WO2012151933A1 - Owned service authentication method and system - Google Patents

Info

Publication number
WO2012151933A1
Authority
WO
WIPO (PCT)
Prior art keywords
service
authentication
user terminal
network
server
Application number
PCT/CN2011/082573
Other languages
French (fr)
Chinese (zh)
Inventor
梁国和 (Liang Guohe)
Original Assignee
中兴通讯股份有限公司 (ZTE Corporation)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor

Definitions

  • The present invention relates to the field of communications, and in particular to a method and system for authenticating a self-owned service.
  • A WLAN (wireless local area network) is a wireless communication system that exists alongside cellular communication systems such as GSM (Global System for Mobile Communications).
  • WLAN networks are mobile, easy to install, highly flexible and scalable, and can be deployed in areas with limited coverage, such as independent stores, shopping centers, trains, bus stations, office buildings and hotels. Operators can deploy WLAN hotspots as an extension of traditional wired networks, and can also use WLAN as an important offloading network for cellular communication systems.
  • Cellular communication systems offer more and more packet-domain services such as multimedia, location, gaming and Internet services, and users can consume these services through the WLAN network. Unlike ordinary Internet services, these value-added services generally carry a fee, so reliable security mechanisms are needed to ensure service security and accurate billing; basic smart card authentication alone cannot provide security mechanisms for these services.
  • WLAN network security control consists mainly of access control and data encryption; the corresponding service authentication is not specified.
  • Many services require authentication between the user and the service server before communication. For a self-owned service the user identity is generally verified further with the user's own participation, for example user name + basic password + anti-theft password, to ensure that it is the user who is using the service. This approach requires the user to perform a large number of extra operations, which increases the workload.
  • A user who has already passed access authentication must therefore perform service authentication again, by hand, to access the requested service. This repeated authentication not only degrades the user experience but also does not guarantee that the account information cannot be cracked, and so poses a threat to the security of the user's account information.
  • According to the present invention, a service authentication method includes: a user terminal initiates a service access request, through a first network, to a self-owned service server of a second network; and a service authentication server of the second network directly performs service authentication on the user terminal.
  • The method further includes: the user terminal completes access authentication of the first network via the access authentication server of the first network, and completes access authentication of the second network, via the first network, using the access authentication server of the second network.
  • The service authentication server of the second network directly performing service authentication on the user terminal includes: (1) after receiving the service access request, the self-owned service server submits a service authentication application to the service authentication server of the second network; (2) the service authentication server obtains the user information of the user terminal, establishes a secure channel directly with the user terminal, and establishes a security association between the user terminal and the self-owned service server; (3) the service authentication server performs security negotiation with the user terminal, over the secure channel, according to the information input by the user at the user terminal; (4) according to the result of the negotiation the service authentication server performs service authentication, generates security information, and distributes it to the user terminal and the self-owned service server.
  • The method further includes: when the user terminal activates the service provided by the self-owned service server, an authentication level is selected.
  • After the service authentication server obtains the user information of the user terminal, directly establishes a secure channel with the user terminal, and establishes a security association between the user terminal and the self-owned service server, the method further includes: the user terminal selects or modifies the authentication level according to the operation of the user.
  • The authentication level includes at least one of the following: no authentication, automatic authentication, user terminal confirmation authentication, digital signature authentication.
  • According to the present invention, a self-owned service authentication system includes a user terminal, a first network and a second network. The user terminal includes a client; the second network includes a service authentication server and a self-owned service server. The client includes a request initiation module, configured to initiate a service access request, through the first network, to the self-owned service server of the second network; the service authentication server includes a service authentication module, configured to directly perform service authentication on the user terminal.
  • The first network includes a first access authentication server, configured to complete access authentication of the first network for the user terminal.
  • The second network further includes a second access authentication server, configured to complete access authentication of the second network for the user terminal via the first network.
  • The self-owned service server includes an application submission module, configured to submit a service authentication application to the service authentication server after receiving the service access request of the user terminal.
  • The service authentication server further includes: a channel establishment module, configured to acquire the user information of the user terminal, directly establish a secure channel with the user terminal, and establish a security association between the user terminal and the self-owned service server; and a security negotiation module, configured to perform security negotiation with the user terminal over the secure channel according to the information input by the user at the user terminal. The service authentication module is further configured to perform service authentication according to the result of the security negotiation, generate security information, and distribute the security information to the user terminal and the self-owned service server.
  • The client further includes an input prompting module, configured to display a prompt message to the user and request the user to input information.
  • The user terminal further includes a smart card, which includes at least one of the following: a level selection module, configured to select the authentication level when a self-owned service provided by the self-owned service server is activated; and a level modification module, configured to select or modify the authentication level according to the user's operation after the secure channel is established.
  • With the service authentication server of the second network directly authenticating the user terminal that initiates the request, the present invention solves the problem of existing solutions that self-owned service authentication requires the user to perform a large number of additional operations, thereby avoiding repeated authentication and improving the user experience.
  • FIG. 1 is a flowchart of a method for authenticating a self-owned service according to an embodiment of the present invention.
  • FIG. 2 is a schematic diagram of the functional structure required for a self-owned service authentication method according to an example of the present invention.
  • FIG. 3 is a flowchart of service authentication performed on the smart card according to an example of the present invention.
  • FIG. 4 is a structural block diagram of a self-owned service authentication system according to an embodiment of the present invention.
  • FIG. 5 is a structural diagram of a self-owned service authentication system according to an embodiment of the present invention.
  • FIG. 6 is a schematic flowchart of service authentication performed by a self-owned service authentication system according to an example of the present invention.
  • BEST MODE FOR CARRYING OUT THE INVENTION
  • As shown in FIG. 1, the method for authenticating a self-owned service includes: Step S102: a user terminal initiates a service access request, through a first network, to a self-owned service server of a second network; Step S104: a service authentication server of the second network directly performs service authentication on the user terminal.
  • In this embodiment the second network performs service authentication on the user terminal directly. Although the user terminal initiates the service request to the self-owned service server of the second network through the first network, for service authentication the service authentication server of the second network authenticates the user terminal directly, which avoids repeated input of the user's authentication information and reduces unnecessary operations by the user.
  • The premise of step S102 is: first, the user terminal establishes a connection with the first network; second, the user terminal establishes a connection with the second network through the first network.
  • The relationship between the user terminal, the first network and the second network varies: the user terminal may have established a connection with the first network and, through it, with the second network; it may have established a connection with the first network only; or it may have established a connection with neither the first network nor the second network.
  • The third case is taken as an example for the preferred embodiment; the other cases can be handled by analogy.
  • The following processing may therefore be included before step S102: the user terminal completes access authentication of the first network via the access authentication server of the first network, and completes access authentication of the second network, via the first network, using the access authentication server of the second network.
  • For step S104, in which the service authentication server of the second network directly performs service authentication on the user terminal, the preferred embodiment provides the following implementation: (1) after receiving the service access request, the self-owned service server submits a service authentication application to the service authentication server of the second network; (2) the service authentication server obtains the user information of the user terminal, establishes a secure channel directly with the user terminal, and establishes a security association between the user terminal and the self-owned service server; (3) the service authentication server performs security negotiation with the user terminal according to the information input by the user, received from the user terminal through the secure channel; (4) the service authentication server performs service authentication according to the result of the negotiation, generates security information, and distributes it to the user terminal and the self-owned service server.
  • In this process the self-owned service server submits a service authentication application to the service authentication server, requesting it to perform service verification on the user terminal that initiated the service access request.
  • The service authentication server first obtains the user information of the user terminal, then either switches the connection already established with the user terminal to a service authentication connection or creates a new connection dedicated to service authentication, establishes a secure channel over it, and establishes a security association between the user terminal and the self-owned service server.
  • Once the secure channel is established, service authentication can be performed on the basis of that channel: security negotiation is performed with the user terminal according to the authentication information input by the user, and service authentication is then performed according to the result of the negotiation.
  • After authentication succeeds the corresponding security information, such as a key and a certificate, is generated.
  • The security information generated after successful authentication is the basis on which the user terminal accesses the self-owned service provided by the self-owned service server; the ultimate purpose of the authentication is that the user terminal can access the self-owned service according to this security information.
  • Before the service authentication server performs security negotiation with the user terminal according to the information input by the user and received through the secure channel, the method may further include: the user terminal displays prompt information to the user, requesting the user to input information.
  • The method further includes: the user terminal selects the authentication level when the service provided by the self-owned service server is activated.
  • The concept of an authentication level is introduced here: different authentication methods are adopted for different services to improve the efficiency of authentication.
  • The authentication level can be determined according to the characteristics of the service when the user activates the service, and the opportunity to select or modify the authentication level can be given once again later.
  • After the service authentication server acquires the user information of the user terminal, establishes a secure channel directly with the user terminal, and establishes the security association between the user terminal and the self-owned service server, the following processing may further be included: the user terminal selects or modifies the authentication level according to the operation of the user.
  • This further increases the user's flexibility and improves the user experience.
  • The foregoing authentication level may include at least one of the following: no authentication, automatic authentication, user terminal confirmation authentication, digital signature authentication.
  • The preferred embodiment provides a preferred division of authentication levels. In a specific implementation, the following authentication levels may be set: no authentication, automatic authentication, user terminal confirmation authentication, and digital signature authentication.
  • This example provides a service authentication method for a user terminal accessing a self-owned service of a second network through a first network, and includes the following steps: Step 1: the user terminal completes access authentication with the access authentication server of the first network and with the access authentication server of the second network.
  • Access authentication ensures that the network accessed by the user terminal is a legitimate network and, at the same time, that only legitimate user terminals can access the network.
  • A user terminal that has passed access authentication can access the Internet through the first network and use ordinary Internet services directly.
  • Step 2: when the user terminal accesses the self-owned service server of the second network via the first network, the user terminal establishes a secure channel with the service authentication server through the second network (not through the first network), establishes a security association with the self-owned service server, and performs service authentication on the basis of the secure channel.
  • Step 3: after service authentication succeeds, a key or certificate is distributed to the user terminal and to the self-owned service server.
  • Step 4: the user terminal is authorized to access the self-owned service of the second network via the first network.
  • The authentication level function is added in this example: service authentication is managed hierarchically with the cooperation of the user terminal, and an interface is provided so that the user can select the authentication level, allowing service authentication to be performed both securely and flexibly.
  • The authentication level function in this example works as follows. Hierarchical authentication management is performed according to the security requirements of the self-owned service, the subscription information, the user terminal's selection, and so on.
  • The authentication levels can be divided into no authentication, automatic authentication, user terminal confirmation authentication, and digital signature supported by the terminal.
  • Each authentication level can correspond to different services and authentication methods.
  • The user terminal can select the authentication level after the self-owned service is activated or after the secure channel is established.
  • The user terminal provides a user interface for selecting the authentication level.
  • In a service authentication process that requires user participation, the user can actively establish a secure channel, establish a security association with the self-owned service server, and select or change the authentication level.
  • Service authentication can be implemented on the client (the user terminal comprising the client, the smart card, and so on) or on the smart card (part of the user terminal).
  • The self-owned service authentication method with the added authentication level function includes the following steps:
  • Step 1: the user terminal accesses the self-owned service server, and the self-owned service server submits an authentication application to the service authentication server.
  • Step 2: the service authentication server determines the service authentication level. The levels can be divided into no authentication, automatic authentication, user terminal confirmation authentication, and digital signature with terminal support.
  • Step 3: establish a secure channel between the user terminal and the service authentication server, and establish a security association with the self-owned service server. The secure channel can be carried over data short messages or BIP (Bearer Independent Protocol).
  • Step 4: provide user selection and security negotiation. After the security association is established, the authentication level can be selected through the user terminal. The user terminal can provide a user interface to prompt the user with information, request user input, or offer authentication level selection; it can be provided by smart-card-based STK (SIM Toolkit) / SCWS (Smart Card Web Server) or in client mode.
  • Step 5: perform service authentication according to the negotiation. For free services no authentication is performed; for monthly subscription services automatic authentication without user intervention is adopted, using AKA (Authentication and Key Agreement).
  • Step 6: authorize the user terminal to access the service provided by the self-owned service server.
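Steps 2 and 4 above, the server deciding the level from the service's security requirement, the subscription information and the user's own selection, can be modelled as follows. This is an added example, not code from the patent or from ZTE. The service catalogue, the per-service minimum level (a floor below which a user selection is refused) and the rule that a monthly subscription lowers a pay-per-view service to automatic authentication are assumptions made for the illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class AuthLevel(IntEnum):
    NONE = 0          # free service: no service authentication
    AUTOMATIC = 1     # no user intervention, e.g. AKA
    USER_CONFIRM = 2  # user confirms on the terminal (STK prompt)
    SIGNATURE = 3     # digital signature supported by the terminal

@dataclass(frozen=True)
class Service:
    name: str
    default: AuthLevel  # level applied when the user has expressed no choice
    minimum: AuthLevel  # floor below which a user selection is refused (assumed policy)

# Constructed catalogue; the floors are an assumed operator policy, not taken from the patent.
CATALOGUE = {
    "news_free": Service("news_free", AuthLevel.NONE, AuthLevel.NONE),
    "sports_monthly": Service("sports_monthly", AuthLevel.AUTOMATIC, AuthLevel.AUTOMATIC),
    "movie_ppv": Service("movie_ppv", AuthLevel.USER_CONFIRM, AuthLevel.AUTOMATIC),
    "wallet": Service("wallet", AuthLevel.SIGNATURE, AuthLevel.SIGNATURE),
}

class LevelManager:
    """Network-side hierarchical authentication management (the patent's
    'security application management'), fed by service policy, subscription
    information and the user's own selection."""
    def __init__(self, catalogue=CATALOGUE):
        self.catalogue = catalogue
        self.subscriptions = {}  # user -> set of services with a monthly subscription
        self.choices = {}        # (user, service) -> AuthLevel chosen from the terminal menu

    def subscribe(self, user: str, service: str) -> None:
        self.subscriptions.setdefault(user, set()).add(service)

    def select(self, user: str, service: str, level: AuthLevel) -> AuthLevel:
        """Record a level the user picked (received over the secure channel).
        Anything below the service floor is refused, so the menu cannot turn a
        pay-per-view or signature-protected service into 'no authentication'."""
        svc = self.catalogue[service]
        if level < svc.minimum:
            raise ValueError(f"{level.name} is below the {svc.minimum.name} floor of {service}")
        self.choices[(user, service)] = level
        return level

    def determine(self, user: str, service: str) -> AuthLevel:
        """Level for this request: stored user choice, else subscription-derived, else default."""
        svc = self.catalogue[service]
        if (user, service) in self.choices:
            return self.choices[(user, service)]
        if service in self.subscriptions.get(user, set()) and svc.minimum <= AuthLevel.AUTOMATIC:
            return AuthLevel.AUTOMATIC  # already billed monthly: no per-use confirmation needed
        return svc.default
```

The floor is the check the patent's flow does not spell out: the worked example later on the page lets the user switch a pay-per-view service from confirmation to automatic authentication through an STK menu, and without a service-specific minimum the same menu could select no authentication at all for a paid service.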
  • FIG. 2 is a schematic diagram of the functional structure required for a self-owned service authentication method according to an example of the present invention. To explain the authentication process of the self-owned service more clearly, FIG. 2 modularizes the functions required for self-owned service authentication and indicates the entity that executes each function.
  • In this example the WLAN network is the first network and the cellular communication system is the second network, that is, the user terminal accesses the streaming media service of the cellular communication system through the WLAN network.
  • Service authentication can be implemented on the client or on the smart card. When service authentication is implemented on the smart card, confidentiality, negotiation and the other security computations run on the smart card; the security is higher, it is easier for the operator to control, and the requirements on the terminal are lower. It is therefore preferred to implement service authentication on the smart card. As shown in FIG. 3, the entire process includes:
  • Step S302: the client accesses the streaming media server corresponding to a self-owned service of the cellular communication system.
  • Step S304: the streaming media server submits a service authentication application to the service authentication server.
  • Step S306: the hierarchical authentication management in the service authentication server determines the authentication level according to the submitted application, the related user information, the subscription information, and so on. Assume the streaming media service is charged pay-per-view, so the authentication level is user terminal confirmation authentication and the user terminal is required to participate. A secure channel is established between the smart card and the service authentication server, and a security association with the streaming media server. The smart card and the service authentication server each have a secure channel management function responsible for establishing the secure channel. Two-way identity authentication is completed based on the smart card: if either party is not legitimate, the interaction is interrupted; if identification passes, a series of keys is generated to establish the secure channel. The bearer uses BIP mode.
  • The streaming media server is identified by its IP address. The user terminal acts as a gateway and communicates with the streaming media server over TCP/IP; see ETSI (European Telecommunications Standards Institute) TS 102 127.
  • Step S308: after the security association is established, user selection and security negotiation are performed. The amount to be charged for the streaming media service is prompted through the smart card's STK function for the user to confirm, and the user terminal confirms the current streaming service. The confirmation of the transaction information is sent to the network through the secure channel.
  • This example also supports selecting the authentication level after the user terminal has been securely associated with the streaming media service server. The local user opens the authentication-level STK menu and selects automatic authentication as the authentication mode for the streaming media service. The selection is sent through the secure channel to the network-side security application management, which stores the user's choice; subsequent streaming media service authentication then uses the level selected by the user. The user terminal can also actively establish a secure channel to select or change the authentication level.
  • Step S310: authentication and key management. The smart card and the service authentication server each have a service authentication management module for authentication and key management. The implementation supports multiple authentication modes and key management; service authentication includes at least two authentication mechanisms and allows the user to negotiate. The service authentication server completes the corresponding key management, which includes setting the local validity of the key according to local policy, and monitoring the key's life cycle and taking measures with the user terminal to ensure that the key is refreshed.
  • Step S312: after authentication succeeds, the key or certificate is distributed to the client and to the self-owned service server. The client can run on a mobile terminal or a PC; it needs a secure local access interface to the smart card to ensure the validity of the data. The streaming media server has a communication interface with the service authentication server through which it obtains the security key and security settings agreed between the client and the service authentication server.
  • Step S314: the authorized client accesses the streaming media service of the cellular communication system.
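The exchange of steps S306 to S314, with both sides' messages, as an added example in Python (not the patent's or ZTE's code). The page does not name the algorithm behind the two-way identity authentication or the key generation, so both are stood in for by an HMAC-SHA256 challenge-response on a pre-shared card key K (a real deployment would run AKA on the card's own key); the BIP bearer, the level decision itself and the certificate variant of step S312 are not modelled, and every identifier, nonce, amount and lifetime value below is constructed for the illustration.

```python
import hmac
import hashlib
import os

def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so b"a"+b"bc" and b"ab"+b"c" differ."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

class SmartCard:
    """Card side of the user terminal: holds the pre-shared key K and performs the
    security computations, the placement the patent prefers."""
    def __init__(self, card_id: str, k: bytes, user_confirms: bool = True):
        self.card_id, self.k, self.user_confirms = card_id, k, user_confirms
        self.ck = None          # channel key, set once two-way authentication passes
        self.service_keys = {}  # service server name -> (SK, expiry)
    def channel_response(self, nonce_s: bytes):
        self.nonce_c = os.urandom(16)
        return self.nonce_c, prf(self.k, b"card", self.card_id.encode(), nonce_s, self.nonce_c)
    def channel_finish(self, sas_id: str, nonce_s: bytes, sas_mac: bytes) -> bool:
        ok = hmac.compare_digest(sas_mac, prf(self.k, b"sas", sas_id.encode(), nonce_s, self.nonce_c))
        if ok:  # both sides proved knowledge of K: derive the channel key from both nonces
            self.ck = prf(self.k, b"ck", nonce_s, self.nonce_c)
        return ok
    def confirm(self, prompt: bytes, tag: bytes):
        """User-terminal-confirmation level: STK-style prompt of the amount to pay."""
        if not hmac.compare_digest(tag, prf(self.ck, b"prompt", prompt)):
            raise ValueError("prompt did not come over the secure channel")
        answer = b"yes" if self.user_confirms else b"no"
        return answer, prf(self.ck, b"answer", prompt, answer)
    def install(self, service: str, sk: bytes, expiry: int, tag: bytes):
        if not hmac.compare_digest(tag, prf(self.ck, b"dist", service.encode(), sk, str(expiry).encode())):
            raise ValueError("key distribution message tampered")
        self.service_keys[service] = (sk, expiry)
    def request(self, service: str, body: bytes):
        sk, _ = self.service_keys[service]
        return self.card_id, body, prf(sk, b"req", body)

class ServiceServer:
    """Self-owned service server (e.g. streaming media): never sees K, only SK."""
    def __init__(self, name: str):
        self.name, self.keys = name, {}
    def install(self, card_id: str, sk: bytes, expiry: int):
        self.keys[card_id] = (sk, expiry)
    def serve(self, card_id: str, body: bytes, tag: bytes, now: int) -> str:
        if card_id not in self.keys:
            return "unauthenticated"
        sk, expiry = self.keys[card_id]
        if now >= expiry:  # key life cycle over: drop it so the terminal must refresh
            del self.keys[card_id]
            return "key expired"
        return "ok" if hmac.compare_digest(tag, prf(sk, b"req", body)) else "bad tag"

class ServiceAuthServer:
    """Network-side service authentication server holding each card's K."""
    def __init__(self, sas_id: str, card_keys: dict, key_lifetime: int = 3600):
        self.sas_id, self.card_keys, self.key_lifetime = sas_id, card_keys, key_lifetime
    def authenticate(self, card: SmartCard, svc: ServiceServer, level: str, amount: str, now: int) -> bool:
        k = self.card_keys.get(card.card_id)
        if k is None:
            return False
        # Secure channel: two-way challenge-response on K, run directly with the card
        nonce_s = os.urandom(16)
        nonce_c, card_mac = card.channel_response(nonce_s)
        if not hmac.compare_digest(card_mac, prf(k, b"card", card.card_id.encode(), nonce_s, nonce_c)):
            return False  # card not legitimate: interrupt the interaction
        if not card.channel_finish(self.sas_id, nonce_s, prf(k, b"sas", self.sas_id.encode(), nonce_s, nonce_c)):
            return False
        ck = prf(k, b"ck", nonce_s, nonce_c)
        # Security negotiation over the channel according to the authentication level
        if level == "user_confirm":
            prompt = f"pay {amount} for {svc.name}?".encode()
            answer, tag = card.confirm(prompt, prf(ck, b"prompt", prompt))
            if answer != b"yes" or not hmac.compare_digest(tag, prf(ck, b"answer", prompt, answer)):
                return False
        elif level != "automatic":
            return False  # other levels are not modelled here
        # Fresh service key per association, with a validity set by local policy
        sk, expiry = prf(ck, b"sk", svc.name.encode(), os.urandom(16)), now + self.key_lifetime
        card.install(svc.name, sk, expiry, prf(ck, b"dist", svc.name.encode(), sk, str(expiry).encode()))
        svc.install(card.card_id, sk, expiry)  # SAS <-> service server interface, assumed trusted
        return True

def run_flow(level="user_confirm", user_confirms=True, card_key_matches=True, lifetime=600):
    """Constructed end-to-end run with a random K; returns the observable outcomes."""
    k = os.urandom(32)
    card = SmartCard("card-01", k if card_key_matches else os.urandom(32), user_confirms)
    sas = ServiceAuthServer("sas.example", {"card-01": k}, lifetime)
    stream = ServiceServer("streaming")
    if not sas.authenticate(card, stream, level, "0.99", now=1000):
        return {"authenticated": False}
    card_id, body, tag = card.request("streaming", b"GET /movie/42")
    return {"authenticated": True,
            "fresh": stream.serve(card_id, body, tag, now=1100),
            "tampered": stream.serve(card_id, body + b"!", tag, now=1100),
            "expired": stream.serve(card_id, body, tag, now=1000 + lifetime)}
```

Three design points the patent's text leaves implicit are made explicit here: the channel key binds both nonces and both identities, so neither side's response can be replayed against the other; the streaming server only ever receives the per-association key SK and its expiry, never K; and the service server enforces the key lifetime itself, so a refresh is forced even if the terminal keeps presenting a stale key.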
  • As shown in FIG. 4, the self-owned service authentication system includes: a user terminal 42, a first network 44, and a second network 46. The user terminal 42 includes a client 422; the second network 46 includes a service authentication server 462 and a self-owned service server 464. The client 422 includes a request initiation module 4222, configured to initiate a service access request, through the first network 44, to the self-owned service server 464 of the second network 46; the service authentication server 462 includes a service authentication module 4622, configured to directly perform service authentication on the user terminal 42.
  • In this embodiment the second network 46 performs service authentication on the user terminal 42 directly. Although the user terminal 42 sends the service request to the self-owned service server 464 of the second network 46 through the first network 44, for service authentication the service authentication server 462 of the second network 46 authenticates the user terminal 42 directly, which avoids repeated input of the user's authentication information, reduces unnecessary operations by the user, improves the security of the user's authentication information, and improves the user experience.
  • The first network 44 may include a first access authentication server, configured to complete access authentication of the first network for the user terminal 42; the second network 46 may further include a second access authentication server, configured to complete access authentication of the second network for the user terminal via the first network.
  • The first and second access authentication servers ensure that the user terminal 42 establishes a connection with the first network 44 and, through it, with the second network 46, providing the basis for the subsequent processing.
  • The self-owned service server 464 may include an application submission module, configured to submit a service authentication application to the service authentication server 462 after receiving the service access request of the user terminal 42. The service authentication server 462 may further include: a channel establishment module, configured to acquire the user information of the user terminal 42, establish a secure channel directly with the user terminal 42, and establish a security association between the user terminal 42 and the self-owned service server 464; and a security negotiation module, configured to perform security negotiation with the user terminal 42 over the secure channel according to the information input by the user and received from the user terminal 42. The service authentication module 4622 is further configured to perform service authentication according to the result of the security negotiation, generate security information, and distribute the security information to the user terminal 42 and the self-owned service server 464.
  • After receiving the service access request, the self-owned service server 464 submits a service authentication application to the service authentication server 462, requesting it to perform service verification on the user terminal 42 that initiated the request. The service authentication server 462 first acquires the user information of the user terminal 42, then either reuses the connection already established with the user terminal as the service authentication connection or creates a new connection dedicated to service authentication, builds a secure channel on it to the user terminal 42, and establishes a security association between the user terminal 42 and the self-owned service server 464. Once the secure channel is established, service authentication is performed on its basis: first, security negotiation with the user terminal 42 according to the authentication information input by the user, and then service authentication according to the result of the negotiation.
  • The client 422 may further include an input prompting module, configured to display prompt information to the user and request the user to input information. The input prompting module makes the service easier to use and improves the user experience.
  • The user terminal 42 may further include a smart card, and the smart card may include at least one of the following: a level selection module, configured to select the authentication level when the self-owned service provided by the self-owned service server 464 is activated; and a level modification module, configured to select or modify the authentication level according to the user's operation after the secure channel is established.
  • The level selection module and the level modification module provide the authentication level function, that is, different authentication methods are adopted for different services to improve the efficiency of authentication. The authentication level can be determined by the level selection module according to the specific service when the user activates the service, or, after the service authentication server 462 has obtained the user information of the user terminal 42 and established a secure channel directly with it, the user can select or modify the level through the level modification module.
  • the self-owned service authentication system includes a user terminal and a network.
  • the user terminal includes a client and a smart card.
  • the client can run on the mobile terminal or PC terminal, and the client needs to establish a secure local access interface with the smart card to ensure data validity.
  • the user terminal has the ability to access the first network and the second network.
  • Service authentication can be implemented on the client or on the smart card.
  • when the smart card implements service authentication, the related security computations, such as key handling and negotiation, are all performed on the smart card.
  • this gives higher security and is easier for the operator to control.
  • it also places lower requirements on the terminal, so service authentication is preferably implemented on the smart card.
  • the user terminal establishes a secure channel with the service authentication server through the second network, and establishes a security association with the own service server.
  • the secure channel bearer can be based on data short message mode or BIP mode.
  • based on the secure channel, the user terminal performs security negotiation and service authentication with the service authentication server located in the second network.
  • the user terminal can provide a user interface that prompts the user with information and requests input; this can be provided through smart-card-based STK/SCWS or through the client.
  • the network includes systems such as a first network and a second network.
  • the second network includes an access authentication server, a service authentication server, and a plurality of own service servers. After access authentication, the user terminal can directly access Internet services through the first network; after service authentication, the user terminal can access the self-owned services of the second network.
  • the self-owned service server mainly provides various services based on the second network, including services that require user terminal authentication, such as packet domain services of the cellular communication system. Each service has its own server, so the user terminal and the service authentication server may carry out several own service authentications. Before the secure channel is established, the user terminal has no security association with the own service server.
  • the secure communication interface between the self-owned service server and the service authentication server can obtain security information such as a security key or a certificate reached by the user terminal and the service authentication server.
  • the access authentication server completes the access authentication of the user terminal to access the second network through the first network. Generally, the access authentication ensures that the network accessed by the user terminal is a legal network, and only a legitimate user terminal can access the network.
  • the service authentication server completes the service authentication between the user terminal and the own service server.
  • the service authentication server obtains user-related information from the second network (such as the home subscriber server/home location register in the cellular communication system), establishes a secure channel through the second network, and establishes a security association between the user terminal and the own service server.
  • the service authentication server performs security negotiation and authentication based on the established secure channel.
  • the service authentication server completes the corresponding key management, including setting the key validity according to the local policy; detecting the life cycle of the key and taking measures with the user terminal to ensure the key is refreshed.
  • the authentication level function is added in this example. That is, the smart card provides a user interface based on STK/SCWS or the client, prompts the user with information, requests user input or offers authentication level selection; the authentication level can be selected or changed during the service authentication process (which requires user participation) or by actively establishing a secure channel.
  • the smart card performs the two-way identity authentication with the network as the authentication entity of the user terminal. If one party is not legal, the interaction is interrupted; if the identification process passes, a series of keys are generated to establish a secure channel; the bearer may be based on data short message mode or BIP mode. After establishing a secure channel, the user terminal establishes a security association with its own service server. Preferably, the BIP mode is adopted.
  • the service authentication server is marked by an IP address.
  • the terminal acts as a gateway, communicating with the service authentication server using TCP/IP, following ETSI TS 102 127.
  • the service authentication server is mainly responsible for completing service authentication between the user terminal and the own service server.
  • the service authentication server includes functions such as hierarchical authentication management, secure channel management, and service authentication management.
  • the hierarchical authentication management, according to the service authentication application submitted by the own service server, calls the relevant user information, subscription information, etc., determines the authentication level, and manages authentication hierarchically.
  • the authentication level can be divided into non-authentication, automatic authentication, user terminal confirmation authentication, and digital signature with terminal support.
  • the WLAN network is used as the first network, and the cellular communication system as the second network.
  • the WLAN network includes an AP (Access Point) and an Access Controller (AC).
  • the AC connects and manages the wireless AP through the wireless interface to form a core layer of the WLAN network. It is also interconnected with an external network.
  • the user terminal includes a client and a smart card. User terminals have the ability to simultaneously access WLAN networks and cellular communication systems.
  • the client can operate on the mobile terminal or PC terminal, and the client and the smart card have a secure local access interface to ensure data validity.
  • Service authentication can be implemented on the client or on the smart card. When service authentication is implemented on the smart card, the related security computations, such as key handling and negotiation, are all performed on the smart card; this gives higher security, is easier for the operator to control, and places lower requirements on the terminal.
  • the smart card establishes a secure channel with the service authentication server.
  • after establishing the secure channel, the user terminal establishes a security association with its own service server.
  • the network includes WLAN networks, cellular communication systems, the Internet, and the like.
  • the cellular communication system includes an access authentication server, a service authentication server, and a plurality of own service servers.
  • the WLAN network includes APs and ACs.
  • the access authentication server completes the access authentication to the cellular communication system through the WLAN network, and may adopt:
  • 3GPP AAA (Authentication, Authorization and Accounting) server
  • HSS (Home Subscriber Server)
  • HLR (Home Location Register)
  • the AP/AC supports EAP-SIM/AKA, and the terminal likewise needs to support the EAP-SIM/AKA protocol.
  • for EAP-SIM/AKA, see the related protocol specifications.
  • the 3GPP AAA Server and the WLAN cooperate to complete unified authentication for direct Internet access (for example in user name/password mode), which can be charged; at the same time they can distinguish direct Internet traffic from subsequent traffic that may be connected to the packet domain.
  • the 3GPP AAA Server accepts the charging information collected from the WLAN, generates a bill file according to the local policy, and provides it to the billing system, the billing system performs the batch accounting processing, and produces the final bill.
  • the service authentication server completes the service authentication between the user terminal and the own service server.
  • the service authentication server obtains user-related information from the cellular communication system, establishes a secure channel, and enables the user terminal to form a security association with the own service server. Over the secure channel it provides, via the smart card, a user interface that prompts the user with information or requests input, and performs security negotiation; it then performs authentication and key management according to the result of the negotiation, and transmits the session key and security settings to the own service server.
  • At least two authentication mechanisms are included in this example. The first is based on a shared secret between the entities and may use:
  • TLS (Transport Layer Security)
  • IKE (Internet Key Exchange) with a pre-shared key, preferably using a username and password mechanism
  • AKA (Authentication and Key Agreement)
  • the main problem with this type of authentication mechanism is how to agree on the pre-shared secret.
  • this authentication method is symmetric, and at present mobile terminals mostly use it. The other is authentication based on asymmetric ciphers, which requires each entity to be authenticated to hold a key pair and a corresponding digital certificate.
  • the self-owned service server mainly provides various services to the user terminal, including services that require user terminal authentication. Packet-domain services such as multimedia services, location services, gaming and Internet services are included in cellular communication systems. Before the secure channel is established, the user terminal has no security association with its own service server. In this example, hierarchical authentication management is supported: service authentication is managed hierarchically, and a user interface is provided for authentication level selection.
  • Step S602 The client performs access authentication with an access authentication server in the cellular communication system via the WLAN network.
  • Step S604 after the access authentication is successful, the user terminal can access the Internet through the WLAN network and directly access the Internet service.
  • Step S606 the client accesses the own service server of the cellular communication system via the WLAN network (through tunnel technology).
  • Step S608 the self-owned service server submits a service authentication application to the service authentication server.
  • the service authentication server, according to the application submitted by the own service server, calls the related user information, subscription information, etc., to determine the authentication level.
  • Step S610 The service authentication server establishes a secure channel with the user terminal, so that the user terminal performs security association with the own service server.
  • the two-way identity authentication is completed based on the smart card. If one party is not legal, the interaction is interrupted; if the identification process is passed, a series of keys are generated to establish a secure channel.
  • the bearer adopts the BIP mode.
  • the service authentication server is marked by an IP address.
  • the user terminal acts as a gateway, communicating with the service authentication server using TCP/IP, following ETSI TS 102 127.
  • Step S612 after establishing a security association, performing user selection and security negotiation.
  • the smart card provides a user interface that prompts the user for information and requires the user to enter it; this can be provided through smart-card-based STK/SCWS or through the client.
  • the smart card provides the user interface for authentication level selection.
  • the authentication level is selected or changed during the service authentication process (which requires user participation), or when a secure channel is actively established and a security association is established with the own service server.
  • Step S614 performing authentication and key management according to the result of the negotiation. Includes two authentication mechanisms and allows users to negotiate. One is based on shared secrets between entities, and the other is based on key pairs.
  • the service authentication server completes the corresponding key management, including: setting the local valid condition of the key according to the local policy; detecting the life cycle of the key and taking measures to ensure the key refreshing with the user terminal.
  • Step S616 performing secret key or certificate distribution.
  • the key or certificate is distributed to the client and to the own service server.
  • the client can operate on a mobile terminal or a PC terminal.
  • the client needs to establish a secure local access interface with the smart card to ensure data validity.
  • the secure communication interface between the self-owned service server and the authentication server can obtain the security key and security settings reached by the corresponding client and the authentication server.
  • Step S618, the authorized client accesses the own service of the cellular communication system through the WLAN network.
  • the steps shown or described may be performed in an order different from that herein, or they may be separately fabricated into individual integrated circuit modules, or multiple of these modules or steps may be fabricated as a single integrated circuit module.
  • the invention is not limited to any specific combination of hardware and software. The above is only the preferred embodiment of the present invention, and is not intended to limit the present invention, and various modifications and changes can be made to the present invention. Any modifications, equivalent substitutions, improvements, etc. made within the spirit and scope of the present invention are intended to be included within the scope of the present invention.


Abstract

Disclosed are an owned service authentication method and system. The method includes: user equipment initiating a service access request toward an owned service server of a second network via a first network; and a service authentication server of the second network directly performing service authentication on the user equipment. The technical solution provided by the present invention solves the problem that the existing owned service authentication requires the user to perform a large amount of additional operations, thereby realizing the effects of avoiding repeated authentication and improving user experience.

Description

Owned service authentication method and system

TECHNICAL FIELD The present invention relates to the field of communications, and in particular to an owned service access method and system.

BACKGROUND In wireless communication systems, in addition to cellular communication systems such as GSM (Global System for Mobile Communication), UMTS (Universal Mobile Telecommunications System) and LTE (Long Term Evolution), WLAN (Wireless Local Area Network) is increasingly widely deployed. WLAN networks are mobile, simple to install, highly flexible and easy to extend, and can be deployed in areas of limited coverage such as individual shops, shopping centres, train stations, bus stations, office buildings and hotels. Operators can deploy WLAN hotspot areas as an extension of traditional wired access, and can also use the WLAN network as an important offload network for the cellular communication system. Besides basic telecommunication services, cellular communication systems provide more and more packet-domain owned services, such as multimedia services, location services, gaming and Internet services. Users can enjoy the owned services provided by the cellular communication system through the WLAN network. Unlike ordinary Internet services, these value-added services generally require payment of a fee, so a reliable security mechanism is needed to guarantee the security of the service and accurate billing; basic smart card authentication cannot provide such a security mechanism for these services.
WLAN network security control is mainly embodied in two aspects, access control and data encryption, but no corresponding service authentication is specified. Many services, however, require authentication between the user and the service server before communication. In the prior art, the identity of a user of an owned service is generally verified further through the user's own participation, to ensure that it is the user himself who uses the service, for example by verifying a user name plus a basic password plus an anti-theft password. This approach requires the user to perform a large number of additional operations, which undoubtedly increases the workload. At the same time, a user who has already passed access authentication must pass service authentication again, with user participation, before the requested service can be accessed. Such repeated authentication not only harms the user experience, it also cannot guarantee that the account information will not be cracked, and so poses a threat to the security of the user's account information. No effective solution to these problems has yet been proposed.

SUMMARY OF THE INVENTION The present invention provides an owned service authentication method and system to solve at least one of the above problems.

According to one aspect of the present invention, a service authentication method is provided, including: a user terminal initiates a service access request to an owned service server of a second network through a first network; a service authentication server of the second network directly performs service authentication on the user terminal.

Before the user terminal initiates the service access request to the owned service server of the second network through the first network, the method further includes: the user terminal completes access authentication of the first network via the access authentication server of the first network; the user terminal completes access authentication of the second network through the first network via the access authentication server of the second network.

The service authentication server of the second network directly performing service authentication on the user terminal includes: after receiving the service access request, the owned service server submits a service authentication application to the service authentication server of the second network; the service authentication server obtains the user information of the user terminal, establishes a secure channel directly with the user terminal, and establishes a security association between the user terminal and the owned service server; the service authentication server performs security negotiation with the user terminal through the secure channel according to the user-input information received by the user terminal; service authentication is performed according to the result of the security negotiation, and security information is generated and distributed to the user terminal and the owned service server.

Before the service authentication server performs security negotiation with the user terminal through the secure channel according to the user-input information received by the user terminal, the method further includes: the user terminal selects an authentication level when activating the service provided by the owned service server.

After the service authentication server obtains the user information of the user terminal, establishes a secure channel directly with the user terminal and establishes a security association between the user terminal and the owned service server, the method further includes: the user terminal selects or modifies the authentication level according to the user's operation.

The authentication level includes at least one of the following: no authentication, automatic authentication, user terminal confirmation authentication, and digital signature authentication.

According to another aspect of the present invention, an owned service authentication system is provided, including: a user terminal, a first network and a second network, where the user terminal includes a client and the second network includes a service authentication server and an owned service server. The client includes: a request initiation module, configured to initiate a service access request to the owned service server of the second network through the first network. The service authentication server includes: a service authentication module, configured to directly perform service authentication on the user terminal.

The first network includes: a first access authentication server, configured to complete the access authentication of the user terminal to the first network. The second network further includes: a second access authentication server, configured to complete the access authentication of the user terminal to the second network through the first network.

The owned service server includes: an application submission module, configured to submit a service authentication application to the service authentication server after receiving the service access request of the user terminal.

The service authentication server further includes: a channel establishment module, configured to obtain the user information of the user terminal, establish a secure channel directly with the user terminal, and establish a security association between the user terminal and the owned service server; a security negotiation module, configured to perform security negotiation with the user terminal through the secure channel according to the user-input information received by the user terminal; and the service authentication module is further configured to perform service authentication according to the result of the security negotiation, generate security information and distribute it to the user terminal and the owned service server.

The client further includes: an input prompting module, configured to display prompt information to the user and request the user to input information.

The smart card includes at least one of the following: a level selection module, configured to select an authentication level when activating the owned service provided by the owned service server; a level modification module, configured to select or modify the authentication level according to the user's operation after the secure channel is established.

With the present invention, when the user terminal initiates a service access request to the owned service server of the second network through the first network, the service authentication server of the second network directly authenticates the user terminal that initiated the request. This solves the problem that existing owned service authentication requires the user to perform a large number of additional operations, thereby avoiding repeated authentication and improving the user experience.

BRIEF DESCRIPTION OF THE DRAWINGS The drawings described here are provided for a further understanding of the present invention and form part of this application; the exemplary embodiments of the present invention and their description serve to explain the present invention and do not constitute an improper limitation of it. In the drawings: FIG. 1 is a flowchart of an owned service authentication method according to an embodiment of the present invention; FIG. 2 is a schematic diagram of the functional structure required by an owned service authentication method according to an example of the present invention; FIG. 3 is a schematic flowchart of applying the owned service authentication method in the functional structure shown in FIG. 2 according to an example of the present invention; FIG. 4 is a structural block diagram of an owned service authentication system according to an embodiment of the present invention; FIG. 5 is a schematic structural diagram of an owned service authentication system according to an example of the present invention; FIG. 6 is a schematic flowchart of service authentication performed by an owned service authentication system according to an example of the present invention.

DETAILED DESCRIPTION OF EMBODIMENTS The present invention is described in detail below with reference to the drawings and in combination with embodiments. It should be noted that, where there is no conflict, the embodiments in this application and the features in the embodiments may be combined with each other.

FIG. 1 is a flowchart of an owned service authentication method according to an embodiment of the present invention. As shown in FIG. 1, the owned service authentication method according to an embodiment of the present invention includes: Step S102, a user terminal initiates a service access request to an owned service server of a second network through a first network; Step S104, a service authentication server of the second network directly performs service authentication on the user terminal.

In this embodiment, in order to spare the user repeated authentication and improve the user experience, service authentication of the user terminal is performed directly by the second network. Although the user initiates the service request to the owned service server of the second network through the first network, as far as service authentication is concerned the authentication is performed on the user terminal directly by the service authentication server of the second network. This avoids repeated input of the user's authentication information, reduces unnecessary user operations, improves the security of the user's authentication information and improves the user experience.

The prerequisites for executing step S102 are: first, the user terminal has established a connection with the first network; second, the user has established a connection with the second network through the first network. In practice the relationship between the user terminal, the first network and the second network varies: the user terminal may have established a connection with the first network but not with the second network through the first network; the user terminal may have established a connection with the first network and, through the first network, with the second network; or the user terminal may have established a connection with neither the first network nor the second network. This preferred embodiment takes the third case as an example and gives a preferred implementation; the other cases can be handled by analogy. Preferably, the following processing may also be included before step S102:
(1) the user terminal completes access authentication of the first network via the access authentication server of the first network;
(2) the user terminal completes access authentication of the second network through the first network via the access authentication server of the second network. Through the above processing, it is ensured that the user terminal has established a connection with the first network and, through the first network, a connection with the second network, which provides the basis for the subsequent processing. There are many ways for the service authentication server of the second network to directly perform service authentication on the user terminal in step S104; this preferred embodiment gives one preferred implementation. Preferably, step S104 may further include the following processing: (1) after receiving the service access request, the owned service server submits a service authentication application to the service authentication server of the second network;
(2) the service authentication server obtains the user information of the user terminal, establishes a secure channel directly with the user terminal, and establishes a security association between the user terminal and the owned service server; (3) the service authentication server performs security negotiation with the user terminal through the secure channel according to the user-input information received by the user terminal;
(4) Service authentication is performed according to the result of the security negotiation, and security information is generated and distributed to the user terminal and the own service server.

In the preferred embodiment, after receiving the service access request, the own service server submits a service authentication application to the service authentication server, asking it to verify the user terminal that initiated the request. The service authentication server first obtains the user information of the user terminal, then builds a secure channel either by converting an existing connection that it can establish with the user terminal into a service authentication connection or by creating a new connection dedicated to service authentication; over this channel it establishes a secure connection with the user terminal and a security association between the user terminal and the own service server. Once the secure channel is established, service authentication proceeds on top of it: first, security negotiation with the user terminal according to the authentication information entered by the user; then service authentication according to the result of the negotiation. On success, the corresponding security information, such as a key or a certificate, is generated.
This security information is what finally allows the user terminal to access the own service provided by the own service server; the ultimate purpose of the authentication is to let the user terminal access that service on the basis of the security information. Preferably, in the foregoing preferred embodiment, before the service authentication server performs security negotiation with the user terminal through the secure channel according to the information entered by the user, the following processing may also be included: the user terminal displays prompt information to the user requesting input. This further facilitates use and improves the user experience. Preferably, before step S102 the method may further include: the user terminal performs authentication level selection when the service provided by the own service server is activated. The preferred embodiment introduces the concept of an authentication level, that is, different authentication methods are adopted for different services to improve the efficiency of authentication. The authentication level can be chosen according to the particular service when the user activates it. To make things still more convenient, the user may, in addition to selecting the level at activation, be given a further opportunity to select and modify the level.
Preferably, after the service authentication server has obtained the user information of the user terminal, established a secure channel directly with the user terminal, and established the security association between the user terminal and the own service server, the following processing may further be included: the user terminal selects or modifies the authentication level according to the user's operation. This further increases flexibility and improves the user experience. Preferably, the authentication level may include at least one of: no authentication, automatic authentication, user terminal confirmation authentication, and digital signature authentication. The preferred embodiment proposes one preferred way of dividing authentication levels; in a specific implementation the following levels may be set: no authentication, automatic authentication, user terminal confirmation authentication, and digital signature authentication. For a free service, no authentication is performed; for a monthly subscription service, automatic authentication without user terminal intervention is performed; for a pay-per-use service, user terminal confirmation authentication is performed; and where the user terminal supports it, non-repudiation authentication such as a digital signature can be performed at the same time. This division of levels is not the only possible one and may be varied according to need.

The preferred embodiments above are described in detail below with reference to examples. This example provides a service authentication method for a user terminal accessing an own service of the second network through the first network, comprising the following steps:

Step 1: The user terminal completes access authentication, via the first network, with the access authentication server in the second network.
In general, access authentication ensures that the network accessed by the user terminal is a legitimate network and, at the same time, that only legitimate user terminals can access the network. A user terminal that has passed access authentication can reach the Internet through the first network and access Internet services directly.

Step 2: When the user terminal accesses the own service server of the second network via the first network, the user terminal establishes a secure channel with the service authentication server through the second network (not through the first network), establishes a security association with the own service server, and performs service authentication on the basis of that secure channel.

Step 3: After service authentication succeeds, a key or certificate is distributed: it is sent securely to the user terminal and to the own service server.

Step 4: The user terminal is authorized to access the own service of the second network via the first network.

On the basis of the above example, this example adds an authentication level function: with the cooperation of the user terminal, service authentication is managed in levels, and the user is given an interface for selecting the level, so that service authentication can be carried out both securely and flexibly. The authentication level function provided in this example is described as follows. Authentication is managed hierarchically according to the security requirements of the own service, the subscription information, the user terminal's selection, and so on. The levels may be divided into no authentication, automatic authentication, user terminal confirmation authentication, and, where the terminal supports it, digital signature. Each level can correspond to different services and authentication methods.
For example, for a free service no authentication is performed; for a monthly subscription service, automatic authentication without user terminal intervention is performed; for a pay-per-use service, user terminal confirmation authentication is performed; and where the user terminal supports it, non-repudiation authentication such as a digital signature can be performed at the same time. The user terminal can select the authentication level when the own service is activated or after a secure channel has been established. The user terminal provides a user interface for the selection; this can happen during the service authentication process (which requires user participation), or the user terminal can actively establish a secure channel, establish a security association with the own service server, and select or change the level. Service authentication can be implemented on the client (the user terminal comprises modules such as the client and the smart card) or on the smart card (a part of the user terminal). When service authentication is implemented on the smart card, the related security computations such as key handling and negotiation are all carried out on the card: the security is higher, the process is easier for the operator to control, and the demands on the terminal are lower. Implementing service authentication on the smart card is therefore preferred.

The own service authentication method with the added authentication level function comprises the following steps:

Step 1: The user terminal accesses the own service server, and the own service server submits an authentication application to the service authentication server.

Step 2: The service authentication server determines the service authentication level. The levels may be divided into no authentication, automatic authentication, user terminal confirmation authentication, and, where the terminal supports it, digital signature.

Step 3: Establish a secure channel.
A secure channel is established between the user terminal and the service authentication server, and a security association is established with the own service server. The secure channel can be carried over data short messages or over BIP (Bearer Independent Protocol).

Step 4: Provide user selection and security negotiation. After the security association is established, the authentication level can be selected through the user terminal. The user terminal can provide a user interface that prompts the user with information, asks for input, or offers the authentication level selection; this can be provided through the smart card's STK (SIM Tool Kit) or SCWS (Smart Card Web Server), or by the client.

Step 5: Perform service authentication as negotiated. For a free service, no authentication is performed; for a monthly subscription service, automatic authentication without user terminal intervention is performed using AKA (Authentication and Key Agreement); for a pay-per-use service, user terminal confirmation authentication is performed using EAP (Extensible Authentication Protocol)-SIM (Subscriber Identity Module)/AKA; and where the user terminal supports it, non-repudiation authentication such as a digital signature can be performed at the same time using a digital certificate.

Step 6: After service authentication succeeds, the corresponding key or certificate is distributed.

Step 7: The user terminal is authorized to access the service provided by the own service server.

FIG. 2 is a schematic diagram of the functional structure required by the own service authentication method according to an example of the present invention. To explain the own service authentication flow more clearly, FIG. 2 modularizes the functions required for own service authentication and indicates the entity that executes each function.
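The level determination of steps 2 and 5 above, written out as runnable code. This is an added example and not code from the patent or from any operator's implementation. The billing categories, the level names and the mechanism run at each level (AKA, EAP-SIM/AKA, digital certificate) are taken from the text; the class and function names, the network-side store of user choices keyed by (user, service), the modelling of the digital signature as an add-on to the base level (the text says it is performed "at the same time"), and the rule that it is only added when the terminal reports support for it and the base level is not "no authentication" are this example's own assumptions.

```python
"""Hierarchical authentication management for an operator-owned service.

Added example: models the level determination described in the text.
Billing types, levels and mechanisms come from the text; the data model,
the (user, service) keyed store of choices and the signature gating rule
are assumptions made here.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Tuple


class Billing(Enum):
    FREE = "free"
    MONTHLY = "monthly subscription"
    PER_USE = "pay-per-use"


class Level(Enum):
    NONE = "no authentication"
    AUTOMATIC = "automatic authentication"
    USER_CONFIRM = "user terminal confirmation authentication"


# Default level for each billing type, as the text assigns them.
DEFAULT_LEVEL: Dict[Billing, Level] = {
    Billing.FREE: Level.NONE,
    Billing.MONTHLY: Level.AUTOMATIC,
    Billing.PER_USE: Level.USER_CONFIRM,
}

# Authentication mechanism run for each level (step 5 of the method).
MECHANISM: Dict[Level, Optional[str]] = {
    Level.NONE: None,
    Level.AUTOMATIC: "AKA",
    Level.USER_CONFIRM: "EAP-SIM/AKA",
}
SIGNATURE_MECHANISM = "digital certificate"


@dataclass(frozen=True)
class Subscription:
    """Subscription (contract) information the server retrieves for an application."""
    service: str
    billing: Billing


@dataclass(frozen=True)
class Terminal:
    """Capability reported by the terminal; only signature support matters here."""
    supports_signature: bool


@dataclass(frozen=True)
class Decision:
    level: Level
    with_signature: bool
    mechanisms: Tuple[str, ...]


@dataclass
class LevelManager:
    """Network-side security application management (stores user choices)
    plus the hierarchical authentication management that decides a level."""
    level_choice: Dict[Tuple[str, str], Level] = field(default_factory=dict)
    signature_choice: Dict[Tuple[str, str], bool] = field(default_factory=dict)

    def store_level(self, user: str, service: str, level: Level) -> None:
        # Choice received over the secure channel (for example from the STK
        # menu); it applies to all later sessions of that service for that user.
        self.level_choice[(user, service)] = level

    def store_signature(self, user: str, service: str, terminal: Terminal) -> bool:
        # Non-repudiation can only be enabled on a terminal that supports it
        # (assumption: the request is rejected otherwise).
        if not terminal.supports_signature:
            return False
        self.signature_choice[(user, service)] = True
        return True

    def determine(self, user: str, sub: Subscription, terminal: Terminal) -> Decision:
        key = (user, sub.service)
        level = self.level_choice.get(key, DEFAULT_LEVEL[sub.billing])
        # Capability is re-checked at decision time: the user may now be on a
        # terminal without signature support. Signing an unauthenticated free
        # session is pointless, so NONE never gets a signature (assumption).
        sign = (self.signature_choice.get(key, False)
                and terminal.supports_signature
                and level is not Level.NONE)
        mechanisms = []
        if MECHANISM[level] is not None:
            mechanisms.append(MECHANISM[level])
        if sign:
            mechanisms.append(SIGNATURE_MECHANISM)
        return Decision(level, sign, tuple(mechanisms))
```

A stored choice only ever changes the user's own sessions, and the decision is recomputed for every application rather than cached, so a change of terminal or of subscription takes effect on the next service access.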
In this example, the WLAN network is the first network and the cellular communication system is the second network; that is, the user terminal accesses the streaming media service of the cellular communication system through the WLAN network. In this example, service authentication can be implemented on the client or on the smart card. When it is implemented on the smart card, the related security computations such as key handling and negotiation are all carried out on the card: the security is higher, the process is easier for the operator to control, and the demands on the terminal are lower. Implementing service authentication on the smart card is therefore preferred. As shown in FIG. 3, the whole flow includes:

Step S302: The client accesses the streaming media server corresponding to an own service of the cellular communication system.

Step S304: The streaming media server submits a service authentication application to the service authentication server.

Step S306: Hierarchical authentication management in the service authentication server determines the authentication level according to the submitted application, retrieving the related user information, subscription information and so on. It is assumed that the streaming media service is pay-per-use, so the authentication level is user terminal confirmation authentication, which requires the user terminal to participate. A secure channel is established between the smart card and the service authentication server, and a security association is established with the streaming media server. The smart card and the service authentication server each have a secure channel management function responsible for establishing the channel. Two-way identity authentication is completed on the basis of the smart card: if either party is not legitimate, the interaction is aborted; if the identification passes, a series of keys is generated and the secure channel is established. The bearer uses BIP.
When the smart card needs to communicate with the streaming media server over TCP/IP, the streaming media server is identified by an IP address. When the BIP channel is open, the user terminal acts as a gateway and communicates with the streaming media server over TCP/IP; see ETSI (European Telecommunications Standards Institute) TS 102 127.

Step S308: After the security association is established, user selection and security negotiation take place. The STK function of the smart card prompts the user with the amount to be charged for this streaming media session and asks for confirmation. The user terminal confirms the session, and the confirmation of the transaction information is sent to the network through the secure channel. This example supports selecting the authentication level after the user terminal has been securely associated with the streaming media server. If the user finds confirming every session inconvenient, the user opens the local STK menu option for selecting the authentication level and chooses automatic authentication as the authentication mode for subsequent streaming media sessions. The selected mode is sent through the secure channel to the network-side security application management, which stores the user's selection, and subsequent streaming media sessions are authenticated at the level the user selected. The user terminal can also actively establish a secure channel in order to select or change the authentication level.

Step S310: Authentication and key management. The smart card and the service authentication server each have a service authentication management module that performs authentication and key management. This implementation supports multiple authentication modes and key management; service authentication includes at least two authentication mechanisms and allows the user to negotiate between them.
One is based on a shared secret between the entities, the other on a key pair. The service authentication server performs the corresponding key management, which includes setting the local validity of keys according to local policy, monitoring the life cycle of keys, and taking measures together with the user terminal to ensure that keys are refreshed.

Step S312: After authentication succeeds, the key or certificate is distributed to the client or the own service server. The client may run on a mobile terminal or a PC; it needs a secure local access interface to the smart card to guarantee the validity of the data. The streaming media server has a communication interface with the service authentication server and can obtain the security key and security settings agreed between the client and the service authentication server.

Step S314: The client is authorized to access the streaming media service of the cellular communication system.

FIG. 4 is a structural block diagram of an own service authentication system according to an embodiment of the present invention. As shown in FIG. 4, the system comprises a user terminal 42, a first network 44 and a second network 46. The user terminal 42 comprises a client 422; the second network 46 comprises a service authentication server 462 and an own service server 464. The client 422 comprises a request initiation module 4222, configured to initiate a service access request to the own service server 464 of the second network 46 through the first network 44. The service authentication server 462 comprises a service authentication module 4622, configured to perform service authentication directly on the user terminal 42.
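The two-way identity authentication of step S306 and the authentication, key management and key distribution of steps S310 and S312, written out for the shared-secret mechanism as an added example; this is not the patent's or any operator's code. It models both sides of the exchange: the smart card and the service authentication server each prove possession of the subscriber secret to the other with a challenge-response, both derive the same session key, the server records the key's lifetime per local policy, and the key is handed to the streaming (own service) server only after both proofs verify. The challenge-response and the key derivation are simplified HMAC-SHA256 constructions of this example's own, not 3GPP AKA or EAP-SIM; the subscriber table standing in for the HSS/HLR lookup, the key record layout, the refresh margin and the constructed IMSI value are assumptions.

```python
"""Shared-secret mutual authentication, key derivation and key distribution
between smart card, service authentication server and own service server.

Added example. The protocol here is a simplified challenge-response of this
example's own, not AKA/EAP-SIM; subscriber table and record layout are assumed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def _mac(secret: bytes, *parts: bytes) -> bytes:
    """Keyed proof over the concatenated parts (role label + both nonces)."""
    return hmac.new(secret, b"".join(parts), hashlib.sha256).digest()


def _derive_key(secret: bytes, s_nonce: bytes, c_nonce: bytes) -> bytes:
    # Both sides compute the same key once both nonces are known (simplified KDF).
    return hmac.new(secret, b"session" + s_nonce + c_nonce, hashlib.sha256).digest()


@dataclass
class KeyRecord:
    """Session key plus the life-cycle data the server keeps per local policy."""
    key: bytes
    issued_at: float
    lifetime: float

    def expired(self, now: float) -> bool:
        return now >= self.issued_at + self.lifetime

    def needs_refresh(self, now: float, margin: float = 0.2) -> bool:
        # Refresh inside the last 20% of the lifetime (assumed policy) so the
        # terminal is never left running on an expired key.
        return now >= self.issued_at + self.lifetime * (1 - margin)


class SmartCard:
    """Authentication entity of the user terminal; holds the subscriber secret."""

    def __init__(self, imsi: str, secret: bytes):
        self.imsi = imsi
        self._secret = secret
        self.session_key: Optional[bytes] = None
        self._s_nonce = self._c_nonce = b""

    def answer_challenge(self, s_nonce: bytes) -> Tuple[bytes, bytes]:
        self._s_nonce = s_nonce
        self._c_nonce = secrets.token_bytes(16)
        return self._c_nonce, _mac(self._secret, b"card", s_nonce, self._c_nonce)

    def verify_server(self, server_proof: bytes) -> bool:
        expected = _mac(self._secret, b"server", self._s_nonce, self._c_nonce)
        if not hmac.compare_digest(expected, server_proof):
            return False  # network side not legitimate: interaction is aborted
        self.session_key = _derive_key(self._secret, self._s_nonce, self._c_nonce)
        return True


class ServiceServer:
    """Own service (streaming) server: receives keys from the auth server."""

    def __init__(self):
        self.keys: Dict[str, KeyRecord] = {}


class AuthServer:
    """Service authentication server; subscribers dict stands in for HSS/HLR."""

    def __init__(self, subscribers: Dict[str, bytes], key_lifetime: float = 3600.0):
        self._subscribers = subscribers
        self.key_lifetime = key_lifetime
        self._pending: Dict[str, bytes] = {}

    def challenge(self, imsi: str) -> bytes:
        self._pending[imsi] = secrets.token_bytes(16)
        return self._pending[imsi]

    def verify_card(self, imsi: str, c_nonce: bytes, card_proof: bytes,
                    now: float) -> Optional[Tuple[bytes, KeyRecord]]:
        secret = self._subscribers.get(imsi)
        s_nonce = self._pending.pop(imsi, None)  # one challenge, one answer
        if secret is None or s_nonce is None:
            return None
        if not hmac.compare_digest(_mac(secret, b"card", s_nonce, c_nonce), card_proof):
            return None  # card not legitimate: no server proof is released
        proof = _mac(secret, b"server", s_nonce, c_nonce)
        record = KeyRecord(_derive_key(secret, s_nonce, c_nonce), now, self.key_lifetime)
        return proof, record


def authenticate_and_distribute(card: SmartCard, server: AuthServer,
                                service: ServiceServer, now: float) -> bool:
    """Run the exchange; the service server gets a key only on full success."""
    s_nonce = server.challenge(card.imsi)
    c_nonce, card_proof = card.answer_challenge(s_nonce)
    result = server.verify_card(card.imsi, c_nonce, card_proof, now)
    if result is None:
        return False
    proof, record = result
    if not card.verify_server(proof):
        return False
    service.keys[card.imsi] = record
    return True
```

The ordering matters: the server releases its own proof only after the card's proof has verified, the card derives a key only after the server's proof has verified, and the own service server is given the key last, so an aborted exchange leaves it with nothing to authorize against.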
In the own service authentication system according to this embodiment, in order to spare the user repeated authentication and thereby improve the user experience, service authentication is performed on the user terminal 42 directly by the second network 46. Although the user terminal 42 sends the service request to the own service server 464 of the second network 46 through the first network 44, the service authentication itself is performed by the service authentication server 462 of the second network 46 directly against the user terminal 42. This avoids repeated entry of the user's authentication information, reduces unnecessary user operations, improves the security of the authentication information, and improves the user experience. Preferably, the first network 44 may include a first access authentication server configured to complete the access authentication of the user terminal 42 to the first network, and the second network 46 may further include a second access authentication server configured to complete the access authentication of the user terminal to the second network through the first network. The first and second access authentication servers ensure that the user terminal 42 has established a connection with the first network 44 and, through the first network 44, with the second network 46, which provides the basis for the subsequent processing.
Preferably, the own service server 464 may include an application submission module, configured to submit a service authentication application to the service authentication server 462 after receiving the service access request of the user terminal 42. The service authentication server 462 may further include: a channel establishment module, configured to obtain the user information of the user terminal 42, establish a secure channel directly with the user terminal 42, and establish a security association between the user terminal 42 and the own service server 464; and a security negotiation module, configured to perform security negotiation with the user terminal 42 through the secure channel according to the information entered by the user on the user terminal 42. The service authentication module 4622 is further configured to perform service authentication according to the result of the security negotiation, and to generate security information and distribute it to the user terminal 42 and the own service server 464. In the preferred embodiment, after receiving the service access request, the own service server 464 submits a service authentication application to the service authentication server 462, asking it to verify the user terminal 42 that initiated the request. The service authentication server 462 first obtains the user information of the user terminal 42, then builds a secure channel either by converting an existing connection that it can establish with the user terminal into a service authentication connection or by creating a new connection dedicated to service authentication; over this channel it establishes a secure connection with the user terminal 42 and a security association between the user terminal 42 and the own service server 464.
Once the secure channel is established, service authentication proceeds on top of it: first, security negotiation with the user terminal 42 according to the authentication information entered by the user; then service authentication according to the result of the negotiation. On success, the corresponding security information, such as a key or a certificate, is generated. This security information is what finally allows the user terminal 42 to access the own service provided by the own service server 464; the ultimate purpose of the authentication is to let the user terminal 42 access that service on the basis of the security information. Preferably, the client 422 may further include an input prompting module, configured to display prompt information to the user and request input. The input prompting module further facilitates use and improves the user experience. Preferably, the user terminal 42 may further include a smart card, and the smart card may include at least one of: a level selection module, configured to select the authentication level when the own service provided by the own service server 464 is activated; and a level modification module, configured to select or modify the authentication level according to the user's operation after the secure channel has been established. In the preferred embodiment, the level selection module and the level modification module provide the authentication level function, that is, different authentication methods are adopted for different services to improve the efficiency of authentication.
The authentication level can be chosen by the level selection module according to the particular service when the user activates the service, or it can be selected or modified by the level modification module after the service authentication server 462 has obtained the user information of the user terminal 42, established a secure channel directly with the user terminal 42, and established the security association between the user terminal 42 and the own service server 464. These modules further increase flexibility and improve the user experience.

The preferred embodiments above are described in detail below with reference to examples. In this example, the own service authentication system comprises a user terminal and a network. The user terminal comprises a client and a smart card. The client may run on a mobile terminal or a PC and needs a secure local access interface to the smart card to guarantee the validity of the data. The user terminal is able to access both the first network and the second network. Service authentication can be implemented on the client or on the smart card; when it is implemented on the smart card, the related security computations such as key handling and negotiation are all carried out on the card, so the security is higher, the process is easier for the operator to control, and the demands on the terminal are lower, which is why implementing service authentication on the smart card is preferred. The user terminal establishes a secure channel with the service authentication server through the second network and a security association with the own service server. The secure channel bearer can be data short messages or BIP. On the basis of this secure channel, the user terminal performs security negotiation and service authentication with the service authentication server located in the second network.
The user terminal can provide a user interface that prompts the user with information and requests input; this interface can be provided by the smart card through STK/SCWS or by the client. The network includes a first network and a second network. The second network includes an access authentication server, a service authentication server, and a plurality of self-owned service servers. After passing access authentication, the user terminal can directly access Internet services through the first network; after passing service authentication, the user terminal can access the self-owned services of the second network. The self-owned service servers mainly provide various services based on the second network, including services that require user terminal authentication, such as the packet domain services of a cellular communication system. Since there is one server per service, the user terminal and the service authentication server may carry out several self-owned service authentications. Before the secure channel is established, the user terminal has no security association with the self-owned service server. Through the secure communication interface between the self-owned service server and the service authentication server, the self-owned service server can obtain the security information, such as the security key or certificate, agreed between the user terminal and the service authentication server. The access authentication server completes the access authentication of the user terminal when it accesses the second network through the first network. In general, access authentication ensures both that the network accessed by the user terminal is legitimate and that only legitimate user terminals can access the network. The service authentication server completes the service authentication between the user terminal and the self-owned service server.
The service authentication server obtains user-related information from the second network (for example, from the home subscriber server/home location register of a cellular communication system), establishes a secure channel through the second network, and establishes a security association between the user terminal and the self-owned service server. On the basis of the established secure channel, the service authentication server performs security negotiation and authentication: it provides a user interface to prompt the user with information or to request user input for the security negotiation; performs authentication and key management according to the result of the negotiation; and, after successful authentication, passes security information such as the key to the self-owned service server. At the same time, the service authentication server performs the corresponding key management, including setting the validity of the key according to local policy, and monitoring the life cycle of the key and taking measures together with the user terminal to ensure that the key is refreshed. On top of the above, this example adds the authentication level function: the smart card provides a user interface based on STK/SCWS or through the client, prompts the user with information, requests user input or offers a choice of authentication level, and the authentication level can be selected or changed during the service authentication process (which requires user participation) or when the secure channel is actively established. As the authentication entity of the user terminal, the smart card performs two-way identity authentication with the network. If either party is not legitimate, the interaction is interrupted; if the identification process passes, a series of keys is generated and a secure channel is established. The bearer may be based on data short messages or on BIP mode; BIP mode is preferred. After the secure channel is established, the user terminal establishes a security association with the self-owned service server.
When the smart card needs to communicate with the service authentication server over TCP/IP, the service authentication server is identified by an IP address. When the BIP channel is open, the terminal acts as a gateway and communicates with the service authentication server over TCP/IP in accordance with ETSI TS 102 127. In this example, the service authentication server is mainly responsible for completing service authentication between the user terminal and the self-owned service server. It includes functions such as hierarchical authentication management, secure channel management, and service authentication management. In hierarchical authentication management, the server receives the service authentication application submitted by the self-owned service server, retrieves the relevant user information, subscription information and so on, determines the authentication level, and manages authentication by level. The authentication levels can be divided into: no authentication, automatic authentication, user terminal confirmation authentication, and digital signature with terminal support. In the following, a WLAN network is used as the first network and a cellular communication system as the second network. The structure of the self-owned service authentication system according to this example is explained with reference to FIG. In this example, the service authentication system includes a user terminal and a network. The first network is a WLAN network, which includes an AP (Access Point) and an AC (Access Controller). The AC connects to and manages the wireless APs over the wireless interface, forms the core layer of the WLAN network, and is also interconnected with external networks. The user terminal includes a client and a smart card, and is able to access the WLAN network and the cellular communication system simultaneously.
The client can run on a mobile terminal or a PC terminal, and the client and the smart card have a secure local access interface between them to ensure data validity. Service authentication can be implemented in the client or in the smart card. When it is implemented in the smart card, the related security computations such as confidentiality and negotiation are performed on the smart card; security is higher, the operator retains control more easily, and the demands on the terminal are lower. Implementing service authentication on the smart card is therefore preferred. As the local authentication module, the smart card establishes a secure channel with the service authentication server; after the secure channel is established, the user terminal establishes a security association with the self-owned service server. The network includes the WLAN network, the cellular communication system, the Internet, and the like. The cellular communication system includes an access authentication server, a service authentication server, and a plurality of self-owned service servers; the WLAN network includes APs and ACs. The access authentication server completes access authentication to the cellular communication system through the WLAN network, and may adopt
EAP-SIM/AKA. For example, a 3GPP AAA (Authentication, Authorization and Accounting) Server establishes a connection with the HSS (Home Subscriber Server)/HLR (Home Location Register); the AP/AC supports EAP-SIM/AKA, and the terminal likewise needs to support the EAP-SIM/AKA protocol. For EAP-SIM/AKA, see the relevant protocol specifications. The access authentication server also performs the corresponding charging, billing and management functions. The 3GPP AAA Server and the WLAN together perform unified authentication and authenticate the scenario of direct Internet access; for example, username/password-based charging can be implemented. At the same time, traffic for direct Internet access can be distinguished from traffic that may subsequently enter the packet domain. The 3GPP AAA Server receives the charging information collected from the WLAN, generates call record files according to local policy and supplies them to the billing system, which performs rating and settlement and produces the final bill.
The service authentication server performs service authentication between the user terminal and the self-owned service server. It obtains user-related information from the cellular communication system, establishes a secure channel, and establishes a security association between the user terminal and the self-owned service server. Over that secure channel, the smart card provides a user interface that displays information to the user or requests user input, and security negotiation is performed; authentication and key management are performed according to the negotiation result; and the session key and security settings are passed to the self-owned service server.
This example includes at least two authentication mechanisms. One is based on a secret shared between the entities; the other is based on a key pair. Several authentication protocols are based on a secret shared between entities; commonly used ones include pre-shared key TLS (Transport Layer Security), the IKE (Internet Key Exchange) protocol with pre-shared keys and a preference for the username/password mechanism, and AKA. The main problem with this type of mechanism is how to keep the pre-shared secret consistent between the parties; this authentication method is symmetric. At present it is the approach most commonly used by mobile terminals.
The other is authentication based on asymmetric cryptography. This method assumes that the entity to be authenticated holds a key pair and a corresponding digital certificate. Examples include PGP (Pretty Good Privacy) and HTTPS (Secure Hypertext Transfer Protocol; see RFC 2818). Compared with symmetric-key methods, asymmetric-key authentication involves considerably more computation and places higher demands on the terminal.
The self-owned service server mainly provides various services to the user terminal, including services that require user terminal authentication. In a cellular communication system these include packet-domain services such as multimedia services, location services, gaming and Internet services. Before the secure channel is established, the user terminal has no security association with the self-owned service server.
This example supports hierarchical authentication management: service authentication is managed by level, and a user interface can be provided for selecting the authentication level.
FIG. 6 is a schematic flowchart of service authentication performed by the self-owned service authentication system according to an example of the present invention. As shown in FIG. 6, the process of performing service authentication in the above system includes the following steps:
Step S602: the client performs access authentication with the access authentication server in the cellular communication system via the WLAN network.
Step S604: after access authentication succeeds, the user terminal can access the Internet through the WLAN network and directly use Internet services.
Step S606: the client accesses the self-owned service server of the cellular communication system via the WLAN network (possibly through tunneling).
Step S608: the self-owned service server submits a service authentication application to the service authentication server. According to the application submitted for the self-owned service, the service authentication server retrieves the relevant user information, subscription information and so on, and determines the authentication level.
Step S610: the service authentication server establishes a secure channel with the user terminal, so that the user terminal and the self-owned service server form a security association. Two-way identity authentication is completed on the basis of the smart card: if either party is not legitimate, the interaction is interrupted; if the identification process passes, a series of keys is generated and the secure channel is established. The bearer uses BIP mode; when the smart card needs to communicate with the service authentication server over TCP/IP, the service authentication server is identified by an IP address. When the BIP channel is open, the user terminal acts as a gateway and communicates with the service authentication server over TCP/IP in accordance with ETSI TS 102 127.
Step S612: after the security association is established, user selection and security negotiation are performed. The smart card can provide a user interface that prompts the user with information and requests user input; it can be provided through smart card based STK/SCWS or through the client. The smart card's user interface offers authentication level selection, and the authentication level can be selected or changed during the service authentication process (which requires user participation) or when a secure channel is actively established and a security association with the self-owned service server is formed.
Step S614: authentication and key management are performed according to the result of the negotiation. Two authentication mechanisms are included, and the user is allowed to negotiate between them: one is based on a secret shared between the entities, the other on a key pair. The key management performed by the service authentication server includes setting the local validity of the key according to local policy, and monitoring the life cycle of the key and taking measures together with the user terminal to ensure that the key is refreshed.
Step S616: the key or certificate is distributed. After authentication succeeds, the key or certificate is distributed to the client or the self-owned service server. The client can run on a mobile terminal or a PC terminal and needs to establish a secure local access interface with the smart card to ensure data validity. The self-owned service server and the authentication server have a secure communication interface between them, through which the self-owned service server can obtain the security key and security settings agreed between the client and the authentication server.
Step S618: the client is authorized to access the self-owned services of the cellular communication system through the WLAN network.
From the above description it can be seen that the technical solution provided by the present invention reconsiders the access and service authentication mechanisms of wireless communication systems: it ensures that the user terminal can flexibly use various access technologies, provides the user terminal with flexible and secure authentication choices, avoids repeated service authentication, guarantees service security, and improves the user experience.
It should be pointed out that the present invention is applicable not only to multi-communication-system access and hierarchical service authentication, but also to service authentication within a single communication system. The user terminal may perform service authentication after completing access authentication on the first network, or may perform security authentication on its own.
Obviously, those skilled in the art should understand that the modules or steps of the present invention described above can be implemented by general-purpose computing devices; they can be concentrated on a single computing device or distributed over a network formed by a plurality of computing devices. Optionally, they can be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; in some cases the steps shown or described may be executed in an order different from that given here, or they may be fabricated as individual integrated circuit modules, or several of the modules or steps may be fabricated as a single integrated circuit module. Thus, the present invention is not limited to any particular combination of hardware and software.
The above are only preferred embodiments of the present invention and are not intended to limit it; for those skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
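The hierarchical authentication of step S608, the two-way authentication that interrupts the interaction when either party is not legitimate (S610/S614), the key distribution of S616 and the key life-cycle check can be modelled as follows. This is an added example in Python, not code from the patent; the service names, policy table, HMAC-based challenge-response messages and status strings are assumptions, and the digital-signature (asymmetric) level is not modelled.

```python
"""Added example, not code from patent WO2012151933A1: a model of hierarchical
authentication (S608), shared-secret mutual authentication (S610/S614), key
distribution (S616) and key lifetime management. Names and policy values are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import IntEnum


class AuthLevel(IntEnum):
    NONE = 0          # no authentication
    AUTOMATIC = 1     # smart card answers the challenge without the user
    USER_CONFIRM = 2  # user must confirm at the terminal prompt first
    SIGNATURE = 3     # digital signature with terminal support (asymmetric)


# Constructed local policy: minimum level and key lifetime (seconds) per service.
POLICY = {
    "weather": (AuthLevel.NONE, 3600),
    "location": (AuthLevel.AUTOMATIC, 1800),
    "payment": (AuthLevel.USER_CONFIRM, 600),
    "contract": (AuthLevel.SIGNATURE, 300),
}


@dataclass
class SessionKey:
    key: bytes
    issued_at: float
    lifetime: float

    def needs_refresh(self, now: float) -> bool:
        """Life-cycle check: an expired key must be renegotiated."""
        return now - self.issued_at >= self.lifetime


def _mac(secret: bytes, *parts: bytes) -> bytes:
    return hmac.new(secret, b"|".join(parts), hashlib.sha256).digest()


class SmartCard:
    """User-terminal side: holds the shared secret and answers the prompt."""

    def __init__(self, secret: bytes, user_confirms: bool = True):
        self._secret = secret
        self.user_confirms = user_confirms  # the user's answer when prompted

    def respond(self, level: AuthLevel, nonce_s: bytes):
        if level == AuthLevel.USER_CONFIRM and not self.user_confirms:
            return None  # user declined the prompt: interaction aborted
        nonce_c = secrets.token_bytes(16)
        return nonce_c, _mac(self._secret, b"card", nonce_s, nonce_c)

    def verify_server(self, nonce_s: bytes, nonce_c: bytes, proof: bytes) -> bool:
        return hmac.compare_digest(proof, _mac(self._secret, b"server", nonce_c, nonce_s))

    def derive(self, nonce_s: bytes, nonce_c: bytes) -> bytes:
        return _mac(self._secret, b"session", nonce_s, nonce_c)


class ServiceAuthServer:
    """Network side: decides the level, authenticates, distributes the key."""

    def __init__(self, subscriber_secret: bytes, contract_level=AuthLevel.NONE):
        self._secret = subscriber_secret
        self._contract_level = contract_level  # from subscription information
        self.distributed = {}  # service -> SessionKey handed to that server

    def determine_level(self, service: str):
        """S608: the service's policy level, raised by the contract level."""
        base, lifetime = POLICY[service]
        return max(base, self._contract_level), lifetime

    def authenticate(self, service: str, card: SmartCard, now: float):
        """S610-S616. Returns (status, SessionKey or None)."""
        level, lifetime = self.determine_level(service)
        if level == AuthLevel.NONE:
            return "no_auth_required", None
        if level == AuthLevel.SIGNATURE:
            return "unsupported_level", None  # asymmetric path not modelled here
        nonce_s = secrets.token_bytes(16)
        reply = card.respond(level, nonce_s)
        if reply is None:
            return "aborted", None
        nonce_c, proof_c = reply
        if not hmac.compare_digest(proof_c, _mac(self._secret, b"card", nonce_s, nonce_c)):
            return "aborted", None  # card is not legitimate: interrupt
        proof_s = _mac(self._secret, b"server", nonce_c, nonce_s)
        if not card.verify_server(nonce_s, nonce_c, proof_s):
            return "aborted", None  # card rejects the network: interrupt
        sk = SessionKey(_mac(self._secret, b"session", nonce_s, nonce_c), now, lifetime)
        self.distributed[service] = sk  # S616: hand the key to the own-service server
        return "ok", sk

    def refresh_if_needed(self, service: str, card: SmartCard, now: float):
        """Key management: reuse a live key, renegotiate an expired one."""
        sk = self.distributed.get(service)
        if sk is not None and not sk.needs_refresh(now):
            return "valid", sk
        return self.authenticate(service, card, now)
```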

Claims

1. A self-owned service authentication method, comprising: a user terminal initiating a service access request to a self-owned service server of a second network through a first network; and a service authentication server of the second network directly performing service authentication on the user terminal.
2. The method according to claim 1, wherein, before the user terminal initiates the service access request to the self-owned service server of the second network through the first network, the method further comprises: the user terminal completing access authentication of the first network via an access authentication server of the first network; and the user terminal completing access authentication of the second network via an access authentication server of the second network through the first network.
3. The method according to claim 1, wherein the service authentication server of the second network directly performing service authentication on the user terminal comprises: after receiving the service access request, the self-owned service server submitting a service authentication application to the service authentication server of the second network; the service authentication server obtaining user information of the user terminal, establishing a secure channel directly with the user terminal, and establishing a security association between the user terminal and the self-owned service server; the service authentication server performing security negotiation with the user terminal over the secure channel according to information input by the user and received by the user terminal; and performing service authentication according to the result of the security negotiation, generating security information and distributing it to the user terminal and the self-owned service server.
4. The method according to claim 3, wherein, before the service authentication server performs security negotiation with the user terminal over the secure channel according to the information input by the user and received by the user terminal, the method further comprises: the user terminal displaying prompt information to the user and requesting the user to input information.
5. The method according to claim 3, wherein, before the user terminal initiates the service access request to the self-owned service server of the second network through the first network, the method further comprises: the user terminal performing authentication level selection when activating the service provided by the self-owned service server.
6. The method according to claim 5, wherein, after the service authentication server obtains the user information of the user terminal, establishes the secure channel directly with the user terminal and establishes the security association between the user terminal and the self-owned service server, the method further comprises: the user terminal selecting or modifying the authentication level according to an operation of the user.
7. The method according to claim 5 or 6, wherein the authentication level comprises at least one of: no authentication, automatic authentication, user terminal confirmation authentication, and digital signature authentication.
8. A self-owned service authentication system, comprising a user terminal, a first network and a second network, wherein the user terminal comprises a client, and the second network comprises a service authentication server and a self-owned service server, wherein
the client comprises: a request initiating module, configured to initiate a service access request to the self-owned service server of the second network through the first network; and the service authentication server comprises: a service authentication module, configured to directly perform service authentication on the user terminal.
9. The system according to claim 8, wherein the first network comprises: a first access authentication server, configured to complete access authentication of the user terminal to the first network; and the second network further comprises: a second access authentication server, configured to complete access authentication of the user terminal to the second network through the first network.
10. The system according to claim 8, wherein the self-owned service server comprises:
an application submission module, configured to submit a service authentication application to the service authentication server after receiving the service access request of the user terminal; and the service authentication server further comprises: a channel establishment module, configured to obtain user information of the user terminal, establish a secure channel directly with the user terminal and establish a security association between the user terminal and the self-owned service server; a security negotiation module, configured to perform security negotiation with the user terminal over the secure channel according to information input by the user and received by the user terminal; and the service authentication module is further configured to perform service authentication according to the result of the security negotiation, generate security information and distribute it to the user terminal and the self-owned service server.
11. The system according to claim 10, wherein the client further comprises: an input prompt module, configured to display prompt information to the user and request the user to input information.
12. The system according to claim 10, wherein the user terminal further comprises a smart card, the smart card comprising at least one of: a level selection module, configured to perform authentication level selection when the self-owned service provided by the self-owned service server is activated; and a level modification module, configured to select or modify the authentication level according to an operation of the user after the secure channel is established.
PCT/CN2011/082573 2011-07-27 2011-11-21 Owned service authentication method and system WO2012151933A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201110211978.9A CN102905258B (en) 2011-07-27 2011-07-27 Own service authentication method and system
CN201110211978.9 2011-07-27

Publications (1)

Publication Number Publication Date
WO2012151933A1 true WO2012151933A1 (en) 2012-11-15

Family

ID=47138716

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2011/082573 WO2012151933A1 (en) 2011-07-27 2011-11-21 Owned service authentication method and system

Country Status (2)

Country Link
CN (1) CN102905258B (en)
WO (1) WO2012151933A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015003527A1 (en) * 2013-07-11 2015-01-15 成都西加云杉科技有限公司 Access point (ap) and system based on ap and access point controller (ac) architectures
CN112102108B (en) * 2020-08-28 2024-03-01 国网思极网安科技(北京)有限公司 Self-service terminal of electric power business hall

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104426656B (en) 2013-08-19 2019-04-05 中兴通讯股份有限公司 Data receiving-transmitting method and system, the processing method and processing device of message
CN104796399B (en) * 2015-01-08 2017-09-19 北京思普崚技术有限公司 A kind of cryptographic key negotiation method of Data Encryption Transmission

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1567864A (en) * 2003-06-17 2005-01-19 华为技术有限公司 Method for receiving external network data by target user equipment
CN101610507A (en) * 2009-06-16 2009-12-23 天津工业大学 A kind of method that inserts the 3G-WLAN internet
CN101984724A (en) * 2010-11-19 2011-03-09 中兴通讯股份有限公司 Method and system for building tunnel in converged network

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7826353B2 (en) * 2003-05-05 2010-11-02 Nokia Corporation Method, system and network element for authorizing a data transmission
CN100337229C (en) * 2003-06-02 2007-09-12 华为技术有限公司 Network verifying, authorizing and accounting system and method
CN1265607C (en) * 2003-12-08 2006-07-19 华为技术有限公司 Method for building up service tunnel in wireless local area network
KR100762644B1 (en) * 2004-12-14 2007-10-01 삼성전자주식회사 WLAN-UMTS Interworking System and Authentication Method Therefor
CN101001144B (en) * 2006-01-13 2010-05-12 华为技术有限公司 Method for implementing authentication by entity authentication centre
CN101052032B (en) * 2006-04-04 2010-05-12 华为技术有限公司 Business entity certifying method and device
CN101192927B (en) * 2006-11-28 2012-07-11 中兴通讯股份有限公司 Authorization based on identity confidentiality and multiple authentication method
KR100843081B1 (en) * 2006-12-06 2008-07-02 삼성전자주식회사 System and method for providing security

Also Published As

Publication number Publication date
CN102905258B (en) 2018-03-13
CN102905258A (en) 2013-01-30

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11864934

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11864934

Country of ref document: EP

Kind code of ref document: A1