WO2005093990A1 - Method for accessing a home subscriber server in a universal authentication framework - Google Patents

Method for accessing a home subscriber server in a universal authentication framework

Info

Publication number
WO2005093990A1
Authority
WO
WIPO (PCT)
Application number
PCT/CN2005/000340
Other languages
English (en)
Chinese (zh)
Inventor
Yingxin Huang
Wenlin Zhang
Original Assignee
Huawei Technologies Co., Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2004-03-26
Filing date
2005-03-18
Publication date
2005-10-06
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2005093990A1

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04W  WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00  Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06  Authentication

Definitions

  • The present invention relates to the field of third-generation wireless communication technology, and particularly to a method for accessing a user's home network server (HSS) in a universal authentication framework.
  • The universal authentication framework is a common structure used by multiple application service entities to complete the verification of a user's identity; applying it allows the users of application services to be checked and verified.
  • The application services mentioned above may be multicast/broadcast services, user certificate services, instant information provision services, etc., or they may be agency services.
  • FIG. 1 shows the structure of a universal authentication framework.
  • The universal authentication framework is generally composed of a user terminal (UE) 101, an entity (BSF) 102 that performs the initial check and verification of the user's identity, a user home network server (HSS) 103, and a network application entity (NAF) 104.
  • The BSF 102 mutually verifies identity with the user terminal 101 and at the same time generates a key shared between the BSF 102 and the user 101.
  • The HSS 103 stores a profile describing the user; the profile includes all descriptive information related to the user, such as the user's identity. The HSS 103 also has the function of generating authentication vector information.
  • The process by which the user verifies identity with the BSF is:
  • The UE sends an authentication request to the BSF; the request message includes the user's IP Multimedia Private User Identity (IMPI).
  • The BSF requests the user's authentication information from the HSS; this request message also contains the IMPI of the user terminal.
  • The HSS finds the user's profile according to the IMPI of the user terminal, generates an authentication vector, and returns it to the BSF.
  • The universal authentication framework supports a wide range of services: not only IP multimedia services but also others, such as multicast/broadcast (MBMS) services and user certificate services. The HSS itself can index the user profiles it stores according to either the user's International Mobile Subscriber Identity (IMSI) or the IP Multimedia Private User Identity (IMPI).
  • IMSI is a relatively common identifier; its format is a 15-digit numeric string. IMPI is customized according to the Network Access Identifier (NAI) format; its form is usually "user's private identifier@domain name". Both IMSI and IMPI are permanent user identities.
  • Because the communication interface between the BSF and the HSS reuses the Cx interface between a network entity and the HSS in IP multimedia services, and an IMSI cannot be carried or recognised on the Cx interface, the BSF must use an IMPI in the NAI format to identify the user whenever it queries the HSS for profile information through the Cx interface.
  • When a user needs to use the universal authentication framework: if the user terminal supports IP multimedia services, the user has an IMPI, so when the user terminal sends an authentication request to the BSF it simply provides its own IMPI. If the user terminal does not support IP multimedia services, the user has only an IMSI and no IMPI; in that case the user equipment side is responsible for converting the IMSI into an IMPI so that it can be used in the authentication communication.
  • The disadvantage of the above method is that the work of converting IMSI to IMPI is done on the user equipment side, but in actual applications not all user equipment has this function.
  • Earlier-produced user equipment, for example, lacks the function of converting IMSI to IMPI, yet it supports 3G services and would also like to use the universal authentication framework.
  • None of these user terminals can use the universal authentication framework. It can be seen that in practical applications it is difficult to guarantee that all user terminals support converting IMSI to IMPI, so every user terminal lacking this function is excluded from the universal authentication framework, and the framework cannot be widely applied.

Summary of the invention
  • An object of the present invention is to provide a method for accessing the HSS, so that user equipment that does not support converting IMSI to IMPI can also use the universal authentication framework.
  • A method for accessing a user's home network server (HSS) is used in a universal authentication framework system and includes the following steps:
  • After receiving an authentication request from the user, the verification entity (BSF) determines the type of the user identification information in the request.
  • If it is an IP multimedia private user identity (IMPI), the BSF sends a message containing the IMPI requesting user description information to the HSS, thereby accessing the user's home network server directly. If it is an international mobile subscriber identity (IMSI), the IMSI is converted to an IMPI, and then a message containing the IMPI requesting user description information is sent to the HSS to access the user's home network server. If it is neither an IMPI nor an IMSI, a failure message with a failure reason value is returned to the user.
  • The method further includes: after the HSS receives a message containing an IMPI requesting user description information, it determines whether the IMPI includes an IMSI field. If so, it converts the network access identifier back to the IMSI and indexes the user description information according to the IMSI; otherwise it indexes the user description information according to the IMPI.
  • The failure reason value prompts the user to use the user's permanent identity.
  • The user's permanent identity is an IMPI or an IMSI.
  • The present invention adds a new operation to the BSF in the universal authentication framework: the BSF judges the type of the user identification information it receives. If it is an IMPI, the BSF sends a message containing the IMPI requesting user description information to the HSS; if it is an IMSI, the BSF converts the IMSI to an IMPI and then sends a message containing the converted IMPI requesting user description information to the HSS; if it is a temporary identity or a re-authentication identity, the BSF returns a failure message with a reason value to the user.
  • As a result, user equipment that does not support converting IMSI to the IMPI format can also use the universal authentication framework, and the range of use of the framework is expanded. The invention is simple to implement and easy to apply.

Brief description of the drawings
  • Figure 1 shows the structure of a universal authentication framework.
  • FIG. 2 shows a flowchart of a BSF accessing an HSS using the present invention.
  • After receiving the authentication request information from the user, the BSF determines whether the user identification information in the request is an IMPI or an IMSI. If it is an IMPI, the BSF sends a message containing the IMPI requesting user description information to the HSS through the Cx interface and thereby accesses the user's home network server directly. If it is an IMSI, the BSF converts the IMSI to an IMPI and then sends a message containing the IMPI requesting user description information to the HSS through the Cx interface, accessing the user's home network server. Otherwise, the BSF returns a failure message with a reason value to the user.
  • Step 201: The user sends an authentication request message to the BSF, preparing to use the universal authentication framework. The authentication request message includes user identification information.
  • Step 202: The BSF receives the authentication request message including the user identification information.
  • Step 203: The BSF determines the type of the user identification information received. If it is an IMPI, step 206 is performed; if it is an IMSI, step 205 is performed; if it is a temporary identity or a re-authentication identity, step 204 is performed.
  • Step 204: The BSF returns a failure message to the user, including the failure reason value. The reason value is "user identification information error"; it prompts the user to resend an authentication request message containing the permanent user identity, and the process ends.
  • A temporary identity or re-authentication identity is a regional (local) identifier that is not allocated by the HSS, so the HSS cannot recognise it. The permanent user identity may be an IMSI or an IMPI.
  • Step 205: The BSF converts the IMSI to the IMPI format. The specific conversion method is the same as in the existing technology.
  • For example, if the IMSI of a user is 234150999999999, then 234 is the mobile country code, 15 is the mobile network code, and 0999999999 identifies the subscriber. Converted to the IMPI format, the identity takes the form 234150999999999@15.234.IMSI.3gppnetwork.org; the converted IMPI contains the IMSI field.
  • Step 206: The BSF sends a message containing the IMPI requesting user description information to the HSS through the Cx interface.
  • Step 207: The HSS performs a local index lookup according to the received information and returns the indexed user description information to the BSF. After receiving the user description information returned by the HSS, the BSF interacts with the user to perform the mutual authentication process.
  • The method by which the HSS indexes locally is: first determine whether the received identity is a true IMPI, that is, determine whether there is an IMSI field in the received user identity. If there is not, it is a true IMPI; otherwise the identity received by the HSS is an IMPI converted from an IMSI.
  • If the HSS receives a true IMPI, it directly indexes the user's profile by the IMPI, generates the authentication data, and returns the profile and the authentication data to the BSF. The BSF completes the mutual authentication process with the user, and the user then uses the result of the authentication to communicate with the corresponding service server.
  • Otherwise, the HSS performs the reverse conversion on the received identity, that is, it decomposes the IMPI to obtain the user's IMSI; this conversion is also the same as in the existing technology. The HSS then indexes the user's profile according to the IMSI, generates the authentication data, and returns the profile and the authentication data to the BSF together. The BSF completes the mutual authentication process with the user, and the user then uses the result of the authentication to communicate with the corresponding service server.
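The BSF decision of steps 203 to 206 and the HSS reverse lookup of step 207, as an added example that is not code from the patent or from Huawei. It assumes the converted-IMPI form shown above (IMSI@MNC.MCC.IMSI.3gppnetwork.org, with a 2-digit MNC), treats any identity that is neither a 15-digit string nor NAI-shaped as a temporary identity, and adds one sanity check the page does not describe: the HSS rejects a converted IMPI whose realm disagrees with the IMSI prefix.

```python
import re

# Added example, not code from the patent. Models the BSF's identity-type
# decision (steps 203-206) and the HSS's reverse lookup (step 207).
# Assumed format for a converted IMPI, as shown in the description:
#   <IMSI>@<MNC>.<MCC>.IMSI.3gppnetwork.org

IMSI_RE = re.compile(r"[0-9]{15}")
# NAI form "private identifier@domain". Assumption: anything else (a temporary
# or re-authentication identity, for instance) is treated as non-permanent.
IMPI_RE = re.compile(r"[^@\s]+@[A-Za-z0-9.-]+")
CONVERTED_IMPI_RE = re.compile(
    r"(?P<imsi>[0-9]{15})@(?P<mnc>[0-9]{2,3})\.(?P<mcc>[0-9]{3})\.IMSI\.3gppnetwork\.org",
    re.IGNORECASE,
)

FAIL_REASON = "user identification information error: resend with a permanent identity (IMSI or IMPI)"


def imsi_to_impi(imsi: str) -> str:
    """Step 205: wrap a 15-digit IMSI in the NAI-format IMPI usable on the Cx interface."""
    if not IMSI_RE.fullmatch(imsi):
        raise ValueError("IMSI must be exactly 15 digits")
    mcc, mnc = imsi[:3], imsi[3:5]  # assumption: 2-digit MNC, as in the page's example
    return f"{imsi}@{mnc}.{mcc}.IMSI.3gppnetwork.org"


def classify_identity(ident: str) -> str:
    """Step 203: decide whether the identity in the request is an IMSI, an IMPI or something else."""
    if IMSI_RE.fullmatch(ident):
        return "IMSI"
    if IMPI_RE.fullmatch(ident):
        return "IMPI"
    return "OTHER"


def bsf_handle_request(ident: str) -> dict:
    """BSF side: return the Cx request to send (step 206) or the failure message (step 204)."""
    kind = classify_identity(ident)
    if kind == "IMPI":
        return {"action": "cx_request", "impi": ident}
    if kind == "IMSI":
        return {"action": "cx_request", "impi": imsi_to_impi(ident)}
    return {"action": "fail", "reason": FAIL_REASON}


def hss_index_key(impi: str) -> tuple:
    """HSS side (step 207): detect an embedded IMSI field and reverse the conversion.

    Returns ("IMSI", imsi) for a converted identity, ("IMPI", impi) for a true IMPI,
    or ("INVALID", impi) when the IMSI field and the realm disagree (an added
    sanity check, not part of the patent's description)."""
    m = CONVERTED_IMPI_RE.fullmatch(impi)
    if m is None:
        return ("IMPI", impi)
    imsi = m.group("imsi")
    if not imsi.startswith(m.group("mcc") + m.group("mnc")):
        return ("INVALID", impi)
    return ("IMSI", imsi)


if __name__ == "__main__":
    # Constructed sample requests: the page's IMSI, a true IMPI and a stand-in temporary id.
    for ident in ("234150999999999", "alice@ims.example.net", "tmp-token-42"):
        msg = bsf_handle_request(ident)
        lookup = hss_index_key(msg["impi"]) if "impi" in msg else "no HSS query"
        print(ident, "->", msg, "->", lookup)
```

A temporary identity that happens to be NAI-shaped would be classified as an IMPI by this simplified check; the page does not say how the BSF tells the two apart, so a real BSF needs a stricter rule than the regex used here.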


Abstract

The invention relates to a method for accessing the home subscriber server in a universal authentication framework. A new operation is added to the BSF in the universal authentication framework, such that the BSF determines the type of the user identification information received. If it is an IMPI, the BSF transmits a message containing the IMPI requesting subscriber description information; if it is an IMSI, the BSF converts the IMSI into an IMPI and then transmits a message containing the converted IMPI requesting subscriber description information; if it is a temporary identity or a re-authentication identity, the BSF returns a failure message including a reason value to the user. The method according to the invention allows user equipment that has no function for converting IMSI into IMPI to also use a universal authentication framework, thereby extending the range of application of the universal authentication framework. The method according to the invention is easy to build and to implement.
PCT/CN2005/000340 2004-03-26 2005-03-18 Method for accessing a home subscriber server in a universal authentication framework WO2005093990A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CNB2004100309098A CN100397942C (zh) 2004-03-26 2004-03-26 A method for accessing a user's home network server in a universal authentication framework
CN200410030909.8 2004-03-26

Publications (1)

Publication Number Publication Date
WO2005093990A1 (fr) 2005-10-06

Family

ID=35046912

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2005/000340 WO2005093990A1 (fr) 2004-03-26 2005-03-18 Method for accessing a home subscriber server in a universal authentication framework

Country Status (2)

Country Link
CN (1) CN100397942C (fr)
WO (1) WO2005093990A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114125836A (zh) * 2020-08-10 2022-03-01 中国移动通信有限公司研究院 Authentication method, apparatus, device and storage medium

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101022651B (zh) * 2006-02-13 2012-05-02 华为技术有限公司 A combined authentication architecture and its implementation method
CN100488314C (zh) * 2007-01-24 2009-05-13 中兴通讯股份有限公司 A method for restricting access of user terminals in a 3G network
CN101287096B (zh) * 2007-04-13 2010-09-01 中国移动通信集团公司 Card implementing identity conversion and conversion method
CN103095649A (zh) * 2011-10-31 2013-05-08 中兴通讯股份有限公司 Combined authentication method and system for IMS single sign-on
CN102833820A (zh) * 2012-08-20 2012-12-19 中国联合网络通信集团有限公司 IMS access processing method, universal subscriber identity module and terminal device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002157040A (ja) * 2000-11-22 2002-05-31 Nippon Telegr & Teleph Corp <Ntt> User authentication method and user authentication system using wireless tags
US20030046541A1 (en) * 2001-09-04 2003-03-06 Martin Gerdes Universal authentication mechanism
US20030200431A1 (en) * 2002-04-18 2003-10-23 Nokia Corporation Method and apparatus for providing peer authentication for a transport layer session
WO2004006532A1 (fr) * 2002-07-05 2004-01-15 Nortel Network Limited Method and device for controlling access to a cellular radio communication system through a wireless local area network

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0890282B1 (fr) * 1996-03-29 2003-01-15 Telecom Securicor Cellular Radio Limited Telecommunications system


Also Published As

Publication number Publication date
CN1674708A (zh) 2005-09-28
CN100397942C (zh) 2008-06-25


Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

WWW Wipo information: withdrawn in national office

Country of ref document: DE

122 Ep: pct application non-entry in european phase