WO2005093990A1 - Method for accessing a home subscriber server in a universal authentication framework - Google Patents
- Publication number
- WO2005093990A1 (PCT/CN2005/000340)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- user
- impi
- imsi
- bsf
- hss
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
Definitions
- The present invention relates to the field of third-generation (3G) wireless communication technology, and particularly to a method for accessing a user's home network server (HSS) in a universal authentication framework.
- The universal authentication framework is a common structure used by multiple application service entities to complete the verification of user identity.
- Applying the universal authentication framework allows the users of application services to be checked and verified. The application services may be multicast/broadcast services, user certificate services, instant information provision services, etc., or they may be agency (proxy) services.
- FIG. 1 shows the structure of a general authentication framework.
- the universal authentication framework is generally composed of a user terminal (UE) 101, an entity (BSF) 102 that performs initial check and verification of user identity, a user home network server (HSS) 103, and a network application entity (NAF) 104.
- the BSF 102 is used to mutually verify the identity with the user terminal 101, and simultaneously generate a shared key between the BSF 102 and the user 101.
- The HSS 103 stores a profile describing user information; the profile includes all descriptive information related to the user, such as the user identity. The HSS 103 also has the function of generating authentication vector information.
- The process for the user to verify identity with the BSF is:
- The UE sends an authentication request to the BSF; the request message includes the user's IP Multimedia Private User Identity (IMPI).
- The BSF requests the user's authentication information from the HSS; this request message also contains the IMPI of the user terminal.
- The HSS finds the user's profile according to the IMPI of the user terminal, generates an authentication vector, and returns it to the BSF.
- The universal authentication framework supports a wide range of services: not only IP multimedia services but also other services such as multicast/broadcast (MBMS) services, user certificate services, etc. The HSS itself stores the user profiles, and a profile can be indexed according to the user's International Mobile Subscriber Identity (IMSI) or IP Multimedia Private User Identity (IMPI).
- IMSI is a relatively common identifier; its format is a 15-digit number string. IMPI is customized according to the Network Access Identifier (NAI) format, usually "user's private identifier@domain name". Both IMSI and IMPI are permanent user identities.
- The communication interface between the BSF and the HSS reuses the Cx interface between a network entity and the HSS in IP multimedia services. An IMSI cannot be carried or recognized on the Cx interface, so when the BSF queries the HSS for profile information through the Cx interface it must use an IMPI in NAI format to identify the user.
- When a user needs to use the universal authentication framework and the user terminal supports IP multimedia services, the user already has an IMPI, so the user terminal simply provides its own IMPI when it sends the authentication request to the BSF. If the user terminal does not support IP multimedia services, the user has only an IMSI and no IMPI; in that case the user equipment is responsible for converting the IMSI to an IMPI so that it can be used in the authentication communication.
- The disadvantage of this method is that the conversion of IMSI to IMPI is done on the user equipment side, but in practice not all user equipment has this function.
- Earlier-produced user equipment lacks the function of converting IMSI to IMPI, yet it can support 3G services and would also like to use the universal authentication framework.
- None of these user terminals can use the universal authentication framework. In practice it is difficult to guarantee that all user equipment supports the conversion of IMSI to IMPI, so every terminal without this function is excluded from the universal authentication framework, and widespread application of the framework cannot be achieved.
Summary of the invention
- An object of the present invention is to provide a method for accessing the HSS, so that user equipment that does not support the conversion of IMSI to IMPI can also use the universal authentication framework.
- A method for accessing a user's home network server (HSS) is used in a universal authentication framework system. The method includes the following steps:
- The verification entity BSF, after receiving an authentication request from the user, determines the type of the user identification information in the request.
- If it is an IP multimedia private user identity (IMPI), the BSF sends a message containing the IMPI requesting user description information to the HSS, directly accessing the user's home network server. If it is an international mobile subscriber identity (IMSI), the IMSI is converted to an IMPI, and a message containing the converted IMPI requesting user description information is then sent to the HSS to access the user's home network server. If it is neither IMPI nor IMSI, a failure message with a failure reason value is returned to the user.
- The method further includes: after the HSS receives a message containing an IMPI requesting user description information, it determines whether the IMPI contains an IMSI field; if so, it converts the network access identifier back to the IMSI and indexes the user description information by the IMSI; otherwise it indexes the user description information by the IMPI.
- The failure reason value prompts the user to use a permanent user identity.
- The permanent identity of the user is the IMPI or the IMSI.
- The present invention adds a new operation to the BSF of the universal authentication framework: the BSF judges the type of the user identification information it receives. If it is an IMPI, the BSF sends a message containing the IMPI requesting user description information to the HSS; if it is an IMSI, the BSF converts the IMSI to an IMPI and then sends a message containing the converted IMPI requesting user description information to the HSS; if it is a temporary identity or a re-authentication identity, the BSF returns a failure message with a reason value to the user.
- User equipment that does not support converting IMSI to IMPI format can thus also use the universal authentication framework, and the range of use of the framework is expanded. The invention is simple to implement and easy to apply.
Brief description of the drawings
- Figure 1 shows the structure of a general authentication framework
- FIG. 2 shows a flowchart of a BSF accessing an HSS using the present invention.
- After receiving the authentication request information from the user, the BSF determines whether the user identification information in the request is an IMPI or an IMSI. If it is an IMPI, the BSF sends a message containing the IMPI requesting user description information to the HSS through the Cx interface, directly accessing the user's home network server. If it is an IMSI, the IMSI is converted to an IMPI, and a message containing the IMPI requesting user description information is then sent to the HSS through the Cx interface, accessing the user's home network server. Otherwise, a failure message with a reason value is returned to the user.
- Referring to FIG. 2, the flow of the BSF accessing the HSS is as follows:
- Step 201 The user sends an authentication request message to the BSF, and prepares to use the universal authentication framework.
- the authentication request message includes user identification information.
- Step 202 The BSF receives an authentication request message including user identification information.
- Step 203: The BSF determines the type of the received user identification information. If it is an IMPI, step 206 is performed; if it is an IMSI, step 205 is performed; if it is a temporary identity or a re-authentication identity, step 204 is performed.
- Step 204: The BSF returns a failure message to the user, including a failure reason value.
- The reason value indicates a user identification information error and prompts the user to resend the authentication request message with a permanent user identity; the process then ends.
- Temporary identities and re-authentication identities are regional identities that are not allocated by the HSS, so the HSS cannot recognize them.
- The permanent user identity may be an IMSI or an IMPI.
- Step 205: The BSF converts the IMSI to IMPI format.
- The specific conversion method is the same as in the existing technology.
- For example, a user's IMSI is 234150999999999, where 234 is the mobile country code, 15 is the mobile network code, and 0999999999 identifies the individual subscriber.
- Converted to IMPI format, it becomes 234150999999999@15.234.IMSI.3gppnetwork.org; the converted IMPI contains the IMSI field.
- Step 206 The BSF sends a message containing the IMPI requesting user description information to the HSS through the Cx interface.
- Step 207: The HSS performs local indexing according to the received information and returns the indexed user description information to the BSF. After receiving the user description information returned by the HSS, the BSF interacts with the user to perform the mutual authentication process.
- The HSS indexes locally as follows: it first determines whether the received identifier is a true IMPI, that is, whether the received user identifier contains an IMSI field. If no IMSI field is present, it is a true IMPI; otherwise the received identity is an IMPI converted from an IMSI.
- If the HSS receives a true IMPI, it directly indexes the user's profile by the IMPI, generates authentication data, and returns the profile and the authentication data to the BSF.
- The BSF completes the mutual authentication process with the user, and the user then uses the result of the authentication to communicate with the corresponding service server.
- If the received identity is an IMPI converted from an IMSI, the HSS performs the reverse conversion, decomposing the IMPI to obtain the user's IMSI; this conversion is likewise the same as in the existing technology.
- The HSS then indexes the user's profile by the IMSI, generates authentication data, and returns the profile and the authentication data together to the BSF. The BSF completes the mutual authentication process with the user, and the user then uses the result of the authentication to communicate with the corresponding service server.
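The BSF decision of steps 203 to 206 and the HSS indexing of step 207, as an added Python example that is not part of the patent. It uses the IMPI domain form given in the patent's example (MNC.MCC.IMSI.3gppnetwork.org) and assumes a two-digit MNC; the HSS side additionally re-derives the IMPI from the embedded IMSI before trusting it, a check the patent does not specify.

```python
import re

# Identifier shapes as the patent describes them:
# IMSI: 15-digit string (MCC + MNC + subscriber number); IMPI: NAI form "private-id@domain".
IMSI_RE = re.compile(r"^\d{15}$")
IMPI_RE = re.compile(r"^[^@\s]+@[^@\s]+$")
# Domain suffix of an IMPI derived from an IMSI, in the form the patent's example gives
# (MNC.MCC.IMSI.3gppnetwork.org). Assumption: a 2-digit MNC, as in that example.
DERIVED_SUFFIX = ".IMSI.3gppnetwork.org"
MNC_LEN = 2


def imsi_to_impi(imsi: str) -> str:
    """BSF step 205: build the NAI-format IMPI from an IMSI (patent's example form)."""
    if not IMSI_RE.fullmatch(imsi):
        raise ValueError("IMSI must be a 15-digit string")
    mcc, mnc = imsi[:3], imsi[3:3 + MNC_LEN]
    return f"{imsi}@{mnc}.{mcc}{DERIVED_SUFFIX}"


def impi_to_imsi(impi: str):
    """HSS side: return the embedded IMSI if the IMPI carries an IMSI field, else None."""
    user, sep, domain = impi.partition("@")
    if not sep or not domain.endswith(DERIVED_SUFFIX):
        return None
    # Re-derive the IMPI and compare, so a domain that is inconsistent with the
    # embedded IMSI is not treated as a valid derived identity (assumed check).
    if not IMSI_RE.fullmatch(user) or imsi_to_impi(user) != impi:
        return None
    return user


def bsf_handle_request(user_id: str) -> dict:
    """Steps 203-206: classify the identity; only permanent identities are sent to the HSS."""
    if IMPI_RE.fullmatch(user_id):
        return {"action": "query_hss", "impi": user_id}
    if IMSI_RE.fullmatch(user_id):
        return {"action": "query_hss", "impi": imsi_to_impi(user_id)}
    # Temporary and re-authentication identities are not allocated by the HSS: step 204.
    return {"action": "fail",
            "reason": "user identification information error; resend with permanent identity"}


def hss_index_key(impi: str) -> tuple:
    """Step 207: pick the profile index key: ("imsi", x) for derived IMPIs, ("impi", x) otherwise."""
    imsi = impi_to_imsi(impi)
    return ("imsi", imsi) if imsi else ("impi", impi)
```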
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CNB2004100309098A (CN100397942C, zh) | 2004-03-26 | 2004-03-26 | A method for accessing a user's home network server in a universal authentication framework
CN200410030909.8 | 2004-03-26 | |
Publications (1)
Publication Number | Publication Date
---|---
WO2005093990A1 (fr) | 2005-10-06
Family
ID=35046912
Family Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
PCT/CN2005/000340 (WO2005093990A1, fr) | 2004-03-26 | 2005-03-18 | Method for accessing a home subscriber server in a universal authentication framework
Country Status (2)
Country | Link
---|---
CN (1) | CN100397942C (fr)
WO (1) | WO2005093990A1 (fr)
- 2004
  - 2004-03-26 CN CNB2004100309098A patent/CN100397942C/zh not_active Expired - Fee Related
- 2005
  - 2005-03-18 WO PCT/CN2005/000340 patent/WO2005093990A1/fr active Application Filing
Also Published As
Publication Number | Publication Date
---|---
CN1674708A (zh) | 2005-09-28
CN100397942C (zh) | 2008-06-25