the identity of the users of services developed in the future.
Figure 1 is a schematic diagram of the structure of the generic authentication framework. It usually consists of a user 101, an entity that performs the initial check and verification of user identity (BSF) 102, a user home network server (HSS) 103 and a network application entity (NAF) 104. The BSF 102 performs mutual authentication with the user 101, assigns a TID to the mutually authenticated user 101 and at the same time generates a key shared between the BSF 102 and the user 101. The HSS 103 stores the profile information file describing the user, and also has the function of generating authentication information.
When a user needs to use a service, if the user knows that the service requires mutual authentication at the BSF, the user goes directly to the BSF for mutual authentication; otherwise the user first contacts the NAF corresponding to the service, and if that NAF applies the generic authentication framework and requires the user to be authenticated at the BSF, it notifies the user to authenticate using the generic authentication framework; otherwise other corresponding processing is performed.
The prior-art flow of user identity authentication, shown in Figure 2, comprises the following steps:
Step 201: the user sends a service application request message to the NAF;
Step 202: on receiving the message, the NAF finds that the user has not yet performed mutual authentication with the BSF and notifies the user to first perform initial authentication at the BSF;
Step 203: the user sends an initial authentication request message to the BSF; the message includes the user's own identification information;
Step 204: after receiving the user's authentication request message, the BSF queries the HSS for the user's authentication information and profile information, and obtains the HSS's response;
Step 205: after the BSF obtains the response message from the HSS containing the information it queried, it uses that information to perform mutual authentication with the user by running the Authentication and Key Agreement (AKA) protocol; once the BSF and the user complete AKA mutual authentication, i.e. have authenticated each other's identity, the BSF and the user possess a shared key Ks;
Step 206: the BSF assigns the user a session transaction identifier (TID) consisting only of an identification number, which is valid for more than one NAF at the same time, and sends the assigned TID to the user; the TID is associated with the shared key Ks;
Step 207: after receiving the TID assigned by the BSF, the user re-sends the service application request message to the NAF, this time including the TID assigned by the BSF;
Step 208: when the NAF receives the user's service application request message containing the TID, it first looks the TID up locally; if found, step 210 is performed directly, otherwise the NAF sends the BSF a query-TID message containing the NAF's local identity, and step 209 is performed;
Step 209: the BSF receives the query message from the NAF and looks the TID up locally; if the BSF holds the TID information queried by the NAF, it directly sends the NAF a successful query response containing the TID found and the shared key Ks associated with that TID for the user's applications, at which point the NAF and the user also share the key Ks, and step 210 is performed; otherwise the BSF sends the NAF a failed query response notifying it that there is no information for this user, the NAF notifies the user to authenticate at the BSF, and the procedure ends;
Step 210: the NAF communicates normally with the user and uses the shared key Ks, or a key derived from Ks, to protect subsequent communication.
After the first communication between the user and a NAF has finished, the authenticated TID is used in all subsequent communication with that NAF. Because the TID can be reused, and any NAF that cannot find the TID locally will query the BSF for it, once the user has obtained a valid TID the user can use it to communicate with any NAF.
The drawback of the prior art is that the TID the BSF assigns to a user is valid for all NAFs, and the BSF does not record which NAFs have used the TID. When the BSF receives a query-TID message from any NAF, it treats the TID as valid as long as it can be found locally, and sends the TID and the key information associated with it to the querying NAF; that is, the same user shares the same key information with multiple NAFs. In this situation, once one NAF is compromised by an attacker, i.e. the Ks held by that NAF is leaked, the attacker can impersonate the user on the services of multiple NAFs, so that all of the user's application services, and in turn the functional entities of all NAFs, are under threat.

Summary of the Invention
In view of this, the object of the present invention is to provide a method for establishing an association between a user's session transaction identifier and different network application entities, so as to avoid the problem that all NAFs are threatened when one NAF is compromised.
To achieve the above object, the technical solution of the present invention is realized as follows:
A method for establishing an association between a session transaction identifier and a network application entity, applicable in the field of third-generation wireless communication where a generic authentication framework is used to authenticate users, the method comprising the following steps:
a. after the entity that performs the initial check and verification of user identity (BSF) receives a query session transaction identifier (TID) request message from a network application entity (NAF), the BSF determines whether it locally holds the TID information queried by the NAF; if so, step b is performed, otherwise a failed query response message is returned to the NAF;
b. the BSF determines, from the attribute information of the TID found, whether the TID is valid for the querying NAF; if so, it saves the changed attribute information of the TID together with information on the correspondence between the key information associated with the TID and the querying NAF, and then sends the TID found and its associated key information to the querying NAF; otherwise the BSF returns to the querying NAF a query response message indicating that the queried TID is invalid.
Preferably, the query-TID request message the BSF receives from the NAF in step a includes at least the local identity of the querying NAF;
the attribute information of the TID in step b includes at least: information on whether the TID has been used;
the method by which the BSF determines in step b whether the TID found is valid for the querying NAF is: determine whether the TID found is marked as unused; if so, the TID found is valid for the querying NAF, otherwise it is invalid for the querying NAF;
the changed TID attribute information in step b includes at least: information that the TID has been used.
Preferably, the query-TID request message the BSF receives from the NAF in step a further includes the group identifier of the querying NAF;
the attribute information of the TID in step b further includes: the group identifier of the NAF associated with the TID;
in step b, if the TID found is marked as used, the method for determining whether the TID found is valid for the querying NAF further includes: the BSF determines whether the group identifier of the querying NAF is the same as the group identifier in the TID's attribute information; if so, the TID found is valid for the querying NAF, otherwise it is invalid for the querying NAF;
the changed TID attribute information in step b further includes: the group identifier of the querying NAF.
Preferably, the attribute information of the TID in step b further includes: a record of the number of NAFs currently connected and the maximum number of NAFs the TID may be connected to;
when the BSF determines in step b that the group identifier of the querying NAF is the same as the group identifier in the TID's attribute information, the method for determining whether the TID found is valid for the querying NAF further includes: determine whether the number of NAFs currently connected to the TID is less than or equal to the maximum number of NAFs the TID may be connected to; if so, the TID found is valid for the querying NAF, otherwise it is invalid for the querying NAF;
the changed TID attribute information in step b further includes: the updated number of NAFs currently connected and the maximum number of NAFs the TID may be connected to.
Preferably, the query-TID request message the BSF receives from the NAF in step a further includes the security level of the querying NAF;
the TID information found in step b further includes: the security level information of the TID;
in step b, if the TID found is marked as used, the method for determining whether the TID found is valid for the querying NAF further includes: the BSF further determines whether the security level in the TID information found is the same as the pre-set security level of the querying NAF; if so, the TID found is valid for the querying NAF, otherwise it is invalid for the querying NAF;
the changed TID attribute information in step b further includes: the security level information of the TID.
Preferably, the TID information found in step b further includes: the current number of associations with NAFs, the identities of the associated NAFs, and the maximum number of associations allowed;
after the BSF determines in step b that the security level of the TID found is the same as the pre-set security level of the querying NAF, the method further includes: the BSF determines whether the number of NAFs associated with the TID in the TID information found has already reached the maximum allowed within that security level; if so, the TID found is invalid for the querying NAF, otherwise it is valid for the querying NAF;
the changed TID attribute information in step b further includes: the updated current number of associations with NAFs, the identities of the associated NAFs, and the maximum number of associations allowed.
Preferably, the correspondence information in step b includes: the correspondence between the TID found and the identity of the NAF using the TID, and the security level of the NAF corresponding to the TID.
Preferably, before step a is performed, the method further includes: after the user and the BSF have mutually authenticated, the BSF assigns a TID to the user, and the BSF and the user share the key information associated with the TID; when the NAF receives a service request from the user that includes the TID, it determines whether it holds the TID information locally; if so, it communicates normally with the user, otherwise it sends a query-TID message to the BSF and step a is then performed.
Preferably, the method further includes: when the NAF has suffered an illegal attack, prompting the user to re-authenticate at the BSF and update the TID and the corresponding key information.
Preferably, the changed TID attribute information in step b further includes: the identification information of the querying NAF.
With the present invention, when the BSF receives a query-TID message from a NAF it first determines whether it holds the TID information locally, i.e. it checks the authenticity of the TID; if the TID information is held locally, i.e. the TID is genuine, the BSF then determines whether the TID is valid for the querying NAF; if it is valid, the BSF first saves the correspondence between the TID and its associated key information and the querying NAF, and then sends the TID and its associated key information to the NAF. With the present invention a TID is valid only for one NAF or for NAFs of the same security level, i.e. a TID is bound to one NAF or to the NAFs of one security level, which avoids the problem that all NAFs are threatened when one NAF is compromised: the invention confines the threat to the scope of one NAF or of the NAFs of one level, thereby increasing the security of the system. Moreover, when the NAF considers the TID used by the user to be no longer secure, for example when the NAF has suffered an illegal attack, the user will be prompted to update the TID.
Brief Description of the Drawings
Figure 1 is a schematic diagram of the structure of the generic authentication framework;
Figure 2 is a flow chart of prior-art user identity authentication using the generic authentication framework;
Figure 3 is a flow chart of a first embodiment of the present invention;
Figure 4 is a flow chart of a second embodiment of the present invention.

Mode for Carrying Out the Invention
The present invention is described in detail below with reference to the drawings.
The idea of the present invention is: after the BSF receives a query-TID request message from a NAF, it determines whether it locally holds the TID information queried by the NAF; if not, it returns a failed query response message to the NAF; if so, the BSF determines from the attribute information of the TID found whether the TID is valid for the querying NAF, and if it is, saves the changed attribute information of the TID together with the correspondence between the key information associated with the TID and the querying NAF, and then sends the TID found and its associated key information to the querying NAF; otherwise the BSF returns to the querying NAF a query response message indicating that the queried TID is invalid.
Figure 3 is a flow chart of the first embodiment of the present invention:
Step 301: the user sends a service application request message to the NAF;
Step 302: on receiving the message, the NAF finds that the user has not yet performed mutual authentication with the BSF and notifies the user to first perform initial authentication at the BSF;
Step 303: the user sends an initial authentication request message to the BSF; the message includes the user's own identification information;
Step 304: after receiving the user's authentication request message, the BSF queries the HSS for the user's authentication information and profile information, and obtains the HSS's response;
Step 305: after the BSF obtains the response message from the HSS containing the information it queried, it uses that information to perform mutual authentication with the user by running the Authentication and Key Agreement (AKA) protocol; once the BSF and the user complete AKA mutual authentication, i.e. have authenticated each other's identity, the BSF and the user possess a shared key Ks;
Step 306: the BSF assigns the user a session transaction identifier (TID) consisting only of an identification number, which is valid for all NAFs at the same time, and sends the assigned TID to the user; at this point, because the TID is valid for any NAF, the user can use the TID obtained to initiate an application request to any NAF;
Step 307: after receiving the TID assigned by the BSF, the user sends a service application request message to the NAF of its choice, including the TID assigned by the BSF;
Step 308: after the NAF receives the user's service application request message containing the TID, it first determines whether it holds the TID information locally; if so, step 311 is performed; otherwise the NAF sends the BSF a query-TID message including the local NAF identity, and step 309 is performed;
Step 309: after the BSF receives the NAF's query-TID message, it first checks whether it holds the TID information locally, i.e. checks the authenticity of the TID queried by the NAF; if the TID information is not held locally, i.e. the TID is illegitimate, the BSF returns a failed response message to the NAF, the NAF notifies the user to authenticate at the BSF, and the procedure ends;
if the TID information is held locally, the BSF determines whether the locally stored attribute information of the TID is "unused"; if so, it changes the TID's "unused" mark to "used", saves the correspondence between the TID and the identity of the querying NAF in the TID's attribute information, i.e. binds the TID to the querying NAF, and step 310 is performed; otherwise the BSF considers that the TID has already been bound to another NAF and can no longer be used by the querying NAF, and returns a failed response message to the NAF indicating that the TID is invalid for the querying NAF; the NAF notifies the user to re-authenticate at the BSF, and the procedure ends;
Step 310: the BSF includes the user's shared key Ks corresponding to the TID, or a key derived from Ks, in a success response message sent to the NAF; at this point the NAF and the user also share the key Ks or its derived key, and step 311 is performed;
Step 311: the NAF communicates normally with the user and uses the shared key Ks, or a key derived from Ks, to protect subsequent communication.
In the above embodiment, the NAFs within a given region can be grouped and assigned a group identifier, the number of groups being determined by the NAF administrator. When the BSF finds that it locally holds the TID information queried by the NAF and the TID's attribute information is "unused", it changes the TID's "unused" mark to "used", saves in the TID's attribute information the correspondence between the TID and the identity of the querying NAF together with the group identifier of the group the querying NAF belongs to, i.e. binds the TID to the querying NAF, and then includes the user's shared key Ks corresponding to the TID, or a key derived from Ks, in a success response message sent to the NAF;
If the BSF finds that it locally holds the TID information queried by the NAF and the TID's attribute information is "used", the BSF further determines whether the group identifier of the querying NAF is the same as the group identifier in the TID's attribute information; if so, the TID is considered valid and the user's shared key Ks corresponding to the TID, or a key derived from Ks, is included in a success response message sent to the NAF; otherwise a failed response message is returned to the NAF indicating that the TID is invalid for the querying NAF, the NAF notifies the user to re-authenticate at the BSF, and the procedure ends.
In the above, all NAFs in the same group use the same TID. It is of course also possible to make a TID valid for a certain number of NAFs; the specific implementation is as follows:
Fields are added to the TID's attributes to record the number of NAFs currently connected and the maximum number of NAFs the TID may be connected to. If the number of NAFs currently connected to the TID is less than or equal to that maximum, the TID is valid for the querying NAF within the group; otherwise the TID is invalid for the querying NAF within the group, and that NAF must correspond to a new TID.
When the user again uses a service on a NAF already used, the user can still send requests to that NAF with the assigned TID; only when the NAF considers the TID used by the user to be no longer secure, for example when the NAF has suffered an illegal attack and believes that the user's TID and the key corresponding to it may have been stolen, will the user be prompted to update the TID. For example, the NAF may itself be fitted with an intrusion detection system to detect whether it is secure; when this system reports that the NAF has been attacked by a hacker, the NAF, after dealing with its own security problem, notifies the user to update the TID and the key corresponding to it.
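As an added illustration that is not part of the patent, the following Python model contrasts the prior-art BSF lookup of steps 208 and 209 with the binding checks of steps a and b as refined in the first embodiment (unused/used mark, group identifier, connection count) and in the security-level variant of the summary; the TID values, NAF identities, group names and per-level association limits are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: TID values, NAF identities, group names and the
# per-level association limits are assumptions, not values from the patent.


@dataclass
class TidRecord:
    """TID attribute information held by the BSF (the attributes of step b)."""
    ks: bytes                                     # shared key Ks from the AKA run with the user
    used: bool = False                            # "unused" / "used" mark
    group_id: Optional[str] = None                # group of the NAF(s) the TID is bound to
    security_level: Optional[int] = None          # security level set when the TID is bound
    max_links: int = 1                            # maximum number of NAFs this TID may be bound to
    linked_nafs: set = field(default_factory=set)  # identities of the NAFs already bound


@dataclass(frozen=True)
class NafQuery:
    """Fields carried in a NAF's query-TID message: local NAF id, group id, security level."""
    naf_id: str
    group_id: str
    security_level: int


class PriorArtBSF:
    """Prior-art steps 208/209: any NAF presenting a TID the BSF knows receives Ks."""

    def __init__(self, tids: dict):
        self.tids = tids

    def query(self, tid: str, q: NafQuery):
        rec = self.tids.get(tid)
        if rec is None:
            return "FAIL_UNKNOWN", None
        return "OK", rec.ks        # no record of which NAF took the key


class BindingBSF:
    """BSF behaviour of the invention: step a (authenticity), then step b (validity)."""

    def __init__(self, tids: dict, max_links_per_level: dict):
        self.tids = tids
        self.max_links_per_level = max_links_per_level   # assumed per-level policy

    def query(self, tid: str, q: NafQuery):
        rec = self.tids.get(tid)
        if rec is None:                      # step a: TID not held locally
            return "FAIL_UNKNOWN", None
        if not rec.used:                     # step b, first use: bind the TID to this NAF
            rec.used = True
            rec.group_id = q.group_id
            rec.security_level = q.security_level
            rec.max_links = self.max_links_per_level[q.security_level]
            rec.linked_nafs.add(q.naf_id)
            return "OK", rec.ks
        # step b, TID already bound: the querying NAF must match the bound group and
        # security level, and the association limit for that level must not be reached
        if q.group_id != rec.group_id:
            return "FAIL_INVALID", None
        if q.security_level != rec.security_level:
            return "FAIL_INVALID", None
        if q.naf_id not in rec.linked_nafs and len(rec.linked_nafs) >= rec.max_links:
            return "FAIL_INVALID", None
        rec.linked_nafs.add(q.naf_id)        # save the updated correspondence
        return "OK", rec.ks


def compromise_scenario():
    """One NAF group is breached: does a NAF in another domain still obtain the same Ks?"""
    ks = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed sample Ks
    naf_a = NafQuery("naf-a.example", "group-low", 1)       # first NAF the user contacts
    naf_a2 = NafQuery("naf-a2.example", "group-low", 1)     # same group and level
    naf_a3 = NafQuery("naf-a3.example", "group-low", 1)     # would exceed the level-1 limit
    naf_c = NafQuery("naf-c.example", "group-low", 2)       # same group, other level
    naf_b = NafQuery("naf-b.example", "group-high", 2)      # different security domain

    prior = PriorArtBSF({"tid-1": TidRecord(ks=ks)})
    bound = BindingBSF({"tid-1": TidRecord(ks=ks)}, {1: 2, 2: 1})

    out = {}
    out["prior_a"] = prior.query("tid-1", naf_a)[0]
    out["prior_b"], out["prior_b_key"] = prior.query("tid-1", naf_b)   # Ks handed out again
    out["bound_a"] = bound.query("tid-1", naf_a)[0]          # binds tid-1 to group-low, level 1
    out["bound_a_again"] = bound.query("tid-1", naf_a)[0]    # already-bound NAF: still valid
    out["bound_a2"] = bound.query("tid-1", naf_a2)[0]        # same group, within limit of 2
    out["bound_a3"] = bound.query("tid-1", naf_a3)[0]        # limit reached: rejected
    out["bound_level_mismatch"] = bound.query("tid-1", naf_c)[0]
    out["bound_b"] = bound.query("tid-1", naf_b)[0]          # other group: rejected
    out["bound_unknown"] = bound.query("tid-9", naf_a)[0]    # step a failure
    return out
```

In the bound case a NAF outside the bound group or level receives no key at all and must send the user back to the BSF, so a Ks leaked from one domain is never shared with another.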
Figure 4 is a flow chart of the second embodiment of the present invention.
Taking security, operation and other aspects into account, an operator can divide NAFs of different security levels into different groups according to its own needs. For example, NAFs of low security level are placed in one group forming one security domain; NAFs of high security level are placed in another group forming another security domain; and certain NAFs with very high security requirements each form a group of their own, each group being an independent security domain. In this way, one security domain shares one TID and its corresponding key information.
Step 401: the user sends a service application request message to the NAF;
Step 402: on receiving the message, the NAF finds that the user has not yet performed mutual authentication with the BSF and notifies the user to first perform initial authentication at the BSF;
Step 403: the user sends an initial authentication request message to the BSF; the message includes the user's own identification information;
Step 404: after receiving the user's authentication request message, the BSF queries the HSS for the user's authentication information and profile information, and obtains the HSS's response;
Step 405: after the BSF obtains the response message from the HSS containing the information it queried, it uses that information to perform mutual authentication with the user by running the Authentication and Key Agreement (AKA) protocol; once the BSF and the user complete AKA mutual authentication, i.e. have authenticated each other's identity, the BSF and the user possess a shared key Ks;
Step 406: the BSF assigns the user a session transaction identifier (TID) consisting only of an identification number, which is valid for all NAFs at the same time, and sends the assigned TID to the user; at this point, because the TID is valid for any NAF, the user can use the TID obtained to initiate an application request to any NAF;
Step 407: after receiving the TID allocated by the BSF, the user sends a service application request message to the NAF it has selected; the request message contains the TID information allocated by the BSF;
Step 408: after receiving the service application request message containing the TID information sent by the user, the NAF first determines whether it holds the TID information locally; if so, step 411 is performed; otherwise, the NAF sends to the BSF a TID query message that includes the local NAF identifier and security level, and step 409 is performed;
Step 409: after receiving the TID query message from the NAF, the BSF first checks whether it holds the TID information locally, that is, it checks the authenticity of the TID queried by the NAF; if the TID information is not present locally, i.e. the TID is illegal, the BSF returns a failure response message to the NAF, the NAF notifies the user to go to the BSF for authentication, and the processing flow ends;
If the TID information is present locally, the BSF determines whether the locally stored attribute information of the TID is marked "unused"; if so, it changes the mark of the TID to "used" and stores in the attribute information of the TID the correspondence between the TID and the identifier of the NAF that issued the query; at the same time it sets the security level of the TID to the security level of the querying NAF, together with the maximum number of connections allowed for a TID of that security level and the updated number of currently connected NAFs. That is, after binding the TID to the querying NAF, step 410 is performed.
If the attribute information of the TID stored locally by the BSF is marked "used", the BSF determines whether the security level in the attribute information of the TID is the same as the security level of the querying NAF. If the security levels are the same, the BSF further determines whether, within that security level, the number of NAF associations in the attribute information of the TID has already reached the maximum allowed for that security level (at the highest security level, one TID may be allowed to connect with only one NAF, while at a relatively low security level one TID may be allowed to connect with more than one NAF; the specific number of connections can be determined according to actual needs). If so, the BSF considers that the number of NAFs connected to the TID has reached saturation and that the TID can no longer be used by the querying NAF, and returns a failure response message to the NAF indicating that the TID is invalid for the querying NAF; the NAF notifies the user to go to the BSF again for authentication, and the processing flow ends. Otherwise, the BSF stores in the attribute information of the TID the correspondence between the TID and the identifier of the querying NAF, together with the updated number of currently connected NAFs; that is, after binding the TID to the querying NAF, step 410 is performed.
If the security levels are different, the BSF considers that the TID has already been bound to other NAFs and can no longer be used by the querying NAF; it directly returns a failure response message to the NAF indicating that the TID is invalid for the querying NAF; the NAF notifies the user to go to the BSF again for authentication, and the processing flow ends;
Step 410: the BSF includes the shared key Ks of the user corresponding to the TID, or a key derived from the shared key Ks, in a success response message and sends it to the NAF; at this point the NAF and the user also share the key Ks or its derived key, and step 411 is performed;
Step 411: the NAF communicates normally with the user and uses the shared key Ks, or a key derived from the shared key Ks, to protect subsequent communication.
When the user again uses a service on a NAF it has already used, it can still send the request to the NAF with the allocated TID. Only when the NAF considers that the TID used by the user is no longer secure, for example when the NAF has suffered an illegal attack and considers that the user's TID and the key corresponding to that TID may have been stolen, will it prompt the user to update the TID. For example, the NAF itself has an intrusion detection system installed to detect whether it is secure; when this system reports that the NAF has been attacked by a hacker, the NAF, after dealing with its own security problem, notifies the user to update the TID and the key corresponding to the TID.
For NAFs of the same security level, when one NAF considers that the TID used by a certain user is no longer secure, it prompts the user to update the TID. After receiving the new TID, each NAF within that security level queries the BSF; if the BSF query succeeds, the BSF stores the attribute information of the TID and returns a success response message to the NAF, which includes the TID queried by the NAF and the key information corresponding to that TID. At this point the NAF stores the new TID and the key information related to it, and at the same time marks the locally stored old TID and the key information related to the old TID as disabled, or deletes them.
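The BSF decision logic of steps 408 to 410 (unused/used mark, security-level binding, per-level connection limit, unknown TID rejection) and the NAF-side local TID store with the TID update described above, as an added example that is not part of the patent text. The per-level limits, the HMAC-based derivation of a per-NAF key from Ks, the message formats and the class and method names are all assumptions made here for illustration; the text leaves the limits and the derivation function to the operator.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Maximum number of NAFs one TID may be bound to, per security level.
# Constructed values: the text leaves the actual limits to the operator.
MAX_NAFS_PER_LEVEL = {"high": 1, "medium": 2, "low": 4}


@dataclass
class TidAttributes:
    """Attribute information the BSF keeps for one allocated TID."""
    ks: bytes                                  # shared key Ks from the AKA run
    used: bool = False                         # the "unused" / "used" mark
    level: Optional[str] = None                # security level fixed on first binding
    nafs: set = field(default_factory=set)     # identifiers of the NAFs bound to this TID


def derive_naf_key(ks: bytes, naf_id: str) -> bytes:
    """Key derived from Ks for one NAF (constructed HMAC derivation, not the spec's)."""
    return hmac.new(ks, naf_id.encode(), hashlib.sha256).digest()


class BSF:
    def __init__(self) -> None:
        self.tids: dict = {}

    def allocate_tid(self, tid: str, ks: bytes) -> None:
        """Step 406: record a freshly allocated TID with its Ks, marked unused."""
        self.tids[tid] = TidAttributes(ks=ks)

    def query_tid(self, tid: str, naf_id: str, naf_level: str):
        """Step 409 decision. Returns (True, derived key) or (False, failure reason)."""
        rec = self.tids.get(tid)
        if rec is None:                        # TID not known locally: illegal TID
            return False, "unknown TID"
        if rec.used:
            if rec.level != naf_level:         # already bound in another security domain
                return False, "TID bound to another security domain"
            # Assumption: a NAF that is already bound may re-query without
            # consuming another slot; a new NAF needs a free slot at this level.
            if naf_id not in rec.nafs and len(rec.nafs) >= MAX_NAFS_PER_LEVEL[rec.level]:
                return False, "TID saturated for this security level"
        else:                                  # first binding fixes the security level
            rec.used = True
            rec.level = naf_level
        rec.nafs.add(naf_id)                   # bind TID and NAF, update connection count
        return True, derive_naf_key(rec.ks, naf_id)   # step 410 success response


class NAF:
    def __init__(self, naf_id: str, level: str, bsf: BSF) -> None:
        self.naf_id, self.level, self.bsf = naf_id, level, bsf
        self.keys: dict = {}                   # local TID information: TID -> key
        self.disabled: set = set()             # old TIDs marked disabled after an update

    def handle_request(self, tid: str):
        """Steps 408 to 411: serve from local store, otherwise query the BSF."""
        if tid in self.disabled:
            return False, "TID disabled"
        if tid in self.keys:
            return True, self.keys[tid]
        ok, info = self.bsf.query_tid(tid, self.naf_id, self.level)
        if ok:
            self.keys[tid] = info
        return ok, info

    def renew_tid(self, old_tid: str, new_tid: str):
        """TID update after a suspected compromise: bind the new TID, disable the old one."""
        ok, info = self.handle_request(new_tid)
        if ok:
            self.keys.pop(old_tid, None)
            self.disabled.add(old_tid)
        return ok, info


if __name__ == "__main__":
    bsf = BSF()
    bsf.allocate_tid("tid-1", b"ks-1")          # constructed TID and Ks
    high_a, high_b = NAF("naf-a", "high", bsf), NAF("naf-b", "high", bsf)
    print(high_a.handle_request("tid-1")[0])    # True: first binding
    print(high_b.handle_request("tid-1"))       # saturated: "high" allows one NAF
```

A low-level domain with a limit of four lets several NAFs share one TID, while the high level rejects a second NAF and a NAF from a different level is refused outright; after `renew_tid` the old TID is no longer served by that NAF even though the BSF still holds its record.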
The NAF may be an application server, or it may be a proxy for multiple application servers. When the NAF is an application server proxy, multiple application servers can be connected behind the NAF, that is, one NAF represents multiple applications; in that case, although the NAF represents multiple application servers, the NAF itself is still a single entity.
The above are only preferred embodiments of the present invention and are not intended to limit the present invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.