WO2007093115A1 - Combined authentication architecture and method for implementing it - Google Patents


Info

Publication number
WO2007093115A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
entity
service
user
identity
Application number
PCT/CN2007/000440
Other languages
English (en)
Chinese (zh)
Inventor
Chengdong He
Original Assignee
Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2007093115A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations

Definitions

  • The present invention relates to interworking scenarios in a mobile communication system, and more particularly to a combined authentication architecture that implements interworking between an identity alliance architecture and a generic authentication architecture, and to a method for implementing it.
  • GAA: Generic Authentication Architecture (rendered elsewhere in this text as the universal, common or general authentication architecture)
  • UE: IP Multimedia Subsystem user (the user equipment)
  • BSF: Bootstrapping Server Function entity (rendered elsewhere in this text as the boot server or boot service function entity)
  • HSS: Home Subscriber Server (the user's home network server)
  • SLF: Subscriber Locator Function entity (the user location function entity)
  • NAF: Network Application Function entity (the network service application entity)
  • The UE and the BSF are connected through the Ub interface; the UE and the NAF through the Ua interface; the BSF and the HSS through the Zh interface; the BSF and the NAF through the Zn interface; and the BSF is connected to the SLF through the Dz interface.
  • The BSF performs mutual authentication with the UE during bootstrapping and generates a key Ks shared between the BSF and the user; the HSS stores the subscription profile describing the user information, and also holds the authentication information.
  • the SLF is used to assist the BSF in finding the corresponding HSS when there are multiple HSSs.
  • NAF is used to provide network services for UEs.
  • Step 1: When the user UE needs to use a certain service, if the user knows that the service requires mutual authentication with the BSF, the UE directly sends an authentication request to the BSF for mutual authentication. Otherwise, the user first contacts the NAF corresponding to the service. If the NAF uses the GBA generic authentication architecture and finds that the user has not yet performed mutual authentication with the BSF, the NAF notifies the UE to go to the BSF for mutual authentication to verify its identity. The user UE then directly sends an authentication request to the BSF for mutual authentication.
  • Step 2: After receiving the authentication request, the BSF first obtains the user's authentication vector quintuple (AUTN, RAND, IK, CK, XRES) and the user subscription data from the HSS.
  • Steps 3 to 6: The BSF uses the HTTP Digest AKA protocol for mutual authentication and key negotiation with the user UE, completing mutual authentication of identity between the user UE and the BSF.
  • Step 7: The BSF generates a shared root key Ks. The BSF also defines an expiry time for Ks so that Ks can be updated periodically.
  • Step 8: The BSF allocates a bootstrapping transaction identifier (B-TID), which identifies the current authentication transaction between the BSF and the UE.
  • B-TID: bootstrapping transaction identifier
  • The BSF associates the B-TID with the root key Ks and the UE's private user identity (IMPI), so that the BSF can later find the corresponding Ks from the B-TID.
  • The BSF then sends the bootstrapping transaction identifier (B-TID) and the expiry time of Ks to the user UE in clear text.
  • Step 9: The UE also generates the same shared root key Ks as the BSF side. After this process completes, a root key Ks is shared between the UE and the BSF, and the UE can use the formulas
  • Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id), or
  • Ks_Ext_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id) and
  • Ks_Int_NAF = KDF(Ks, "gba-u", RAND, IMPI, NAF_Id)
  • to derive a shared key Ks_(Ext/Int)_NAF between the UE and the NAF to be accessed, where NAF_Id is formed from the identifier of the NAF to be accessed and the protocol identifier (UaID) on the Ua interface, RAND is a
  • IMPI refers to the private identity of the UE; "gba-me" and "gba-u" are fixed strings; KDF is an abbreviation for key derivation function.
  • the UE acquires the derived shared key Ks_(Ext/Int)_NAF.
  • the remaining task is how NAF obtains the derived shared key Ks—(Ext/Int)_NAF. Only NAF and UE can obtain Ks_(Ext/Int)_NAF to establish a secure channel for mutual communication.
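The key derivation and the two-sided use of it described above, as an added example that is not part of the patent or of any 3GPP implementation. The KDF is written in the shape of the generic 3GPP TS 33.220 Annex B function (HMAC-SHA-256 over a function code, the parameters and their 2-byte lengths); the function code 0x01, Ks = CK || IK, the 5-byte Ua protocol identifier and every sample value (CK, IK, RAND, IMPI, NAF FQDN, B-TID) are constructed assumptions for illustration. The UE derives Ks_NAF from its own copy of Ks, the BSF looks Ks up by B-TID and applies the same formula, and the NAF compares the two in constant time, which is the Ua-interface check (B-TID as username, Ks_NAF as password) that the later steps describe.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample values (not from the patent): CK/IK as produced by AKA, the
# RAND of the challenge, the UE's private identity and the NAF's FQDN.
CK = bytes.fromhex("0f" * 16)
IK = bytes.fromhex("a5" * 16)
RAND = bytes.fromhex("1234567890abcdef1234567890abcdef")
IMPI = "user@ims.example.invalid"
NAF_FQDN = "naf.example.invalid"
# Assumption: a 5-byte Ua security protocol identifier (the "UaID" of the text).
UA_ID = bytes.fromhex("0100000002")
B_TID = "c0ffee1234@bsf.example.invalid"  # constructed bootstrapping transaction id


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic KDF in the shape of 3GPP TS 33.220 Annex B:
    HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 || ...), each Li being the
    2-byte big-endian length of Pi. FC = 0x01 for the GBA derivations below is an
    assumption; check it against the specification before relying on it."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def root_key(ck: bytes, ik: bytes) -> bytes:
    """Ks as formed by both the BSF (step 12) and the UE (step 14) from CK and IK;
    Ks = CK || IK is assumed here."""
    return ck + ik


def naf_id(fqdn: str, ua_id: bytes) -> bytes:
    """NAF_Id = identifier of the NAF concatenated with the Ua protocol identifier."""
    return fqdn.encode("utf-8") + ua_id


def derive_ks_naf(ks: bytes, rand: bytes, impi: str, nafid: bytes, label: str = "gba-me") -> bytes:
    """Ks_NAF / Ks_Ext_NAF use the string "gba-me"; Ks_Int_NAF uses "gba-u"."""
    if label not in ("gba-me", "gba-u"):
        raise ValueError("label must be gba-me or gba-u")
    return kdf(ks, 0x01, label.encode("ascii"), rand, impi.encode("utf-8"), nafid)


def ue_side(fqdn: str) -> bytes:
    """UE: derives the NAF key from its own copy of Ks (step 9 / Fig. 3 step 1)."""
    return derive_ks_naf(root_key(CK, IK), RAND, IMPI, naf_id(fqdn, UA_ID))


# BSF table keyed by B-TID: what the BSF retained at bootstrapping time (Fig. 3 step 3).
BSF_TABLE = {B_TID: {"impi": IMPI, "ks": root_key(CK, IK), "rand": RAND}}


def bsf_side(btid: str, fqdn: str) -> Optional[bytes]:
    """BSF (or the combined IdP/BSF): looks Ks up by B-TID and applies the same formula."""
    entry = BSF_TABLE.get(btid)
    if entry is None:
        return None
    return derive_ks_naf(entry["ks"], entry["rand"], entry["impi"], naf_id(fqdn, UA_ID))


def naf_verify(username: str, password: bytes, fqdn: str) -> bool:
    """NAF check of the Ua credentials (username = B-TID, password = Ks_NAF), compared
    in constant time so a wrong key is not distinguishable from a right one by timing."""
    expected = bsf_side(username, fqdn)
    if expected is None:
        return False
    return hmac.compare_digest(expected, password)


if __name__ == "__main__":
    k = ue_side(NAF_FQDN)
    print("Ks_NAF:", k.hex())
    print("NAF accepts UE:", naf_verify(B_TID, k, NAF_FQDN))
```

Because NAF_Id enters the derivation, a key derived for one NAF is useless at another, and because the BSF only ever hands out keys for the NAF that asks, a compromised NAF learns nothing about the UE's keys elsewhere; the test below checks both properties.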
  • the flow chart of NAF acquisition Ks_(Ext/Int)_NAF is as shown in Fig. 3.
  • Step 1: The UE first derives the shared key Ks_(Ext/Int)_NAF according to the formula above, then sends an application request to the NAF using the bootstrapping transaction identifier (B-TID) as the username and Ks_(Ext/Int)_NAF as the password.
  • A TLS (Transport Layer Security) connection may be established in advance to protect communication over the Ua interface.
  • Step 2 After receiving the application request from the user, the NAF sends an authentication request message to the BSF.
  • Step 3: The BSF holds information such as the B-TID, IMPI, Ks, key validity period, start time of mutual authentication between the BSF and the UE, and application-related GBA user security settings (GUSS). If the BSF can find the corresponding Ks from the B-TID, authentication of the corresponding user is complete, and the BSF then uses the same formula as the user side.
  • GUSS: GBA user security settings
  • The NAF and the UE now share the key Ks_(Ext/Int)_NAF derived from Ks, so that the two can communicate securely in subsequent communication.
  • ID-FF: Identity Federation Framework
  • ID-WSF: Identity Web Services Framework
  • ID-SIS: Identity Service Interface Specifications
  • The ID-FF architecture, as illustrated in Figure 4, comprises three main entities: the UE, the authentication identity provider (IdP, Identity Provider) and the service provider (SP, Service Provider).
  • IdP: authentication identity provider
  • SP: service provider
  • For the terminal UE there are two authentication methods. In the first, after the UE passes authentication on the IdP, the IdP directly returns the UE's Assertion to the UE; the UE then sends the Assertion to the SP, and the SP authenticates the terminal by analysing the Assertion. In the second, after the UE authenticates on the IdP, the IdP returns the UE's authentication claim link (Artifact) to the UE; the UE sends the Artifact to the SP; the SP then sends the Artifact to the IdP via the SOAP protocol; the IdP looks up the corresponding Assertion from the Artifact and returns it to the SP; finally, the SP authenticates the terminal by analysing the Assertion.
  • On each NAF, the B-TID must be used as the username and Ks_(Ext/Int)_NAF as the password for authentication in order to access that NAF. This frequent authentication enhances security, but adds complexity and inconvenience to terminal operation.
  • An identity security alliance is established between each SP and the IdP through the identity alliance function, forming a security trust circle. Once authentication has passed on the IdP, it is equivalent to having passed authentication on all the SPs in the security trust circle to which the IdP belongs.
  • IdP and NAF are one entity, as shown in FIG.
  • Its main features are as follows:
  • The Ub and Zn interfaces of the original generic authentication architecture are basically unchanged.
  • The IdP and the UE of the identity alliance architecture need to add the GBA function.
  • The related SPs and the IdP/NAF form a security trust circle through the identity alliance function.
  • When the UE accesses each SP, it first passes authentication on this IdP (NAF), which is equivalent to passing authentication on all the other related SPs.
  • The object of the present invention is to provide a combined authentication architecture and a method for implementing it, so as to implement interworking between the identity alliance architecture and the generic authentication architecture, and to remedy the defect of the prior art that the UE and the IdP have no way of knowing whether the GBA process must be performed first and the SSO process afterwards.
  • A combined authentication architecture which implements interworking on the basis of a generic authentication architecture and an identity alliance architecture, where the bootstrapping server function entity and the service authentication provider entity are one entity.
  • The combined authentication architecture, wherein the interface function between the service authentication provider entity and the home subscriber server entity is implemented by extending the Zh interface.
  • the combined authentication architecture wherein the interface function between the service authentication provider entity and the home user server entity is implemented by newly adding an interface function between the boot server function entity and the home user server entity.
  • the combined authentication architecture wherein the interface function between the IP multimedia service subsystem user and the service authentication provider entity is implemented by extending the Ub interface.
  • The combined authentication architecture, wherein the interface function between the IP multimedia service subsystem user and the service authentication provider entity is implemented by adding an interface function between the IP multimedia service subsystem user and the bootstrapping server function entity.
  • The combined authentication architecture, wherein the interface function between the service provider entity and the service authentication provider entity is implemented by extending the Zn interface.
  • The combined authentication architecture, wherein the interface function between the service provider entity and the service authentication provider entity is implemented by newly adding an interface function between the bootstrapping server function entity and the service provider entity.
  • the combined authentication architecture wherein the interface function between the IP multimedia service subsystem user and the service provider entity is implemented by extending the Ua interface.
  • the combined authentication architecture wherein the interface function between the IP multimedia service subsystem user and the service provider entity is implemented by adding an interface function between the IP multimedia service subsystem user and the network application function entity.
  • the combined authentication architecture wherein the network application function entity and the service provider entity are an entity or a different entity.
  • A method for implementing a combined authentication architecture, wherein the communication process between an IP multimedia service subsystem user and a service provider entity includes a generic authentication architecture authentication process and an identity alliance authentication process;
  • A1: In the generic authentication architecture authentication process, the bootstrapping server function entity generates a bootstrapping transaction identifier and a root key validity period and sends them to the IP multimedia service subsystem user, and a root key is generated at both ends, on the bootstrapping server function entity and on the IP multimedia service subsystem user;
  • A2: In the identity alliance authentication process, the service authentication provider entity generates an authentication statement and sends it to the IP multimedia service subsystem user.
  • Before step A1, the method further includes the following steps:
  • B1: The IP multimedia service subsystem user sends an application request to the service provider entity;
  • B2: The service provider entity sends response information to the IP multimedia service subsystem user, where the response information carries the service authentication provider address and the identity alliance request authentication information.
  • Step A1 includes the following steps:
  • C1: The IP multimedia service subsystem user sends an identity alliance authentication request message to the service authentication provider, carrying the identity alliance request authentication information;
  • C2: The service authentication provider sends a challenge response message to the IP multimedia service subsystem user, requiring the identity identification information to be carried;
  • C3: The IP multimedia service subsystem user completes the generic authentication architecture bootstrapping process with the bootstrapping server function entity and obtains the bootstrapping transaction identifier and the root key; the bootstrapping transaction identifier serves as the identity identifier;
  • C4: The IP multimedia service subsystem user sends an authentication request message to the bootstrapping server function entity, carrying the bootstrapping transaction identifier and the identity alliance request authentication information;
  • C5: The bootstrapping server function entity performs generic authentication architecture authentication on the IP multimedia service subsystem user.
  • Step C1 further includes the following step:
  • If the bootstrapping server function entity finds that the authentication request message carries a valid bootstrapping transaction identifier parameter and the root key is within its validity period, the process proceeds directly to step C4.
  • the authentication request message of the step C1 further carries an identifier, where the identifier indicates that the IP multimedia service subsystem user supports a universal authentication architecture mechanism.
  • the challenge response message of the step C2 further carries an identifier, where the identifier indicates that the user of the IP multimedia service subsystem needs to perform the universal authentication architecture mechanism authentication.
  • The authentication request message of step C4 further carries an identifier indicating that the IP multimedia service subsystem user supports the generic authentication architecture mechanism.
  • the implementation method in which the local authentication policy is configured on the service authentication provider entity, and the IP multimedia service subsystem user is required to complete the authentication process of the universal authentication architecture mechanism before performing the identity authentication alliance authentication process.
  • Step A2 includes the following steps:
  • E1: The service authentication provider performs identity alliance authentication on the IP multimedia service subsystem user;
  • E2: After authentication succeeds, the service authentication provider entity sends an authentication success response message to the IP multimedia service subsystem user;
  • E3: The IP multimedia service subsystem user submits request information to the service provider entity, carrying the above authentication success response information, and the service provider entity completes identity alliance authentication for the IP multimedia service subsystem user.
  • The method further includes the following steps:
  • F1: The service authentication provider entity returns to the IP multimedia service subsystem user the identification information of whether an identity alliance is formed with each service provider;
  • F2: The IP multimedia service subsystem user confirms the information to the service authentication provider entity and completes the identity alliance with the service provider entity.
  • The implementation method, wherein the authentication success response information in step E3 includes the authentication statement information.
  • step E3 further includes the following steps:
  • the service provider entity sends a request message to the service authentication provider entity, where the authentication claim link information is carried;
  • the service authentication provider entity finds the corresponding authentication claim information according to the authentication claim link information, and sends a response message to the service provider entity, where the authentication claim information is carried.
  • The present invention provides a combined authentication architecture in which the bootstrapping server function entity and the service authentication provider entity are one entity, and provides a solution for interworking between the identity alliance architecture and the generic authentication architecture. It solves the prior-art problem that the UE and the IdP cannot know whether the GBA process must be executed first and the SSO process afterwards, so the security of the original authentication architecture is maintained, terminal operation is simplified, and the terminal's application scenarios are extended to the use of various existing Web services.
  • FIG. 1 is a diagram of a general authentication architecture of the prior art
  • FIG. 2 is a flow chart of a prior art IMS user performing a boot process
  • FIG. 3 is a flow chart of obtaining a derivative shared key by a network application function entity of the prior art
  • FIG. 4 is a schematic diagram of an identity identity alliance structure of the prior art
  • FIG. 5 is a schematic diagram of an interworking scenario in the prior art
  • Figure 6 is a diagram of a combined authentication architecture of the present invention;
  • Figure 8 is a flow chart of the method of the present invention.
  • Figure 9 is a flow chart showing an example of a method in accordance with the present invention.
  • Figure 10 is a flow chart of another example of a method in accordance with the present invention.
  • the present invention provides a combined authentication architecture, and provides a method for implementing a combined authentication architecture to implement interworking between an identity association architecture and a universal authentication architecture.
  • The BSF and the IdP are one entity, that is, the IdP function is added to the BSF; the UE adds the identity alliance user function; the interface between the BSF and the SP adds support for the protocol interface function between the SP and the IdP; the support for the interface function between the UE and the IdP adds the function of transmitting the authentication statement or the authentication statement link content.
  • The interface function between the IdP and the HSS is implemented by extending the Zh interface.
  • The interface function between the IdP and the HSS is implemented by adding an interface function between the BSF and the HSS.
  • the interface function between the UE and the IdP is implemented by extending the Ub interface.
  • the interface function between the UE and the IdP is implemented by adding an interface function between the UE and the BSF.
  • the interface function between the SP and the IdP is implemented by extending the Zn interface.
  • the interface function between the SP and the IdP is implemented by adding an interface function between the BSF and the SP.
  • the interface function between the UE and the SP is implemented by extending the Ua interface or by adding an interface function between the UE and the NAF.
  • NAF and SP can be an entity. It can also be a different entity.
  • When the IdP and the BSF are one entity, a combined authentication architecture of the present invention is as shown in FIG. 6. If the SP is regarded as a NAF at this point, another combined authentication architecture of the present invention is obtained, as shown in the accompanying figure. The BSF of GBA needs to add a SOAP protocol interface with the SP, and the Ub interface needs to add the transmission of the Assertion or Artifact.
  • the related SP and IdP/BSF form a security trust circle through the identity alliance function.
  • When the UE accesses each SP, after authenticating on the IdP/BSF it is equivalent to having authenticated on all the other related SPs.
  • The UE and the BSF/IdP additionally support the UE-IdP interface function.
  • the BSF/IdP and NAF/SP also add support for the SOAP-based interface function between IdP-SPs. The above new features can also be implemented by extending the Ub/Zn interface.
  • A method for implementing a combined authentication architecture includes a generic authentication architecture authentication process and an identity alliance authentication process; the steps include: A1, during the generic authentication architecture authentication process, the bootstrapping server function entity generates a bootstrapping transaction identifier and a root key validity period and sends them to the IP multimedia service subsystem user, and a root key is generated on both the bootstrapping server function entity and the IP multimedia service subsystem user; A2, during the identity alliance authentication process, the service authentication provider entity generates an authentication statement and sends it to the IP multimedia service subsystem user.
  • The method further includes the following steps: B1, the UE sends an application request to the SP entity; B2, the SP entity sends a response message to the UE, where the response information carries the IdP address and the identity alliance request authentication information.
  • The UE thereby obtains the information required for authentication.
  • Step A1 includes the following steps: C1, the UE sends an identity alliance authentication request message to the IdP, carrying the identity alliance request authentication information; C2, the IdP sends a challenge response message to the UE, requiring the identity identification information to be carried; C3, the UE completes the GBA bootstrapping process with the BSF and obtains the bootstrapping transaction identifier and the root key, the bootstrapping transaction identifier serving as the identity identifier; C4, the UE sends an authentication request message to the BSF entity, carrying the bootstrapping transaction identifier and the identity alliance request authentication information; C5, the BSF entity performs generic authentication architecture authentication on the UE.
  • Step A2 includes the following steps: E1, the IdP performs identity alliance authentication on the UE; E2, after authentication succeeds, the IdP entity sends an authentication success response message to the UE; E3, the UE submits request information to the SP entity, carrying the above authentication success response information, and the SP entity completes identity alliance authentication for the UE.
  • The method further includes the following steps: F1, the IdP entity returns to the UE the identity information of whether an identity alliance is formed with each SP; F2, the UE confirms the information to the IdP entity and completes the identity alliance with the SP entity.
  • the IP multimedia service subsystem user sends an application request to the service provider entity, and the service provider entity sends a response message to the IP multimedia service subsystem user, where the response information carries the service authentication provider address and the identity identifier alliance request authentication.
  • the user of the IP multimedia service subsystem sends an identity authentication request message to the service authentication provider, where the identity identification alliance request authentication information is carried.
  • the service authentication provider sends a challenge response message to the IP multimedia service subsystem user, and requires the identity identification information to be carried;
  • The IP multimedia service subsystem user completes the generic authentication architecture bootstrapping process with the bootstrapping server function entity and obtains the bootstrapping transaction identifier and the root key, the bootstrapping transaction identifier serving as the identity identifier; the IP multimedia service subsystem user sends an authentication request message to the bootstrapping server function entity, carrying the bootstrapping transaction identifier and the identity alliance request authentication information;
  • The bootstrapping server function entity performs generic authentication architecture authentication on the IP multimedia service subsystem user;
  • The service authentication provider performs identity alliance authentication on the IP multimedia service subsystem user; after authentication succeeds, the service authentication provider entity sends an authentication success response message to the IP multimedia service subsystem user;
  • The IP multimedia service subsystem user submits request information to the service provider entity, carrying the authentication success response information, and the service provider entity completes identity alliance authentication for the IP multimedia service subsystem user.
  • FIG. 8 can be further broken down into the two cases of FIG. 9 and FIG. 10.
  • FIG. 9 shows an example interworking flow of the present invention for the case where the authentication response returned by the IdP to the UE directly includes the Assertion.
  • TLS secure tunnel is established in advance between the UE and the SP.
  • the establishment of the TLS security tunnel is not within the scope of the present invention and will not be described herein.
  • Step 1 The UE sends an HTTP application request message to the SP.
  • Step 2 The SP finds the address of the IdP.
  • Step 3: The SP sends a response message to the UE requesting the user to authenticate on the corresponding IdP, including the identity authentication request information AuthnRequest and the address information of the IdP.
  • Step 4 The UE sends an HTTP request message to the IdP, where the AuthnRequest obtained in the previous step is carried.
  • Step 5 The IdP sends an HTTP challenge response message to the UE, instructing it to perform the GBA authentication process.
  • Step 6 The UE sends a GBA authentication request message to the BSF, where the information includes a private user identifier.
  • Step 7: The BSF exchanges information with the HSS to obtain an authentication vector, which includes an authentication sequence number AUTN, a random number RAND, an expected result XRES, an integrity key IK and a confidentiality key CK, that is, the authentication vector quintuple.
  • Step 8 The BSF gives the UE a GBA Challenge Response, which includes AUTN and RAND.
  • Step 9 The UE runs the AKA algorithm, checks the validity of the AUTN to authenticate the network, and generates a response result RES. At the same time, IK and CK are generated according to RAND.
  • Step 10 The UE sends a GBA authentication request message to the BSF, where the information includes a private user identifier and an RES.
  • Step 11 The BSF compares the response result RES with the expected result XRES to check the validity of the RES to authenticate the UE.
  • Step 12 The BSF generates Ks according to the keys CK and IK and the key algorithm, and generates a boot transaction identifier B-TID and a Ks validity period.
  • Step 13 The BSF sends a GBA success response message to the UE, where the message includes a B-TID and a Ks validity period.
  • Step 14: The UE saves the B-TID and the Ks validity period, and generates the root key according to CK and IK.
  • Step 16 The UE sends an HTTP authentication request message to the IdP, where the B-TID and the AuthnRequest are carried.
  • Step 17: The IdP/BSF derives the shared key Ks_(Ext/Int)_NAF for the NAF to be accessed according to the formula, and completes the GBA authentication process for the UE. Since the IdP and the BSF are one entity, the IdP does not need to obtain Ks_(Ext/Int)_NAF, the USS, the key validity period, the bootstrapping time and other information over the Zn interface as in the normal GBA process, but obtains them directly locally; the USS may contain information about some identity alliances. The UE is then authenticated for the GBA process. Similarly, since the IdP and the BSF are one entity, the BSF always knows the NAF_Id when calculating Ks_(Ext/Int)_NAF. Because this step is executed on the BSF, it can equally be placed anywhere between step 12 and step 16 with the same effect.
  • Step 18: The IdP authenticates the UE according to the AuthnRequest content. After authentication succeeds, the IdP tells the UE which SPs can form an identity alliance, and the UE agrees and completes the identity alliance with the SP. In this way the UE can perform SSO authentication with the corresponding SP.
  • Step 19 The IdP returns an HTTP authentication success response message to the UE, where the AuthnResponse directly carries the corresponding Assertion, and the Assertion includes the digital signature of the IdP.
  • Step 20 The UE re-initiates an HTTP application request message to the SP, where AuthnResponse is the AuthnResponse returned in the previous step, where the corresponding Assertion is carried, and the digital signature of the IdP is included;
  • Step 21 The SP performs corresponding processing on the Assertion, and performs SSO authentication on the UE according to the identity identification alliance information of the IdP.
  • Step 22 The SP finally returns a successful HTTP response message to the UE.
  • the UE and the SP can continue to communicate until the key expires or is about to expire.
  • FIG. 10 shows an example interworking flow of the present invention for the case where the authentication response returned by the IdP to the UE includes the Artifact.
  • Steps 1 through 18 are identical to the first example, and are not described herein.
  • Step 19 The IdP generates the corresponding Artifact and Assertion, and saves the relationship between the two, and then the IdP returns an HTTP authentication success response message to the UE, which carries the corresponding Artifact.
  • Step 20 The UE re-initiates an HTTP application request message to the SP, where AuthnResponse is the AuthnResponse returned in the previous step, where the corresponding Artifact is carried, and the link containing the Assertion is included;
  • Step 21 The SP sends an HTTP request message encapsulated by the SOAP protocol to the IdP, where the corresponding Artifact is carried;
  • Step 22 The IdP finds the corresponding Assertion according to the Artifact, and then returns an HTTP response message encapsulated by the SOAP protocol to the SP, where the corresponding Assertion is carried, which includes the digital signature of the IdP;
  • Step 23 The SP processes the Assertion accordingly, and performs SSO authentication on the UE according to the identity information of the IdP and the UE;
  • Step 24 The SP finally returns a successful HTTP response message to the UE.
  • Thereafter the UE and the SP can continue to communicate until the key expires or is about to expire.
  • In both examples, the IdP may require steps 4 to 15 to be performed before step 16 each time, so that the user identifier B-TID is regenerated on every authentication.
  • Otherwise, steps 4 to 15 are skipped and step 16 is executed directly; that is, the HTTP authentication request sent by the UE to the IdP carries the existing user information B-TID, the key information Ks_(Ext/Int)_NAF and the identity alliance information AuthnRequest.
  • If no security association has been established between the UE and the IdP, steps 4 to 15 must be performed first (a normal GBA bootstrapping process that yields the user information B-TID and the key information Ks_(Ext/Int)_NAF), followed by step 16.
  • If a security association has already been established between the UE and the IdP but the key has expired or is about to expire, step 4 also carries the existing user information B-TID, the key information Ks_(Ext/Int)_NAF and the identity alliance information AuthnRequest; the IdP then challenges the UE in step 5, the UE performs steps 6 to 15 (a normal GBA bootstrapping process that yields updated user information B-TID and key information Ks_(Ext/Int)_NAF), and then proceeds to step 16.
  • Since the BSF and the IdP are one entity in the present invention and the UE supports both the GBA and the SSO mechanism, the specific implementation has the following features that distinguish it from the prior art:
  • In step 4, when the UE sends an HTTP request to the IdP, it needs to carry an identifier indicating that the GBA mechanism is supported.
  • If the IdP finds that the UE supports GBA, the IdP needs to carry, in the challenge response sent to the UE, an identifier indicating that the UE must perform the GBA mechanism, so that the UE performs the GBA operation first.
  • Otherwise, step 16 is executed directly,
  • and the user name and password are obtained through the existing SSO mechanism, for example by displaying a dialog box in which the user enters the user name and password directly. That is to say, in the "otherwise" case above, step 4 is equivalent to step 16.
  • When the UE receives the challenge response of the IdP, it therefore knows whether it must perform the GBA process first and then continue with the SSO authentication request, or skip the GBA process and perform the SSO authentication request directly.
  • In step 16, when the UE sends the HTTP request to the IdP again, it also needs to carry the identifier indicating that the GBA mechanism is supported. If the IdP finds this flag, it knows that step 17 must be performed before step 18; otherwise it skips directly to step 18. That is to say, after receiving the SSO request from the UE, the IdP already knows whether it must first obtain the relevant key and related information from the BSF over the Zn interface and then send the SSO authentication response, or send the SSO authentication response directly.
  • The above functions can also be implemented by configuring the IdP:
  • by configuring a local policy on the IdP entity, the UE is required to complete the authentication process of the universal authentication architecture mechanism before performing the identity alliance authentication process.
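The decision logic described in the bullets above (challenge for GBA when there is no security association or the key is expired or about to expire, otherwise derive Ks_(Ext/Int)_NAF locally without a Zn round trip and issue the SSO response, with the Artifact variant of FIG. 10 and the local-policy option) is modelled below as an added Python example. It is not code from the patent or from Huawei: HMAC-SHA256 stands in for the 3GPP GBA key derivation, for HTTP Digest as the UE's proof of possession of Ks_NAF, and for the IdP's digital signature on the Assertion; dicts stand in for the HTTP and SOAP messages; every key, identity, NAF_ID and password is a constructed sample value.

```python
"""Combined IdP/BSF decision logic, as an added example (not the patent's code).

Stand-ins: HMAC-SHA256 replaces the 3GPP GBA KDF for Ks_(Ext/Int)_NAF, replaces
HTTP Digest as the UE's proof of possession, and replaces the IdP's XML digital
signature on the Assertion; dicts replace HTTP/SOAP messages. All identities,
keys, NAF_IDs and passwords below are constructed sample values.
"""
import hashlib
import hmac
import json
import os
import secrets


def derive_ks_naf(ks: bytes, rand: bytes, naf_id: str) -> bytes:
    """Stand-in for Ks_(Ext/Int)_NAF = KDF(Ks, RAND, NAF_ID, ...); not the 3GPP KDF."""
    return hmac.new(ks, rand + naf_id.encode(), hashlib.sha256).digest()


def key_proof(ks_naf: bytes, btid: str, authn_request: str) -> str:
    """UE side: proof of possession of Ks_NAF over the request (stand-in for Digest)."""
    return hmac.new(ks_naf, f"{btid}|{authn_request}".encode(), hashlib.sha256).hexdigest()


def sign_assertion(sign_key: bytes, body: dict) -> dict:
    """IdP signs the Assertion; an HMAC stands in for the IdP's digital signature."""
    canon = json.dumps(body, sort_keys=True).encode()
    return {**body, "signature": hmac.new(sign_key, canon, hashlib.sha256).hexdigest()}


def sp_verify(assertion: dict, sign_key: bytes, now: float) -> bool:
    """SP side (step 21 / 23): check the IdP signature and the validity window."""
    body = {k: v for k, v in assertion.items() if k != "signature"}
    expected = sign_assertion(sign_key, body)["signature"]
    return hmac.compare_digest(expected, assertion.get("signature", "")) and body["not_after"] > now


class CombinedIdpBsf:
    """IdP and BSF as one entity: bootstrapping state is read locally, never over Zn."""

    def __init__(self, naf_id: str, sign_key: bytes, key_lifetime: float = 3600,
                 renew_margin: float = 60, require_gba: bool = True):
        self.naf_id = naf_id              # known locally when deriving Ks_NAF (step 17)
        self.sign_key = sign_key
        self.key_lifetime = key_lifetime
        self.renew_margin = renew_margin  # "expired or about to expire" threshold
        self.require_gba = require_gba    # local policy: GBA before the ID-FF process
        self.bootstrapped = {}            # B-TID -> (Ks, RAND, expiry)
        self.artifacts = {}               # Artifact -> Assertion (Artifact flow, step 19)
        self.passwords = {"alice": "constructed-pw"}  # legacy SSO credentials (constructed)

    def bootstrap(self, ks: bytes, now: float) -> tuple:
        """Outcome of a completed Ub run (steps 6 to 15): a fresh B-TID bound to Ks."""
        rand = os.urandom(16)
        btid = secrets.token_hex(8) + "@bsf.example"
        self.bootstrapped[btid] = (ks, rand, now + self.key_lifetime)
        return btid, rand

    def handle_request(self, req: dict, now: float, mode: str = "post") -> dict:
        """Step 4 / step 16: challenge for GBA, do GBA-backed SSO, or fall back to legacy SSO."""
        if not req.get("gba_supported"):
            if self.require_gba:
                return {"status": 403, "reason": "gba-required-by-policy"}
            if self.passwords.get(req.get("user")) != req.get("password"):
                return {"status": 401, "reason": "bad-credentials"}
            return self._authn_response(req["user"], now, mode)
        entry = self.bootstrapped.get(req.get("btid", ""))
        if entry is None or entry[2] - now <= self.renew_margin:
            # No association, or key expired / about to expire: UE must run GBA first.
            return {"status": 401, "challenge": "gba-bootstrap-required"}
        ks, rand, _ = entry
        ks_naf = derive_ks_naf(ks, rand, self.naf_id)        # step 17, no Zn round trip
        expected = key_proof(ks_naf, req["btid"], req["authn_request"])
        if not hmac.compare_digest(expected, req.get("proof", "")):
            return {"status": 401, "reason": "bad-key-proof"}
        # Step 18: the real IdP would map the B-TID to a federated identity via the USS.
        return self._authn_response(req["btid"], now, mode)

    def _authn_response(self, subject: str, now: float, mode: str) -> dict:
        """Step 19: AuthnResponse carries the Assertion (post) or an Artifact referencing it."""
        assertion = sign_assertion(self.sign_key, {
            "issuer": self.naf_id, "subject": subject,
            "not_after": now + self.key_lifetime})
        if mode == "artifact":
            artifact = secrets.token_urlsafe(16)
            self.artifacts[artifact] = assertion
            return {"status": 200, "artifact": artifact}
        return {"status": 200, "assertion": assertion}

    def resolve_artifact(self, artifact: str):
        """Step 22: SP presents the Artifact over SOAP; it resolves once and is then consumed."""
        return self.artifacts.pop(artifact, None)
```

The `renew_margin` check is what turns "about to expire" into a concrete rule, and `resolve_artifact` consuming the mapping on first use is the property an SP relies on when the Artifact travels through the UE's browser.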


Abstract

The invention concerns a combined authentication architecture in which the service authentication providers and the bootstrapping server function form a single entity. A method for implementing the combined authentication architecture comprises an identity-federation authentication procedure and a generic authentication architecture (GBA) authentication procedure during communication between a service provider unit and the user of an IP multimedia subsystem, so as to ensure interworking between the GBA authentication procedure and the identity federation (ID-FF) authentication procedure, with the aim of solving the prior-art problem of how the user equipment (UE) and the identity provider (IdP) determine whether or not GBA authentication must be performed before single sign-on (SSO). This preserves the security of the earlier authentication architecture while simplifying terminal operation and extending the terminal's applications across various Web services.
PCT/CN2007/000440 2006-02-13 2007-02-08 Combined authentication architecture and method for implementing it WO2007093115A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200610033529.9 2006-02-13
CN2006100335299A CN101022651B (zh) 2006-02-13 2006-02-13 Combined authentication architecture and implementation method thereof

Publications (1)

Publication Number Publication Date
WO2007093115A1 true WO2007093115A1 (fr) 2007-08-23

Family

ID=38371181

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/000440 WO2007093115A1 (fr) 2006-02-13 2007-02-08 Combined authentication architecture and method for implementing it

Country Status (2)

Country Link
CN (1) CN101022651B (fr)
WO (1) WO2007093115A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102869010A (zh) * 2011-07-04 2013-01-09 中兴通讯股份有限公司 Single sign-on method and system

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101488880B (zh) * 2008-01-16 2012-03-14 北京航空航天大学 Adaptive maintenance method for improving the trustworthiness of service composition
UA106642C2 (uk) * 2009-12-11 2014-09-25 Нокіа Корпорейшн Smart card security feature profile in a subscriber data server
CN101909052A (zh) * 2010-06-28 2010-12-08 中兴通讯股份有限公司 Home gateway authentication method and system
CN102638441A (zh) * 2011-02-15 2012-08-15 中兴通讯股份有限公司 Method and system for implementing single sign-on in an IMS network
CN102638440A (zh) * 2011-02-15 2012-08-15 中兴通讯股份有限公司 Method and system for implementing single sign-on in an IMS network
JP5865992B2 (ja) * 2011-03-23 2016-02-17 インターデイジタル パテント ホールディングス インコーポレイテッド Systems and methods for securing network communications
FR2973619A1 (fr) * 2011-03-31 2012-10-05 France Telecom Establishing a GBA-type security association for a terminal in a mobile telecommunications network
CN102938891B (zh) * 2011-08-16 2018-05-11 中兴通讯股份有限公司 Method and system for implementing offline triggering of an MTC device
US10044713B2 (en) 2011-08-19 2018-08-07 Interdigital Patent Holdings, Inc. OpenID/local openID security
KR20140084100A (ko) 2011-09-29 2014-07-04 인터디지탈 패튼 홀딩스, 인크 Method and apparatus for enabling access to applications integrated with a visited network
CN103095649A (zh) * 2011-10-31 2013-05-08 中兴通讯股份有限公司 Combined authentication method and system for IMS single sign-on
CN103297969A (zh) * 2012-03-02 2013-09-11 中兴通讯股份有限公司 IMS single sign-on combined authentication method and system
WO2015035649A1 (fr) * 2013-09-16 2015-03-19 华为终端有限公司 Network registration method and system
CN104918246A (zh) * 2014-03-12 2015-09-16 中兴通讯股份有限公司 Authentication method and system, ProSe function entity and UE
CN113840283A (zh) * 2020-06-23 2021-12-24 中兴通讯股份有限公司 Bootstrapping authentication method, system, electronic device and readable storage medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060020791A1 (en) * 2004-07-22 2006-01-26 Pekka Laitinen Entity for use in a generic authentication architecture

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100397942C (zh) * 2004-03-26 2008-06-25 华为技术有限公司 Method for accessing a user home network server in a generic authentication framework
CN100355314C (zh) * 2004-06-28 2007-12-12 华为技术有限公司 Method for applying a generic authentication framework


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Liberty Alliance and 3GPP Security Interworking; Interworking of Liberty Alliance ID-FF, ID-WSF and Generic Authentication Architecture (RELEASE 7)", 3GPP TR 33.980 V1.0.0, July 2005 (2005-07-01) *


Also Published As

Publication number Publication date
CN101022651B (zh) 2012-05-02
CN101022651A (zh) 2007-08-22


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07702312

Country of ref document: EP

Kind code of ref document: A1