WO2007095806A1 - General authentication system and method for accessing the network application function of the system - Google Patents

General authentication system and method for accessing the network application function of the system

Info

Publication number
WO2007095806A1
Authority
WO
WIPO (PCT)
Prior art keywords
entity
roaming
bsf
user
authentication
Prior art date
Application number
PCT/CN2006/003153
Other languages
English (en)
Chinese (zh)
Inventor
Yanmei Yang
Original Assignee
Huawei Technologies Co., Ltd.
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2007095806A1

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3273Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/069Authentication using certificates or pre-shared keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W74/00Wireless channel access

Definitions

  • The present invention relates to general authentication techniques, and more particularly to a universal authentication system and a method of accessing a network service application (NAF) in a roaming network.
  • NAF: network service application (in 3GPP terminology, the Network Application Function)
  • The universal authentication system is also known as the Generic Authentication Architecture (GAA).
  • GAA: Generic Authentication Architecture
  • The application services referred to above may be a multicast/broadcast service, a user certificate service, an instant messaging service, or a proxy service.
  • FIG. 1 is a schematic structural diagram of a general authentication framework of the prior art.
  • A universal authentication framework generally consists of a user, a Bootstrapping Service Function (BSF) entity that performs initial authentication of the user identity, a Home Subscriber Server (HSS), and a network application function (NAF).
  • BSF: Bootstrapping Service Function
  • HSS: Home Subscriber Server
  • NAF: network application function
  • The BSF entity is referred to simply as the BSF, and the NAF entity simply as the NAF.
  • The BSF performs mutual authentication with the user, that is, each side verifies the identity of the other, and at the same time a shared key is generated between the BSF and the user.
  • This process is also called the Bootstrapping process or the GBA (Generic Bootstrapping Architecture) process; a user able to run the GBA process with a BSF is said to be GBA-capable.
  • the interface between the entities is as shown in Figure 1.
  • The BSF and the NAF are connected through the Zn interface.
  • The user connects to the BSF or the NAF through the user terminal (UE); the UE and the BSF are connected through the Ub interface.
  • The UE and the NAF are connected through the Ua interface.
  • When the user needs a certain service, the user must access the NAF corresponding to that service. If the user already knows that the service requires mutual authentication with the BSF, the user performs the Bootstrapping process with the BSF directly through the UE; otherwise the user first sends a connection request to the NAF corresponding to the service.
  • If that NAF supports the GAA function and finds that the user who sent the connection request has not yet authenticated to the BSF, it notifies the user to perform the Bootstrapping process with the BSF.
  • The user performs mutual authentication by running the Bootstrapping process between the UE and the BSF.
  • The UE and the BSF mutually authenticate their identities and generate a shared key Ks.
  • The BSF defines a validity period (key lifetime) for the shared key Ks and assigns a bootstrapping transaction identifier (B-TID) to the user; the BSF and the UE each save the shared key Ks, the B-TID and the validity period.
  • The user then sends a connection request to the NAF carrying the B-TID, and calculates the NAF-specific derived key from the shared key Ks using a preset derivation algorithm.
  • After the NAF receives the connection request, if it cannot find the B-TID locally, it sends a query message carrying its own identity and the B-TID to the BSF. If the BSF cannot find the B-TID locally either, it tells the NAF that it has no information about this user, and the NAF then notifies the user to perform mutual authentication with the BSF. If the BSF does find the B-TID, it calculates the derived key from the shared key Ks with the same derivation algorithm as the user side and returns a success response to the NAF carrying the B-TID, the derived key corresponding to the B-TID, and the validity period of the shared key Ks.
  • After receiving the success response from the BSF, the NAF regards the user as a legitimate user who has passed BSF authentication. The derived key the NAF received from the BSF is now shared with the user, since the user calculated the same derived key from the same Ks.
  • The user uses the derived key to protect the communication between the two sides in subsequent access to the NAF.
  • When the user finds that the shared key Ks is about to expire, or the NAF requires the user to re-authenticate to the BSF, the user repeats the mutual authentication step above with the BSF and obtains a new shared key Ks and B-TID.
  • The process of the user accessing the NAF described above applies to the case where the NAF is located in the user's home network.
  • When the user roams, the prior art handles it as follows: the BSF that performs mutual authentication with the user is still the BSF of the home network, and the NAF of the roaming network connects to the BSF of the home network through a D-proxy, obtains the derived key from the home BSF, and then uses the derived key to communicate with the user. This is the case where both the home network and the roaming network support GAA.
  • If, however, the home network of a GBA-capable UE does not support GAA, and the UE roams to a roaming network that does support GAA, then under the universal authentication architecture and NAF access procedure currently provided, the BSF with which the user mutually authenticates is the BSF of the home network; since the home network does not support GAA, the UE cannot use the NAF services provided by the roaming network.
  • the main object of the present invention is to provide a universal authentication system that enables roaming users to access NAF services in a roaming network.
  • Another object of the present invention is to provide a method for accessing a network service application in the universal authentication system, so that a roaming user can access the NAF service in the roaming network.
  • A universal authentication system includes a roaming user, a roaming network service application (V-NAF) entity, and a universal authentication entity that performs mutual authentication with the roaming user. The roaming user initiates a mutual authentication request to the universal authentication entity; the universal authentication entity receives the request, obtains authentication information from the home network of the roaming user, and performs mutual authentication with the roaming user.
  • The roaming user uses the result of the mutual authentication to protect the communication between the roaming user and the V-NAF entity.
  • Specifically, the system includes:
  • The roaming user, who sends a connection request to the V-NAF entity; who, if the service is known to require GBA or on receiving a mutual authentication notification from the V-NAF entity, sends a mutual authentication request to the universal authentication entity, performs mutual authentication with it and generates a derived key; and who communicates with the V-NAF entity using the generated derived key.
  • The universal authentication entity, which receives the mutual authentication request from the roaming user, obtains the authentication information required for mutual authentication with the roaming user through its connection to the home network to which the roaming user belongs, performs mutual authentication with the roaming user, and, on receiving a query request from the V-NAF entity, generates the derived key and sends it to the V-NAF.
  • The universal authentication entity is a Bootstrapping service function entity in the roaming network (V-BSF) that performs initial verification of the user identity.
  • The home network to which the roaming user belongs includes a subscription database, which is a home subscriber server (HSS); the V-BSF entity and the HSS are connected through a Zh interface using the Diameter protocol.
  • Alternatively, the subscription database of the home network is a home location register (HLR), and the V-BSF entity is connected to the HLR through the Gr interface or another type of HLR/HSS external interface.
  • The home network to which the roaming user belongs may include an authentication proxy that authenticates the V-BSF entity, in which case the V-BSF entity is connected to the HSS through that authentication proxy.
  • Alternatively, the universal authentication entity includes a serving GPRS support node (SGSN) located in the roaming network together with a V-BSF entity that performs initial verification of the user identity.
  • In that case the subscription database of the home network is an HSS/HLR, the SGSN is connected to the HLR/HSS through a Gr interface, and the V-BSF entity and the SGSN are connected through a Zx interface.
  • There may be two or more V-BSF entities.
  • The universal authentication entity then further includes a B-proxy connecting all V-BSF entities to the home network to which the roaming user belongs.
  • Each V-BSF entity is connected to the B-proxy through a Zx interface.
  • If the subscription database of the home network is an HSS, the B-proxy and the HSS are connected through a Zh interface; if it is an HLR, the B-proxy and the HLR are connected through the Gr interface.
  • The B-proxy is either an independent entity or a functional module of any one of the V-BSF entities.
  • Alternatively, when there are two or more V-BSF entities, one of them is the primary V-BSF entity;
  • the primary V-BSF entity includes a B-proxy for connecting the V-BSF entities to the home network to which the roaming user belongs;
  • the primary V-BSF is connected to the remaining V-BSFs through a Zx interface;
  • if the subscription database of the home network is an HSS, the B-proxy and the HSS are connected through a Zh interface; if it is an HLR,
  • the B-proxy and the HLR are connected through a Gr interface.
  • The V-BSF entity is connected to the V-NAF entity through a Zn interface, and the roaming user is connected to the V-BSF entity through a Ub interface and to the V-NAF entity through a Ua interface.
  • A method for accessing a network service application (NAF) entity in a universal authentication system comprising a roaming user, a roaming network service application (V-NAF) entity, and a universal authentication entity that performs mutual authentication and provides the derived key to the V-NAF entity; the method includes the following steps:
  • A. The roaming user initiates a mutual authentication request to the universal authentication entity.
  • B. The universal authentication entity obtains the authentication information from the subscription database of the home network to which the roaming user belongs, according to the user information carried in the mutual authentication request.
  • C. The universal authentication entity and the roaming user perform mutual authentication according to the obtained authentication information and generate a derived key, and the roaming user uses the derived key to access the network service application V-NAF.
  • The method further includes:
  • The roaming user carries, in the connection request sent to the V-NAF entity, a flag indicating that it is a roaming user; the V-NAF entity thereby learns that the current user is a roaming user, and on determining that the roaming user has not performed mutual authentication,
  • returns a GBA indication to the roaming user carrying the mutual authentication address of the universal authentication entity in the roaming network.
  • When the universal authentication entity is a V-BSF, step C specifically includes:
  • C1. The roaming user and the V-BSF entity mutually authenticate their identities and generate a shared key Ks; the V-BSF entity defines a validity period for the shared key Ks and allocates a B-TID; the V-BSF entity and the roaming user each save the shared key Ks, the B-TID and the validity period.
  • C2. The roaming user sends a connection request carrying the B-TID to the V-NAF entity, and calculates the derived key from the shared key Ks using a preset derivation algorithm.
  • C3. On receiving the connection request, if the V-NAF entity cannot find the B-TID locally, it sends a query message carrying its own identity and the B-TID to the V-BSF entity.
  • C4. The V-BSF entity looks up the B-TID, calculates the derived key from the shared key Ks with the same derivation algorithm as the user side, and returns a success response to the V-NAF entity carrying the B-TID and the generated derived key; the roaming user and the V-NAF entity then communicate using the derived key.
  • In step C4, if the V-BSF entity cannot find the B-TID locally, it notifies the V-NAF entity that no information about the roaming user was found, and the V-NAF entity notifies the roaming user to return to step A.
  • In step C3, if there are two or more V-BSF entities, the V-NAF entity sends the query message carrying its own identity and the B-TID to all V-BSF entities.
  • The subscription database of the home network to which the roaming user belongs is an HSS/HLR.
  • The method further includes:
  • When the roaming user leaves the roaming network, the UE deletes the shared key Ks, the derived key, and the B-TID assigned to the roaming user.
  • The method further includes:
  • When the roaming user moves to another roaming network, and a NAF entity in that other roaming network asks the previous roaming network for the roaming user's secure communication information, the V-BSF entity in the previous roaming network refuses to return the roaming user's derived key to the NAF entity in the other roaming network.
  • The method further includes:
  • Authentication of the V-BSF entity, performed by the home network HLR/HSS or by a specially configured authentication proxy.
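The B-TID and derived-key exchange between the UE, the V-BSF and the V-NAF (steps C1 to C4 above, together with the key-lifetime renewal, the "no information about this user" answer, and the refusal to hand a derived key to a NAF of another roaming network) is modelled below as a small simulation. This is an added example, not code from the patent or from Huawei: the Ub bootstrapping run is abbreviated to the point where CK and IK are already available (constructed inputs standing in for a completed AKA), Ks = CK || IK as in 3GPP GBA, the B-TID takes the 3GPP form <random>@<BSF FQDN>, and the patent's unspecified "preset derivative algorithm" is replaced by HMAC-SHA256 over the B-TID and the NAF identity. All PLMN codes, entity names and payloads are constructed.

```python
import base64
import hashlib
import hmac
import os


def derive_naf_key(ks: bytes, b_tid: str, naf_id: str) -> bytes:
    # Stand-in for the patent's unspecified "preset derivative algorithm";
    # UE and BSF both run it, so the NAF never receives Ks itself.
    msg = b"gba-naf-key|" + b_tid.encode() + b"|" + naf_id.encode()
    return hmac.new(ks, msg, hashlib.sha256).digest()


class VBSF:
    """BSF of the roaming network: bootstraps visitors, answers Zn queries."""

    def __init__(self, plmn: str, fqdn: str, key_lifetime: int = 3600):
        self.plmn, self.fqdn, self.key_lifetime = plmn, fqdn, key_lifetime
        self.records = {}  # B-TID -> (Ks, expiry)

    def bootstrap(self, ck: bytes, ik: bytes, now: int):
        """Ub: after mutual authentication, Ks = CK || IK; assign B-TID and lifetime."""
        ks, expires_at = ck + ik, now + self.key_lifetime
        b_tid = base64.urlsafe_b64encode(os.urandom(9)).decode() + "@" + self.fqdn
        self.records[b_tid] = (ks, expires_at)
        return b_tid, ks, expires_at

    def zn_query(self, naf_id: str, naf_plmn: str, b_tid: str, now: int):
        """Zn: NAF presents its identity and the B-TID -> (status, key, expiry)."""
        if naf_plmn != self.plmn:        # NAF of another roaming network
            return "refused", None, None
        if b_tid not in self.records:    # no information about this user
            return "unknown", None, None
        ks, expires_at = self.records[b_tid]
        if now >= expires_at:
            del self.records[b_tid]
            return "expired", None, None
        return "ok", derive_naf_key(ks, b_tid, naf_id), expires_at


class UE:
    def __init__(self):
        self.b_tid, self.ks, self.expires_at = None, None, 0

    def store_bootstrap(self, b_tid: str, ks: bytes, expires_at: int):
        self.b_tid, self.ks, self.expires_at = b_tid, ks, expires_at

    def needs_bootstrap(self, now: int, margin: int = 60) -> bool:
        """True before first use, and shortly before Ks expires."""
        return self.ks is None or now + margin >= self.expires_at

    def ua_request(self, naf_id: str, payload: bytes):
        """Ua: send the B-TID and a MAC over the payload under the derived key."""
        key = derive_naf_key(self.ks, self.b_tid, naf_id)
        return self.b_tid, payload, hmac.new(key, payload, hashlib.sha256).digest()


class VNAF:
    def __init__(self, naf_id: str, plmn: str, bsf: VBSF):
        self.naf_id, self.plmn, self.bsf = naf_id, plmn, bsf
        self.cache = {}  # B-TID -> (derived key, expiry)

    def handle(self, b_tid: str, payload: bytes, tag: bytes, now: int) -> str:
        key_and_expiry = self.cache.get(b_tid)
        if key_and_expiry is None or now >= key_and_expiry[1]:
            status, key, expires_at = self.bsf.zn_query(self.naf_id, self.plmn, b_tid, now)
            if status != "ok":
                self.cache.pop(b_tid, None)
                return "bootstrap_required"  # GBA indication sent back to the user
            self.cache[b_tid] = key_and_expiry = (key, expires_at)
        expected = hmac.new(key_and_expiry[0], payload, hashlib.sha256).digest()
        return "accepted" if hmac.compare_digest(expected, tag) else "rejected"


def run_scenario() -> dict:
    """One pass through the flow; PLMN codes, names and CK/IK are constructed."""
    now, ck, ik = 1_700_000_000, b"\x11" * 16, b"\x22" * 16
    vbsf = VBSF("mnc015.mcc234", "vbsf.mnc015.mcc234.3gppnetwork.org")
    naf = VNAF("mbms.visited.example", "mnc015.mcc234", vbsf)
    other_naf = VNAF("push.other.example", "mnc026.mcc310", vbsf)
    ue, out = UE(), {}
    out["first_contact"] = naf.handle("none@" + vbsf.fqdn, b"join", b"\0" * 32, now)
    ue.store_bootstrap(*vbsf.bootstrap(ck, ik, now))
    out["after_bootstrap"] = naf.handle(*ue.ua_request(naf.naf_id, b"join"), now + 1)
    b_tid, _, tag = ue.ua_request(naf.naf_id, b"join")
    out["tampered"] = naf.handle(b_tid, b"leave", tag, now + 2)
    out["other_network_naf"] = other_naf.handle(*ue.ua_request(other_naf.naf_id, b"x"), now + 3)
    out["after_expiry"] = naf.handle(*ue.ua_request(naf.naf_id, b"join"), ue.expires_at)
    out["ue_renews_early"] = ue.needs_bootstrap(ue.expires_at - 30)
    return out
```

`run_scenario()` returns "bootstrap_required" for the first contact (unknown B-TID), "accepted" once the B-TID has been bootstrapped, "rejected" for a payload that does not match the MAC, "bootstrap_required" again for the NAF of another roaming network (the V-BSF answers "refused") and after the key lifetime has run out. The point of the design is that Ks stays inside the UE and the V-BSF; the V-NAF only ever holds the NAF-specific derived key, so a compromised NAF cannot impersonate the user towards other NAFs.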
  • The universal authentication system of the present invention includes a roaming user, a universal authentication entity located in the roaming network that performs mutual authentication with the roaming user and provides the derived key to the V-NAF, and a network service application (V-NAF).
  • The method for accessing the network service application in this universal authentication system is implemented when the roaming user is GBA-capable, the home network to which the roaming user belongs does not support GAA,
  • and the roaming user is in a roaming network that supports GAA.
  • The roaming user completes the mutual authentication process in the roaming network, and thereby gains access to the NAF services of the roaming network.
  • FIG. 1 is a schematic structural diagram of a prior art universal authentication framework.
  • FIG. 2 is a schematic structural diagram of the universal authentication system of the present invention.
  • FIG. 3a is a schematic structural diagram of Embodiment 1 of the universal authentication entity of the present invention.
  • FIG. 3b is a schematic structural diagram of Embodiment 2 of the universal authentication entity of the present invention.
  • FIG. 4a is a schematic structural diagram of Embodiment 1 of the universal authentication entity when multiple BSFs exist in the roaming network according to the present invention.
  • FIG. 4b is a schematic structural diagram of Embodiment 2 of the universal authentication entity when multiple BSFs exist in the roaming network according to the present invention.
  • FIG. 5 is a flowchart of the method for accessing a NAF of the present invention.
  • FIG. 6 is a flowchart of Embodiment 1 of accessing a NAF according to the present invention.
  • FIG. 7 is a flowchart of Embodiment 2 of accessing a NAF according to the present invention.

Mode for carrying out the invention

  • The core idea of the present invention is this: in a universal authentication system consisting of a roaming user, a universal authentication entity located in the roaming network, and a roaming network service application, after the roaming user receives a mutual authentication notification from the network service application,
  • the roaming user initiates a mutual authentication request to the universal authentication entity in the roaming network;
  • the universal authentication entity obtains the authentication information from the subscription database of the home network to which the roaming user belongs, according to the user information carried in the mutual authentication request;
  • the universal authentication entity and the user perform mutual authentication according to the obtained authentication information and generate a derived key, and the roaming user accesses the network service application using the derived key.
  • The present invention is particularly applicable when the roaming user is GBA-capable, the home network to which the roaming user belongs does not support GAA, the roaming network in which the roaming user is located supports GAA, and the roaming network and the home network have signed a corresponding service agreement under which the home network opens an interface to the roaming network for the mutual authentication process, so that the roaming network can access the home network through that interface and obtain the required authentication data from it.
  • The universal authentication system of the present invention includes a roaming user, a universal authentication entity located in the roaming network, and a roaming NAF (V-NAF). The universal authentication entity and the V-NAF are connected through the Zn interface.
  • The universal authentication entity is connected to the subscription database in the home network of the roaming user through the relevant interface (see the description of FIG. 4a and FIG. 4b). The roaming user connects to the universal authentication entity and to the V-NAF through the UE; the UE and the universal authentication entity are connected through the Ub interface, and the UE and the V-NAF through the Ua interface.
  • The V-NAF can represent different network service application entities; when a user needs to obtain a certain service, the NAF corresponding to that service must be accessed and communicated with.
  • The V-NAF receives the connection request from the user; if it determines that the user has not performed mutual authentication, it notifies the user to perform mutual authentication; if it determines that the user has performed mutual authentication and is a roaming user, it queries the universal authentication entity for the roaming user's derived key, receives the derived key from the universal authentication entity, and uses the derived key to communicate with the roaming user to provide the requested service.
  • The roaming user sends a connection request to the V-NAF to request the service; on receiving the mutual authentication notification from the V-NAF, sends a mutual authentication request to the universal authentication entity, performs mutual authentication with it and generates a derived key; and communicates with the V-NAF using the generated derived key to obtain the requested service.
  • The universal authentication entity receives the mutual authentication request from the roaming user, obtains the authentication information required for mutual authentication with the roaming user through its connection to the subscription database of the home network to which the roaming user belongs, and performs
  • mutual authentication with the roaming user; on receiving a query request from the V-NAF, it generates the derived key and provides it to the V-NAF.
  • The functions of the universal authentication entity thus include performing mutual authentication with the roaming user and providing the derived key to the V-NAF.
  • The authentication information includes user subscription data identifying the application services the user has subscribed to, and an authentication vector for verifying the identity of the user.
  • FIGS. 3a and 3b show two embodiments of the universal authentication entity, which are described in detail below.
  • FIG. 3a is a schematic structural diagram of Embodiment 1 of the universal authentication entity of the present invention.
  • Here the universal authentication entity consists of a BSF in the roaming network, that is, a roaming BSF (V-BSF). If the authentication information of the roaming user is stored in the HSS of the home network (including the case where the HLR has been upgraded to an HSS), the V-BSF obtains the authentication information of the roaming user from the HSS through the Zh interface using the Diameter protocol, and the subscription database is the HSS;
  • if the authentication information is stored in the home location register (HLR) of the home network (the HLR has not been upgraded to an HSS), the V-BSF obtains the authentication information of the roaming user from the HLR through the Gr interface,
  • HLR: home location register
  • and the subscription database is the HLR.
  • The interfaces between the universal authentication entity and the other entities of the universal authentication system are as follows: the V-BSF and the V-NAF are connected through the Zn interface, and the roaming user is connected to the V-BSF through the Ub interface and to the V-NAF through the Ua interface.
  • The V-BSF receives the mutual authentication request from the roaming user, obtains the authentication information required for mutual authentication with the roaming user through its connection to the subscription database of the home network to which the roaming user belongs, and performs mutual authentication with the roaming user; on receiving a query request from the V-NAF, it generates the derived key and provides it to the V-NAF.
  • FIG. 3b is a schematic structural diagram of Embodiment 2 of the universal authentication entity of the present invention.
  • Here the universal authentication entity consists of a Serving GPRS Support Node (SGSN) and a V-BSF, both in the roaming network.
  • The SGSN in the roaming network is connected to the HLR/HSS of the home network through the Gr interface, and the V-BSF and the SGSN are connected through the Zx interface.
  • The SGSN accesses the HLR/HSS of the home network to obtain the authentication information and the GPRS subscription information.
  • The subscription database is the HLR/HSS.
  • The interfaces between the universal authentication entity shown in FIG. 3b and the other entities of the universal authentication system are as follows:
  • the V-BSF in the universal authentication entity and the V-NAF are connected through the Zn interface, and the roaming user is connected to the V-BSF through the Ub interface and to the V-NAF through the Ua interface.
  • The V-BSF receives the mutual authentication request from the roaming user, obtains, via the SGSN's connection to the subscription database of the home network to which the roaming user belongs, the authentication information required for mutual authentication with the roaming user,
  • and performs mutual authentication with the roaming user; on receiving a query request from the V-NAF, the V-BSF generates the derived key and provides it to the V-NAF.
  • The V-BSF can also obtain the user's GUSS (GBA user security settings) from the HLR/HSS: if the user's home register is an HLR, the HLR delivers the GUSS to the BSF alongside the GPRS subscription data it sends to the SGSN, or as part of that GPRS subscription data; if the user's home register is an HSS, the BSF can obtain the authentication data and the GUSS from the HSS in the existing manner over the Zh interface.
  • When there are multiple BSFs in the roaming network, all of them may authenticate roaming users, or only one or several of them may authenticate roaming users while the remaining BSFs authenticate local users only.
  • The BSFs that authenticate roaming users and the BSFs that authenticate local users can be distinguished by using different domain names.
  • The domain name of a BSF used for authenticating local users can be set to: bsf.mnc<MNC>.mcc<MCC>.3gppnetwork.org
  • The domain name of a BSF used for authenticating roaming users can be set to: vbsf.mnc<MNC>.mcc<MCC>.3gppnetwork.org
  • where <MNC> is filled with the mobile network code (MNC)
  • and <MCC> with the mobile country code (MCC).
  • To let every BSF access the subscription database of the home network through a unified interface,
  • the present invention sets up a B-proxy that connects the V-BSFs to the unified interface towards the home network of the roaming user.
  • The B-proxy may be a functional module in one of the BSFs that authenticate roaming users, or a separate entity.
  • In some deployments the B-proxy may not be needed.
  • FIG. 4a is a schematic structural diagram of Embodiment 1 of the universal authentication entity when multiple BSFs exist in the roaming network according to the present invention.
  • There are n V-BSFs for authenticating roaming users in the roaming network, namely V-BSF1 to V-BSFn, where n is a positive integer greater than 1.
  • V-BSF1 to V-BSFn are each connected to the V-NAF through the Zn interface and to the B-proxy through the Zx interface; the B-proxy is connected to the subscription database in the home network through the Gr/Zh interface, so that V-BSF1 to V-BSFn access the subscription database of the home network through a unified Gr/Zh interface; each V-BSF provides a Ub interface to the roaming user, and the roaming user connects to the V-NAF through the Ua interface.
  • FIG. 4b is a schematic structural diagram of Embodiment 2 of the universal authentication entity when multiple BSFs exist in the roaming network according to the present invention.
  • There are n V-BSFs for authenticating roaming users in the roaming network,
  • V-BSF1 to V-BSFn, where n is a positive integer greater than 1.
  • V-BSF1 is the primary V-BSF and at the same time provides the B-proxy function.
  • The primary V-BSF has two domain names, one being the domain name of the B-proxy and the other the domain name of the V-BSF; this can be arranged by pre-configuration.
  • V-BSF2 to V-BSFn are each connected to the V-NAF through the Zn interface and to the primary V-BSF through the Zx interface; the B-proxy in the primary V-BSF is connected to the subscription database in the home network through the Gr/Zh interface.
  • V-BSF1 to V-BSFn thus access the subscription database of the home network through a unified Gr/Zh interface; each V-BSF provides a Ub interface to the roaming user, and the roaming user is connected to the V-NAF through the Ua interface.
  • Other HLR/HSS external interfaces, such as the Sh interface, can also be used to access the subscription database.
  • The V-BSF itself can additionally be authenticated by the home network.
  • This authentication can be implemented by the HLR/HSS itself, or an authentication proxy can be set up between the V-BSF and the HLR/HSS to perform it.
  • FIG. 5 is a flowchart of the method for accessing a NAF according to the present invention.
  • In a universal authentication system consisting of a roaming user, a universal authentication entity located in the roaming network, and a network service application, it is assumed that the home network to which the roaming user belongs does not support GAA and that the roaming network in which the roaming user is located supports GAA.
  • The method of the invention comprises the following steps. Step 500: after the roaming user receives the mutual authentication notification from the network service application, since the home network of the roaming user does not support GAA, the roaming user initiates a mutual authentication request to the universal authentication entity of the universal authentication system in the roaming network.
  • The roaming user requests the service by sending a connection request to the V-NAF. If the V-NAF finds that the roaming user that sent the connection request has not performed mutual authentication, it can issue a GBA indication to the roaming user, notifying the roaming user to perform the mutual authentication process, that is, the Bootstrapping process.
  • Since the home network of the roaming user does not support GAA, the roaming user performs mutual authentication through the universal authentication entity of the universal authentication system in the roaming network, in accordance with the service agreement signed in advance between the roaming network and the home network.
  • When the roaming user moves into the roaming network,
  • the mobile country code and the mobile network code of that network become known to the roaming user;
  • the specific way this is done is well known to those skilled in the art and is not described here.
  • Following the domain name convention for the V-BSF that authenticates roaming users, the roaming user only needs to add the vbsf prefix and the 3gppnetwork.org suffix to the MCC and MNC of the roaming network
  • to obtain the address of the V-BSF, which is the mutual authentication address of the universal authentication entity.
  • Alternatively, the roaming user can carry an identifier in the connection request indicating that the current user is a roaming user, so that the NAF knows this and, in the GBA indication, returns
  • the mutual authentication address of the universal authentication entity of the universal authentication system in the roaming network to the roaming user.
Step 501: The universal authentication entity obtains the authentication information from the subscription database of the home network to which the roaming user belongs, according to the user information carried in the mutual authentication request.

After receiving the authentication request of the roaming user, the V-BSF examines the user information carried in it, such as the identity identifier. If the identity identifier does not belong to the roaming network, the V-BSF determines from it the address of the home network subscription database of the user requesting authentication, such as the HSS/HLR, and obtains the authentication information of the roaming user from that database through the Zh/Gr interface.
Step 502: The universal authentication entity performs mutual authentication with the user according to the authentication information and generates a derived key, and the roaming user uses the derived key to access a network service application in the current roaming network.

The roaming user performs mutual authentication by running the Bootstrapping process with the V-BSF at the mutual authentication address. After the Bootstrapping process completes successfully, the UE and the V-BSF have authenticated each other's identity and share a key Ks. At the same time, the V-BSF sets a validity period for the shared key Ks and assigns a B-TID to the roaming user; the V-BSF and the UE each store the shared key Ks, the B-TID and the validity period. The roaming user then re-sends the connection request to the V-NAF, carrying the B-TID in the request message, and calculates the derived key from the shared key Ks using a preset derivation algorithm.

The B-TIDs of the two types of user, local and roaming, can be distinguished. The B-TID assigned to a local user can have a form similar to base64encode(RAND)@BSF_servers_domain_name, and the B-TID assigned to a roaming user can be marked by adding a string, for example "-Visited", giving base64encode(RAND)-Visited@BSF_servers_domain_name, to identify the user as a roaming user.
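As an added example, not code from the patent, the address formation and B-TID marking described above in Python: the V-BSF address built from the roaming network's MCC/MNC, and B-TID allocation and parsing with the "-Visited" marker. The DNS label order, the zero-padding of two-digit MNCs, and the sample MCC/MNC are assumptions; the text only names the parts of the address.

```python
import base64
import re

# Parts of the V-BSF address named in the text: a "VBSF" prefix, the roaming
# network's MCC and MNC, and the 3gppnetwork.org suffix. The label order
# used here (prefix.mnc<MNC>.mcc<MCC>.suffix) is an assumption.
VBSF_PREFIX = "vbsf"
VBSF_SUFFIX = "3gppnetwork.org"

# Marker the text proposes for B-TIDs of roaming users. "-" lies outside the
# standard base64 alphabet, so the marker can never be confused with the
# base64-encoded RAND that precedes it.
ROAMING_MARKER = "-Visited"


def vbsf_address(mcc: str, mnc: str) -> str:
    """Form the V-BSF mutual-authentication address from the MCC/MNC the
    roaming UE learns when it moves into the roaming network."""
    if not re.fullmatch(r"\d{3}", mcc) or not re.fullmatch(r"\d{2,3}", mnc):
        raise ValueError("MCC must be 3 digits and MNC 2 or 3 digits")
    # Two-digit MNCs are left-padded to three in the DNS label (assumption).
    return f"{VBSF_PREFIX}.mnc{mnc.zfill(3)}.mcc{mcc}.{VBSF_SUFFIX}"


def allocate_btid(rand: bytes, bsf_domain: str, roaming: bool) -> str:
    """B-TID as the text describes it: base64encode(RAND)@domain for a local
    user, base64encode(RAND)-Visited@domain for a roaming user."""
    if len(rand) != 16:
        raise ValueError("RAND must be 16 octets")
    user_part = base64.b64encode(rand).decode("ascii")
    if roaming:
        user_part += ROAMING_MARKER
    return f"{user_part}@{bsf_domain}"


def parse_btid(btid: str) -> dict:
    """Split a B-TID into RAND, V-BSF domain and roaming flag, rejecting
    malformed values so a V-NAF never forwards garbage to its V-BSFs."""
    user_part, sep, domain = btid.rpartition("@")
    if sep != "@" or not user_part or not domain:
        raise ValueError("B-TID must have the form <user-part>@<domain>")
    roaming = user_part.endswith(ROAMING_MARKER)
    if roaming:
        user_part = user_part[: -len(ROAMING_MARKER)]
    try:
        rand = base64.b64decode(user_part, validate=True)
    except ValueError:
        raise ValueError("B-TID RAND part is not valid base64") from None
    if len(rand) != 16:
        raise ValueError("B-TID RAND part must decode to 16 octets")
    return {"rand": rand, "domain": domain, "roaming": roaming}
```

A V-NAF that receives a B-TID can call parse_btid before querying any V-BSF: a parse failure means the value is not a B-TID any V-BSF issued, and the roaming flag tells it whether the holder is a local or a visiting user.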
After the V-NAF receives the connection request, if it cannot find the B-TID locally, it sends a request query message carrying its own identifier and the B-TID to the V-BSF. Several V-BSFs in the roaming network may be able to authenticate the roaming user; in that case the V-NAF can send the request query message carrying its own identifier and the B-TID to every V-BSF that can authenticate the roaming user. If a V-BSF cannot find the B-TID locally, it notifies the V-NAF that it has no information on the roaming user, and the V-NAF notifies the roaming user to perform mutual authentication, that is, the flow returns to step 500. If the V-BSF finds the B-TID, it calculates the derived key from the shared key Ks with the same derivation algorithm as the user side and sends the V-NAF a success response message carrying the B-TID, the derived key corresponding to the B-TID, and the validity period of the shared key Ks. After receiving the success response message from the V-BSF, the V-NAF treats the roaming user as a legitimate user who has performed mutual authentication. The derived key the V-NAF receives, calculated by the V-BSF from the shared key Ks, is identical to the derived key the roaming user calculated from Ks, and the user and the V-NAF use it to protect the communication between them in subsequent accesses to the V-NAF.

When the user finds that the shared key Ks is about to expire, or the NAF requires the user to re-authenticate to the BSF, the user repeats the mutual authentication step above and re-authenticates to the BSF to obtain a new shared key Ks and B-TID.
When the user moves on to another roaming network, the current roaming network is referred to as the first roaming network and the other roaming network as the second roaming network. The method of the present invention may further include the following: when the user leaves the first roaming network, the UE deletes the shared key Ks allocated to the user by the V-BSF of the first roaming network, the derived key generated from it, and the B-TID. Likewise, if a NAF of the second roaming network requests the secure communication information of the user from the first roaming network, the V-BSF of the first roaming network does not return secure communication information such as the derived key of the user to that NAF.
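As an added example, not code from the patent, the V-NAF access flow described in step 502 and the paragraphs above: the V-BSF stores Ks, B-TID and validity after Bootstrapping; the V-NAF asks each V-BSF that may know the user and caches a success response; an unknown or expired B-TID yields no key, so the V-NAF must send the user back to step 500; and a V-BSF refuses a NAF of a second roaming network. The derivation algorithm is assumed to be the GBA KDF of 3GPP TS 33.220 Annex B (the text only says both sides use the same preset algorithm), with NAF_Id simplified to the V-NAF's FQDN; the keys, identities, B-TID and network names are constructed sample values.

```python
import hashlib
import hmac


def gba_kdf(ks: bytes, rand: bytes, impi: str, naf_id: bytes) -> bytes:
    """Derive the NAF-specific key from Ks. Assumed to be the KDF of
    3GPP TS 33.220 Annex B: HMAC-SHA-256(Ks, FC || P0 || L0 || ... || P3 || L3)
    with FC = 0x01 and P0 = "gba-me". The UE and the V-BSF both run this."""
    params = [b"gba-me", rand, impi.encode("utf-8"), naf_id]
    s = b"\x01" + b"".join(p + len(p).to_bytes(2, "big") for p in params)
    return hmac.new(ks, s, hashlib.sha256).digest()


class VBSF:
    """One V-BSF of a roaming network. After Bootstrapping it holds Ks, RAND,
    the user identity and the validity period under the user's B-TID."""

    def __init__(self, network: str):
        self.network = network
        self.records = {}

    def store_bootstrap(self, btid, ks, rand, impi, expires):
        self.records[btid] = {"ks": ks, "rand": rand, "impi": impi, "expires": expires}

    def query(self, naf_network, naf_id, btid, now):
        """Answer a V-NAF request query. Returns None when the B-TID is
        unknown or expired, and refuses a NAF of another roaming network."""
        if naf_network != self.network:
            return None
        rec = self.records.get(btid)
        if rec is None or now >= rec["expires"]:
            return None
        derived = gba_kdf(rec["ks"], rec["rand"], rec["impi"], naf_id)
        return {"btid": btid, "derived_key": derived, "expires": rec["expires"]}


class VNAF:
    """A V-NAF behind several V-BSFs that may be able to authenticate the
    roaming user; it queries each in turn and caches a success response."""

    def __init__(self, network, fqdn, vbsfs):
        self.network = network
        self.naf_id = fqdn.encode("ascii")
        self.vbsfs = list(vbsfs)
        self.cache = {}

    def connect(self, btid, now):
        """Return the derived key for this B-TID, or None when the user must
        be sent a GBA indication and re-run Bootstrapping (step 500)."""
        hit = self.cache.get(btid)
        if hit is not None and now < hit["expires"]:
            return hit["derived_key"]
        self.cache.pop(btid, None)  # drop an expired entry
        for bsf in self.vbsfs:
            resp = bsf.query(self.network, self.naf_id, btid, now)
            if resp is not None:
                self.cache[btid] = resp
                return resp["derived_key"]
        return None


def run_example():
    """Constructed scenario: a roaming user bootstrapped with V-BSF1 of roaming
    network A, a V-NAF in A that asks V-BSF2 first, and a NAF in a second
    roaming network B. Returns the checks a practitioner would want to see."""
    ks = bytes(range(32))                        # constructed CK||IK
    rand = bytes(range(16))                      # constructed AKA RAND
    impi = "user@home.example"                   # constructed private identity
    btid = "AAECAwQFBgcICQoLDA0ODw==-Visited@vbsf.roaming-a.example"  # constructed
    t0, lifetime = 1_000_000, 3600

    bsf1, bsf2 = VBSF("A"), VBSF("A")
    bsf1.store_bootstrap(btid, ks, rand, impi, t0 + lifetime)
    naf_a = VNAF("A", "naf.roaming-a.example", [bsf2, bsf1])  # bsf2 does not know the user
    naf_b = VNAF("B", "naf.roaming-b.example", [bsf1])

    # The UE derives the same key itself from its stored Ks.
    ue_key = gba_kdf(ks, rand, impi, naf_a.naf_id)

    return {
        "naf_a_key_matches_ue": naf_a.connect(btid, t0 + 10) == ue_key,
        "naf_a_cached_after_first": btid in naf_a.cache,
        "naf_b_refused": naf_b.connect(btid, t0 + 10) is None,
        "unknown_btid_rejected": naf_a.connect("bogus@vbsf.roaming-a.example", t0 + 10) is None,
        "expired_needs_rebootstrap": naf_a.connect(btid, t0 + lifetime) is None,
    }
```

The cross-network refusal in VBSF.query is the point of the second-roaming-network rule: a key derived under network A's agreement with the home network never reaches a NAF in network B, which must bootstrap the user afresh through its own V-BSF.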
FIG. 6 is a flowchart of Embodiment 1 of the present invention for accessing the NAF. In Embodiment 1 the universal authentication entity consists of the V-BSF. It is assumed that the roaming user has not performed mutual authentication before the UE sends its first connection request to the V-NAF. The embodiment specifically includes the following steps.

Steps 600 to 601: After the V-NAF in the roaming network receives the connection request sent by the roaming user through the UE, the V-NAF finds that the UE has not performed mutual authentication and sends a GBA indication to the UE, notifying it to perform the mutual authentication process, that is, the Bootstrapping process. The specific implementation of this step is identical to the prior art and is not described again here.

Steps 602 to 604: The UE sends an authentication request carrying the user information to the V-BSF in the roaming network. The V-BSF determines the address of the home network subscription database to which the UE belongs according to the user information and obtains the authentication information of the UE from that subscription database.

Steps 605 to 606: The UE and the V-BSF run the mutual authentication and key agreement process, that is, the mutual authentication process, in which they authenticate each other's identity and generate a shared key Ks. The V-BSF sets a validity period for the shared key Ks and allocates a B-TID to the roaming user; the V-BSF and the UE each store the shared key Ks, the B-TID and the validity period; and the UE calculates the derived key from the shared key Ks with a preset derivation algorithm and saves it. Here too the B-TIDs of the two types of user can be distinguished: the B-TID assigned to a local user can have a form similar to base64encode(RAND)@BSF_server_domain_name, and the B-TID for a roaming user can be marked by adding a string, for example "-Visited", giving base64encode(RAND)-Visited@BSF_servers_domain_name, to identify the user as a roaming user.

Steps 607 to 609: The UE carries the obtained B-TID in the connection request and initiates a service request to the V-NAF. The V-NAF sends its V-NAF ID and the B-TID to the V-BSF, which calculates the derived key with the same preset derivation algorithm as the user side. If the V-BSF does not hold the B-TID, it notifies the V-NAF that there is no authentication information for the UE. The V-NAF initiates the request query message to the V-BSF only when it does not already hold the user's information; otherwise the request query message may be omitted, which is consistent with the prior art.

Steps 610 to 611: The V-BSF carries the generated derived key, the B-TID, and the validity period stored in association with the B-TID in the request query response message and returns it to the V-NAF. The V-NAF thus obtains the derived key for secure communication with the UE.
FIG. 7 is a flowchart of Embodiment 2 of the present invention for accessing the NAF. Compared with Embodiment 1 shown in FIG. 6, the universal authentication entity in Embodiment 2 consists of the V-BSF and the SGSN. The embodiment specifically includes the following steps.

Steps 700 to 701: After the V-NAF in the roaming network receives the connection request sent by the roaming user through the UE, the V-NAF finds that the UE has not performed mutual authentication and sends a GBA indication to the UE, notifying it to perform the mutual authentication process, that is, the Bootstrapping process. Here the UE carries a flag in the connection request indicating that the user is a roaming user; therefore, once the NAF learns that the UE is a roaming user, it returns the mutual authentication address of the universal authentication entity in the universal authentication system to the UE in the GBA indication.

Steps 702 to 704: The UE sends an authentication request carrying the user information to the V-BSF at the obtained mutual authentication address. The V-BSF determines the address of the user subscription database of the home network to which the UE belongs according to the user information and obtains the authentication information of the UE from that subscription database through the SGSN.

Abstract

The present invention relates to a general authentication system comprising a roaming client, a general authentication entity and a network application function. The invention also relates to a method for accessing the network application function of said general authentication system, which provides the GBA function to a roaming client in the situation where the home network of the roaming client does not support the generic authentication architecture (GAA) but the roaming network in which the roaming client is located does. The method lets the roaming client carry out the mutual authentication operation in the roaming network, thereby achieving access to the network application function (NAF) service of the roaming network.
PCT/CN2006/003153 2006-02-23 2006-11-23 Système d'authentification générale et procédé d'accès à la fonction d'application de réseau du système WO2007095806A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200610008040.6 2006-02-23
CNB2006100080406A CN100563159C (zh) 2006-02-23 2006-02-23 General authentication system and method for accessing a network service application in the system

Publications (1)

Publication Number Publication Date
WO2007095806A1 true WO2007095806A1 (fr) 2007-08-30

Family

ID=38436922

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2006/003153 WO2007095806A1 (fr) 2006-02-23 2006-11-23 Système d'authentification générale et procédé d'accès à la fonction d'application de réseau du système

Country Status (2)

Country Link
CN (1) CN100563159C (fr)
WO (1) WO2007095806A1 (fr)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101729998A (zh) * 2008-10-29 2010-06-09 Huawei Technologies Co., Ltd. Message forwarding, generic bootstrapping architecture, authentication method, system and apparatus
CN102196438A (zh) 2010-03-16 2011-09-21 Qualcomm Incorporated Method and apparatus for managing communication terminal identification numbers
US9112905B2 (en) * 2010-10-22 2015-08-18 Qualcomm Incorporated Authentication of access terminal identities in roaming networks
US9668128B2 (en) 2011-03-09 2017-05-30 Qualcomm Incorporated Method for authentication of a remote station using a secure element

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1259811A (zh) * 1998-05-07 2000-07-12 Lucent Technologies Inc. Method and apparatus for authentication in a communication system
WO2004091176A2 (fr) * 2003-04-02 2004-10-21 Qualcomm Incorporated Ciphering between a CDMA network and a GSM network
CN1553610A (zh) * 2003-05-30 2004-12-08 Huawei Technologies Co., Ltd. Authentication method for a code division multiple access system user roaming to a global system for mobile communications
CN1717096A (zh) * 2004-06-28 2006-01-04 Huawei Technologies Co., Ltd. Method for managing users accessing a visited network by means of the generic authentication framework

Also Published As

Publication number Publication date
CN101026453A (zh) 2007-08-29
CN100563159C (zh) 2009-11-25

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 06817882

Country of ref document: EP

Kind code of ref document: A1