WO2007104245A1 - Reference framework system for web service development and its authentication method - Google Patents


Info

Publication number
WO2007104245A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
service
entity
user terminal
point
Prior art date
Application number
PCT/CN2007/000762
Other languages
English (en)
Chinese (zh)
Inventor
Chengdong He
Original Assignee
Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2007104245A1

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0431Key distribution or pre-distribution; Key agreement
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication

Definitions

  • the present invention relates to the field of Internet technology, the Next Generation Network (NGN) technology field and the Third Generation Partnership Project (3GPP), and specifically relates to an identity web service network system (ID-WSF, Identity Web Service Framework) and its authentication method.
  • NGN Next Generation Networks
  • 3GPP Third Generation Partnership Project
  • 3GPP defines a Generic Bootstrapping Architecture (GBA), which is usually used by the User Equipment (UE) of the IP Multimedia Core Subsystem to bootstrap a shared key with the network; its architecture is shown in Figure 1.
  • BSF Bootstrapping Service Function entity
  • HSS Home Subscriber Server
  • SLF Subscriber Locator Function
  • NAF Network Application Function
  • the UE and the BSF are connected through the Ub interface
  • the UE and the NAF are connected through the Ua interface
  • the BSF and the HSS are connected through the Zh interface
  • the BSF and the NAF are connected through the Zn interface
  • the BSF and the SLF are connected through the Dz interface.
  • the BSF is used to perform mutual authentication with the UE when performing bootstrapping, and generates a shared key Ks of the BSF and the user;
  • the HSS stores a subscription file for describing user information, and the HSS also generates authentication information.
  • the SLF is used to assist the BSF in finding the corresponding HSS when there are multiple HSSs;
  • NAF is used to provide network services for the UE.
  • Step 1 When the UE needs to use a certain service and knows that the service requires mutual authentication with the BSF, it directly sends an authentication request to the BSF to perform mutual authentication. Otherwise, the UE first contacts the NAF corresponding to the service; if the NAF uses the GBA universal authentication architecture and the UE has not yet performed the mutual authentication process with the BSF, the NAF notifies the UE to perform mutual authentication to verify its identity, and the UE then sends an authentication request to the BSF for mutual authentication.
  • Step 2 After the BSF receives the authentication request from the UE, it first obtains an authentication vector quintuple (AUTN, RAND, IK, CK, XRES) of the UE from the HSS;
  • AUTN, RAND, IK, CK, XRES authentication vector quintuple
  • Step 3 to Step 6 The BSF uses the HTTP digest AKA protocol to perform mutual authentication and key agreement with the UE to complete mutual authentication between the UE and the BSF.
  • Step 7 The BSF generates a shared root key Ks, which also defines an expiration date for the shared key Ks to periodically update the Ks;
  • Step 8 The BSF allocates a bootstrapping transaction identifier (B-TID) to identify the current authentication interaction transaction between the BSF and the UE.
  • B-TID bootstrapping transaction identifier
  • the BSF associates the B-TID with the root key Ks and the private user identifier of the UE (IMPI, IMS Private Identity).
  • IMPI IMS Private Identity
  • Step 9 The UE also generates the same shared key Ks as the BSF side.
  • a root key Ks is now shared between the UE and the BSF, and the UE can derive a NAF-specific key with the formula Ks_(Ext/Int)_NAF = KDF(Ks, "gba-me" / "gba-u", RAND, IMPI, NAF_Id), where NAF_Id is the concatenation of the NAF identifier and the protocol identifier (UaID) on the Ua interface, RAND is a random number, IMPI is the private user identifier of the UE, "gba-me" and "gba-u" are strings, and KDF is the abbreviation of key derivation function; in this way the UE side obtains the derived shared key Ks_(Ext/Int)_NAF.
  • the remaining task is how the NAF obtains the derived shared key Ks_(Ext/Int)_NAF. Only when both the NAF and the UE hold Ks_(Ext/Int)_NAF can they establish a secure channel for mutual communication.
  • the flow of NAF obtaining Ks_(Ext/Int)_NAF is shown in Figure 3.
  • the UE first derives the derived shared key Ks_(Ext/Int)_NAF according to the above formula, and then performs the following steps:
  • Step 1 The UE sends a connection request to the NAF, using the B-TID as the username and Ks_(Ext/Int)_NAF as the password.
  • TLS Transport Layer Security
  • Step 2 After receiving the connection request from the UE, the NAF sends an authentication request message to the BSF, which carries the bootstrapping transaction identifier B-TID and the NAF host name, that is, the NAF_ID.
  • Step 3 The BSF retains the B-TID, IMPI, Ks, key validity period, start time of the mutual authentication between the BSF and the UE, and the application-related GBA User Security Settings (GUSS). If the BSF can find the corresponding Ks according to the B-TID, it completes the authentication of the corresponding user, calculates the derived shared key Ks_(Ext/Int)_NAF using the same formula as the user side, and then sends, in the authentication response message, Ks_(Ext/Int)_NAF, the expiration date of Ks_(Ext/Int)_NAF, the start time of the mutual authentication between the BSF and the UE, and the application-related User Security Setting (USS) information to the NAF; a GUSS may contain multiple USSs.
  • Step 4 After the NAF receives the response, it saves the information.
  • Step 5 The NAF returns an application response to the UE.
  • the NAF and the UE now share the Ks-derived key Ks_(Ext/Int)_NAF, so that the two can communicate securely in subsequent communications.
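As an added illustration of the Ks_(Ext/Int)_NAF derivation and of the Zn exchange in Steps 1 to 4 above (this is the editor's example, not code from the patent or from Huawei): both the UE and the BSF derive the same NAF-specific key from Ks, the BSF refuses an unknown B-TID or an expired Ks, and a second NAF gets a different key from the same Ks. The byte layout of the KDF, the FC value and Ks = CK || IK are taken from 3GPP TS 33.220 Annex B as the author understands it, not from this page; every key, the IMPI and the host names are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Constructed sample values standing in for the outputs of the bootstrapping
// run (Steps 1-9 above); they are not real subscriber data.
var (
	SampleCK   = bytes.Repeat([]byte{0xC1}, 16) // cipher key CK from the AKA authentication vector
	SampleIK   = bytes.Repeat([]byte{0x1C}, 16) // integrity key IK from the authentication vector
	SampleRAND = bytes.Repeat([]byte{0xA5}, 16) // random challenge RAND from the authentication vector
	SampleIMPI = "user@ims.example.invalid"       // IMS Private Identity (constructed)
)

// BootstrapKs forms the root key Ks shared by UE and BSF after bootstrapping.
// Assumption (from TS 33.220, not stated on this page): Ks = CK || IK.
func BootstrapKs(ck, ik []byte) []byte {
	return append(append([]byte{}, ck...), ik...)
}

// NAFID builds NAF_Id by concatenating the NAF host name with the Ua protocol identifier (UaID).
func NAFID(nafFQDN string, uaID []byte) []byte {
	return append([]byte(nafFQDN), uaID...)
}

// kdf is the generic 3GPP key derivation function as the author understands
// TS 33.220 Annex B: HMAC-SHA-256 keyed with Ks over
// S = FC || P0 || L0 || P1 || L1 || ..., where Li is the 2-byte big-endian length of Pi.
func kdf(key []byte, fc byte, params ...[]byte) []byte {
	var s bytes.Buffer
	s.WriteByte(fc)
	for _, p := range params {
		s.Write(p)
		var l [2]byte
		binary.BigEndian.PutUint16(l[:], uint16(len(p)))
		s.Write(l[:])
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(s.Bytes())
	return mac.Sum(nil)
}

// DeriveKsNAF computes Ks_(Ext/Int)_NAF = KDF(Ks, "gba-me" | "gba-u", RAND, IMPI, NAF_Id).
// Both the UE and the BSF run it; the NAF only ever receives the result, never Ks.
func DeriveKsNAF(ks, rand []byte, impi, variant, nafFQDN string, uaID []byte) []byte {
	const fcGBA = 0x01 // FC value for the GBA KDF (assumption taken from TS 33.220 Annex B)
	return kdf(ks, fcGBA, []byte(variant), rand, []byte(impi), NAFID(nafFQDN, uaID))
}

// BootstrapCtx is what the BSF keeps per B-TID after Steps 7-8 above.
type BootstrapCtx struct {
	Ks, RAND []byte
	IMPI     string
	KsExpiry int64 // Unix time after which Ks must be re-bootstrapped
}

// NAFRecord is the part of the Zn answer (Step 3 above) that this example models:
// the NAF-specific key and its validity period, never the root key Ks.
type NAFRecord struct {
	BTID     string
	KsNAF    []byte
	KsExpiry int64
}

// BSFAnswerZn simulates the BSF side of Step 3: look up Ks by B-TID, refuse an
// unknown B-TID or an expired Ks, otherwise derive the key for this NAF.
func BSFAnswerZn(store map[string]BootstrapCtx, btid, nafFQDN string, uaID []byte, now int64) (NAFRecord, bool) {
	ctx, ok := store[btid]
	if !ok || now > ctx.KsExpiry {
		return NAFRecord{}, false
	}
	key := DeriveKsNAF(ctx.Ks, ctx.RAND, ctx.IMPI, "gba-me", nafFQDN, uaID)
	return NAFRecord{BTID: btid, KsNAF: key, KsExpiry: ctx.KsExpiry}, true
}

func main() {
	ks := BootstrapKs(SampleCK, SampleIK)
	uaID := []byte{0x01, 0x00, 0x00, 0x00, 0x02} // constructed Ua security protocol identifier
	naf := "naf1.example.invalid"

	// UE side (Step 9 above plus the formula).
	ueKey := DeriveKsNAF(ks, SampleRAND, SampleIMPI, "gba-me", naf, uaID)

	// BSF side (Step 3 above): the BSF derives the same key from its own copy of Ks.
	store := map[string]BootstrapCtx{"btid-1": {Ks: ks, RAND: SampleRAND, IMPI: SampleIMPI, KsExpiry: 2000}}
	rec, ok := BSFAnswerZn(store, "btid-1", naf, uaID, 1000)
	fmt.Println("UE  Ks_NAF:", hex.EncodeToString(ueKey))
	fmt.Println("BSF Ks_NAF:", hex.EncodeToString(rec.KsNAF), "agree:", ok && hmac.Equal(ueKey, rec.KsNAF))

	// Per-NAF key separation: another NAF gets a different key from the same Ks.
	other := DeriveKsNAF(ks, SampleRAND, SampleIMPI, "gba-me", "naf2.example.invalid", uaID)
	fmt.Println("naf2 key equals naf1 key:", hmac.Equal(ueKey, other))
}
```

The point of the separation check is the one the page's flow relies on: a compromised NAF learns only its own Ks_NAF, and the BSF's expiry check is what forces the periodic Ks update mentioned in Step 7.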
  • LAP Liberty Alliance Project
  • ID-FF Identity-based Alliance Network Architecture
  • ID-WSF Identity-based Web Service Network Architecture
  • ID-SIS Identity Services Interface Specifications
  • ID-FF mainly includes the Identity Federation function and the Single Sign-On (SSO) function.
  • ID-WSF mainly defines some identity-based Web service architectures based on ID-FF to provide some simple, user-customizable Web services.
  • ID-SIS defines some interface specifications related to Web services.
  • the architecture of ID-FF is shown in Figure 4. It mainly consists of three entities: the UE, the Identity Provider (IdP) and the Service Provider (SP).
  • IdP Identity Provider
  • SP Service Provider
  • the UE has its own identity on the IdP and SP, namely the user identity.
  • these identities can be federated (form an alliance).
  • SSO refers to the above-mentioned identity federation function: as long as the UE passes authentication on the IdP, it is regarded as authenticated at the same time on all the SPs that form the federation.
  • the ID-FF and GBA interworking architecture is shown in Figure 5.
  • the UE has two authentication modes. In the first, after the UE passes authentication on the IdP, the IdP returns an Assertion directly to the UE; the UE sends the Assertion to the SP; the SP authenticates the UE by analyzing the Assertion. In the second, after the UE passes authentication on the IdP, the IdP returns an Artifact to the UE; the UE sends the Artifact to the SP; the SP then sends the Artifact to the IdP through the SOAP protocol; the IdP queries the corresponding Assertion according to the Artifact and returns it to the SP; finally, the SP authenticates the UE by analyzing the Assertion.
  • the ID-WSF architecture is shown in Figure 6. It mainly consists of the following entities: UE, IdP, SP, Web Service Consumer (WSC), Web Service Provider (WSP) and Discovery Service entity (DS, Discovery Service).
  • WSP Web Service Provider
  • DS Discovery Service Entity
  • the WSP registers the type of Web service it can provide with the DS; when the UE accesses the WSC, the WSC queries the DS for accessible WSPs; the DS matches the relevant WSP address and provides it to the WSC; the WSC can then access the relevant WSP on behalf of the UE.
  • WSC and WSP are relative roles: a WSC can act as a Web service consumer and also as a Web service provider (WSP or SP), and a WSP or SP can also act as another Web Service Consumer (WSC) while serving as a Web service provider.
  • A further simplified form of the above architecture is shown in Figure 7, where the functionality of the WSC is implemented on the UE, and a WSP can provide the functionality of an Authentication Service entity (AS).
  • AS Authentication Service Entity
  • the AS function in the ID-WSF is equivalent to the IdP function in the ID-FF, and is used to complete the authentication function of the identity web service network. Since Figure 7 mainly deals with the authentication of ID-WSF, the DS is omitted.
  • Figure 8 shows the network architecture of the ID-WSF of the Single-Sign-On Service (SSOS).
  • the main workflow is as follows: First, the UE and the AS interact through the SASL protocol to complete the AS authentication. After the authentication passes, the AS returns the SSOS address and the credentials required to access the SSOS (Credentials) to the UE; the UE accesses the SSOS using the Credentials obtained from the AS to perform SSOS authentication, and the SSOS returns the corresponding Assertion to the UE after successfully authenticating the UE; the UE then uses the Assertion to access the related SP.
  • after the UE interacts with the BSF to obtain the root key Ks and the B-TID in the universal authentication architecture, it needs to authenticate to each NAF, using the B-TID as the user name and Ks_(Ext/Int)_NAF as the password, in order to access the individual NAFs. This frequent authentication enhances security but increases the complexity and inconvenience of terminal operations.
  • the identity web service network architecture establishes an identity security association between each SP and the SSOS through the single sign-on function, forming a security trust circle: as long as authentication passes on the SSOS, it is regarded as passed on all SPs within the security trust circle.
  • the prior art provides a network architecture in which GBA and ID-WSF interwork when the AS and the SSOS are different entities, but does not provide any corresponding authentication method. Therefore, although an interworking network architecture exists in the prior art, there is no way to implement interworking between the two network architectures, so the interworking network architecture cannot be applied in practice.
  • the security of ID-WSF communication is not high enough, and the user terminal of the universal authentication architecture is not easy to operate; the invention therefore extends the application scenarios of the user terminal so that it can conveniently use the various kinds of existing Web services.
  • an object of the present invention is to provide an identity identification webpage service network system and an authentication method thereof.
  • an identity web service network system includes a bootstrapping service function entity of the universal authentication architecture, a service provider entity, a user terminal and a user home network server; the user home network server and the bootstrapping service function entity communicate through the Zh interface, and the bootstrapping service function entity and the user terminal communicate through the Ub interface. The system is characterized by a network service application function/authentication service/single-point authentication service entity that includes a network service application function module, an authentication service module and a single-point authentication service module: the network service application function module provides the function of the network service application function entity, the authentication service module provides the function of the authentication service entity, and the single-point authentication service module provides the function of the single-point authentication service entity; the network service application function module and the bootstrapping service function entity communicate through the Zn interface, and the network service application function module communicates with the user terminal through the Ua interface.
  • the identity web service network system wherein: the single-point authentication service module and the user terminal communicate using the single sign-on and identity federation protocol described by the Security Assertion Markup Language (SAML), with the communication messages encapsulated by the Simple Object Access Protocol (SOAP) or the Hypertext Transfer Protocol (HTTP); the authentication service module and the user terminal communicate using the Simple Authentication and Security Layer (SASL) protocol, with the communication messages encapsulated by SOAP or HTTP; when the single-point authentication service module communicates with the service provider entity, the communication messages are encapsulated by SOAP; when the user terminal communicates with the service provider entity, the communication messages are encapsulated by SOAP or HTTP.
  • An authentication method for the identity web service network system includes the following steps: the communication process between the user terminal and the service provider entity includes two authentication processes, namely the universal authentication architecture authentication process and the identity web service network architecture authentication process. In the universal authentication architecture authentication process, the bootstrapping service function entity generates a bootstrapping transaction identifier and a root key validity period and sends them to the user terminal, and the bootstrapping service function entity and the user terminal generate the root key. In the identity web service network architecture authentication process, the authentication service entity or the authentication service module generates the credential required for the user terminal to access the single-point authentication service entity or the single-point authentication service module; the single-point authentication service entity or module then either generates an authentication assertion and sends it to the user terminal, or generates an authentication assertion and a corresponding assertion link, saves the correspondence table of the assertion and the link, and sends the assertion link to the user terminal.
  • the authentication method further includes the following steps: the user terminal sends an identity web service network architecture authentication request message to the corresponding authentication service entity or authentication service module; the authentication service entity or module sends the user terminal a challenge response message requesting it to perform the universal authentication architecture authentication; the bootstrapping service function entity performs the universal authentication architecture authentication on the user terminal and, after the authentication succeeds, sends the user terminal a universal authentication architecture authentication success response message that includes a bootstrapping transaction identifier and a key validity period; the user terminal sends an application request message to the authentication service entity or module, which authenticates the user terminal according to the application request message and, after the authentication passes, sends the user terminal a response message containing the address and the credential of the single-point authentication service entity or module.
  • the authentication method further includes: the single-point authentication service entity or module performs the identity web service network architecture authentication on the user terminal and, after the authentication succeeds, sends the user terminal an identity web service network architecture authentication success response message that includes an authentication assertion.
  • alternatively, the single-point authentication service entity or module performs the identity web service network architecture authentication on the user terminal, generates an authentication assertion and a corresponding assertion link, saves the correspondence table of the assertion and the link, and includes the assertion link in the identity web service network architecture authentication success response message subsequently sent to the user terminal.
  • the identity web service network system authentication method includes the following steps:
  • A1. the user terminal sends an application request message to the service provider entity;
  • A2. after receiving the application request message, the service provider entity first obtains the address of the authentication service entity or the authentication service module, and then sends a response message carrying an authentication request header field to the user terminal;
  • A3. the user terminal sends an application request message to the authentication service entity or the authentication service module, which includes a Simple Authentication and Security Layer (SASL) protocol request header field containing an authentication mechanism header field that lists the authentication methods supported by the user terminal;
  • A4. the authentication service entity or the authentication service module sends a challenge response message to the user terminal, which includes a SASL protocol response header field containing a server authentication mechanism header field and a challenge header field; the server authentication mechanism header field records the rights of the authentication service entity or the authentication service module;
  • A5. the user terminal interacts with the bootstrapping service function entity to perform the universal authentication architecture authentication;
  • A6. the user terminal sends an application request message to the authentication service entity or the authentication service module, which includes a SASL protocol request header field; this header field contains a challenge response header field, which in turn contains the bootstrapping transaction identifier and an authentication response header field;
  • A7. the authentication service entity or the authentication service module obtains the shared key, user security settings, key validity period, bootstrapping time and similar information through the Zn interface, authenticates the user terminal according to the received SASL protocol request header field and, after the authentication passes, sends the user terminal a response message that includes a SASL protocol response header field carrying the address and credentials of the single-point authentication service entity or the single-point authentication service module.
  • the authentication method wherein: a user terminal that supports both the universal authentication architecture authentication and the identity web service network architecture authentication sets a universal authentication architecture identifier in the application request message it sends to the authentication service entity or the authentication service module. If the authentication service entity or module finds the universal authentication architecture identifier, it notifies the user terminal to start the universal authentication architecture authentication process and then the identity web service network architecture authentication process; otherwise, it notifies the user terminal that only the identity web service network architecture authentication process is initiated.
  • the authentication method wherein step A5 includes the following steps:
  • the user terminal sends a universal authentication architecture authentication request message carrying the private user identifier to the bootstrapping service function entity;
  • after receiving the universal authentication architecture authentication request message, the bootstrapping service function entity acquires an authentication vector of the user terminal from the user home network server;
  • the bootstrapping service function entity sends a challenge message carrying the authentication sequence number parameter and the random parameter to the user terminal;
  • the user terminal checks the validity of the authentication sequence number parameter and generates the expected result;
  • the user terminal sends a message carrying the private user identifier and the expected result to the bootstrapping service function entity;
  • the bootstrapping service function entity checks the validity of the expected result and generates a root key;
  • the bootstrapping service function entity sends a universal authentication architecture success response message carrying the bootstrapping transaction identifier and the root key validity period to the user terminal.
  • the identity web service network system authentication method includes the following steps:
  • C1. the user terminal sends an application request message to the single-point authentication service entity or the single-point authentication service module according to its address;
  • C2. the single-point authentication service entity or module performs authentication processing according to the content of the received application request message and, after the authentication succeeds, sends the user terminal a success response message that includes an authentication assertion bearing the digital signature of the single-point authentication service entity or module;
  • C3. the user terminal sends an application request message including the authentication assertion to the service provider entity;
  • C4. the service provider entity processes the authentication assertion, verifies the digital signature of the single-point authentication service entity or module and, after completing the authentication of the user terminal, sends a response message to the user terminal.
  • the identity web service network system authentication method includes the following steps:
  • the user terminal sends an application request message to the single-point authentication service entity or the single-point authentication service module according to its address;
  • the single-point authentication service entity or module performs authentication processing according to the content of the received application request message, generates an authentication assertion and a corresponding assertion link, saves the correspondence table of the assertion and the link, and, after the authentication succeeds, sends the user terminal a success response message that includes the assertion link;
  • the user terminal sends an application request message including the assertion link to the service provider entity;
  • the service provider entity sends an application request message including the assertion link to the single-point authentication service entity or module;
  • the single-point authentication service entity or module finds the corresponding authentication assertion according to the assertion link and sends the service provider entity a response message that includes the authentication assertion bearing the digital signature of the single-point authentication service entity or module;
  • the service provider entity processes the authentication assertion, verifies the digital signature of the single-point authentication service entity or module and, after completing the authentication of the user terminal, sends a response message to the user terminal.
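As an added example of the two assertion-delivery modes described in the C steps (assertion returned to the user terminal) and the steps just above (assertion link, or artifact, resolved by the service provider), written by the editor and not taken from the patent or from Huawei: an SSOS that signs assertions with Ed25519 and keeps the artifact-to-assertion correspondence table, and an SP that verifies with nothing but the SSOS public key. The assertion field layout, the hex artifact format, the one-shot artifact redemption and the freshness window are choices made for this example; the page specifies SAML assertions over SOAP and sets no assertion lifetime.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// Assertion is the authentication statement the SSOS issues about an authenticated UE.
// The field layout is constructed for this example; the real ID-WSF assertion is a SAML document.
type Assertion struct {
	Issuer    string
	Subject   string
	IssuedAt  int64  // Unix time of issue
	Signature []byte // SSOS signature over the other three fields
}

// signedBytes is the canonical byte string the signature covers.
func (a Assertion) signedBytes() []byte {
	return []byte(strings.Join([]string{a.Issuer, a.Subject, strconv.FormatInt(a.IssuedAt, 10)}, "\n"))
}

// SSOS holds the signing key and the artifact -> assertion correspondence table.
type SSOS struct {
	Name      string
	pub       ed25519.PublicKey
	priv      ed25519.PrivateKey
	artifacts map[string]Assertion
}

func NewSSOS(name string) (*SSOS, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SSOS{Name: name, pub: pub, priv: priv, artifacts: map[string]Assertion{}}, nil
}

// PublicKey is what an SP is provisioned with; the private key never leaves the SSOS.
func (s *SSOS) PublicKey() ed25519.PublicKey { return s.pub }

// IssueAssertion is the direct mode (step C2): the signed assertion goes back to the UE itself.
func (s *SSOS) IssueAssertion(subject string, now int64) Assertion {
	a := Assertion{Issuer: s.Name, Subject: subject, IssuedAt: now}
	a.Signature = ed25519.Sign(s.priv, a.signedBytes())
	return a
}

// IssueArtifact is the artifact mode: the UE only receives an opaque link, while the
// assertion stays in the SSOS table until the SP resolves it over the back channel.
func (s *SSOS) IssueArtifact(subject string, now int64) (string, error) {
	var b [20]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	art := hex.EncodeToString(b[:])
	s.artifacts[art] = s.IssueAssertion(subject, now)
	return art, nil
}

// ResolveArtifact answers the SP's back-channel request. Design choice for this example:
// an artifact is redeemable exactly once, so a replayed link is refused.
func (s *SSOS) ResolveArtifact(art string) (Assertion, bool) {
	a, ok := s.artifacts[art]
	if ok {
		delete(s.artifacts, art)
	}
	return a, ok
}

// SP trusts one SSOS, identified by name and public key.
type SP struct {
	SSOSName string
	SSOSKey  ed25519.PublicKey
	MaxAge   int64 // freshness window in seconds (example choice; the page sets none)
}

// Verify is the SP-side check (step C4 and the last artifact step): issuer, freshness, signature.
func (sp SP) Verify(a Assertion, now int64) bool {
	if a.Issuer != sp.SSOSName || now < a.IssuedAt || now-a.IssuedAt > sp.MaxAge {
		return false
	}
	return ed25519.Verify(sp.SSOSKey, a.signedBytes(), a.Signature)
}

func main() {
	ssos, err := NewSSOS("ssos.example.invalid")
	if err != nil {
		panic(err)
	}
	sp := SP{SSOSName: ssos.Name, SSOSKey: ssos.PublicKey(), MaxAge: 300}
	now := int64(1700000000)
	user := "user@ims.example.invalid" // constructed subject

	a := ssos.IssueAssertion(user, now)
	fmt.Println("direct mode, SP accepts:", sp.Verify(a, now+5))

	art, _ := ssos.IssueArtifact(user, now)
	res, ok := ssos.ResolveArtifact(art)
	fmt.Println("artifact mode, resolved:", ok, "SP accepts:", sp.Verify(res, now+5))
	_, again := ssos.ResolveArtifact(art)
	fmt.Println("artifact redeemable twice:", again)
}
```

The SP holds no secret shared with the SSOS, which is what makes the trust circle on this page one-directional: any SP can verify, only the SSOS can issue, and a tampered or foreign assertion fails at the signature check rather than at a policy layer.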
  • the identity identification webpage service network system authentication method wherein: simple authentication and security encapsulation.
  • the authentication method wherein: when the service provider entity receives an exit link request message sent by the user terminal, the single-point authentication service entity or the single-point authentication service module, the service provider entity requests the user terminal to re-authenticate in the subsequent communication process with the user terminal.
  • the authentication method wherein the following local security policy is configured on the authentication service entity or the authentication service module: when re-authenticating the user terminal, if the shared key of the two parties has not expired, only the identity web service network architecture authentication is performed on the user terminal.
  • the authentication method wherein the following local security policy is configured on the authentication service entity or the authentication service module: when re-authenticating the user terminal, if the shared key of the two parties has expired, both the universal authentication architecture authentication and the identity web service network architecture authentication are performed on the user terminal.
  • the technical solution of the present invention improves the prior-art ID-WSF and provides a new interworking architecture: the functions of the original authentication service entity, single-point authentication service entity and network service application function entity are implemented by different modules of the network service application function/authentication service/single-point authentication service entity, namely the authentication service module, the single-point authentication service module and the network service application function module, thereby realizing the interworking of ID-WSF and GBA.
  • the present invention also provides a method for realizing the authentication of the identity web service system, so that the interworking of GBA and ID-WSF is realized. This addresses the problems that the security of ID-WSF communication is not high enough and that the user terminal of the universal authentication architecture is not easy to operate; the application scenarios of the user terminal are thereby extended, and the limitation on the various existing Web services the user terminal can use is removed.
  • the invention includes the following figures:
  • FIG. 1 is a schematic diagram of the prior art GBA (generic authentication architecture);
  • FIG. 2 is a flow chart of a UE performing a bootstrapping process in a prior art universal authentication architecture
  • FIG. 3 is a flow chart of the prior art NAF acquiring a shared key Ks_(Ext/Int)_NAF;
  • FIG. 4 is a schematic diagram of a prior art identity identity alliance network architecture (ID-FF);
  • FIG. 5 is a schematic diagram of a prior art ID-FF and GBA interworking architecture
  • FIG. 6 is a schematic diagram of a prior art identity identification webpage service network architecture (ID-WSF);
  • FIG. 7 is a simplified schematic diagram of a prior art ID-WSF;
  • FIG. 8 is a schematic diagram of an ID-WSF including a single point authentication service entity (SSOS) in the prior art
  • FIG. 9 is a schematic diagram of a network architecture of a prior art GBA and ID-WSF interworking
  • FIG. 10 is a network service according to an embodiment of the present invention. Schematic diagram of application function/authentication service/single point authentication service entity;
  • FIG. 11 is a schematic diagram of an identity identification webpage service network system according to an embodiment of the present invention
  • FIG. 12 is a flowchart of an authentication method for returning Assertion to a UE when NAF/AS and SSOS are different entities according to an embodiment of the invention
  • FIG. 13 is a diagram showing an Artifact to a UE when NAF/AS and SSOS are different entities according to an embodiment of the present invention.
  • FIG. 14 is a flowchart of an authentication method for using a network service application function/authentication service/single point authentication service entity and returning Assertion to the UE according to an embodiment of the present invention
  • 15 is a flow chart of an authentication method for using a network service application function/authentication service/single point authentication service entity and returning an Artifact to the UE according to an embodiment of the present invention.
  • the present invention provides a network service application function/authentication service/single point authentication service entity, which includes a network service application function module, an authentication service module and a single point authentication service module:
  • the network service application function module is used to provide the function of a network service application function entity;
  • the authentication service module is used to provide the function of an authentication service entity;
  • the single point authentication service module is used to provide the function of a single point authentication service entity.
  • the present invention provides an identity identification webpage service network system, which includes a user home network server and a bootstrapping service function entity of the universal authentication architecture, a network service application function/authentication service/single point authentication service entity, a service provider entity and a user terminal.
  • the user home network server and the bootstrapping service function entity communicate through the Zh interface; the bootstrapping service function entity communicates with the user terminal through the Ub interface; the network service application function module and the bootstrapping service function entity communicate through the Zn interface; the network service application function module communicates with the user terminal through the Ua interface; the single point authentication service module and the user terminal communicate using the security assertion markup language (SAML) single sign-on and identity federation protocol, and may encapsulate the communication messages using the simple object access protocol (SOAP) or the hypertext transfer protocol (HTTP); the user terminal and the authentication service module communicate using the simple authentication and security layer (SASL) protocol, and may encapsulate the communication messages using SOAP or HTTP; the communication between the single point authentication service module and the service provider entity, and between the user terminal and the service provider entity, uses SOAP or HTTP to encapsulate the communication messages.
  • the present invention not only provides a network architecture different from the existing GBA and ID-WSF interworking, but also provides a method for implementing authentication based on the two architectures.
  • the method for authenticating the UE is shown in FIG. 12 and FIG. 13. The two figures have in common that NAF/AS and SSOS are different entities; the difference is that FIG. 12 is Embodiment 1, in which an Assertion is returned to the UE, and FIG. 13 is Embodiment 2, in which an Artifact is returned to the UE.
  • the method for authenticating the UE using the network service application function/authentication service/single point authentication service entity provided by the present invention is shown in FIG. 14 and FIG. 15. The two figures have in common that NAF/AS and SSOS are the same entity; the difference is that FIG. 14 is Embodiment 3, in which the Assertion is returned to the UE, and FIG. 15 is Embodiment 4, in which an Artifact is returned to the UE.
  • the steps of the authentication methods shown in FIGS. 12 and 13 and in FIGS. 14 and 15 are basically the same. The difference is that in FIGS. 12 and 13 the single-point authentication service entity and the authentication service entity (which includes the network service application function) are two separate logical entities, whereas in FIGS. 14 and 15 the functions of these two entities are implemented by three modules of one network service application function/authentication service/single point authentication service entity, namely the network service application function module, the single point authentication service module and the authentication service module.
  • since Embodiments 1 and 3, and Embodiments 2 and 4, are substantially the same, the implementation of the authentication method of the present invention is described below through Embodiment 1 and Embodiment 2.
  • the main point of the authentication method of the present invention is as follows: in order to realize interworking between the GBA and the ID-WSF and to improve the security and convenience of ID-WSF network communication, the communication between the user terminal of the identity identification webpage service network system and the service provider entity includes two authentication processes, the GBA authentication process and the ID-WSF authentication process;
  • in the GBA authentication process, the bootstrapping service function entity generates a bootstrapping transaction identifier and a root key validity period and sends them to the user terminal, and both the bootstrapping service function entity and the user terminal generate the root key;
  • in the ID-WSF authentication process, the authentication service entity or the authentication service module generates the credentials required by the user terminal to access the single-point authentication service entity or the single-point authentication service module;
  • the single-point authentication service entity or the single-point authentication service module generates an authentication assertion and the corresponding artifact, saves the correspondence between the authentication assertion and the artifact, and sends the authentication assertion or the artifact to the user terminal.
  • the UE and the AS negotiate through the SASL protocol and adopt the HTTP DIGEST authentication mode; if another authentication method is adopted, the digest-challenge header field (challenge header field) and the digest-response header field (challenge response header field) are replaced by the challenge header field and the challenge response header field of the corresponding authentication mode.
  • Embodiment 1 is described as follows:
  • Step 1 The UE sends an HTTP Request message (application request message) to the SP; a TLS security tunnel can be established in advance between the UE and the SP.
  • Step 2 After receiving the HTTP Request message, the SP first obtains the address of the AS, and then sends an HTTP Response message to the UE, where the AuthnRequest header field (authentication request header field) is carried.
  • Step 3 Since the UE integrates the WSC entity function, after receiving the response message containing the AuthnRequest header field returned by the SP, the UE knows through its WSC that it should authenticate to the AS through the SASL (Simple Authentication and Security Layer) protocol instead of authenticating to the IdP through the HTTP DIGEST protocol. The UE sends an HTTP Request message to the AS, which carries a SASLRequest header field (Simple Authentication and Security Layer protocol request header field) encapsulated by the Simple Object Access Protocol (SOAP); the mechanism header field (authentication mechanism header field) of the SASLRequest header field contains the list of authentication modes supported by the UE, for example mechanism="CRAM-MD5 DIGEST-MD5", where DIGEST-MD5 indicates the HTTP DIGEST authentication mode;
  • Step 4 The AS returns an HTTP Response message to the UE, which carries the SASLResponse header field (Simple Authentication and Security Layer protocol response header field) encapsulated by SOAP; the serverMechanism header field (server authentication mechanism header field) of the SASLResponse header field records the authentication mode selected by the AS from the list supported by the UE (for example serverMechanism="DIGEST-MD5" indicates that the AS selected HTTP DIGEST), together with the digest-challenge challenge header field;
  • Step 5 The UE sends a GBA authentication request message to the BSF, which includes the private user identity (IMPI), and requests mutual authentication with the BSF;
  • Step 6 After receiving the GBA authentication request message of the UE, the BSF first obtains the authentication vector information of the UE, that is, the authentication vector (authentication sequence number parameter AUTN, random parameter RAND, integrity key IK, confidentiality key CK, expected result XRES);
  • Step 7 The BSF saves XRES, IK and CK, and sends a message to the UE carrying AUTN and RAND;
  • Step 8 The UE runs the AKA algorithm, checks the validity of the AUTN to authenticate the BSF, and generates the expected result RES, and generates the integrity key IK and the confidentiality key CK by using the RAND;
  • Step 9 The UE sends a message to the BSF, where the IMPI and the expected result RES are carried;
  • Step 10 The BSF compares the RES with the saved XRES, and if the two are consistent, the UE is authenticated, and the saved IK and CK are used to generate the root key Ks;
  • Step 11 The BSF sends a GBA success response message to the UE, which carries the bootstrapping transaction identifier (B-TID) and the validity period of the root key Ks;
  • Step 12 The UE saves the B-TID and the validity period of the root key Ks, generates the root key Ks using IK and CK, and then generates and saves the shared key Ks_(Ext/Int)_NAF;
  • Step 13 The UE sends an HTTP Request message to the AS again, which carries the SASLRequest header field encapsulated by SOAP. The mechanism header field of the SASLRequest header field is filled with the authentication mode selected by the AS in step 4 (here HTTP DIGEST), and the digest-response header field (challenge response header field) of the SASLRequest header field contains the username header field, filled with the B-TID, and the authentication response digest calculated with the key Ks_(Ext/Int)_NAF;
  • Step 14 The AS and the NAF are on one entity. If the AS does not hold the Ks_(Ext/Int)_NAF key and related information, it can obtain Ks_(Ext/Int)_NAF, the USS, the key validity period, the bootstrapping time and other information from the BSF through the Zn interface, where the USS may contain some identity federation related information;
  • Step 15 According to the obtained Ks_(Ext/Int)_NAF key information, the AS processes the digest-response in the SASLRequest header field; after the authentication passes, the AS sends an HTTP Response message to the UE, which carries the SOAP-encapsulated SASLResponse header field containing the SSOS address and the ServiceType field. The ServiceType field contains urn:liberty:ssos:2004-04 and other SSO related information, such as the Credentials required to access the SSOS;
  • Step 16 The UE sends an HTTP Request message to the SSOS according to the SSOS address obtained in step 15, requesting the Assertion required by the SP; the message carries the samlp2:AuthnRequest header field, the sb:Correlation header field and the wsse:security header field encapsulated by SOAP. The AuthnRequest header field may be the one returned by the SP in step 2 or may be generated by the UE itself; it includes the authentication operations required by the AuthnRequest receiver, and its ProtocolBinding header field is set to urn:liberty:iff:profiles:id-wsf to indicate that the SAML protocol binding is to be used. The wsse:security header field contains the credentials for accessing the SSOS obtained in the previous step, and the sb:Correlation header field is mainly used to associate the response message returned by the SSOS with the corresponding request message;
  • Step 17 The SSOS performs authentication processing according to the content of the received HTTP Request message. After authentication succeeds, the SSOS may tell the UE which identities are to form an identity federation with the UE; once the UE agrees, the identity federation with the SP is completed. The SSOS then returns an HTTP Response message carrying the samlp2:Response header field encapsulated by SOAP, where the Response header field contains the saml:Assertion header field required to access the SP (which carries the digital signature of the SSOS);
  • Step 18 The UE sends an HTTP Request message to the SP again, which carries the saml:Assertion header field returned in the previous step of the SOAP protocol encapsulation;
  • Step 19 The SP processes the saml:Assertion header field, verifies the digital signature of the SSOS, authenticates the UE according to the identity information asserted by the SSOS, and returns an HTTP Response message after success.
  • the AS may require the UE to perform steps 5 to 12 each time and then perform step 13, so that the user identifier B-TID and the key Ks_(Ext/Int)_NAF are regenerated every time. Alternatively, steps 3 to 12 are not performed and step 13 is executed directly, that is, the digest-response header field in the SASLRequest header field of the HTTP Request message sent by the UE to the AS contains the username header field filled with the B-TID, and the shared key Ks_(Ext/Int)_NAF is used to calculate the authentication response digest.
  • if no security association has been established between the UE and the AS, steps 3 to 12 are performed to obtain the B-TID and the key Ks_(Ext/Int)_NAF through the normal GBA bootstrapping process, and then step 13 is performed. If the request in step 3 already carries an existing B-TID and an authentication response digest calculated with the key Ks_(Ext/Int)_NAF, and the AS challenges the UE through step 4, the UE performs steps 5 to 12 (the normal GBA authentication process) to obtain an updated B-TID and shared key Ks_(Ext/Int)_NAF, and then proceeds to step 13.
  • when the UE sends the HTTP request to the AS in step 3, it needs to carry an identifier indicating that the GBA mechanism is supported: for an application based on the ME (Mobile Equipment), the User-Agent header field is set to "3gpp-gba"; for an application based on the UICC (Universal Integrated Circuit Card), the User-Agent header field is set to "3gpp-gba-uicc".
  • the challenge response in step 4 also carries an identifier indicating whether the UE needs to perform the GBA mechanism; if so, steps 5 to 12 are performed before step 13. Otherwise step 13 is executed directly, and the username and password are obtained and processed through the existing SSO mechanism, for example by showing the user a dialog box in which the username and password are entered directly.
  • when the UE sends the HTTP request to the AS again in step 13, it also needs to carry the identifier indicating that the GBA mechanism is supported, as in step 3. If the AS finds the identifier, it knows that step 14 needs to be performed first and then step 15; otherwise it goes directly to step 15.
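As an added illustration (not part of the patent text), the following Python simulates steps 5 to 15 and the local re-authentication policy of the AS: a simplified GBA bootstrapping between UE and BSF, derivation of Ks and Ks_(Ext/Int)_NAF, and the AS checking an HTTP Digest response whose username is the B-TID and whose password is derived from Ks_(Ext/Int)_NAF. The AKA functions, the KDF, the host names, the key lifetime and the use of base64(Ks_NAF) as the digest password are simplifications and assumptions of this example, not the 3GPP algorithms.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed values: long-term secret K shared by the USIM and the HSS/BSF,
# the private user identity (IMPI) and the NAF (AS) identifier.
K = bytes.fromhex("00112233445566778899aabbccddeeff")
IMPI = "user@ims.example.invalid"
NAF_ID = "as.example.invalid"
KEY_LIFETIME = 3600  # validity period of Ks in seconds (chosen for the example)


def _prf(key, label, data):
    """Keyed PRF used below in place of the Milenage f-functions and the GBA KDF."""
    return hmac.new(key, label + data, hashlib.sha256).digest()


def bsf_make_vector(k, sqn, rand=None):
    """Step 6: simplified authentication vector (AUTN, RAND, IK, CK, XRES)."""
    rand = rand or secrets.token_bytes(16)
    mac = _prf(k, b"mac", rand + sqn)[:8]   # network authentication code
    autn = sqn + mac                        # AUTN = SQN || MAC (no AK masking here)
    xres = _prf(k, b"res", rand)[:8]
    ck = _prf(k, b"ck", rand)[:16]
    ik = _prf(k, b"ik", rand)[:16]
    return autn, rand, ik, ck, xres


def ue_run_aka(k, autn, rand):
    """Step 8: the UE checks AUTN (authenticating the BSF) and derives RES, IK, CK."""
    sqn, mac = autn[:6], autn[6:]
    if not hmac.compare_digest(mac, _prf(k, b"mac", rand + sqn)[:8]):
        raise ValueError("AUTN check failed: network not authenticated")
    return _prf(k, b"res", rand)[:8], _prf(k, b"ik", rand)[:16], _prf(k, b"ck", rand)[:16]


def derive_ks_naf(ks, rand, impi, naf_id):
    """Steps 12 and 14: Ks_(Ext/Int)_NAF bound to RAND, IMPI and the NAF identifier."""
    return _prf(ks, b"gba-me", rand + impi.encode() + naf_id.encode())


def gba_bootstrap(now, sqn=b"\x00\x00\x00\x00\x00\x01"):
    """Steps 5-12 between UE and BSF; returns the BSF record store and the UE state."""
    autn, rand, ik, ck, xres = bsf_make_vector(K, sqn)          # BSF side, steps 6-7
    res, ue_ik, ue_ck = ue_run_aka(K, autn, rand)                # UE side, steps 8-9
    if not hmac.compare_digest(res, xres):                       # step 10
        raise ValueError("RES mismatch: UE not authenticated")
    ks = ck + ik                                                 # root key Ks, both sides
    btid = base64.b64encode(rand).decode() + "@bsf.example.invalid"  # constructed B-TID
    expiry = now + KEY_LIFETIME                                  # step 11: Ks validity period
    bsf_store = {btid: {"ks": ks, "rand": rand, "impi": IMPI, "expiry": expiry}}
    ue_state = {"btid": btid, "expiry": expiry,
                "ks_naf": derive_ks_naf(ue_ck + ue_ik, rand, IMPI, NAF_ID)}
    return bsf_store, ue_state


def digest_response(username, password, realm, nonce, cnonce, method="POST",
                    uri="/sasl", nc="00000001"):
    """HTTP Digest response (RFC 2617, qop=auth) as placed in digest-response."""
    def h(s):
        return hashlib.md5(s.encode()).hexdigest()
    ha1 = h(f"{username}:{realm}:{password}")
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def ue_digest(ue_state, nonce, cnonce, realm=NAF_ID):
    """Step 13: username = B-TID, password = base64(Ks_NAF) (assumption of this example)."""
    password = base64.b64encode(ue_state["ks_naf"]).decode()
    return digest_response(ue_state["btid"], password, realm, nonce, cnonce)


def as_verify(bsf_store, btid, response, nonce, cnonce, now, realm=NAF_ID):
    """Steps 14-15 at the AS/NAF: fetch key material over Zn (here a dict lookup),
    apply the local policy (unknown or expired key -> UE must bootstrap again),
    then check the digest."""
    rec = bsf_store.get(btid)
    if rec is None or now >= rec["expiry"]:
        return "re-bootstrap"   # AS re-challenges (step 4); UE repeats steps 5-12
    ks_naf = derive_ks_naf(rec["ks"], rec["rand"], rec["impi"], NAF_ID)
    password = base64.b64encode(ks_naf).decode()
    expected = digest_response(btid, password, realm, nonce, cnonce)
    return "ok" if hmac.compare_digest(expected, response) else "reject"


if __name__ == "__main__":
    now = 1_700_000_000
    bsf, ue = gba_bootstrap(now)
    nonce, cnonce = secrets.token_hex(8), secrets.token_hex(8)
    print(as_verify(bsf, ue["btid"], ue_digest(ue, nonce, cnonce), nonce, cnonce, now))
```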
  • Embodiment 2 is described as follows. Steps 1 to 16 are exactly the same as steps 1 to 16 in Embodiment 1, and are specifically:
  • Step 1 The UE sends an HTTP Request message to the SP.
  • Step 2 After receiving the HTTP Request message, the SP first obtains the address of the AS, and then sends an HTTP Response message to the UE, where the AuthnRequest header field is carried.
  • Step 3 Since the UE integrates the WSC entity function, after receiving the response message containing the AuthnRequest header field returned by the SP, the UE knows through its WSC that it should authenticate to the AS through the SASL protocol instead of authenticating to the IdP through the HTTP DIGEST protocol. The UE sends an HTTP Request message to the AS, which carries the SASLRequest header field encapsulated by SOAP; the mechanism header field of the SASLRequest header field contains the list of authentication modes supported by the UE, for example mechanism="CRAM-MD5 DIGEST-MD5", where DIGEST-MD5 indicates the HTTP DIGEST authentication mode;
  • Step 4 The AS returns an HTTP Response message to the UE, which carries the SASLResponse header field encapsulated by SOAP; the serverMechanism header field (server authentication mechanism header field) of the SASLResponse header field records the authentication mode selected by the AS from the list of authentication modes supported by the UE (for example serverMechanism="DIGEST-MD5" indicates that the AS selected HTTP DIGEST), together with the digest-challenge challenge header field;
  • Step 5 The UE sends a GBA authentication request message to the BSF, which includes the private user identity (IMPI), and requests mutual authentication with the BSF;
  • Step 6 After receiving the GBA authentication request message of the UE, the BSF first obtains the authentication vector information of the UE, that is, the authentication vector (authentication sequence number parameter AUTN, random parameter RAND, integrity key IK, confidentiality key CK, expected result XRES);
  • Step 7 The BSF saves XRES, IK, CK, and sends a message to the UE, which carries AUTN and RAND;
  • Step 8 The UE runs the AKA algorithm, checks the validity of the AUTN to authenticate the BSF, and generates the expected result RES, and generates the integrity key IK and the confidentiality key CK by using the RAND;
  • Step 9 The UE sends a message to the BSF, where the IMPI and the expected result RES are carried;
  • Step 10 The BSF compares the RES with the saved XRES, and if the two are consistent, the UE is authenticated, and the saved IK and CK are used to generate the root key Ks;
  • Step 11 The BSF sends a GBA success response message to the UE, which carries the bootstrapping transaction identifier (B-TID) and the validity period of the root key Ks;
  • Step 12 The UE saves the validity period of the B-TID and the root key Ks, and generates the root key Ks by using IK and CK, and then generates and saves the shared key Ks_(Ext/Int)_NAF;
  • Step 13 The UE sends an HTTP Request message to the AS again, which carries the SASLRequest header field encapsulated by SOAP; the mechanism header field of the SASLRequest header field is filled with the authentication mode selected by the AS in step 4 (in this embodiment HTTP DIGEST), and the digest-response challenge response header field contains the username header field, filled with the B-TID, and the authentication response digest calculated with the key Ks_(Ext/Int)_NAF;
  • Step 14 The AS and the NAF are on one entity. If the AS does not hold the Ks_(Ext/Int)_NAF key and related information, it can obtain Ks_(Ext/Int)_NAF, the USS, the key validity period, the bootstrapping time and other information from the BSF through the Zn interface, where the USS may contain some identity federation related information;
  • Step 15 The AS processes the SASLRequest header field; after the AS authentication succeeds, it sends an HTTP Response message to the UE, which carries the SOAP-encapsulated SASLResponse header field. The ID-WSF EPR (EndpointReference header field) in the SASLResponse header field contains the SSOS address, the ServiceType field in the SASLResponse header field is set to urn:liberty:ssos:2004-04, and the credentials required to access the SSOS are included;
  • Step 16 The UE sends an HTTP Request message to the SSOS obtained in the previous step, requesting the Assertion required by the SP; the message carries the samlp2:AuthnRequest header field, the sb:Correlation header field and the wsse:security header field encapsulated by SOAP. Depending on the application and network model, the AuthnRequest header field may be the one returned by the SP in step 2 or may be generated by the UE itself; it includes the authentication operations required by the AuthnRequest receiver, and its ProtocolBinding header field is set to urn:liberty:iff:profiles:id-wsf to indicate the SAML protocol binding to be used. The wsse:security header field contains the credentials (Credentials header field) required to access the SSOS returned in the previous step, and the sb:Correlation header field is mainly used to associate the response message returned by the SSOS with the corresponding request message;
  • Step 17 The SSOS processes the received HTTP Request message, generates the corresponding Artifact and Assertion, saves the correspondence between the two, and then returns an HTTP Response success message carrying the samlp2:Response header field encapsulated by SOAP, where the Response header field contains the Artifact header field corresponding to the saml:Assertion required to access the SP. The response returned to the UE in this step contains the "Artifact", whereas the response returned to the UE in step 17 of FIG. 12 (Embodiment 1) contains the "Assertion", which makes the subsequent processing different;
  • Step 18 The UE sends an HTTP Request message to the SP again, where the Artifact header field returned in step 17 of the SOAP protocol encapsulation is carried;
  • Step 19 The SP sends an HTTP Request message to the SSOS, where the Artifact header field obtained in the previous step of the SOAP protocol encapsulation is used to request an Assertion for the UE authentication process.
  • Step 20 The SSOS finds the corresponding Assertion according to the Artifact and returns an HTTP Response message carrying the saml:Assertion encapsulated by SOAP (which contains the digital signature of the SSOS);
  • Step 21 The SP processes the saml:Assertion header field, verifies its digital signature, authenticates the UE according to the identity information asserted by the SSOS, and returns an HTTP Response message after success.
  • after the authentication process of Embodiment 1 or Embodiment 2 is completed, the UE and the SP can continue to communicate, and the UE must be re-authenticated when the following occurs:
  • the SP needs to re-authenticate the UE; in its next interaction with the UE it sends a new HTTP Response message carrying the AuthnRequest, and the process starting from step 3 of Embodiment 1 or Embodiment 2 is then performed.
  • according to the local security policy configured on the AS, the new GBA authentication process can be omitted or a new GBA authentication process can be performed. If the new GBA authentication process is not performed, steps 3 to 12 and step 14 may be omitted, and the message content of steps 13, 15 and 16 is the same as in the previous run.
  • the SSOS needs to generate a new Assertion (in Embodiment 2, a new Artifact is also generated); the remaining steps are unchanged.
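As an added illustration (not part of the patent text), the following Python models the SSOS and SP side of steps 17 to 21 for both embodiments: issuing a signed Assertion directly to the UE (Embodiment 1), or issuing an Artifact whose saved Artifact-to-Assertion correspondence the SP resolves at the SSOS (Embodiment 2), with the SP checking signature, audience and validity period. The HMAC key standing in for the SSOS digital signature, the issuer and SP names, the assertion lifetime and the single-use resolution of an Artifact are assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed key standing in for the SSOS digital signature: the SP verifies the
# SSOS signature in steps 19/21; here an HMAC key shared by SSOS and SP plays that role.
SSOS_SIGNING_KEY = b"ssos-signing-key-for-this-example-only"
SSOS_ISSUER = "https://ssos.example.invalid"   # constructed issuer name
ASSERTION_LIFETIME = 300                       # seconds, chosen for the example


def _sign(payload):
    """Signature over a canonical encoding of the assertion body."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SSOS_SIGNING_KEY, canonical, hashlib.sha256).hexdigest()


class SSOS:
    """Single point authentication service: step 17 issuance and step 20 resolution."""

    def __init__(self):
        self.artifacts = {}   # Artifact -> Assertion correspondence saved in step 17

    def issue(self, subject, sp_entity_id, now, return_artifact=False):
        """Step 17: build the signed Assertion for the SP. In Embodiment 2 hand out an
        Artifact instead and keep the Artifact -> Assertion mapping; every call creates
        a fresh Assertion (and Artifact), as required on re-authentication."""
        body = {"id": secrets.token_hex(16), "issuer": SSOS_ISSUER, "subject": subject,
                "audience": sp_entity_id, "issued_at": now,
                "not_on_or_after": now + ASSERTION_LIFETIME}
        assertion = {"body": body, "signature": _sign(body)}
        if not return_artifact:
            return {"Assertion": assertion}                      # Embodiment 1
        artifact = secrets.token_urlsafe(20)
        self.artifacts[artifact] = assertion
        return {"Artifact": artifact}                            # Embodiment 2

    def resolve(self, artifact):
        """Step 20: return the Assertion for an Artifact. Each Artifact resolves once,
        a hardening choice of this example, so a re-presented Artifact is refused."""
        return self.artifacts.pop(artifact, None)


def sp_verify(assertion, sp_entity_id, now):
    """Steps 19/21 at the SP: check the SSOS signature, the audience and the validity window."""
    if assertion is None:
        return "unknown-artifact"
    body = assertion.get("body", {})
    if not hmac.compare_digest(_sign(body), assertion.get("signature", "")):
        return "bad-signature"
    if body.get("audience") != sp_entity_id:
        return "wrong-audience"
    if not body.get("issued_at", 0) <= now < body.get("not_on_or_after", 0):
        return "expired"
    return "ok"


def embodiment_1(ssos, subject, sp_id, now):
    """Steps 17-19: the Assertion travels UE -> SP and the SP verifies it directly."""
    msg = ssos.issue(subject, sp_id, now)
    return sp_verify(msg["Assertion"], sp_id, now)


def embodiment_2(ssos, subject, sp_id, now):
    """Steps 17-21: the UE forwards the Artifact; the SP resolves it at the SSOS.
    Returns the verdict for the first presentation and for a second, re-presented one."""
    msg = ssos.issue(subject, sp_id, now, return_artifact=True)
    artifact = msg["Artifact"]                            # step 18: UE relays it to the SP
    first = sp_verify(ssos.resolve(artifact), sp_id, now)  # steps 19-21
    second = sp_verify(ssos.resolve(artifact), sp_id, now)
    return first, second
```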
  • the embodiment shown in FIG. 14 is substantially the same as that shown in FIG. 12, and the embodiment shown in FIG. 15 is basically the same as that shown in FIG. 13, except that in FIG. 12 and FIG. 13 NAF/AS is one logical entity and SSOS is another logical entity, whereas in FIG. 14 and FIG. 15 NAF/AS/SSOS is a single logical entity.


Abstract

The invention relates to an identity web services framework (ID-WSF) system comprising an HSS, a BSF, a network application function/authentication service/single sign-on (SSO) authentication service entity, an SP and a UE. The authentication method comprises: a communication step between the UE and the SP involving the GBA and ID-WSF authentication procedures; a step in which, during the GBA authentication procedure, the bootstrapping service function entity generates a bootstrapping transaction identifier and the validity period of the root key and sends them to the UE, and the bootstrapping service function and the UE generate the root key; a step in which, during the ID-WSF authentication procedure, the AS entity or the AS module generates the credentials the UE needs to access the SSOS entity or the SSOS module; and a step in which the SSO service entity or the SSO service module generates the authentication assertion and its corresponding artifact, records the table of correspondence between the authentication assertion and its artifact, and sends the authentication assertion or the artifact to the UE.
PCT/CN2007/000762 2006-03-16 2007-03-09 Web services development framework system and authentication method thereof WO2007104245A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200610034493.6 2006-03-16
CN200610034493A CN101039311B (zh) 2006-03-16 2006-03-16 An identity identification webpage service network system and authentication method thereof

Publications (1)

Publication Number Publication Date
WO2007104245A1 true WO2007104245A1 (fr) 2007-09-20

Family

ID=38509049

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/000762 WO2007104245A1 (fr) 2006-03-16 2007-03-09 Web services development framework system and authentication method thereof

Country Status (2)

Country Link
CN (1) CN101039311B (fr)
WO (1) WO2007104245A1 (fr)


Also Published As

Publication number Publication date
CN101039311B (zh) 2010-05-12
CN101039311A (zh) 2007-09-19

Similar Documents

Publication Publication Date Title
WO2007104245A1 (fr) Reference framework system for web service development and its authentication method
US8543814B2 (en) Method and apparatus for using generic authentication architecture procedures in personal computers
EP3750342B1 (fr) Mobile identity for single sign-on in enterprise networks
US10411884B2 (en) Secure bootstrapping architecture method based on password-based digest authentication
US8572708B2 (en) Method and arrangement for integration of different authentication infrastructures
CN101022651B (zh) A combined authentication architecture and its implementation method
EP3120591B1 (fr) User-identifier-based device, identity and activity management system
MX2008012363A (es) Certification of an application.
KR20050064119A (ko) Method for verifying the validity of a server certificate at a terminal during Extensible Authentication Protocol authentication for internet access
CN109121135A (zh) GBA-based client registration and key sharing method, apparatus and system
WO2012058896A1 (fr) Method and system for single sign-on
WO2006072209A1 (fr) Method for negotiating a key in an IP multimedia subsystem
KR20200130141A (ko) Apparatus and method for providing mobile edge computing services in a wireless communication system
KR20200130106A (ko) Apparatus and method for providing mobile edge computing services in a wireless communication system
WO2013044766A1 (fr) Service access method and device for a cardless terminal
WO2013053305A1 (fr) Method for establishing end-to-end security in an identity network, network-side device and system
WO2013023475A1 (fr) Method for sharing user data in a network, and identity-providing server
CN103067345A (zh) A bootstrapping method and system for variant GBA
CN102694779B (zh) Combined authentication system and authentication method
WO2013127342A2 (fr) IMS single sign-on over a combined authentication method and system
CN103428694A (zh) Single sign-on combined authentication method and system for separated terminals
TWI755951B (zh) Communication system and communication method
WO2013064040A1 (fr) Combined authentication method and system for IMS SSO
WO2011017851A1 (fr) Method for enabling a client to securely access a message storage server, and corresponding devices
WO2023249519A1 (fr) Providing an authentication token for authenticating a user device to a third-party application using an authentication server.

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07720360

Country of ref document: EP

Kind code of ref document: A1