WO2007095806A1 - A general authentication system and a method for accessing the network application facility of the system - Google Patents

A general authentication system and a method for accessing the network application facility of the system

Info

Publication number: WO2007095806A1
Authority: WO (WIPO (PCT))
Prior art keywords: entity, roaming, bsf, user, authentication
Application number: PCT/CN2006/003153
Other languages: French (fr), Chinese (zh)
Inventor: Yanmei Yang
Original Assignee: Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2007095806A1

Classifications

    • H04L 9/3273: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols (H04L 9/00), including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials (H04L 9/32), using challenge-response (H04L 9/3271), for mutual authentication (H04L 9/3273)
    • H04L 63/08: Network architectures or network communication protocols for network security (H04L 63/00), for authentication of entities (H04L 63/08)
    • H04W 12/069: Security arrangements; authentication; protecting privacy or anonymity (H04W 12/00); authentication (H04W 12/06) using certificates or pre-shared keys (H04W 12/069)
    • H04W 74/00: Wireless channel access, e.g. scheduled or random access
    • All of the above fall under section H (ELECTRICITY), class H04 (ELECTRIC COMMUNICATION TECHNIQUE); H04L is TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION, and H04W is WIRELESS COMMUNICATION NETWORKS.

Definitions

  • The present invention relates to general authentication techniques, and more particularly to a universal authentication system and a method of accessing a network application function (NAF, rendered on this page as "network service application") in a roaming network.
  • The universal authentication system is also known as the Generic Authentication Architecture (GAA; this page calls it the Common Authentication Framework). It provides one authentication mechanism for multiple application services; such services may be a multicast/broadcast service, a user certificate service, an instant messaging service, or a proxy service.
  • FIG. 1 is a schematic structural diagram of a general authentication framework of the prior art.
  • A universal authentication framework generally consists of a user, a Bootstrapping Service Function (BSF) entity that performs the initial authentication of the user identity, a Home Subscriber Server (HSS), and a network application function (NAF) entity. In the following, the BSF entity is referred to simply as the BSF and the NAF entity as the NAF.
  • The BSF is used to perform mutual authentication with the user, that is, the two sides authenticate each other's identity and at the same time generate a shared key between the BSF and the user. This process is also called the Bootstrapping process or the GBA (Generic Bootstrapping Architecture) process, and a user who can carry out the GBA process with the BSF is said to have the GBA function.
  • The interfaces between the entities are as shown in FIG. 1: the BSF and the NAF are connected through the Zn interface; the user connects to the BSF or the NAF through the user terminal (UE), with the UE and the BSF connected through the Ub interface and the UE and the NAF connected through the Ua interface.
  • When the user needs a certain service, the user must access the NAF corresponding to that service. If the user knows that the service requires mutual authentication with the BSF, the UE performs the Bootstrapping process with the BSF directly; otherwise the user first sends a connection request to the NAF corresponding to the service. If that NAF supports the GAA function and finds that the user who sent the connection request has not yet authenticated with the BSF, it notifies the user to perform the Bootstrapping process with the BSF.
  • The user performs mutual authentication by running the Bootstrapping process between the UE and the BSF: the UE and the BSF authenticate each other's identity and generate a shared key Ks. The BSF defines a validity period (key lifetime) for Ks and assigns a bootstrapping transaction identifier (B-TID) to the user; the BSF and the UE each save Ks, the B-TID and the validity period.
  • The user then sends the connection request to the NAF with the B-TID carried in the request message, and computes the NAF-specific derived key (Ks_NAF) from the shared key Ks using a preset derivation algorithm.
  • After receiving the connection request, the NAF checks whether it already holds the B-TID locally. If not, it sends a query request carrying its own identity and the B-TID to the BSF. If the BSF cannot find the B-TID locally, it notifies the NAF that it has no information about this user, and the NAF in turn tells the user to perform mutual authentication with the BSF. If the BSF finds the B-TID, it computes the derived key from Ks with the same derivation algorithm used on the user side and returns a success response to the NAF carrying the B-TID, the derived key corresponding to the B-TID, and the validity period of Ks.
  • After receiving the success response from the BSF, the NAF regards the user as a legitimate user who has passed BSF authentication and now shares with the user the key derived from Ks; the key the user derived from Ks on its own side is identical to it. The user uses this derived key to protect subsequent communication with the NAF.
  • When the user finds that Ks is about to expire, or the NAF requires the user to re-authenticate with the BSF, the user repeats the mutual authentication step above with the BSF to obtain a new shared key Ks and a new B-TID.
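The exchange described in the preceding paragraphs, as an added simulation that is not part of the patent: the UE bootstraps with the BSF over Ub, presents the B-TID to the NAF over Ua, and the NAF fetches the NAF-specific key over Zn. The AKA challenge-response and the 3GPP key-derivation functions are replaced by HMAC-SHA256 over a pre-shared long-term key K, and the B-TID format, the key lifetime and the NAF names are assumptions made for the example. The same flow, with a V-BSF in place of the home BSF, is what steps C1 to C4 later on this page describe for the roaming case.

```python
"""Constructed simulation of the GBA exchange above: Ub bootstrapping (UE <-> BSF),
Ua connection (UE -> NAF) carrying the B-TID, and the Zn query (NAF -> BSF) that
returns the NAF-specific derived key.  AKA and the 3GPP key-derivation functions
are replaced by HMAC-SHA256 over a pre-shared long-term key K; the message flow
and the checks are the point, not the cryptography."""
import hashlib
import hmac
import secrets

KEY_LIFETIME = 3600      # assumed Ks lifetime (seconds); in practice BSF policy
CLOCK = {"now": 0}       # fake clock so expiry can be exercised without sleeping


def prf(key, *parts):
    """HMAC-SHA256 stand-in for AKA (AUTN/RES) and for the Ks derivation."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def derive_naf_key(ks, naf_id):
    """The 'preset derivation algorithm': identical on UE and BSF, and bound to the
    NAF identity so that keys handed to different NAFs are distinct."""
    return prf(ks, b"naf-key", naf_id.encode())


class BSF:
    def __init__(self, subscribers):
        self.subscribers = subscribers   # identity -> K (stands in for HSS data over Zh)
        self.sessions = {}               # B-TID -> (identity, Ks, expiry)

    def ub_challenge(self, identity):
        rand = secrets.token_bytes(16)
        return rand, prf(self.subscribers[identity], b"autn", rand)  # AUTN: network proves K

    def ub_finish(self, identity, rand, res):
        k = self.subscribers[identity]
        if not hmac.compare_digest(res, prf(k, b"res", rand)):
            raise PermissionError("user authentication failed")
        b_tid = secrets.token_hex(8) + "@bsf.example"       # illustrative B-TID format
        expiry = CLOCK["now"] + KEY_LIFETIME
        self.sessions[b_tid] = (identity, prf(k, b"ks", rand), expiry)
        return b_tid, expiry

    def zn_query(self, naf_id, b_tid):
        rec = self.sessions.get(b_tid)
        if rec is None or rec[2] <= CLOCK["now"]:
            return None   # "no information about the user": NAF sends the UE back to Ub
        return {"b_tid": b_tid, "ks_naf": derive_naf_key(rec[1], naf_id), "expiry": rec[2]}


class UE:
    def __init__(self, identity, k):
        self.identity, self.k = identity, k
        self.ks = self.b_tid = self.expiry = None

    def bootstrap(self, bsf):
        rand, autn = bsf.ub_challenge(self.identity)
        if not hmac.compare_digest(autn, prf(self.k, b"autn", rand)):
            raise PermissionError("network authentication failed")  # mutual: UE checks BSF first
        self.b_tid, self.expiry = bsf.ub_finish(self.identity, rand, prf(self.k, b"res", rand))
        self.ks = prf(self.k, b"ks", rand)

    def naf_key(self, naf_id):
        return derive_naf_key(self.ks, naf_id)

    def needs_rebootstrap(self):
        return self.ks is None or self.expiry <= CLOCK["now"]


class NAF:
    def __init__(self, naf_id, bsf):
        self.naf_id, self.bsf = naf_id, bsf
        self.cache = {}   # B-TID -> (Ks_NAF, expiry); must honour the BSF's lifetime

    def ua_connect(self, b_tid):
        rec = self.cache.get(b_tid)
        if rec is None or rec[1] <= CLOCK["now"]:
            resp = self.bsf.zn_query(self.naf_id, b_tid)
            if resp is None:
                self.cache.pop(b_tid, None)
                return None   # GBA indication: the UE must (re)bootstrap
            rec = self.cache[b_tid] = (resp["ks_naf"], resp["expiry"])
        return rec[0]


def run_demo():
    """Walk the flow once; returns the checks a reader would want to see."""
    k = secrets.token_bytes(32)          # long-term key shared by UE and HSS (constructed)
    bsf = BSF({"user@home.example": k})
    ue = UE("user@home.example", k)
    naf = NAF("naf1.example", bsf)
    out = {"unknown_btid": naf.ua_connect("nosuch@bsf.example")}
    ue.bootstrap(bsf)
    out["keys_match"] = naf.ua_connect(ue.b_tid) == ue.naf_key("naf1.example")
    out["other_naf_differs"] = ue.naf_key("naf2.example") != ue.naf_key("naf1.example")
    CLOCK["now"] += KEY_LIFETIME + 1
    out["after_expiry"] = naf.ua_connect(ue.b_tid)
    out["ue_rebootstraps"] = ue.needs_rebootstrap()
    return out
```

Two details matter beyond the happy path: the NAF must re-query (or refuse) once the lifetime it received over Zn has passed rather than serving from its cache, and the derivation is bound to the NAF identity, so a key handed to one NAF is useless at another even though both come from the same Ks and B-TID.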
  • The process above for accessing the NAF applies when the NAF is located in the user's home network. When the user roams and the NAF is located in the roaming network, the prior-art handling is: the BSF that performs mutual authentication with the user is still the BSF of the home network, and the NAF of the roaming network connects to the home-network BSF through a D-proxy, obtains the derived key from the home-network BSF, and then uses that derived key to communicate with the user. This covers the case where both the home network and the roaming network support GAA.
  • However, when the home network of a GBA-capable UE does not support GAA and the UE roams to a roaming network that does support GAA, the universal authentication architecture as currently specified still requires the BSF that mutually authenticates the user to be the BSF of the home network, and that home network provides no BSF. The UE therefore cannot use the NAF services offered by the roaming network.
  • the main object of the present invention is to provide a universal authentication system that enables roaming users to access NAF services in a roaming network.
  • Another object of the present invention is to provide a method for accessing a network service application in the universal authentication system, so that a roaming user can access the NAF service in the roaming network.
  • A universal authentication system includes: a roaming user, a roaming-network service application (V-NAF) entity, and a universal authentication entity for performing mutual authentication with the roaming user. The roaming user initiates a mutual authentication request to the universal authentication entity; the universal authentication entity receives the request, obtains authentication information from the home network of the roaming user, and performs mutual authentication with the roaming user; the roaming user then uses the result of the mutual authentication to protect communication between the roaming user and the V-NAF entity.
  • More specifically, the system is as follows:
  • The roaming user sends a connection request to the V-NAF entity; if the roaming user knows that the service requires GBA authentication, or receives a mutual authentication notification from the V-NAF entity, it sends a mutual authentication request to the universal authentication entity, completes mutual authentication with that entity and generates a derived key, and communicates with the V-NAF entity using the generated derived key.
  • The universal authentication entity receives the mutual authentication request from the roaming user, obtains the authentication information required for mutual authentication between itself and the roaming user by connecting to the home network to which the roaming user belongs, and performs mutual authentication with the roaming user; on receiving a query request from the V-NAF entity, it generates the derived key and sends it to the V-NAF.
  • The universal authentication entity is a Bootstrapping Service Function entity in the roaming network (V-BSF) that performs the initial verification of the user identity.
  • If the subscription database of the home network to which the roaming user belongs is a Home Subscriber Server (HSS), the V-BSF entity and the HSS are connected through the Zh interface using the Diameter protocol; if the subscription database is a Home Location Register (HLR), the V-BSF entity is connected to the HLR through the Gr interface, or through another external HLR/HSS interface.
  • The home network to which the roaming user belongs may include an authentication proxy that authenticates the V-BSF entity, in which case the V-BSF entity is connected to the HSS through that authentication proxy.
  • Alternatively, the universal authentication entity includes a Serving GPRS Support Node (SGSN) located in the roaming network together with the V-BSF entity that performs the initial verification of the user identity. The subscription database of the home network is an HSS/HLR, the SGSN is connected to the HLR/HSS through the Gr interface, and the V-BSF entity and the SGSN are connected through a Zx interface.
  • There may be two or more V-BSF entities. In that case the universal authentication entity further includes a B-proxy connecting all V-BSF entities to the home network to which the roaming user belongs; each V-BSF entity is connected to the B-proxy through a Zx interface, and the B-proxy is connected to the HSS through the Zh interface or to the HLR through the Gr interface. The B-proxy is either an independent entity or a functional module of one of the V-BSF entities.
  • When there are two or more V-BSF entities, one of them may be the primary V-BSF entity, which includes the B-proxy that connects the V-BSF entities to the roaming user's home network. The primary V-BSF is connected to the remaining V-BSFs through the Zx interface, and its B-proxy is connected to the HSS through the Zh interface or to the HLR through the Gr interface.
  • The V-BSF entity is connected to the V-NAF entity through the Zn interface; the roaming user is connected to the V-BSF entity through the Ub interface and to the V-NAF entity through the Ua interface.
  • A method for accessing a network service application (NAF) entity in a universal authentication system, where the system comprises a roaming user, a roaming-network service application (V-NAF) entity, and a universal authentication entity that performs mutual authentication and provides the derived key to the V-NAF entity, includes the following steps:
  • A. The roaming user initiates a mutual authentication request to the universal authentication entity.
  • B. The universal authentication entity obtains the authentication information from the subscription database of the home network to which the roaming user belongs, according to the user information carried in the mutual authentication request.
  • C. The universal authentication entity and the roaming user perform mutual authentication based on the obtained authentication information and generate a derived key, and the roaming user accesses the network service application (V-NAF) using that derived key.
  • The method further includes: the roaming user carries, in the connection request sent to the V-NAF entity, a flag indicating that it is a roaming user; when the V-NAF entity learns from this flag that the current user is a roaming user and determines that the roaming user has not performed mutual authentication, it carries the mutual authentication address of the universal authentication entity in the roaming network in the GBA indication returned to the roaming user.
  • When the universal authentication entity is a V-BSF, step C specifically includes:
  • C1. The roaming user and the V-BSF entity authenticate each other's identity and generate a shared key Ks; the V-BSF entity defines a validity period for Ks and allocates a B-TID; the V-BSF entity and the roaming user each save Ks, the B-TID and the validity period.
  • C2. The roaming user sends the B-TID to the V-NAF entity in the connection request, and computes the derived key from Ks using the preset derivation algorithm.
  • C3. If the V-NAF entity cannot find the received B-TID locally, it sends a query request carrying its own identifier and the B-TID to the V-BSF entity.
  • C4. The V-BSF entity looks up the B-TID, computes the derived key from Ks with the same derivation algorithm as the user side, and returns a success response to the V-NAF entity carrying the B-TID and the generated derived key; the roaming user and the V-NAF entity then communicate using the derived key.
  • In step C4, if the V-BSF entity cannot find the B-TID locally, it notifies the V-NAF entity that no information about the roaming user was found, and the V-NAF entity notifies the roaming user to return to step A.
  • In step C3, if there are two or more V-BSF entities, the V-NAF entity sends the query request carrying its own identifier and the B-TID to all V-BSF entities.
  • the subscription database of the home network to which the roaming user belongs is an HSS/HLR.
  • The method further includes: when the roaming user leaves the roaming network, the UE deletes the shared key Ks, the derived key, and the B-TID that was assigned to the roaming user.
  • The method further includes: when the roaming user moves to another roaming network, and a NAF entity in that other roaming network asks the first roaming network for the roaming user's secure communication information, the V-BSF entity in the first roaming network refuses to return the roaming user's derived key to the NAF entity in the other roaming network.
  • The method further includes: the home network authenticates the V-BSF entity, either through the home network HLR/HSS itself or through a specially configured authentication proxy.
  • The universal authentication system of the present invention therefore includes a roaming user, a universal authentication entity located in the roaming network that performs mutual authentication with the roaming user and provides a derived key to the V-NAF, and a network service application (V-NAF). The method for accessing the network service application in this system applies when the roaming user has the GBA function, the home network to which the roaming user belongs does not support GAA, and the roaming network in which the roaming user is located supports GAA. The roaming user completes the mutual authentication process in the roaming network and can thereby access the NAF services of the roaming network.
  • FIG. 1 is a schematic structural diagram of a prior-art universal authentication framework.
  • FIG. 2 is a schematic structural diagram of the universal authentication system of the present invention.
  • FIG. 3a is a schematic structural diagram of Embodiment 1 of the universal authentication entity of the present invention.
  • FIG. 3b is a schematic structural diagram of Embodiment 2 of the universal authentication entity of the present invention.
  • FIG. 4a is a schematic structural diagram of Embodiment 1 of the universal authentication entity when multiple BSFs exist in the roaming network.
  • FIG. 4b is a schematic structural diagram of Embodiment 2 of the universal authentication entity when multiple BSFs exist in the roaming network.
  • FIG. 5 is a flow chart of the method for accessing a NAF according to the present invention.
  • FIG. 6 is a flow chart of Embodiment 1 of accessing a NAF according to the present invention.
  • FIG. 7 is a flow chart of Embodiment 2 of accessing a NAF according to the present invention.

Mode for carrying out the invention

  • The core idea of the present invention is as follows. In a general authentication system consisting of a roaming user, a universal authentication entity located in the roaming network, and a roaming-network service application, after the roaming user receives the mutual authentication notification from the network service application it initiates a mutual authentication request to the universal authentication entity in the roaming network; the universal authentication entity obtains the authentication information from the subscription database of the roaming user's home network according to the user information carried in the request; the authentication entity and the user perform mutual authentication based on the obtained authentication information and generate a derived key; and the roaming user accesses the network service application using that derived key.
  • The present invention is particularly applicable when the roaming user has the GBA function, the home network to which the roaming user belongs does not support GAA, the roaming network in which the roaming user is located supports GAA, and the roaming network and the home network have signed a corresponding service agreement under which the home network opens an interface that lets the roaming network carry out the mutual authentication process, so that the roaming network can reach the home network through that interface and obtain the required authentication data from it.
  • As shown in FIG. 2, the universal authentication system of the present invention includes a roaming user, a universal authentication entity located in the roaming network, and a roaming NAF (V-NAF). The universal authentication entity and the V-NAF are connected through the Zn interface; the universal authentication entity is connected to the subscription database in the roaming user's home network through the relevant interface (see the description of FIG. 4a and FIG. 4b); and the roaming user connects to the universal authentication entity and the V-NAF through the UE, with the UE connected to the universal authentication entity through the Ub interface and to the V-NAF through the Ua interface.
  • The V-NAF stands for any network service application entity; when a user needs a certain service, the user must access and communicate with the NAF corresponding to that service.
  • The V-NAF receives the connection request from the user. If it determines that the user has not performed mutual authentication, it notifies the user to do so; if it determines that the user has performed mutual authentication and is a roaming user, it queries the universal authentication entity for the roaming user's derived key, receives that derived key from the universal authentication entity, and uses it to communicate with the roaming user and deliver the requested service.
  • The roaming user sends a connection request to the V-NAF to request the service; on receiving the mutual authentication notification from the V-NAF, it sends a mutual authentication request to the universal authentication entity, completes mutual authentication with it and generates the derived key; it then communicates with the V-NAF using the generated derived key to obtain the requested service.
  • The universal authentication entity receives the mutual authentication request from the roaming user, obtains the authentication information required for mutual authentication between itself and the roaming user through its connection with the subscription database of the roaming user's home network, and performs mutual authentication with the roaming user; on receiving the query request from the V-NAF, it generates the derived key and provides it to the V-NAF. In short, the functions of the universal authentication entity are mutual authentication with the roaming user and provision of the derived key to the V-NAF.
  • The authentication information includes the user's subscription data, which identifies the application services the user has subscribed to, and an authentication vector, which is used to verify the user's identity.
  • FIG. 3a and FIG. 3b show two embodiments of the universal authentication entity, described in detail below.
  • FIG. 3a is a schematic structural diagram of Embodiment 1 of the universal authentication entity of the present invention. Here the universal authentication entity consists of a BSF in the roaming network, that is, a roaming BSF (V-BSF). If the roaming user's authentication information is stored in the HSS of the home network (including the case where the HLR has been upgraded to an HSS), the V-BSF obtains it from the HSS through the Zh interface using the Diameter protocol, and the subscription database is the HSS; if it is stored in the Home Location Register (HLR) of the home network (the HLR has not been upgraded to an HSS), the V-BSF obtains it from the HLR through the Gr interface, and the subscription database is the HLR.
  • The interfaces between this universal authentication entity and the other entities of the system are: the V-BSF and the V-NAF are connected through the Zn interface; the roaming user is connected to the V-BSF through the Ub interface and to the V-NAF through the Ua interface.
  • The V-BSF receives the mutual authentication request from the roaming user, obtains the authentication information required for mutual authentication through its connection with the subscription database of the roaming user's home network, and performs mutual authentication with the roaming user; on receiving a query request from the V-NAF, it generates the derived key and provides it to the V-NAF.
  • FIG. 3b is a schematic structural diagram of Embodiment 2 of the universal authentication entity of the present invention. Here the universal authentication entity consists of a Serving GPRS Support Node (SGSN) and a V-BSF in the roaming network. The SGSN in the roaming network is connected to the HLR/HSS of the home network through the Gr interface, and the V-BSF and the SGSN are connected through the Zx interface. The SGSN accesses the HLR/HSS of the home network to obtain the authentication information and the GPRS subscription information; the subscription database is the HLR/HSS.
  • The interfaces between the universal authentication entity shown in FIG. 3b and the other entities of the system are: the V-BSF in the universal authentication entity and the V-NAF are connected through the Zn interface, and the roaming user is connected to the V-BSF through the Ub interface and to the V-NAF through the Ua interface.
  • The V-BSF receives the mutual authentication request from the roaming user and obtains the authentication information required for mutual authentication through the SGSN's connection with the subscription database of the roaming user's home network; the V-BSF then performs mutual authentication with the roaming user. On receiving a query request from the V-NAF, the V-BSF generates the derived key and provides it to the V-NAF.
  • The V-BSF can also obtain the user's GUSS (GBA User Security Settings) from the HLR/HSS. If the user's home register is an HLR, the HLR delivers the GUSS to the BSF as part of the GPRS subscription data it outputs to the SGSN, which forwards it to the BSF; if the user's home register is an HSS, the BSF obtains the authentication data and the GUSS from the HSS over the Zh interface in the existing manner.
  • When there are several BSFs in the roaming network, all of them may authenticate roaming users, or only one or a few of them may authenticate roaming users while the remaining BSFs authenticate only local users. The BSFs that authenticate roaming users and those that authenticate local users can be distinguished by different domain names.
  • The domain name of a BSF used to authenticate local users can be set to: bsf.mnc<MNC>.mcc<MCC>.3gppnetwork.org
  • The domain name of a BSF used to authenticate roaming users can be set to: vbsf.mnc<MNC>.mcc<MCC>.3gppnetwork.org
  • Here <MNC> is filled with the mobile network code (MNC) and <MCC> with the mobile country code (MCC) of the roaming network.
  • To let every BSF reach the subscription database of the home network through one unified interface, the present invention sets up a B-proxy that connects the V-BSFs to that unified interface of the roaming user's home network. The B-proxy may be a functional module inside one of the BSFs that authenticate roaming users, or a separate entity. Depending on the deployment, the B-proxy may not be needed.
  • FIG. 4a is a schematic structural diagram of Embodiment 1 of the universal authentication entity when multiple BSFs exist in the roaming network. There are n V-BSFs for authenticating roaming users in the roaming network, V-BSF1 to V-BSFn, where n is a positive integer greater than 1. V-BSF1 to V-BSFn are each connected to the V-NAF through the Zn interface and to the B-proxy through the Zx interface; the B-proxy is connected to the subscription database in the home network through Gr/Zh, so that V-BSF1 to V-BSFn reach the home network's subscription database through one unified Gr/Zh interface. Each V-BSF provides an Ub interface to the roaming user, and the roaming user connects to the V-NAF through the Ua interface.
  • FIG. 4b is a schematic structural diagram of Embodiment 2 of the universal authentication entity when multiple BSFs exist in the roaming network. Again there are n V-BSFs for authenticating roaming users, V-BSF1 to V-BSFn, with n a positive integer greater than 1. V-BSF1 is the primary V-BSF and also carries the B-proxy function; the primary V-BSF has two domain names, the B-proxy's and the V-BSF's, which can be configured in advance. V-BSF2 to V-BSFn are each connected to the V-NAF through the Zn interface and to the primary V-BSF through the Zx interface; the B-proxy in the primary V-BSF is connected to the subscription database in the home network through the Gr/Zh interface, so that V-BSF1 to V-BSFn reach the home network's subscription database through one unified Gr/Zh interface. Each V-BSF provides an Ub interface to the roaming user, and the roaming user connects to the V-NAF through the Ua interface.
  • Besides Gr/Zh, other external HLR/HSS interfaces such as the Sh interface can also be used to access the subscription database.
  • The home network can additionally authenticate the V-BSF. This authentication can be performed by the HLR/HSS itself, or an authentication proxy can be placed between the V-BSF and the HLR/HSS to perform it.
  • FIG. 5 is a flowchart of the method for accessing the NAF according to the present invention.
  • In a general authentication system consisting of a roaming user, a universal authentication entity located in the roaming network, and a network service application, it is assumed that the home network to which the roaming user belongs does not support GAA, while the roaming network in which the roaming user is located does.
  • The method of the invention comprises the following steps. Step 500: After the roaming user receives the mutual authentication notification from the network service application, since the roaming user's home network does not support GAA, the roaming user initiates the mutual authentication request to the universal authentication entity of the universal authentication system in the roaming network.
  • The roaming user requests a service by sending a connection request to the V-NAF. If the V-NAF finds that the roaming user that initiated the connection request has not performed mutual authentication, it may issue a GBA indication to the roaming user, notifying the roaming user to perform the mutual authentication process, that is, the Bootstrapping process.
  • Since the home network of the roaming user does not support GAA, according to the service agreement pre-signed between the roaming network and the home network, the roaming user performs mutual authentication through the universal authentication entity of the universal authentication system in the roaming network.
  • When the roaming user moves to the roaming network, the mobile country code (MCC) and mobile network code (MNC) of that network are known to the roaming user; the specific way of obtaining them is well known to those skilled in the art and is not described here. The roaming user therefore only needs to add the VBSF prefix to the MCC and MNC codes of the roaming network, together with the 3gppnetwork.org suffix, following the domain name format of the V-BSF used for authenticating roaming users, to obtain the address of the V-BSF, that is, the mutual authentication address of the universal authentication entity.
  • Alternatively, the roaming user can carry an identifier in the connection request indicating that the current user is a roaming user, so that the NAF knows this and returns the mutual authentication address of the universal authentication entity of the universal authentication system in the roaming network to the roaming user in the GBA indication.
  • Step 501: The universal authentication entity obtains the authentication information from the subscription database of the home network to which the roaming user belongs, according to the user information carried in the mutual authentication request.
  • After receiving the authentication request of the roaming user, the V-BSF examines the user information carried in the authentication request, such as the identity identifier. If the identity identifier does not belong to the local network, the V-BSF determines from it the subscription database of the home network of the user requesting authentication, such as the address of the HSS/HLR, and obtains the authentication information of the roaming user from that home network subscription database through the Zh/Gr interface.
  • Step 502: The universal authentication entity performs mutual authentication with the user according to the authentication information and generates a derived key, and the roaming user uses the derived key to access a network service application in the current roaming network.
  • the roaming user performs mutual authentication by performing a Bootstrapping process with the V-BSF corresponding to the mutual authentication address. After the Bootstrapping process is successfully completed, the UE and the V-BSF mutually authenticate the identity and generate a shared key Ks.
  • At the same time the V-BSF defines a validity period for the shared key Ks and assigns a B-TID to the roaming user; the V-BSF and the UE each store the shared key Ks, the B-TID and the validity period in association. When the roaming user wants to communicate with the V-NAF, the connection request is re-issued to the V-NAF with the B-TID carried in the request message, and at the same time the roaming user calculates the derived key from the shared key Ks using a preset derivation algorithm.
  • The B-TIDs of the two types of users can be distinguished: the B-TID assigned to a local user can take a form such as base64encode(RAND)@BSF_servers_domain_name, while the B-TID assigned to a roaming user can be marked by adding a string, for example base64encode(RAND)-Visited@BSF_servers_domain_name, where the "-Visited" string identifies the user as a roaming user.
  • After the V-NAF receives the connection request, if it cannot find the B-TID locally, it sends a request query message carrying its own identity and the B-TID to the V-BSF. If several V-BSFs in the roaming network can authenticate the roaming user, the V-NAF can send the request query message carrying its own identifier and the B-TID to all V-BSFs that can authenticate the roaming user. If the V-BSF cannot find the B-TID locally, it notifies the V-NAF that it has no information about the roaming user.
  • In that case the V-NAF notifies the roaming user to perform mutual authentication, that is, the flow returns to step 500 and is executed again. If the V-BSF finds the B-TID, it calculates the derived key of the shared key Ks using the same derivation algorithm as the user side and then sends a success response message to the V-NAF carrying the B-TID, the derived key corresponding to the B-TID, and the validity period of the shared key Ks. After receiving the success response message from the V-BSF, the V-NAF considers the roaming user a legitimate user who has performed mutual authentication, and the V-NAF now shares the derived key calculated from the shared key Ks, which is identical to the derived key the roaming user calculated from the shared key Ks. In subsequent access to the V-NAF the user uses this derived key to protect the communication between the two.
  • When the user finds that the shared key Ks is about to expire, or the NAF requires the user to re-authenticate with the BSF, the user repeats the above mutual authentication steps with the BSF to obtain a new shared key Ks and B-TID.
  • If the user moves from the current roaming network to another roaming network, the current roaming network is referred to as the first roaming network and the other as the second roaming network. The method of the present invention may further include: when the user leaves the first roaming network, the UE deletes the shared key Ks allocated to the user by the V-BSF of the first roaming network, the derived key generated from it, and the B-TID. Likewise, if the NAF of the second roaming network requests the user's secure communication information from the first roaming network, the V-BSF of the first roaming network does not return that information, such as the user's derived key, to the NAF.
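As an added illustration (not the patent's own code), the Python model below walks through the roaming flow of steps 500 to 502 and the follow-up rules: the "-Visited" B-TID marker, the V-NAF's Zn query to the V-BSF, re-bootstrapping on an unknown or expired B-TID, key deletion when the UE leaves, and the V-BSF's refusal to serve a NAF of a second roaming network. HMAC-SHA256 stands in for the AKA functions and the unspecified "preset derivation algorithm", and the vbsf.mnc.mcc label layout, realm names, NAF identifiers and subscriber record are assumptions.

```python
import base64
import hashlib
import hmac
import os


def vbsf_address(mcc: str, mnc: str) -> str:
    # Patent: VBSF prefix + roaming MCC/MNC + 3gppnetwork.org; label layout assumed.
    return f"vbsf.mnc{mnc}.mcc{mcc}.3gppnetwork.org"


def is_roaming_btid(btid: str) -> bool:
    # Roaming users' B-TIDs carry the "-Visited" marker before the '@'.
    return btid.partition("@")[0].endswith("-Visited")


def kdf(key: bytes, label: str, *parts: bytes) -> bytes:
    # HMAC-SHA256 stands in for AKA and the patent's unspecified derivation algorithm.
    return hmac.new(key, label.encode() + b"".join(parts), hashlib.sha256).digest()


def home_auth_vector(subscribers: dict, impi: str, rand: bytes):
    # HSS/HLR of the home network (no GAA) answering over Zh/Gr: AUTN, XRES, Ks.
    k = subscribers[impi]
    return kdf(k, "autn", rand), kdf(k, "res", rand), kdf(k, "ks", rand)


class UE:
    def __init__(self, impi: str, k: bytes):
        self.impi, self.k, self.btid, self.ks = impi, k, None, None

    def respond(self, rand: bytes, autn: bytes) -> bytes:
        # Mutual authentication: the UE checks the network's AUTN before answering.
        if not hmac.compare_digest(autn, kdf(self.k, "autn", rand)):
            raise PermissionError("network authentication failed")
        self.ks = kdf(self.k, "ks", rand)
        return kdf(self.k, "res", rand)

    def naf_key(self, naf_id: str) -> bytes:
        return kdf(self.ks, "naf", naf_id.encode())

    def leave_network(self):
        self.btid = self.ks = None  # Ks, derived keys and B-TID are deleted


class VBSF:
    def __init__(self, realm: str, domain: str, home_dbs: dict):
        self.realm, self.domain, self.home_dbs = realm, domain, home_dbs
        self.sessions = {}  # B-TID -> (Ks, expiry)

    def bootstrap(self, ue: UE, now: int, lifetime: int = 3600) -> str:
        home = ue.impi.split("@")[1]  # identity not of this network: use its home DB
        rand = os.urandom(16)
        autn, xres, ks = home_auth_vector(self.home_dbs[home], ue.impi, rand)
        if not hmac.compare_digest(ue.respond(rand, autn), xres):
            raise PermissionError("user authentication failed")
        marker = "-Visited" if home != self.realm else ""
        btid = base64.b64encode(rand).decode() + marker + "@" + self.domain
        self.sessions[btid] = (ks, now + lifetime)
        return btid

    def query(self, naf_id: str, naf_realm: str, btid: str, now: int):
        # Zn query: refuse NAFs of another roaming network; unknown/expired -> None.
        entry = self.sessions.get(btid)
        if naf_realm != self.realm or entry is None or now >= entry[1]:
            return None
        return kdf(entry[0], "naf", naf_id.encode()), entry[1]


class VNAF:
    def __init__(self, naf_id: str, realm: str, bsfs: list):
        self.naf_id, self.realm, self.bsfs, self.cache = naf_id, realm, bsfs, {}

    def connect(self, btid: str, now: int):
        # Unknown B-TID: ask every V-BSF that can authenticate roaming users.
        if btid not in self.cache:
            for bsf in self.bsfs:
                answer = bsf.query(self.naf_id, self.realm, btid, now)
                if answer is not None:
                    self.cache[btid] = answer
                    break
        if btid not in self.cache or now >= self.cache[btid][1]:
            return "GBA indication"  # user must (re-)bootstrap, i.e. step 500
        return self.cache[btid][0]  # Ks_NAF, now shared with the UE


def run_scenario() -> dict:
    home_db = {"user1@home.example": b"\x01" * 16}  # constructed subscriber record
    bsf = VBSF("visited.example", vbsf_address("460", "00"), {"home.example": home_db})
    naf = VNAF("naf1.visited.example", "visited.example", [bsf])
    ue = UE("user1@home.example", b"\x01" * 16)
    now = 1_000_000
    out = {"before_bootstrap": naf.connect("none@nowhere", now)}
    ue.btid = btid = bsf.bootstrap(ue, now)
    out["roaming_marker"] = is_roaming_btid(btid)
    out["keys_match"] = naf.connect(btid, now) == ue.naf_key(naf.naf_id)
    other = VNAF("naf2.other.example", "other.example", [bsf])
    out["other_network"] = other.connect(btid, now)
    out["expired"] = naf.connect(btid, now + 3600)
    ue.leave_network()
    out["ue_cleared"] = ue.ks is None and ue.btid is None
    return out
```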
  • FIG. 6 is a flowchart of Embodiment 1 of the present invention for accessing NAF.
  • In Embodiment 1 the universal authentication entity consists of a V-BSF. It is assumed that the roaming user has not performed mutual authentication before the UE sends the first connection request to the V-NAF.
  • the embodiment specifically includes the following steps:
  • Steps 600 to 601: After the V-NAF in the roaming network receives the connection request sent by the roaming user through the UE, the V-NAF finds that the UE has not performed mutual authentication and sends a GBA indication to the UE, notifying it to perform the mutual authentication process, that is, the Bootstrapping process.
  • the specific implementation of this step is completely consistent with the prior art, and details are not described herein again.
  • Steps 602 to 604: The UE sends an authentication request carrying the user information to the V-BSF in the roaming network; the V-BSF determines the address of the home network subscription database to which the UE belongs according to the user information, and obtains the authentication information of the UE from that subscription database.
  • Steps 605 to 606: The mutual authentication and key agreement process between the UE and the V-BSF is the mutual authentication process; the UE and the V-BSF verify each other's identity and generate a shared key Ks. The V-BSF defines a validity period for the shared key Ks and allocates a B-TID to the roaming user; the V-BSF and the UE each store the shared key Ks, the B-TID and the validity period in association, and the UE calculates the derived key from the shared key Ks using a preset derivation algorithm and saves it.
  • Here too the B-TIDs of the two types of users can be distinguished: the B-TID assigned to a local user can take a form such as base64encode(RAND)@BSF_servers_domain_name, while the B-TID for a roaming user can be marked by adding a string, for example base64encode(RAND)-Visited@BSF_servers_domain_name, where the "-Visited" string identifies the user as a roaming user.
  • Steps 607 to 609: The UE carries the obtained B-TID in the connection request and initiates a service request to the V-NAF. If the V-NAF cannot find the B-TID locally, it sends the V-NAF ID and the B-TID to the V-BSF in a request query message; the V-BSF looks up the B-TID and, if it is found, calculates the derived key with the same preset derivation algorithm as the user side, otherwise it notifies the V-NAF that it has no authentication information for the UE. The V-NAF initiates the request query message only when it cannot find the B-TID locally; otherwise the request query message may be omitted, which is consistent with the prior art.
  • Steps 610 to 611: The V-BSF carries the generated derived key, the B-TID, and the validity period stored in association with the B-TID in the request query response message and returns it to the V-NAF, which thereby obtains the derived key for secure communication with the UE.
  • FIG. 7 is a flowchart of Embodiment 2 of the present invention for accessing NAF.
  • Compared with Embodiment 1 shown in FIG. 6, the universal authentication entity in Embodiment 2 consists of a V-BSF and an SGSN.
  • the embodiment specifically includes the following steps:
  • Steps 700 to 701: After the V-NAF in the roaming network receives the connection request sent by the roaming user through the UE, the V-NAF finds that the UE has not performed mutual authentication and sends a GBA indication to the UE, notifying it to perform the mutual authentication process, that is, the Bootstrapping process.
  • The UE carries a flag in the connection request indicating that the user is a roaming user. Therefore, once the NAF learns that the UE is a roaming user, it returns the mutual authentication address of the universal authentication entity in the universal authentication system to the UE in the GBA indication.
  • Steps 702 to 704: The UE sends an authentication request carrying the user information to the V-BSF corresponding to the obtained mutual authentication address; the V-BSF determines the address of the user subscription database of the home network to which the UE belongs according to the user information, and obtains the authentication information of the UE from that subscription database through the SGSN.

Abstract

A general authentication system includes a roaming client, a general authentication entity in the roaming network, and a network application facility. A method for accessing the network application facility of this general authentication system applies to a roaming client that has the GBA function, whose home network does not support the general authentication architecture (GAA), and which is located in a roaming network that does support GAA. The method enables the roaming client to perform the mutual authentication operation in the roaming network, and thereby to access the NAF service of the roaming network.

Description

Universal authentication system and method for accessing a network service application in the system

Technical Field

The present invention relates to universal authentication technology, and in particular to a universal authentication system in a roaming network and a method for accessing a network service application (NAF) in that system.

Background of the Invention
In the third-generation wireless communication standards, the universal authentication system, also called the general authentication architecture (GAA), is a general structure used by various application service entities to verify user identity; by applying the universal authentication framework, the users of an application service can be checked and their identities verified. The application services mentioned above may be multicast/broadcast services, user certificate services, instant information provision services, or proxy services.
FIG. 1 is a schematic structural diagram of the prior-art universal authentication framework. As shown in FIG. 1, the universal authentication framework generally consists of a user, a Bootstrapping Service Function (BSF) entity that performs the initial check and verification of user identity, a Home Subscriber Server (HSS), and a network service application (NAF) entity. Hereinafter the BSF entity is referred to simply as the BSF and the NAF entity as the NAF. The BSF is used to perform mutual authentication with the user, that is, the two verify each other's identity and at the same time generate a key shared between the BSF and the user; this process is also called the Bootstrapping process or GBA process, and a user able to carry out the GBA process with the BSF is called a GBA-capable user. The HSS stores a profile describing the user's information, and also has the function of generating authentication information. The NAF can represent different network service application entities; when a user wants to use a certain service, the user must access the NAF corresponding to that service and communicate with it. The interfaces between the entities are as shown in FIG. 1: the BSF and the NAF are connected through the Zn interface; the user is connected to the BSF or the NAF through a user equipment (UE), the UE and the BSF are connected through the Ub interface, and the UE and the NAF are connected through the Ua interface.
When a user needs to use a service, that is, to access the NAF corresponding to that service, and the user knows that the service requires mutual authentication with the BSF, the user performs the Bootstrapping process with the BSF directly through the UE; otherwise, the user first sends a connection request to the NAF corresponding to the service, and if that NAF uses the universal authentication framework, that is, supports the GAA function, and finds that the user initiating the connection request has not yet performed mutual authentication with the BSF, it notifies the user to perform the Bootstrapping process with the BSF.
Next the user performs mutual authentication by carrying out the Bootstrapping process between the UE and the BSF. After the Bootstrapping process completes successfully, the UE and the BSF have verified each other's identity and generated a shared key Ks; the BSF defines a validity period (Key-lifetime) for the shared key Ks and assigns a session transaction identifier (B-TID) to the user; the BSF and the UE each store the shared key Ks, the B-TID and the validity period in association. When the user wants to communicate with the NAF, the user re-sends a connection request to the NAF carrying the B-TID, and at the same time computes the derived key, the NAF specific key, from the shared key Ks using a preset derivation algorithm.
After the NAF receives the connection request, if the NAF cannot find the B-TID locally, it sends a request query message carrying its own identifier and the B-TID to the BSF. If the BSF cannot find the B-TID locally, it notifies the NAF that it has no information about this user, and the NAF then notifies the user to perform mutual authentication with the BSF. If the BSF finds the B-TID, it computes the derived key of the shared key Ks using the same derivation algorithm as the user side and then sends a success response message to the NAF carrying the B-TID, the derived key corresponding to the B-TID, and the validity period of the shared key Ks. On receiving the BSF's success response message, the NAF considers the user a legitimate user authenticated by the BSF, and the NAF now shares the derived key computed from the shared key Ks, which is identical to the derived key the user computed from the shared key Ks. In subsequent access to the NAF the user uses this derived key to protect the communication between the two.
When the user finds that the shared key Ks is about to expire, or the NAF requires the user to perform mutual authentication with the BSF again, the user repeats the above mutual authentication steps with the BSF to obtain a new shared key Ks and B-TID.
The process of a user accessing a NAF in the GAA described above applies to the case where the NAF is located in the user's home network. For the case where the user accesses a NAF located in a roaming network, the prior-art handling is as follows: the BSF that performs mutual authentication with the user is still the BSF of the home network, while the NAF of the roaming network must connect to the home network's BSF through a D-proxy, obtain the derived key from the home network's BSF, and then use that derived key to communicate with the user. This is the case where both the home network and the roaming network support GAA.
However, if the home network of a GBA-capable UE does not support GAA, then when that UE roams to a roaming network that does support GAA, under the universal authentication architecture currently provided and its method of accessing a NAF, the BSF that performs mutual authentication with the user is the BSF of the home network; since the UE's home network does not support GAA, the UE cannot use the NAF services provided by the roaming network.

Summary of the Invention
In view of this, the main object of the present invention is to provide a universal authentication system that enables roaming users to access NAF services in a roaming network.
Another object of the present invention is to provide a method for accessing a network service application in the universal authentication system, so that roaming users can access NAF services in a roaming network.
To achieve the above objects, the technical solution of the present invention is implemented as follows:
A universal authentication system, comprising: a roaming user, a roaming network service application (V-NAF) entity, and a universal authentication entity for performing mutual authentication with the roaming user, wherein the roaming user initiates a mutual authentication request to the universal authentication entity; the universal authentication entity receives the mutual authentication request from the roaming user, obtains authentication information from the roaming user's home network, and performs mutual authentication with the roaming user;
the roaming user uses the result of the mutual authentication to protect the communication between the roaming user and the V-NAF entity. Specifically, the system comprises:
the V-NAF entity, which receives a connection request from the roaming user and either notifies the roaming user to perform mutual authentication or queries the universal authentication entity for the roaming user's derived key; receives the derived key from the universal authentication entity; and uses that derived key to communicate with the roaming user;
the roaming user, who sends a connection request to the V-NAF entity; if the V-NAF requires GBA authentication, or on receiving a mutual authentication notification from the V-NAF entity, sends a mutual authentication request to the universal authentication entity, performs mutual authentication with the universal authentication entity and generates a derived key; and uses the generated derived key to communicate with the V-NAF entity;
the universal authentication entity, which receives the mutual authentication request from the roaming user, obtains, through its own connection to the roaming user's home network, the authentication information needed for mutual authentication between itself and the roaming user from the roaming user's subscription database, and performs mutual authentication with the roaming user; and which receives a query request from the V-NAF entity, generates the derived key and sends it to the V-NAF.
The universal authentication entity is a Bootstrapping service function (V-BSF) entity located in the roaming network that performs the initial check and verification of user identity.
The subscription database of the roaming user's home network is a home subscriber server (HSS), and the V-BSF entity and the HSS are connected through the Zh interface using the Diameter protocol;
or the subscription database of the user's home network is a home location register (HLR), and the V-BSF entity and the HLR are connected through the Gr interface; or another type of HLR/HSS external interface is used.
The roaming user's home network comprises a subscription database, namely an HSS, and an authentication proxy that authenticates the V-BSF entity, and the V-BSF entity and the HSS are connected through the authentication proxy;
The universal authentication entity comprises: a serving GPRS support node (SGSN) located in the roaming network, and a Bootstrapping service function (V-BSF) entity that performs the initial check and verification of user identity.
The subscription database of the roaming user's home network is an HSS/HLR; the SGSN and the HLR/HSS are connected through the Gr interface, and the V-BSF entity and the SGSN are connected through the Zx interface.
There are two or more V-BSF entities, and the universal authentication entity further comprises a B-proxy for connecting all V-BSF entities with the roaming user's home network.
Each V-BSF entity is connected to the B-proxy through the Zx interface;
the subscription database of the roaming user's home network is an HSS, and the B-proxy and the HSS are connected through the Zh interface; or the subscription database of the user's home network is an HLR, and the B-proxy and the HLR are connected through the Gr interface.
The B-proxy is an independent entity, or a functional module within any one of the V-BSF entities.
There are two or more V-BSF entities, and one of them is designated as the main V-BSF entity;
the main V-BSF entity comprises a B-proxy for connecting the V-BSF entities with the roaming user's home network.
The main V-BSF and the remaining V-BSFs are connected through the Zx interface;
the subscription database of the user's home network is an HSS, and the B-proxy and the HSS are connected through the Zh interface; or the subscription database of the user's home network is an HLR, and the B-proxy and the HLR are connected through the Gr interface.
The V-BSF entity and the V-NAF entity are connected through the Zn interface; the roaming user is connected to the V-BSF entity through the Ub interface and to the V-NAF entity through the Ua interface.
A method for accessing a network service application (NAF) entity in a universal authentication system, the universal authentication system comprising a roaming user, a roaming network service application (V-NAF) entity, and a universal authentication entity for performing mutual authentication with the roaming user and providing a derived key to the V-NAF entity, the method comprising the following steps:
A. the roaming user initiates a mutual authentication request to the universal authentication entity;
B. the universal authentication entity obtains authentication information from the subscription database of the roaming user's home network according to the user information carried in the mutual authentication request;
C. after the universal authentication entity and the roaming user perform mutual authentication according to the authentication information, the roaming user accesses the network service application V-NAF.
Before the roaming user initiates the mutual authentication request to the universal authentication entity in step A, the method further comprises:
the roaming user obtaining the mutual authentication address of the universal authentication entity from the mobile country code and mobile network code of the roaming network, which are already known to it;
or the roaming user carrying, in the connection request sent to the V-NAF entity, a flag identifying itself as a roaming user, and the V-NAF entity, having learned that the current user is a roaming user and determined that the roaming user has not performed mutual authentication, returning the mutual authentication address of the universal authentication entity in the roaming network to the roaming user in a GBA indication.
The universal authentication entity is a V-BSF, and step C specifically comprises:
C1. the roaming user and the V-BSF entity verify each other's identity and generate a shared key Ks; the V-BSF entity defines a validity period for the shared key Ks and assigns a B-TID; the V-BSF entity and the roaming user each store the shared key Ks, the B-TID and the validity period in association;
C2. the roaming user carries the B-TID in a connection request sent to the V-NAF entity, and at the same time computes a derived key from the shared key Ks using a preset derivation algorithm;
C3. on receiving the connection request, if the V-NAF entity cannot find the B-TID locally, it carries its own identifier and the B-TID in a request query message sent to the V-BSF entity;
C4. if the V-BSF entity finds the B-TID, it computes the derived key of the shared key Ks using the same derivation algorithm as the user side, and carries the B-TID and the generated derived key in a success response message sent to the V-NAF entity; the roaming user and the V-NAF entity then communicate using the derived key.
In step C4, if the V-BSF entity cannot find the B-TID locally, the V-BSF entity notifies the V-NAF entity that no information about the roaming user was found, and the V-NAF entity notifies the roaming user to return to step A and execute it again.
In step C3, if there are two or more V-BSF entities, the V-NAF entity sends the request query message carrying its own identifier and the B-TID to all V-BSF entities.
The subscription database of the roaming user's home network is an HSS/HLR.
The method further comprises:
when the roaming user leaves the roaming network, the UE deletes the shared key Ks, the derived key and the B-TID assigned to the roaming user.
The method further comprises:
when the roaming user moves to another roaming network, if a NAF entity in the other roaming network requests the roaming user's secure communication information from the roaming network, the V-BSF entity in the roaming network refuses to return the roaming user's derived key to the NAF entity in the other roaming network.
After the home network receives the request from the roaming network in step B, the method further comprises:
authenticating the V-BSF;
the authentication being performed by the HLR/HSS of the home network, or by a specially provided authentication proxy.
As can be seen from the above technical solution, the general authentication system of the present invention includes a roaming user, a general authentication entity located in the roaming network that performs mutual authentication with the roaming user and provides a derived key to the V-NAF, and a network service application. The method of the present invention for accessing a network service application in the general authentication system applies where the roaming user has GBA capability, the roaming user's home network does not support GAA, and the roaming user is in a roaming network that supports GAA; the method lets the roaming user complete the mutual authentication process in the roaming network and thereby access NAF services in the roaming network.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 is a schematic structural diagram of a prior-art general authentication framework;
Figure 2 is a schematic structural diagram of the general authentication system of the present invention;
Figure 3a is a schematic structural diagram of Embodiment 1 of the general authentication entity of the present invention;
Figure 3b is a schematic structural diagram of Embodiment 2 of the general authentication entity of the present invention;
Figure 4a is a schematic structural diagram of Embodiment 1 of the general authentication entity when multiple BSFs exist in the roaming network according to the present invention;
Figure 4b is a schematic structural diagram of Embodiment 2 of the general authentication entity when multiple BSFs exist in the roaming network according to the present invention;
Figure 5 is a flowchart of the method for accessing a NAF according to the present invention;
Figure 6 is a flowchart of Embodiment 1 of accessing a NAF according to the present invention; Figure 7 is a flowchart of Embodiment 2 of accessing a NAF according to the present invention.
MODE FOR CARRYING OUT THE INVENTION
The core idea of the present invention is as follows: in a general authentication system composed of a roaming user, a general authentication entity located in the roaming network and a roaming-network service application, after the roaming user receives a mutual authentication notification from the network service application, it initiates a mutual authentication request to the general authentication entity in the roaming network where it is located; the general authentication entity obtains authentication information from the subscription database of the roaming user's home network according to the user information carried in the mutual authentication request; the general authentication entity and the user perform mutual authentication based on the obtained authentication information and generate a derived key, which the roaming user uses to access the network service application.
To make the objectives, technical solution and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and preferred embodiments.
The present invention applies in particular where the roaming user has GBA capability, the roaming user's home network does not support GAA, and the roaming network where the roaming user is located supports GAA; and where the roaming network and the home network have signed a corresponding service agreement under which the home network opens to the roaming network the interfaces needed for the mutual authentication process, so that the roaming network can access the home network through those interfaces and obtain the required authentication data from it.
Figure 2 is a schematic structural diagram of the general authentication system of the present invention. As shown in Figure 2, the general authentication system includes a roaming user, a general authentication entity located in the roaming network and a roaming NAF (V-NAF). The interfaces between the entities are as shown in Figure 2: the general authentication entity and the NAF are connected through the Zn interface; the general authentication entity is connected to the subscription database in the roaming user's home network through a corresponding interface, whose specific implementations are described with Figures 3a, 3b, 4a and 4b; the roaming user connects to the general authentication entity and the V-NAF through the UE, the UE and the general authentication entity are connected through the Ub interface, and the UE and the V-NAF are connected through the Ua interface.
The V-NAF may represent different network service application entities; to obtain a service, the user must access the NAF corresponding to that service and communicate with it. The V-NAF receives a connection request from the user; if it determines that the user has not performed mutual authentication, it notifies the user to do so; if it determines that the user has performed mutual authentication and is a roaming user, it queries the general authentication entity for the roaming user's derived key, receives the derived key from the general authentication entity and uses it to communicate with the roaming user so as to deliver the service the roaming user requested;
the roaming user sends a connection request to the V-NAF to request a service; receives the mutual authentication notification from the V-NAF, sends a mutual authentication request to the general authentication entity, performs mutual authentication with the general authentication entity and generates a derived key; and uses the generated derived key to communicate with the V-NAF so as to obtain the requested service;
the general authentication entity receives the mutual authentication request from the roaming user, obtains, through its connection to the subscription database of the roaming user's home network, the authentication information needed for mutual authentication between itself and the roaming user, and performs mutual authentication with the roaming user; it receives query requests from the V-NAF, generates the derived key and provides it to the V-NAF. The functions of the general authentication entity are thus mutual authentication with the roaming user and provision of the derived key to the V-NAF. The authentication information includes user subscription data identifying the services the user has subscribed to, authentication vectors identifying the user, and the like.
Figures 3a and 3b show two implementations of the general authentication entity, each described in detail below. Figure 3a is a schematic structural diagram of Embodiment 1 of the general authentication entity of the present invention. As shown in Figure 3a, the general authentication entity includes the BSF in the roaming network, i.e. the roaming BSF (V-BSF). If the roaming user's authentication information is stored in the home network HSS (including the case where the HLR has been upgraded to an HSS), the V-BSF can obtain the roaming user's authentication information from the HSS over the Zh interface using the Diameter protocol, and the subscription database is the HSS; if the roaming user's authentication information is stored in the home location register (HLR) of the home network (the HLR not yet having been upgraded to an HSS), the V-BSF can obtain the roaming user's authentication information from the HLR over the Gr interface, and the subscription database is the HLR. The interfaces between the general authentication entity of Figure 3a and the other entities of the general authentication system are: the V-BSF and the V-NAF are connected through the Zn interface, and the roaming user is connected to the V-BSF through the Ub interface and to the V-NAF through the Ua interface.
In the general authentication entity shown in Figure 3a, the V-BSF receives the mutual authentication request from the roaming user, obtains, through its connection to the subscription database of the roaming user's home network, the authentication information needed for mutual authentication between the general authentication entity and the roaming user, and performs mutual authentication with the roaming user; it receives the query request from the V-NAF, generates the derived key and provides it to the V-NAF.
Figure 3b is a schematic structural diagram of Embodiment 2 of the general authentication entity of the present invention. As shown in Figure 3b, the general authentication entity includes a Serving GPRS Support Node (SGSN) located in the roaming network and the V-BSF; the SGSN in the roaming network and the HLR/HSS of the home network are connected through the Gr interface, and the V-BSF and the SGSN are connected through the Zx interface. When the V-BSF needs the user's authentication information, it accesses the HLR/HSS of the home network through the SGSN to obtain the authentication information and the GPRS subscription information; the subscription database is then the HLR/HSS. The interfaces between the general authentication entity of Figure 3b and the other entities of the general authentication system are: the V-BSF in the general authentication entity and the V-NAF are connected through the Zn interface, and the roaming user is connected to the V-BSF through the Ub interface and to the V-NAF through the Ua interface.
In the general authentication entity shown in Figure 3b, the V-BSF receives the mutual authentication request from the roaming user, connects through the SGSN to the subscription database of the roaming user's home network, obtains the authentication information needed for mutual authentication between the general authentication entity and the roaming user, and performs mutual authentication with the roaming user; the V-BSF receives the query request from the V-NAF, generates the derived key and provides it to the V-NAF.
It should be noted that in the present invention the V-BSF can also obtain the user's GUSS data from the HLR/HSS: if the user's home network register is an HLR, the HLR outputs the GUSS to the BSF in the same way it outputs GPRS subscription data to the SGSN, or the GUSS is sent to the BSF as part of the GPRS subscription data, together with the GPRS subscription data the HLR outputs to the BSF; if the user's home network register is an HSS, the authentication and GUSS data can be obtained from the user's HSS through the Zn interface protocol in the existing manner.
In a roaming network with multiple BSFs, all of them may be able to authenticate roaming users, or only one or some of them may be used to authenticate roaming users while the remaining BSFs can only authenticate local users. The BSFs that authenticate roaming users and those that authenticate local users can be distinguished by different domain names; for example, the domain name of a BSF that authenticates local users may be set to BSF bsf.mnc<MNC>.mcc<MCC>.3gppnetwork.org and that of a BSF that authenticates roaming users to VBSF bsf.mnc<MNC>.mcc<MCC>.3gppnetwork.org, where <MNC> is filled with the mobile network code (MNC) and <MCC> with the mobile country code (MCC). If a BSF can authenticate both local users and roaming users, both domain names can be set for it.
Whether all BSFs can authenticate roaming users or only one or some of them do, as long as the roaming network contains two or more BSFs that authenticate roaming users, the present invention provides a B-proxy, a unified interface connecting the V-BSFs to the roaming user's home network, so that these BSFs can access the home network's subscription database through a single interface. The B-proxy may be a functional module in one of the BSFs that authenticate roaming users, or an independent entity. Of course, if the subscription database in the home network supports connections to multiple BSFs and each BSF that authenticates roaming users is connected to the home network's subscription database separately, no B-proxy is needed.
Figure 4a is a schematic structural diagram of Embodiment 1 of the general authentication entity when multiple BSFs exist in the roaming network according to the present invention. As shown in Figure 4a, assume the roaming network contains n V-BSFs that authenticate roaming users, V-BSF1 to V-BSFn, where n is a positive integer greater than 1. V-BSF1 to V-BSFn are each connected to the V-NAF through the Zn interface and to the B-proxy through the Zx interface; the B-proxy is connected to the subscription database in the home network through the Gr/Zh' interface, so that V-BSF1 to V-BSFn access the home network's subscription database through a single Gr/Zh' interface; each V-BSF provides a Ub interface to the roaming user, and the roaming user connects to the V-NAF through the Ua interface.
Figure 4b is a schematic structural diagram of Embodiment 2 of the general authentication entity when multiple BSFs exist in the roaming network according to the present invention. As shown in Figure 4b, assume the roaming network contains n V-BSFs that authenticate roaming users, V-BSF1 to V-BSFn, where n is a positive integer greater than 1. V-BSF1 is the master V-BSF and also acts as the B-proxy; the master V-BSF has two domain names, one being the B-proxy domain name and the other the V-BSF domain name, which can be configured in advance. V-BSF2 to V-BSFn are each connected to the V-NAF through the Zn interface and to the master V-BSF through the Zx interface; the B-proxy in the master V-BSF is connected to the subscription database in the home network through the Gr/Zh' interface, so that V-BSF1 to V-BSFn access the home network's subscription database through a single Gr/Zh' interface; each V-BSF provides a Ub interface to the roaming user, and the roaming user connects to the V-NAF through the Ua interface.
Besides the two interfaces of Figures 3a and 3b, the V-BSF may also access the home network's subscription database through other external HLR/HSS interfaces such as the Sh interface. Furthermore, before the home network provides data to the V-BSF, it may authenticate the V-BSF; this authentication can be performed by the HLR/HSS itself, or an authentication proxy can be placed specifically between the V-BSF and the HLR/HSS for this purpose.
The structure of the general authentication system of the present invention has been described above. The method of accessing a NAF in this general authentication system is now described with reference to Figures 2 and 5. Figure 5 is a flowchart of the method for accessing a NAF according to the present invention. In a general authentication system composed of a roaming user, a general authentication entity located in the roaming network and a network service application, assume that the roaming user's home network does not support GAA while the roaming network where the roaming user is located supports GAA. The method of the present invention includes the following steps:
Step 500: after the roaming user receives a mutual authentication notification from the network service application, because the roaming user's home network does not support GAA, the roaming user initiates a mutual authentication request to the general authentication entity of the general authentication system in the roaming network where it is located.
As in the prior art, the roaming user requests a service by sending a connection request to the V-NAF; if the V-NAF finds that the roaming user that sent the connection request has not performed mutual authentication, it can send a GBA indication to the roaming user notifying it to perform the mutual authentication process, i.e. the Bootstrapping process.
In the present invention, since the roaming user's home network does not support GAA, the roaming user performs mutual authentication through the general authentication entity of the general authentication system in the roaming network, in accordance with the service agreement signed in advance between the roaming network and the home network.
When the roaming user moves into a roaming network, the mobile country code and mobile network code of that network are known to the roaming user; how this is done is well known to those skilled in the art and is not described here. In the present invention, the roaming user only needs to follow the domain-name convention of the V-BSF that authenticates roaming users, adding the VBSF prefix and the 3gppnetwork.org suffix to the roaming network's MCC and MNC, to obtain the address of the V-BSF, i.e. the mutual authentication address of the general authentication entity.
Alternatively, the roaming user may carry a flag in the connection request identifying itself as a roaming user, so that the NAF knows the current user is roaming; the NAF then returns, in the GBA indication, the mutual authentication address of the general authentication entity of the general authentication system in the roaming network to the roaming user.
Step 501: the general authentication entity obtains the authentication information from the subscription database of the roaming user's home network according to the user information carried in the mutual authentication request.
After receiving the roaming user's authentication request, the V-BSF examines the user information carried in it, such as the identity; if the identity does not belong to the local network, the V-BSF determines from the identity the address of the subscription database, such as the HSS/HLR, of the home network of the user requesting authentication, and obtains the roaming user's authentication information from that home network subscription database through the Zh/Gr interface.
Step 502: the general authentication entity and the user perform mutual authentication based on the authentication information and generate a derived key; the roaming user uses the derived key to access a network service application in the roaming network where it is currently located.
The roaming user, through the UE, performs mutual authentication with the V-BSF at the mutual authentication address by running the Bootstrapping process. After the Bootstrapping process completes successfully, the UE and the V-BSF have verified each other's identity and generated a shared key Ks; the V-BSF defines a validity period for the shared key Ks and allocates a B-TID to the roaming user; the V-BSF and the UE each store the shared key Ks, the B-TID and the validity period in association. When the roaming user wants to communicate with the V-NAF, it sends a new connection request to the V-NAF carrying the B-TID, and at the same time computes the derived key from the shared key Ks using the preset derivation algorithm.
In addition, to make it easy to tell roaming users from local users, the two kinds of users can be given different types of B-TID: for example, the B-TID allocated to a local user may be of the form base64encode(RAND)@BSF_servers_domain_name, while the B-TID allocated to a roaming user can be marked by an added string, such as the "-Visited" string in base64encode(RAND)-Visited@BSF_servers_domain_name, identifying the user as a roaming user.
After receiving the connection request, if the V-NAF cannot find the B-TID locally, it sends a query request message carrying its own identifier and the B-TID to the V-BSF. Note that if the roaming network contains several V-BSFs that can authenticate roaming users, the V-NAF can send the query request message carrying its own identifier and the B-TID to all V-BSFs able to authenticate roaming users. If the V-BSF cannot find the B-TID locally, it notifies the V-NAF that it has no information on the roaming user; the V-NAF then notifies the roaming user to perform mutual authentication, i.e. the procedure returns to step 500 and is executed again. If the V-BSF finds the B-TID, it computes the derived key from the shared key Ks using the same derivation algorithm as the user side and then sends a success response message to the V-NAF carrying the B-TID, the derived key corresponding to the B-TID, and the validity period of the shared key Ks. On receiving the success response message from the V-BSF, the V-NAF regards the roaming user as a legitimate user that has performed mutual authentication, and now shares the derived key computed from the shared key Ks, which is identical to the derived key the roaming user computed from that shared key Ks. The user uses the derived key to protect communication with the V-NAF in subsequent accesses.
When the user finds that the shared key Ks is about to expire, or the NAF requires the user to re-authenticate with the BSF, the user repeats the mutual authentication steps above with the BSF to obtain a new shared key Ks and B-TID.
Furthermore, to ensure that a user cannot use the secure-communication information allocated in the roaming network where it is currently located, i.e. the shared key Ks, the generated derived key and the B-TID, to access a NAF in another roaming network (for convenience, the current roaming network is called the first roaming network and the other roaming network the second roaming network), the method of the present invention may further include: when the user leaves the first roaming network, the UE deletes the shared key Ks allocated to the user by the V-BSF of the first roaming network, the generated derived key and the B-TID; and of course, if the NAF of the second roaming network requests the user's secure-communication information from the first roaming network, the V-BSF of the first roaming network does not return the user's derived key or other secure-communication information to that NAF.
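The roaming-user flow described above (building the V-BSF address from MCC/MNC, marking a roamer's B-TID with "-Visited", the V-NAF querying every candidate V-BSF over Zn, and the cleanup and refusal rules for a second roaming network), as an added Python example that is not part of the patent. The "vbsf" host label, the HMAC-SHA256 derivation standing in for the unspecified "preset derivation algorithm", the network labels and all sample values are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def bsf_domain(mcc: str, mnc: str, roaming: bool) -> str:
    """BSF domain for network <mcc>/<mnc>. The page gives the roaming-user BSF a
    "VBSF" prefix; using "vbsf" as the host label is an assumption here."""
    label = "vbsf" if roaming else "bsf"
    return f"{label}.mnc{mnc}.mcc{mcc}.3gppnetwork.org"


def make_b_tid(rand: bytes, bsf_fqdn: str, roaming: bool) -> str:
    """B-TID as described: base64(RAND)@<BSF domain>, with "-Visited" appended
    to the user part for roaming users."""
    tag = "-Visited" if roaming else ""
    return f"{base64.b64encode(rand).decode()}{tag}@{bsf_fqdn}"


def is_roaming_b_tid(b_tid: str) -> bool:
    user_part, _, _ = b_tid.partition("@")
    return user_part.endswith("-Visited")


def derive_naf_key(ks: bytes, naf_id: str) -> bytes:
    """Derived key from Ks. The page only requires UE and V-BSF to use the same
    algorithm; HMAC-SHA256 keyed with Ks over the NAF identifier is a stand-in."""
    return hmac.new(ks, naf_id.encode(), hashlib.sha256).digest()


@dataclass
class Binding:
    ks: bytes
    expires_at: float  # validity period of Ks, stored together with the B-TID


@dataclass
class VBSF:
    network: str  # "<mcc>/<mnc>" of the roaming network this V-BSF serves
    fqdn: str
    bindings: Dict[str, Binding] = field(default_factory=dict)

    def bootstrap(self, roaming: bool, lifetime: float, now: float) -> Tuple[str, bytes]:
        """Outcome of a successful Ub bootstrapping: Ks, a B-TID and a validity
        period stored in association (the AKA exchange itself is not modelled)."""
        ks = os.urandom(32)
        b_tid = make_b_tid(os.urandom(16), self.fqdn, roaming)
        self.bindings[b_tid] = Binding(ks, now + lifetime)
        return b_tid, ks

    def query(self, naf_id: str, naf_network: str, b_tid: str) -> Optional[Tuple[bytes, float]]:
        """Zn query from a NAF: refused (None) for a NAF of another roaming network or
        an unknown B-TID; otherwise the derived key and the validity period of Ks."""
        if naf_network != self.network:
            return None
        binding = self.bindings.get(b_tid)
        if binding is None:
            return None
        return derive_naf_key(binding.ks, naf_id), binding.expires_at


@dataclass
class UE:
    ks: Optional[bytes] = None
    b_tid: Optional[str] = None
    ks_naf: Optional[bytes] = None

    def bootstrap_with(self, bsf: VBSF, naf_id: str, lifetime: float, now: float) -> None:
        self.b_tid, self.ks = bsf.bootstrap(True, lifetime, now)
        self.ks_naf = derive_naf_key(self.ks, naf_id)  # same algorithm as the V-BSF

    def leave_network(self) -> None:
        """Leaving the roaming network: Ks, the derived key and the B-TID are deleted."""
        self.ks = self.b_tid = self.ks_naf = None


def naf_lookup(naf_id: str, naf_network: str, b_tid: str,
               bsfs: List[VBSF], now: float) -> Optional[bytes]:
    """V-NAF side: query every V-BSF that may have authenticated the roamer and take
    the first hit whose Ks is still valid; None means the UE must re-bootstrap."""
    for bsf in bsfs:
        hit = bsf.query(naf_id, naf_network, b_tid)
        if hit is None:
            continue
        ks_naf, expires_at = hit
        return ks_naf if expires_at > now else None
    return None


def run_scenario() -> bool:
    """Constructed walk-through: two V-BSFs in roaming network 460/00, a NAF there
    and a NAF in a second roaming network 262/01 (sample values, not real operators)."""
    bsf1 = VBSF("460/00", bsf_domain("460", "00", True))
    bsf2 = VBSF("460/00", bsf_domain("460", "00", True))
    ue = UE()
    ue.bootstrap_with(bsf2, "naf.visited.example", lifetime=3600.0, now=1000.0)
    found = naf_lookup("naf.visited.example", "460/00", ue.b_tid, [bsf1, bsf2], now=1000.0)
    foreign = naf_lookup("naf.other.example", "262/01", ue.b_tid, [bsf1, bsf2], now=1000.0)
    ok = found == ue.ks_naf and foreign is None and is_roaming_b_tid(ue.b_tid)
    ue.leave_network()
    return ok and ue.ks is None and ue.b_tid is None and ue.ks_naf is None
```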
下面结合实施例具体描述本发明方法的实现过程, 图 6是本发明访 问 NAF的实施例一的流程图, 结合图 3a, 实施例一中通用鉴权实体由 V-BSF组成。假设漫游用户通过 UE在向 V-NAF发出首次连接请求之前, 还未进行互认证, 本实施例具体包括以下步骤:  The implementation process of the method of the present invention is specifically described below with reference to the embodiments. FIG. 6 is a flowchart of Embodiment 1 of the present invention for accessing NAF. Referring to FIG. 3a, the general authentication entity in Embodiment 1 is composed of V-BSF. It is assumed that the roaming user does not perform mutual authentication before the UE sends the first connection request to the V-NAF. The embodiment specifically includes the following steps:
Steps 600 to 601: After the V-NAF in the roaming network receives a connection request sent by the roaming user through the UE and finds that the UE has not yet performed mutual authentication, it sends a GBA indication to the UE, instructing the UE to carry out the mutual authentication process, i.e. the Bootstrapping process. The concrete implementation of this step is identical to the prior art and is not repeated here.
Steps 602 to 604: The UE sends an authentication request carrying user information to the V-BSF in the roaming network; from the user information, the V-BSF determines the address of the subscription database of the home network to which the UE belongs, and obtains the UE's authentication information from that user subscription database.
In this step it is assumed that the roaming user already knows the MCC and MNC of the roaming network and, following the domain-name convention of the V-BSF used to authenticate roaming users, forms the V-BSF address by prepending a "VBSF" prefix and appending the "3gppnetwork.org" suffix to the MCC and MNC of the roaming network.
Steps 605 to 606: The UE and the V-BSF carry out mutual authentication and key agreement, i.e. the mutual authentication process: the UE and the V-BSF verify each other's identity and generate a shared key Ks; the V-BSF defines a validity period for the shared key Ks and allocates a B-TID to the roaming user; the V-BSF and the UE each store the shared key Ks, the B-TID and the validity period in association; the UE computes a derived key from the shared key Ks using a preset derivation algorithm and stores it.
If local users and roaming users need to be distinguished, the two kinds of users can also be given B-TIDs of different types. For example, the B-TID allocated to a local user may have the form base64encode(RAND)@BSF_servers_domain_name, while the B-TID allocated to a roaming user can be marked by adding a string, e.g. base64encode(RAND)-Visited@BSF_servers_domain_name, where the added "-Visited" string identifies the user as a roaming user.
Steps 607 to 609: The UE carries the obtained B-TID in a connection request and initiates a service request to the V-NAF; the V-NAF sends a query request message carrying its own identifier (V-NAF ID) and the B-TID to the V-BSF to query the UE's derived key; if the V-BSF holds a shared key Ks stored in association with the B-TID carried in the query request message, it computes the derived key from that shared key Ks using the same preset derivation algorithm as the user side.
In this step, if no shared key Ks stored in association with the B-TID exists in the V-BSF, the V-NAF is notified that there is no authentication information for the UE.
In addition, this step assumes that the V-NAF cannot find the B-TID locally and therefore sends the query request message to the V-BSF; otherwise the query request message may be omitted, which is consistent with the prior art.
Steps 610 to 611: The V-BSF returns the generated derived key, the B-TID and the validity period stored in association with that B-TID to the V-NAF in a query response message; the V-NAF and the UE then communicate securely using the derived key each of them has obtained.
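The flow of steps 602 to 611, including the "-Visited" marking of roaming B-TIDs, as an added Python simulation that is not code from the patent. The label layout of the V-BSF domain name, HMAC-SHA256 as the "preset derivation algorithm" and the rule that a NAF identifier ends with the domain of its own network are assumptions; the MCC/MNC and host names are constructed.

```python
"""Simulation of the visited-network GBA flow in steps 602 to 611 above.

Added example, not the patent's own code. Assumed, since the page does not
fix them: the label layout of the V-BSF domain name, HMAC-SHA256 as the
"preset derivation algorithm", and that a NAF's identifier ends with the
domain of the network it belongs to. MCC/MNC and names are constructed.
"""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


def vbsf_domain(mcc: str, mnc: str) -> str:
    """Step 602: 'VBSF' prefix + roaming MCC/MNC + '3gppnetwork.org' suffix."""
    return f"vbsf.mnc{mnc.zfill(3)}.mcc{mcc.zfill(3)}.3gppnetwork.org"


def make_btid(rand: bytes, bsf_domain: str, roaming: bool) -> str:
    """Step 606: base64encode(RAND)@BSF_servers_domain_name, with '-Visited'
    appended to the RAND part when the B-TID is allocated to a roaming user."""
    user_part = base64.b64encode(rand).decode()
    return f"{user_part}{'-Visited' if roaming else ''}@{bsf_domain}"


def is_roaming_btid(btid: str) -> bool:
    """Local and roaming users can be told apart from the B-TID alone."""
    return btid.rsplit("@", 1)[0].endswith("-Visited")


def derive_naf_key(ks: bytes, naf_id: str) -> bytes:
    """Derivation shared by UE and V-BSF (assumed: HMAC-SHA256 of NAF ID under Ks)."""
    return hmac.new(ks, naf_id.encode(), hashlib.sha256).digest()


@dataclass
class KsRecord:
    ks: bytes          # shared key produced by mutual authentication
    expires_at: float  # validity period defined by the V-BSF


class VBSF:
    """Keeps Ks, B-TID and lifetime together (step 606); answers V-NAF
    key queries (steps 608 to 610)."""

    def __init__(self, domain: str, lifetime_s: float = 3600.0):
        self.domain = domain
        self.network = domain.split(".", 1)[1]  # identifies the roaming network
        self.lifetime_s = lifetime_s
        self.records = {}

    def bootstrap(self, roaming: bool, now: float) -> Tuple[str, bytes, float]:
        """Steps 605 to 606. AKA itself is out of scope; its outcome is a fresh
        Ks known to UE and V-BSF, plus a B-TID and a validity period."""
        ks = secrets.token_bytes(32)
        btid = make_btid(secrets.token_bytes(16), self.domain, roaming)
        self.records[btid] = KsRecord(ks, now + self.lifetime_s)
        return btid, ks, self.records[btid].expires_at

    def query(self, naf_id: str, btid: str, now: float) -> Optional[Tuple[bytes, str, float]]:
        """Steps 608 to 610: (derived key, B-TID, lifetime) for the V-NAF, or
        None when no Ks is stored under the B-TID, the Ks has expired, or the
        NAF belongs to another network (the refusal of claim 21)."""
        if not naf_id.endswith("." + self.network):
            return None
        rec = self.records.get(btid)
        if rec is None or now >= rec.expires_at:
            return None
        return derive_naf_key(rec.ks, naf_id), btid, rec.expires_at


def run_flow(now: float = 1_700_000_000.0):
    """Full exchange for one roaming UE; returns (btid, ue_key, bsf_answer)."""
    bsf = VBSF(vbsf_domain("460", "00"))                 # constructed MCC/MNC
    naf_id = "naf.example." + bsf.network                # assumed V-NAF name
    btid, ks, _ = bsf.bootstrap(roaming=True, now=now)  # steps 605 to 606
    ue_key = derive_naf_key(ks, naf_id)                  # UE side of step 606
    return btid, ue_key, bsf.query(naf_id, btid, now + 10)  # steps 607 to 610
```

`run_flow()` returns the same derived key on the UE side and in the V-BSF answer, while a query from a NAF outside the roaming network, for an unknown B-TID, or after the validity period yields `None`.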
FIG. 7 is a flowchart of embodiment 2 of accessing a NAF according to the present invention. With reference to FIG. 3b, in embodiment 2 the general authentication entity consists of a V-BSF and an SGSN. Compared with embodiment 1 shown in FIG. 6, embodiment 2 differs in two respects: first, in the way the UE obtains the mutual authentication address in the general authentication system; second, in the composition of the general authentication entity in the general authentication system. Assuming that the roaming user has not yet performed mutual authentication before sending the first connection request to the V-NAF through the UE, this embodiment specifically comprises the following steps:
Steps 700 to 701: After the V-NAF in the roaming network receives a connection request sent by the roaming user through the UE and finds that the UE has not yet performed mutual authentication, it sends a GBA indication to the UE, instructing the UE to carry out the mutual authentication process, i.e. the Bootstrapping process.
In this step it is assumed that the UE carries in the connection request a flag identifying itself as a roaming user; therefore, once the NAF learns that the UE is a roaming user, it carries the mutual authentication address of the general authentication entity in the general authentication system in the GBA indication returned to the UE.
Steps 702 to 704: The UE sends an authentication request carrying user information to the V-BSF corresponding to the obtained mutual authentication address; from the user information, the V-BSF determines the address of the user subscription database of the home network to which the UE belongs, and obtains the UE's authentication information from the user subscription database through the SGSN.
The concrete implementation of steps 705 to 711 is identical to steps 605 to 611 of embodiment 1 and is not repeated here. The above are merely preferred embodiments of the present invention and are not intended to limit its scope of protection; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims

1. A general authentication system, characterized in that the system comprises: a roaming user, a roaming network service application (V-NAF) entity, and a general authentication entity for performing mutual authentication with the roaming user, wherein
the roaming user initiates a mutual authentication request to the general authentication entity;
the general authentication entity receives the mutual authentication request from the roaming user, obtains authentication information from the home network of the roaming user, and performs mutual authentication with the roaming user;
the roaming user uses the result of the mutual authentication to protect the communication between the roaming user and the V-NAF entity.
2. The system according to claim 1, characterized in that the system specifically comprises: the V-NAF entity, which receives a connection request from the roaming user, notifies the roaming user to perform mutual authentication or queries the general authentication entity for the roaming user's derived key, receives the derived key from the general authentication entity, and communicates with the roaming user using that derived key;
the roaming user, which sends a connection request to the V-NAF entity; if the V-NAF requires GBA authentication or a mutual authentication notification is received from the V-NAF entity, sends a mutual authentication request to the general authentication entity, performs mutual authentication with the general authentication entity and generates a derived key; and communicates with the V-NAF entity using the generated derived key;
the general authentication entity, which receives the mutual authentication request from the roaming user, obtains, through its own connection to the home network to which the roaming user belongs, the authentication information required for mutual authentication between the general authentication entity and the roaming user from the roaming user's subscription database, and performs mutual authentication with the roaming user; and receives the query request from the V-NAF entity, generates the derived key and sends it to the V-NAF.
3. The system according to claim 2, characterized in that the general authentication entity is a Bootstrapping Server Function (V-BSF) entity located in the roaming network that performs the initial check and verification of the user's identity.
4. The system according to claim 3, characterized in that the subscription database of the home network to which the roaming user belongs is a Home Subscriber Server (HSS), and the V-BSF entity and the HSS are connected through a Zh interface using the Diameter protocol;
or the subscription database of the home network to which the user belongs is a Home Location Register (HLR), and the V-BSF entity and the HLR are connected through a Gr interface;
or another type of external HLR/HSS interface is used.
5. The system according to claim 3, characterized in that the home network to which the roaming user belongs comprises a Home Subscriber Server (HSS) as the subscription database and an authentication proxy that authenticates the V-BSF entity, the V-BSF entity being connected to the HSS through the authentication proxy.
6. The system according to claim 2, characterized in that the general authentication entity comprises: a Serving GPRS Support Node (SGSN) located in the roaming network, and a Bootstrapping Server Function (V-BSF) entity that performs the initial check and verification of the user's identity.
7. The system according to claim 6, characterized in that the subscription database of the home network to which the roaming user belongs is an HSS/HLR, the SGSN and the HLR/HSS are connected through a Gr interface, and the V-BSF entity and the SGSN are connected through a Zx interface.
8. The system according to claim 3, characterized in that there are two or more V-BSF entities, and the general authentication entity further comprises: a B-proxy for connecting all V-BSF entities with the home network to which the roaming user belongs.
9. The system according to claim 8, characterized in that each V-BSF entity and the B-proxy are connected through a Zx interface;
the subscription database of the home network to which the roaming user belongs is an HSS and the B-proxy and the HSS are connected through a Zh interface; or the subscription database of the home network to which the user belongs is an HLR and the B-proxy and the HLR are connected through a Gr interface.
10. The system according to claim 8, characterized in that the B-proxy is an independent entity, or is a functional module within any one of the V-BSF entities.
11. The system according to claim 3, characterized in that there are two or more V-BSF entities, and one of them is designated as the master V-BSF entity;
the master V-BSF entity comprises a B-proxy for connecting the V-BSF entities with the home network to which the roaming user belongs.
12. The system according to claim 11, characterized in that the master V-BSF and the remaining V-BSFs are connected through a Zx interface;
the subscription database of the home network to which the user belongs is an HSS and the B-proxy and the HSS are connected through a Zh interface; or the subscription database of the home network to which the user belongs is an HLR and the B-proxy and the HLR are connected through a Gr interface.
13. The system according to claim 4, 7, 9 or 12, characterized in that the V-BSF entity and the V-NAF entity are connected through a Zn interface, and the roaming user is connected to the V-BSF entity through a Ub interface and to the V-NAF entity through a Ua interface.
14. A method for accessing a network service application (NAF) entity in a general authentication system, the general authentication system comprising: a roaming user, a roaming network service application (V-NAF) entity, and a general authentication entity for performing mutual authentication with the roaming user and providing a derived key to the V-NAF entity, characterized in that the method comprises the following steps:
A. the roaming user initiates a mutual authentication request to the general authentication entity;
B. the general authentication entity obtains authentication information from the subscription database of the home network to which the roaming user belongs, according to the user information carried in the mutual authentication request;
C. after the general authentication entity and the roaming user have performed mutual authentication according to the authentication information, the roaming user accesses the network service application V-NAF.
15. The method according to claim 14, characterized in that, before the roaming user initiates the mutual authentication request to the general authentication entity in step A, the method further comprises: the roaming user obtaining the mutual authentication address of the general authentication entity from the already known mobile country code and mobile network code of the roaming network;
or the roaming user carrying, in the connection request sent to the V-NAF entity, a flag identifying itself as a roaming user, and the V-NAF entity, after learning that the current user is a roaming user and determining that the roaming user has not performed mutual authentication, carrying the mutual authentication address of the general authentication entity in the roaming network in a GBA indication returned to the roaming user.
16. The method according to claim 14, characterized in that the general authentication entity is a V-BSF, and step C specifically comprises:
C1. the roaming user and the V-BSF entity verify each other's identity and generate a shared key Ks; the V-BSF entity defines a validity period for the shared key Ks and allocates a B-TID; the V-BSF entity and the roaming user each store the shared key Ks, the B-TID and the validity period in association;
C2. the roaming user carries the B-TID in a connection request and sends it to the V-NAF entity, and at the same time computes a derived key from the shared key Ks using a preset derivation algorithm;
C3. upon receiving the connection request, if the V-NAF entity cannot find the B-TID locally, it carries its own identifier and the B-TID in a query request message and sends it to the V-BSF entity;
C4. if the V-BSF entity finds the B-TID, it computes the derived key of the shared key Ks using the same derivation algorithm as the user side, and carries the B-TID and the generated derived key in a success response message sent to the V-NAF entity; the roaming user and the V-NAF entity then communicate using the derived key.
17. The method according to claim 16, characterized in that, in step C4, if the V-BSF entity cannot find the B-TID locally, the V-BSF entity notifies the V-NAF entity that no information on the roaming user was found, and the V-NAF entity notifies the roaming user to go back and perform step A again.
18. The method according to claim 16, characterized in that, in step C3, if there are two or more V-BSF entities, the V-NAF entity sends a query request message carrying its own identifier and the B-TID to all V-BSF entities.
19. The method according to claim 14, characterized in that the subscription database of the home network to which the roaming user belongs is an HSS/HLR.
20. The method according to claim 14, characterized in that the method further comprises:
when the roaming user leaves the roaming network, the UE deletes the shared key Ks, the derived key and the B-TID allocated to the roaming user.
21. The method according to claim 14, characterized in that the method further comprises:
when the roaming user moves to another roaming network, if a NAF entity in the other roaming network requests the roaming user's secure communication information from the roaming network, the V-BSF entity in the roaming network refuses to return the roaming user's derived key to the NAF entity in the other roaming network.
22. The method according to claim 14, characterized in that, after the home network receives the request from the roaming network in step B, the method further comprises:
authenticating the V-BSF;
the authentication being performed by the HLR/HSS of the home network or by a specially provided authentication proxy.
PCT/CN2006/003153 2006-02-23 2006-11-23 A general authentication system and a method for accessing the network application facility of the system WO2007095806A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CNB2006100080406A CN100563159C (en) 2006-02-23 2006-02-23 Generic authentication system and visit the method that Network in this system is used
CN200610008040.6 2006-02-23

Publications (1)

Publication Number Publication Date
WO2007095806A1 true WO2007095806A1 (en) 2007-08-30

Family

ID=38436922

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2006/003153 WO2007095806A1 (en) 2006-02-23 2006-11-23 A general authentication system and a method for accessing the network application facility of the system

Country Status (2)

Country Link
CN (1) CN100563159C (en)
WO (1) WO2007095806A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101729998A (en) * 2008-10-29 2010-06-09 华为技术有限公司 Information transmission, common guide architecture, and authentication method, system and device
CN102196438A (en) 2010-03-16 2011-09-21 高通股份有限公司 Communication terminal identifier management methods and device
US9112905B2 (en) * 2010-10-22 2015-08-18 Qualcomm Incorporated Authentication of access terminal identities in roaming networks
US9668128B2 (en) 2011-03-09 2017-05-30 Qualcomm Incorporated Method for authentication of a remote station using a secure element

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1259811A (en) * 1998-05-07 2000-07-12 朗迅科技公司 Method and device used for secret in communication system
WO2004091176A2 (en) * 2003-04-02 2004-10-21 Qualcomm Incorporated Ciphering between a cdma network and a gsm network
CN1553610A (en) * 2003-05-30 2004-12-08 华为技术有限公司 Authentication for roaming between CDMA to GSM
CN1717096A (en) * 2004-06-28 2006-01-04 华为技术有限公司 Method for realizing management of connecting visit network using general weight discrimination frame

Also Published As

Publication number Publication date
CN100563159C (en) 2009-11-25
CN101026453A (en) 2007-08-29

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 06817882

Country of ref document: EP

Kind code of ref document: A1