WO2011017851A1 - Procédé permettant à un client d’accéder de manière sécurisée à un serveur de stockage de messages, et dispositifs correspondants - Google Patents

Procédé permettant à un client d’accéder de manière sécurisée à un serveur de stockage de messages, et dispositifs correspondants Download PDF

Info

Publication number
WO2011017851A1
WO2011017851A1 PCT/CN2009/073267 CN2009073267W WO2011017851A1 WO 2011017851 A1 WO2011017851 A1 WO 2011017851A1 CN 2009073267 W CN2009073267 W CN 2009073267W WO 2011017851 A1 WO2011017851 A1 WO 2011017851A1
Authority
WO
WIPO (PCT)
Prior art keywords
storage server
message storage
client
secure channel
tls
Prior art date
Application number
PCT/CN2009/073267
Other languages
English (en)
Chinese (zh)
Inventor
胡志远
万永根
骆志刚
Original Assignee
上海贝尔股份有限公司
阿尔卡特朗讯公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 上海贝尔股份有限公司, 阿尔卡特朗讯公司 filed Critical 上海贝尔股份有限公司
Priority to PCT/CN2009/073267 priority Critical patent/WO2011017851A1/fr
Priority to CN200980160925XA priority patent/CN102474503A/zh
Publication of WO2011017851A1 publication Critical patent/WO2011017851A1/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • the present invention relates to access by a client to a message storage server in a communication network, and more particularly to how secure access to a message storage server is achieved without a client having a certificate. Background technique
  • Converged IP Communications provides a convergence of multimedia communication services while efficiently using standardized service functions in existing communication engines such as instant messaging. Storing a message in the message store and forwarding the message to the user later is one of the primary services provided by the CPM.
  • IMAP4 version 4 of the Internet Information Access Protocol
  • This protocol is a standard protocol for accessing e-mail from a remote server. It is a client/server model protocol.
  • Two security mechanisms for IMAP4 are currently defined in RFC2060. The first is SASL (Simple Authentication and Security Layer) as defined by RFC2222, and the second is Username/Password in plain text form. These two security mechanisms only provide authentication from the client to the message storage server. In addition, username/password and message communication can easily be tampered with and eavesdropped.
  • TLS Transport Layer Security
  • the user's certificate is required (of course, the user may not use the certificate, but the user cannot be authenticated at this time, and it is difficult to ensure that the TLS connection is secure).
  • only users with certificates can securely access the message store server.
  • Most of the former mobile phone users do not have a certificate. Therefore, for users who do not have a certificate, especially for a general mobile phone user, secure access to the message storage server becomes a problem.
  • PSK-TLS Transport Layer Security Pre-Shared Key Agreement
  • AKA Authentication and Key Agreement Protocol
  • the pre-shared key PSK is a symmetric key that is pre-shared between communication participants.
  • PSK-TLS has made some modifications to the existing TLS so that both parties can establish a TLS connection using a pre-shared symmetric key or certificate. That is, in this case, one of the communicating parties can use the pre-shared symmetric key and the other party can use the digital certificate or both of the communicating parties use the pre-shared symmetric key to establish the TLS connection.
  • the AKA protocol is a protocol for authentication and key agreement in a mobile communication network. The concept and principle can be applied to a UMTS network, called UMTS AKA. The same concept/principle can be reused for the IP multimedia core network subsystem. , known as IMS AKA.
  • the present invention provides a method for a client to access a message storage server in a communication network, the method comprising:
  • the message storage server replies with a response to the security layer of the transport layer security pre-shared key PSK-TLS or authentication and key agreement AKA;
  • the client and the message storage server negotiate to establish a PSK-TLS or AKA security Full channel;
  • a PSK-TLS or AKA security channel is established between the message storage server and the client, and the confidentiality and integrity of the associated authentication communication between the client and the message storage server is protected via the secure channel.
  • the establishing, by the client, the PSK-TLS or the AKA secure channel by the message storage server includes: the client sending a request for establishing a PSK-TLS or AKA secure channel to the message storage server, and The message storage server replies to the client with a response to begin establishing a PSK-TLS or AKA secure channel.
  • the service GPRS support node SGSN or the serving call session control function included in the client and the communication network according to an embodiment of the present invention is included.
  • the S-CSCF performs two-way authentication and shares security parameters related to the user. Further, the service GPRS support node SGSN or service call session control function
  • the S-CSCF authenticates the message storage server and sends the user-related security parameters to the message storage server.
  • the user-related security parameters can be used to protect authentication process information and user data trust between the client and the message storage server,
  • an embodiment according to the present invention includes a digital certificate of a client authentication message storage server, the message storage server obtaining user-related authentication information from a network-side functional entity and the message storage server from the client The user's authentication information is directly obtained and the above two types of authentication information are compared and verified.
  • the present invention also provides a client in a communication network and a message storage server.
  • FIG. 1 shows a schematic diagram of a client secure access message storage server in accordance with the mechanism of the present invention
  • FIG. 2 is a flow chart of establishing an AKA secure channel between a client and a message storage server in accordance with an embodiment of the present invention
  • FIG. 3 is a flow diagram of establishing a PSK-TLS secure channel between a client and a message storage server in accordance with another embodiment of the present invention. detailed description
  • FIG. 1 shows a schematic diagram of a client secure access to a message storage server in accordance with the mechanism of the present invention.
  • it is considered to add two types of secure channels, namely PSK-TLS secure channel and AKA secure channel, based on the original only providing TLS secure channel.
  • step 101 the client pre-accesses the message store server, and the message store server notifies the client that the relevant service is ready.
  • step 102 the client queries the message storage server for security capabilities.
  • the message storage server replies to the client with a response of STARTPSKTLS/STARTAKA, LOGINDISABLED, that is, needs to establish a PSK-TLS or AKA secure channel, and prohibits the login using the plaintext username/password at this time.
  • step 104 the client can send a request to the message storage server to establish a PSK-TLS or AKA secure channel.
  • step 105 the message storage server replies to the client with an immediate response to establish a PSK-TLS or AKA secure channel.
  • step 106 the client and the message storage server begin to establish a PSK-TLS or AKA secure channel.
  • the specific process of how to establish a secure channel according to the mechanism of the present invention will be described in detail below according to the flow of FIG. 3 and FIG. 4 below.
  • the PSK-TLS or AKA secure channel is established, the confidentiality protection and integrity protection of the associated authentication communication between the client and the message storage server is provided by the PSK-TLS or AKA channel.
  • this secure channel is mainly used to enhance the client.
  • the user's subsequent communication data may not be protected by confidentiality.
  • the PSK-TLS/AKA secure channel of the solution can be reused to protect the confidentiality of the user communication data.
  • step 107 the client queries the message storage server for its security capabilities.
  • step 108 the message storage server replies to the client with a response whose authentication capability is authenticated using plaintext authentication.
  • the client sends the plaintext username/password to the message storage server, step 109.
  • an OK response is sent to the client, indicating that the verification is successful, and the state of the user is changed from the unauthenticated state to the authenticated state, that is, step 110.
  • the client accesses the service of the message storage server, and of course the access of the client needs to be controlled by the set authority of the message storage server.
  • the PSK-TLS or AKA security channel of the solution can be reused to protect the confidentiality of the user communication data.
  • FIG. 2 is a flow diagram of establishing an AKA secure channel between a client and a message storage server in accordance with an embodiment of the present invention.
  • the AKA procedure mentioned in the present invention may be IMS AKA, UMTS AKA, CDMA2000 AKA, and the corresponding standards can be found in 3GPP TS 33.102, 3GPP TS 33.203, 3GPP2 S.R0032.
  • step 201 the client sends a request to the message storage server to establish an AKA secure channel.
  • step 201 the message storage server replies to the client to establish an AKA secure channel.
  • the client performs the UMTS AKA or IMS AKA procedure with the Serving GPRS Support Node (SGSN) / Serving Call Session Control Function (S-CSCF) and the Home Subscriber Server (HSS).
  • SGSN Serving GPRS Support Node
  • S-CSCF Serving Call Session Control Function
  • HSS Home Subscriber Server
  • the SGSN/S-CSCF authenticates the message storage server. If the IMS AKA process is used, the S-CSCF sends the user's security parameters (such as CryptoKey, IntegrityKey) to the message storage server through the standard interface ISC according to the relevant policy.
  • security parameters such as CryptoKey, IntegrityKey
  • UMTS AKA there is currently no standard interface for the SGSN to send relevant security parameters to the message storage server, but in theory it is possible to reuse the Gp/Gn interface to send relevant security parameters to the message storage server.
  • the client and the message storage server protect the IMAPv4 authentication information and user data information between the client and the message storage server according to the shared security parameters (such as CryptoKey, IntegrityKey).
  • shared security parameters such as CryptoKey, IntegrityKey
  • the flowchart of Figure 3 shows a flow chart for establishing a PSK-TLS security channel between the client and the message storage server.
  • GBA General Bootstrapping Architecture
  • the client sends a request to the message storage server to establish a PSK-TLS secure channel.
  • the message storage server replies to the client to establish a PSK-TLS secure channel, and the message storage server also sends its digital certificate to the client.
  • the client verifies the digital certificate of the message store server.
  • a shared key K_MessageStorage can be generated between the client and the BSF (Boot Service Function).
  • the client sends a message to the message storage server, the message containing the address or identifier of the BSF, the identity information of the user, and the authentication information (eg, the authentication credential generated by the shared key K_MessageStorage) Wait.
  • the message storage server obtains user-related authentication information, such as K_MessageStorage, from the BSF according to the address or identifier of the BSF.
  • the message storage server then performs a comparison verification based on the user authentication information obtained from the BSF and the user authentication information obtained from the client.
  • the interface Zn between the message storage server and the BSF has a standard definition.
  • step 307 after the message storage server successfully verifies, an OK message is sent back to the client, indicating that the PSK-TLS secure channel is established. Thereafter, IMAPv4 authentication information and user data information between the client and the message storage server can be secured by confidentiality based on the key derived from K_MessageStorage.
  • both the client and the message storage server use the negotiated key or the client uses the key and the message storage server uses the digital certificate.
  • the client does not have the certificate, the same can be used. Securely access the message store server.
  • the present invention also provides a client in a communication network and a message storage server.
  • the client includes an inquiry device for inquiring about a security capability related to the message storage server, and the client further includes:
  • a secure channel negotiation device configured to receive, when receiving, from the message storage server, a security capability of the message storage server, a transport layer secure pre-shared key PSK-TLS or an authentication and key agreement AKA response, and the message storage
  • the server negotiates to establish a PSK-TLS or AKA secure channel
  • a secure channel establishing means for establishing a PSK-TLS or AKA secure channel with the message storage server to protect the confidentiality and integrity of the associated authentication communication between the client and the message storage server via the secure channel.
  • the secure channel negotiation means is configured to send a request to establish a PSK-TLS or AKA secure channel to the message storage server and to receive a response from the message storage server to initiate establishment of a PSK-TLS or AKA secure channel .
  • the secure channel when the AKA protocol is applied, the secure channel is built
  • the device is configured to perform two-way authentication with the serving GPRS support node SGSN or the serving call session control function S-CSCF in the communication network, and share security parameters related to the user.
  • the security parameter is sent to the message storage server after authenticating the service GPRS support node SGSN or the serving call session control function S-CSCF to the message storage server. In this way, the security process can be used to protect authentication process information and user data information between the client and the message storage server.
  • the secure channel establishing means is configured to verify a digital certificate of the message storage server, generate a shared key with the boot service function BSF, and The message storage server sends the authentication information, so that the message storage server obtains the user-related authentication information from the boot service function BSF and the message storage server obtains the user's relevant authentication information from the client and compares and verifies the above two types of authentication information. .
  • the message storage server comprises:
  • a security capability replying device configured to: when the client queries the security capability related to the message storage server, replies to the client with the security capability of the transport layer security pre-shared key PSK-TLS or authentication and key agreement AKA Answer
  • a secure channel negotiation device configured to negotiate with the client to establish a PSK-TLS or AKA secure channel
  • a secure channel establishing means for establishing a PSK-TLS or AKA security channel with the client to protect the confidentiality and integrity of the associated authentication communication between the client and the message storage server via the secure channel.
  • the secure channel negotiation device is configured to: receive a request to establish a PSK-TLS or AKA secure channel from the client and reply to the client to start establishing a PSK-TLS or AKA secure channel Answer.
  • the secure channel establishing means when the AKA protocol is used, is configured to: verify, by the message storage server, the QoS support node SGSN or the serving call session control function S-CSCF, and from the Service GPRS support node The SGSN or Serving Call Session Control Function S-CSCF receives user-related security parameters.
  • the secure channel establishing means when the PSK-TLS protocol is used, is configured to: obtain user-related authentication information from the client, and obtain a user from a boot service function B SF of the communication network Relevant authentication information and comparison verification of the above two types of authentication information.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

L’invention concerne un procédé permettant à un client d’accéder de manière sécurisée à un serveur de stockage de messages dans un réseau de communication. Le procédé comprend les étapes suivantes: quand le client interroge le serveur de stockage de messages concernant la fonction de sécurité correspondante, le serveur de3 stockage de messages répond au client que sa fonction de sécurité consiste en une clé préalablement partagée de sécurité de couche de transport (PSK-TLS) ou une concordance d’authentification et de clé (AKA); le client et le serveur de stockage de messages négocient l’établissement de la voie sécurisée PSK-TLS ou AKA; la voie sécurisée PSK-TLS ou AKA est établie entre le serveur de stockage de messages et le client, et la confidentialité et l’intégralité de la communication d’authentification correspondante entre le client et le serveur ainsi que la confidentialité et l’intégralité des données d’utilisateur sont protégées au moyen de la voie sécurisée.
PCT/CN2009/073267 2009-08-14 2009-08-14 Procédé permettant à un client d’accéder de manière sécurisée à un serveur de stockage de messages, et dispositifs correspondants WO2011017851A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2009/073267 WO2011017851A1 (fr) 2009-08-14 2009-08-14 Procédé permettant à un client d’accéder de manière sécurisée à un serveur de stockage de messages, et dispositifs correspondants
CN200980160925XA CN102474503A (zh) 2009-08-14 2009-08-14 客户端安全访问消息存储服务器的方法和相关设备

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2009/073267 WO2011017851A1 (fr) 2009-08-14 2009-08-14 Procédé permettant à un client d’accéder de manière sécurisée à un serveur de stockage de messages, et dispositifs correspondants

Publications (1)

Publication Number Publication Date
WO2011017851A1 true WO2011017851A1 (fr) 2011-02-17

Family

ID=43585858

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/073267 WO2011017851A1 (fr) 2009-08-14 2009-08-14 Procédé permettant à un client d’accéder de manière sécurisée à un serveur de stockage de messages, et dispositifs correspondants

Country Status (2)

Country Link
CN (1) CN102474503A (fr)
WO (1) WO2011017851A1 (fr)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11153285B2 (en) * 2018-11-07 2021-10-19 Citrix Systems, Inc. Systems and methods for application pre-launch

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008010003A1 (fr) * 2006-07-14 2008-01-24 Abb Research Ltd. protocole de distribution de clé et d'authentification par mot de passe sécurisé avec des propriétés de disponibilité solides
CN101267301A (zh) * 2007-03-15 2008-09-17 上海贝尔阿尔卡特股份有限公司 通信网络中基于身份的认证和密钥协商方法及装置
CN101304310A (zh) * 2008-07-04 2008-11-12 成都卫士通信息产业股份有限公司 一种加固网络ssl服务的方法
CN101370007A (zh) * 2007-08-13 2009-02-18 北京三星通信技术研究有限公司 Wimax网络中对定位业务增强安全性和保护隐私权的方法

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008010003A1 (fr) * 2006-07-14 2008-01-24 Abb Research Ltd. protocole de distribution de clé et d'authentification par mot de passe sécurisé avec des propriétés de disponibilité solides
CN101267301A (zh) * 2007-03-15 2008-09-17 上海贝尔阿尔卡特股份有限公司 通信网络中基于身份的认证和密钥协商方法及装置
CN101370007A (zh) * 2007-08-13 2009-02-18 北京三星通信技术研究有限公司 Wimax网络中对定位业务增强安全性和保护隐私权的方法
CN101304310A (zh) * 2008-07-04 2008-11-12 成都卫士通信息产业股份有限公司 一种加固网络ssl服务的方法

Also Published As

Publication number Publication date
CN102474503A (zh) 2012-05-23

Similar Documents

Publication Publication Date Title
EP3752941B1 (fr) Gestion de sécurité pour autorisation de service dans des systèmes de communication avec architecture basée sur un service
JP5651313B2 (ja) 連続する再認証を必要としないsipシグナリング
US8468353B2 (en) Method, system and authentication centre for authenticating in end-to-end communications based on a mobile network
JP6189953B2 (ja) 無線ユニットのユーザを認証するための方法およびシステム
US9167422B2 (en) Method for ensuring media stream security in IP multimedia sub-system
US7246236B2 (en) Method and apparatus for providing peer authentication for a transport layer session
EP2039199B1 (fr) Système de références d'équipement utilisateur
US8321663B2 (en) Enhanced authorization process using digital signatures
US20090063851A1 (en) Establishing communications
US20060059344A1 (en) Service authentication
US20080222714A1 (en) System and method for authentication upon network attachment
US8875236B2 (en) Security in communication networks
US20080137859A1 (en) Public key passing
WO2011022999A1 (fr) Procédé et système de cryptage de données de vidéoconférence par un terminal
WO2006000144A1 (fr) Procede d'identification de protocole initial de session
WO2005112338A1 (fr) Procede de distribution de cles
WO2016115694A1 (fr) Établissement amélioré de session ims avec des supports sécurisés
CN100544247C (zh) 安全能力协商方法
EP1639782B1 (fr) Procede de distribution de mots de passe
WO2013023475A1 (fr) Procédé destiné au partage de données d'utilisateur dans un réseau et serveur fournissant une identité
WO2012126299A1 (fr) Système d'authentification combiné et procédé d'authentification
WO2011017851A1 (fr) Procédé permettant à un client d’accéder de manière sécurisée à un serveur de stockage de messages, et dispositifs correspondants
WO2013127342A2 (fr) Signature unique ims sur un procédé et un système d'authentification combinés
Guillet et al. SIP authentication based on HOTP
WO2013064040A1 (fr) Procédé et système d'authentification combinée pour un sso d'ims

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 200980160925.X

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09848181

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09848181

Country of ref document: EP

Kind code of ref document: A1