WO2015014171A1 - Authentication method, method of generating credentials, and associated device - Google Patents

Authentication method, method of generating credentials, and associated device

Info

Publication number
WO2015014171A1
Authority
WO
WIPO (PCT)
Prior art keywords
credential
bsf
identifier
application server
cgc
Prior art date
Application number
PCT/CN2014/080380
Other languages
French (fr)
Chinese (zh)
Inventor
陈璟
Original Assignee
华为技术有限公司 (Huawei Technologies Co., Ltd.)
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司 (Huawei Technologies Co., Ltd.)
Publication of WO2015014171A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043 Key management, e.g. using generic bootstrapping architecture [GBA], using a trusted network node as an anchor
    • H04W12/0431 Key distribution or pre-distribution; Key agreement

Definitions

  • the present invention relates to the field of communication security technologies, and in particular to an authentication method, a method for generating a credential, and related devices.
Background
  • a Generic Bootstrapping Architecture (GBA) authentication mechanism is specified in 3GPP TS 33.220.
  • UE User Equipment
  • BSF Bootstrapping Server Function
  • Flow: the UE and the BSF share a key Ks and a key identifier B-TID
  • the BSF obtains the authentication vector from the Home Subscriber Server (HSS)/Home Location Register (HLR)
  • HSS Home Subscriber Server
  • HLR Home Location Register
  • NAF Network Application Function
  • the BSF derives the NAF key Ks_NAF1 for the NAF, and the UE side derives the same key Ks_NAF2; the NAF and the UE then verify each other on the basis of Ks_NAF1 and Ks_NAF2 being identical, and decide whether the login authentication passes.
  • in GBA the UE is a device with a Universal Integrated Circuit Card (UICC); however, the user may also need to reach the application server from a device without a UICC card, such as a personal computer (PC) or a tablet (pad).
  • B-TID is base64encoded(RAND)@BSF_servers_domain_name, i.e. 24 case-sensitive characters or digits followed by @BSF_servers_domain_name.
  • Ks_NAF is a 256-bit binary string. Manually entering B-TID/Ks_NAF is very inconvenient for the user.
  • the embodiment of the present invention provides an authentication method, a method for generating a credential, and related devices, which solve the prior-art problem that the login authentication of an application client requesting an application server requires complex user input.
  • an authentication method including:
  • the second credential is generated by the Bootstrapping Server Function (BSF) in the same manner as the credential generating client (CGC) generates the first credential.
  • the method further includes:
  • the application client is instructed to obtain the first credential from the CGC, where the CGC may be installed on the same terminal as the application client or on a different terminal.
  • the searching for the second credential corresponding to the first username includes:
  • the obtaining, from the BSF, of the second credential corresponding to the first username includes:
  • the second credential obtaining request carries a second username, so that the BSF searches for the key and key identifier corresponding to the second username and generates the second credential from the key, the key identifier and the identifier of the application server using a set algorithm, where the second username is associated with the first username, and the key and key identifier are the key Ks and key identifier B-TID shared with the CGC;
  • the second username is an International Mobile Subscriber Identity (IMSI), a Mobile Subscriber International ISDN Number (MSISDN), or an identifier carrying the IMSI or the MSISDN.
  • IMSI International Mobile Subscriber Identity
  • MSISDN Mobile Subscriber International ISDN Number
  • a method for generating a credential including:
  • a first credential is generated, using a set algorithm, from the identifier of the application server, the key Ks shared with the Bootstrapping Server Function (BSF), and the key identifier B-TID. The set algorithm includes:
  • Credential = base64encoded(Trunc48[SHA-256(Ks_NAF)])
  • Credential is the first credential
  • Ks_NAF is derived from Ks and the application server identifier NAF_ID according to the Generic Bootstrapping Architecture (GBA) flow
  • Trunc48 takes the low 48 bits of the 256-bit SHA-256 value; base64encoded is BASE64 encoding.
  • receiving the identifier of the application server that the application client requests to log in to includes:
  • the method further includes:
  • receiving the identifier of the application server that the application client requests to log in to includes:
  • the method further includes:
  • an application server including:
  • a first searching unit configured to, when receiving a login request generated by the application client from the first username and the first credential, search for a second credential corresponding to the first username;
  • a confirmation unit configured to confirm, according to the second credential, whether the application client passes verification; wherein the second credential is generated by the Bootstrapping Server Function (BSF) in the same manner as the credential generating client (CGC) generates the first credential.
  • the application server further includes:
  • an indicating unit configured to, when the login request indicates that the first credential is not valid, instruct the application client to obtain the first credential from the CGC, where the CGC and the application client are installed on the same or on different terminals.
  • the first searching unit includes:
  • a second searching unit configured to locally search for the stored second credential corresponding to the first username
  • the first acquiring unit includes:
  • a first sending unit configured to send the second credential obtaining request to the BSF, where the request carries a second username, so that the BSF searches for the key and key identifier corresponding to the second username and generates the second credential from the key, the key identifier and the identifier of the application server, where the second username is associated with the first username, and where
  • the key and the key identifier are the key Ks and key identifier B-TID shared with the CGC;
  • a second obtaining unit configured to acquire the second credential generated by the BSF.
  • the second username is an International Mobile Subscriber Identity (IMSI), a Mobile Subscriber International ISDN Number (MSISDN), or an identifier carrying the IMSI or the MSISDN.
  • a credential generating client (CGC) including:
  • a first receiving unit configured to receive the identifier of the application server that the application client requests to log in to
  • a first generating unit configured to generate, using a set algorithm, a first credential from the identifier of the application server and the key Ks and key identifier B-TID shared with the Bootstrapping Server Function (BSF), so that the application server performs login verification on the application client according to the second credential corresponding to the first username obtained from the BSF;
  • the second credential is generated by the BSF in the same manner as the first credential.
  • the first generating unit includes:
  • a second generating unit configured to generate the first credential with the following algorithm:
  • Credential = base64encoded(Trunc48[SHA-256(Ks_NAF)])
  • Credential is the first credential
  • Ks_NAF is derived from Ks and the application server identifier NAF_ID according to the Generic Bootstrapping Architecture (GBA) flow
  • Trunc48 takes the low 48 bits of the 256-bit SHA-256 value; base64encoded is BASE64 encoding.
  • the first receiving unit includes:
  • a second receiving unit configured to receive the identifier of the application server input by the user; and the CGC further includes:
  • an output unit configured to output the first credential to the user.
  • the first receiving unit includes:
  • a third receiving unit configured to receive a credential obtaining request from the application client, where the credential obtaining request includes the identifier of the application server;
  • the CGC further includes:
  • a second sending unit configured to send the first credential to the application client.
  • the user can, on any terminal, input an easy-to-remember username together with an easy-to-enter credential that the CGC and the BSF generate in the same way, and complete login authentication with the application server using that username and credential. This avoids entering complex usernames and credentials and simplifies the login process.
  • FIG. 1 is a schematic diagram of the Generic Bootstrapping Architecture (GBA) in the prior art
  • FIG. 2 is a flow chart of an embodiment of an authentication method according to the present invention.
  • FIG. 3 is a flow chart of another embodiment, a further refinement of the embodiment of the authentication method shown in FIG. 2;
  • FIG. 4 is a flow chart of an embodiment of a method for generating a credential according to the present invention.
  • FIG. 5 is a flow chart of another embodiment, a further refinement of the embodiment of the method for generating a credential shown in FIG. 4;
  • FIG. 6 is a flow chart of still another embodiment, a further refinement of the embodiment of the method for generating a credential shown in FIG. 4;
  • FIG. 7 is a schematic structural diagram of an embodiment of an application server according to the present invention.
  • FIG. 8 is a block diagram of another embodiment, a further refinement of the embodiment of the application server shown in FIG. 7;
  • FIG. 9 is a schematic structural diagram of an embodiment of a credential generating client (CGC) according to the present invention.
  • FIG. 10 is a schematic structural diagram of another embodiment, a further refinement of the embodiment of the CGC shown in FIG. 9;
  • FIG. 11 is a block diagram of still another embodiment, a further refinement of the embodiment of the CGC shown in FIG. 9.
Detailed description
  • FIG. 2 is a flow chart of one embodiment of an authentication method of the present invention. As shown in FIG. 2, the method includes the following steps:
  • Step S101: When receiving a login request generated by the application client from the first username and the first credential, search for a second credential corresponding to the first username, where the second credential is generated by the Bootstrapping Server Function (BSF) in the same manner as the credential generating client (CGC) generates the first credential.
  • the application client in the embodiment of the present invention is installed on a terminal, and the terminal may be a device with a UICC card, such as a mobile terminal, or a device without a UICC card, such as a PC or a pad.
  • the application client includes OTT (Over The Top) application clients such as Weibo and WeChat. It should be noted that a browser is also an application client.
  • when the user wants to log in to the application server on the application client, the user inputs the first username on the application client; the first username may be the user's mobile phone number or the account the user registered on the application server.
  • the user also inputs the first credential, which is generated by a credential generating client (CGC) set up on the terminal of the application client or on another terminal.
  • CGC credential generating client
  • the first username may be a user-defined, easy-to-remember name
  • the first credential is likewise a credential that the CGC has processed with a specific algorithm so that it is easy for the user to remember and enter.
  • the application client logs in to the application server with the login request generated from the first credential and the first username, according to the authentication protocol between the application client and the application server.
  • the login request is parsed, the first username is obtained, the first credential is obtained according to the first username, and then the second credential corresponding to the first username is searched for. If the user has logged in to the application server before, the application server may have stored the second credential locally, so the second credential generated by the BSF for the first username may be found locally; if it is not stored locally, a second credential corresponding to the first username is obtained from the BSF.
  • the present invention can use the CGC on any terminal, as long as it is a CGC that generates a first credential corresponding to the first username.
  • the BSF first runs the GBA process with the CGC, negotiating the same B-TID and Ks, and stores the Ks under the first username or another identifier associated with the first username. Then, when the application server sends a second credential obtaining request carrying the application server identifier NAF_ID, the BSF looks up the corresponding Ks by the first username (or associated identifier) in the request and generates the second credential with the same algorithm the CGC uses to generate the first credential.
  • Step S102: Confirm, according to the second credential, whether the application client passes verification. The first credential and the second credential are compared; if they are identical, verification succeeds, the application client is allowed to log in, and a login success message is returned to the application client. Otherwise verification fails, the application client is not allowed to log in, and a login failure message is returned to the application client.
  • with this authentication method, when an application client requests to log in to an application server, the user may input an easy-to-remember username and an easy-to-enter credential that the CGC and the BSF generate in the same way, on any terminal, and complete login authentication with the application server using that username and credential. This avoids entering complex usernames and credentials and simplifies the login process.
  • FIG. 3 is a flow chart of another embodiment of a further refinement of an embodiment of an authentication method of the present invention shown in FIG. 2. As shown in FIG. 3, the method includes the following steps:
  • Step S201 Receive a first login request of an application client.
  • the terminal where the application client is located may be a device without a UICC card or a Universal Subscriber Identity Module (USIM), such as a PC or a pad. Such a terminal cannot perform communication authentication with the BSF through the UICC card and cannot share the same B-TID and Ks with the BSF.
  • a terminal with a UICC card can then be used to obtain, through the CGC on it, the first credential corresponding to the first username.
  • the terminal may also be a device with a UICC card or a USIM card, in which case the application client may directly send a first credential obtaining request to the CGC on the terminal.
  • if the application client can obtain a valid first credential from the terminal, it generates the login request from the first username and the first credential; otherwise it generates the login request from the first username alone and carries an indication in the login request that the application client does not have a valid first credential.
  • the first username is input by the user on the application client; it may be the user's mobile phone number or an account registered by the user on the application server, i.e. a user-defined, easy-to-remember name.
  • Step S202: Determine whether the first login request carries an indication that the application client does not have a valid first credential. If no indication is carried, go to step S205 and continue the login authentication process; otherwise go to step S203.
  • Step S203: Send a response message to the application client stating that the first credential is invalid, where the response message instructs the application client to obtain the first credential from the credential generating client (CGC).
  • because the login request carries no valid first credential, the login confirmation process cannot continue. The response message that the first credential is invalid instructs or prompts the application client to obtain the first credential from the CGC. For example, the user is instructed to input the identifier of the application server, such as the NAF_ID, on the CGC of the mobile terminal into which the UICC card is inserted; the application server or the BSF may additionally send information about the application client, the terminal and the application server to the user's UICC mobile terminal, e.g. by short message, to prompt the user that he is trying to access an application server.
  • once the CGC knows the NAF_ID, it generates the first credential from the B-TID and Ks it shares with the BSF and the NAF_ID, using the algorithm agreed with the BSF. If there is no valid Ks or B-TID on the CGC, the CGC first performs the GBA process with the BSF to obtain a valid Ks and B-TID.
  • Step S204 Receive a second login request of the application client.
  • after obtaining the first credential corresponding to the first username from the terminal with the UICC card, the user inputs the first credential on the application client, which regenerates the login request from the first username and the first credential and resends it to the application server. The application server receives the resent login request.
  • Step S205 determining whether a second credential corresponding to the first username is stored locally, and if yes, proceeding to step S206; otherwise, proceeding to step S207.
  • Step S206 Acquire a locally stored second credential corresponding to the first username.
  • the application server may locally store the second credential obtained from the BSF for verifying the user's login requests; it may also store the credentials of many users, indexed by user identifier. It therefore needs to look up the second credential corresponding to the first username by that username. If no second credential for the first username is stored locally, go to step S207 and obtain the second credential from the BSF again.
  • Step S207: Send the second credential obtaining request to the BSF, where the request carries a second username associated with the first username.
  • Step S208 Acquire the second credential generated by the BSF.
  • the first username carried in the login request received from the application client is converted into a second username that the BSF can identify, such as the International Mobile Subscriber Identity (IMSI) or the Mobile Subscriber International ISDN/PSTN number (MSISDN), or an identifier carrying the IMSI or MSISDN.
  • IMSI International Mobile Subscriber Identity
  • MSISDN Mobile Subscriber International ISDN/PSTN number
  • this second username is used to look up Ks and B-TID on the BSF.
  • the application server sends the second credential obtaining request to the BSF. The BSF first looks up the Ks corresponding to the second username, where the Ks is shared between the BSF and the CGC that generates the first credential by running the GBA process. It then generates the second credential from the Ks, the B-TID and the NAF_ID of the application server that sent the request, using the algorithm agreed with the CGC, and returns it to the application server.
  • the method of generating a credential is:
  • Ks_NAF = KDF(Ks, NAF_ID);
  • Credential = base64encoded(Trunc48[SHA-256(Ks_NAF)])
  • the CGC first derives Ks_NAF according to the method in TS 33.220, then computes the SHA-256 value of Ks_NAF,
  • takes the low 48 bits of the 256-bit SHA-256 value and BASE64-encodes them; the final output is 8 case-sensitive characters (48 bits encode to exactly 8 BASE64 characters with no padding).
  • the generated credential is thus easy for the user to enter.
  • Step S209: Confirm, according to the second credential, whether the application client passes verification. If yes, go to step S210; otherwise go to step S211.
  • Step S210: Return a login success message to the application client.
  • Step S211: Return a login failure message to the application client.
  • if the first and second credentials match, a login success message is returned to the application client; if verification fails, a login failure message is returned.
  • with this authentication method, when an application client requests to log in to an application server, the user may input an easy-to-remember username and an easy-to-enter credential that the CGC and the BSF generate in the same way, on any terminal, and complete login authentication with the application server using that username and credential. This avoids entering complex usernames and credentials and simplifies the login process.
  • the embodiment of the method for generating a credential shown in FIG. 4 includes the following steps:
  • Step S301: Receive the identifier of the application server that the application client requests to log in to.
  • the application client in the embodiment of the present invention is installed on a terminal, and the terminal may be a device with a UICC card, such as a mobile terminal, or a device without a UICC card, such as a PC or a pad. The application client includes OTT (Over The Top) application clients such as Weibo; a browser is also an application client.
  • OTT Over The Top
  • when the application client requests to log in to an application server, the CGC receives the identifier NAF_ID of the application server, either sent by the application client or input directly by the user.
  • Step S302: Using a set algorithm, generate a first credential from the identifier of the application server, the key Ks shared with the Bootstrapping Server Function (BSF), and the key identifier B-TID, so that the application server performs login verification on the application client according to the second credential corresponding to the first username obtained from the BSF; the second credential is generated by the BSF in the same manner as the first credential.
  • when the user wants to log in to the application server on the application client, the user inputs the first username on the application client; the first username may be the user's mobile phone number or the account the user registered on the application server.
  • the user also inputs the first credential, which is generated by the CGC set up on the terminal where the application client is located or on another terminal.
  • the first username may be a user-defined, easy-to-remember name
  • the first credential is likewise a credential that the CGC has processed with a specific algorithm so that it is easy for the user to remember and enter.
  • the application client requests authentication from the application server with the login request generated from the first username and the first credential.
  • when the terminal where the application client is located is a device without a UICC card or USIM, such as a PC or a pad, it cannot communicate with the BSF through the UICC card and cannot share the same B-TID and Ks with the BSF; although that terminal has no CGC, the first credential corresponding to the first username can be obtained through the CGC on another terminal that has a UICC card.
  • the terminal may also be a device with a UICC card or a USIM card, in which case the application client may directly send a first credential obtaining request to the CGC on the terminal.
  • the CGC first performs the GBA process with the BSF to obtain the shared B-TID and Ks; then, based on the received NAF_ID, it generates the first credential using the algorithm agreed with the BSF.
  • the method of generating a credential is:
  • Ks_NAF = KDF(Ks, NAF_ID);
  • Credential = base64encoded(Trunc48[SHA-256(Ks_NAF)])
  • when the BSF performs the GBA process with the CGC, it stores the Ks and B-TID under the first username associated with the first credential, or under another identifier associated with the first username.
  • when the application server receives the login request of the application client, it obtains the first username from the login request and sends a second credential obtaining request to the BSF according to that username. The BSF finds the corresponding Ks by the first username (or the other identifier associated with it) carried in the request, generates the second credential in the same manner as the CGC generates the first credential, and returns it to the application server so that the application server can verify the login request.
  • in this embodiment the CGC generates the credential for any application server in the same manner as the BSF, can provide that credential to the application client on any terminal, and the generated credential is convenient for the user to input.
  • Figure 5 is a flow diagram of another embodiment of a further refinement of an embodiment of the method of generating a credential of the present invention illustrated in Figure 4. As shown in FIG. 5, the method includes the following steps:
  • Step S401 Receive an identifier of an application server that the application client input by the user requests to log in.
  • when the terminal where the application client is located is a device without a UICC card or USIM, such as a PC or a pad, it cannot perform communication authentication with the BSF through the UICC card, has no CGC, and cannot share the same B-TID and Ks with the BSF; although that terminal has no CGC, the first credential corresponding to the first username can be obtained through the CGC on another terminal that has a UICC card.
  • the identifier may be input manually, or the NAF_IDs of multiple application servers may be preset on the CGC so that the user selects the corresponding application server.
  • Step S402: Using the set algorithm, generate a first credential from the identifier of the application server, the key Ks shared with the Bootstrapping Server Function (BSF), and the key identifier B-TID, so that the application server performs login verification on the application client according to the first credential and the second credential corresponding to the first username obtained from the BSF; the second credential is generated by the BSF in the same manner as the first credential.
  • Step S402 is the same as step S302 of the foregoing embodiment, and details are not described herein again.
  • Step S403 outputting the first credential to the user.
  • the CGC generates a first credential according to the B-TID, the Ks, and the NAF_ID, and displays the first credential on the terminal screen to the user, so that the user inputs the first credential into the application client of the other terminal, to And causing the application client to generate a login request according to the first credential and the first username, and sending the login request to the application server to request verification.
  • in this embodiment the CGC generates the credential for any application server in the same manner as the BSF, so that an application client on a terminal that cannot execute the GBA process can still log in to the application server with the credential, and the generated credential is convenient for user input.
  • Figure 6 is a flow diagram of still another embodiment of a further refinement of an embodiment of the method of generating a credential of the present invention illustrated in Figure 4. As shown in Figure 6, the method includes the following steps:
  • Step S501 Receive a credential obtaining request of an application client, where the credential obtaining request includes an identifier of an application server that the application client requests to log in.
  • the terminal where the application client is located is a device with a UICC card or a USIM card, and the GBA process can be executed with the BSF. Therefore, the credential acquisition request sent by the application client of the terminal directly includes the identifier of the application server that the application client requests to log in.
  • Step S502: Using a set algorithm, generate a first credential from the identifier of the application server, the key Ks shared with the Bootstrapping Server Function (BSF), and the key identifier B-TID, so that the application server performs login verification on the application client according to the second credential corresponding to the first username obtained from the BSF; the second credential is generated by the BSF in the same manner as the first credential.
  • Step S502 is the same as step S302 of the foregoing embodiment, and details are not described herein again.
  • Step S503 Send the first credential to the application client.
  • after generating the first credential from the B-TID, the Ks and the NAF_ID, the CGC sends the first credential directly to the application client, so that the application client generates the login request from the first credential and the first username and sends it to the application server to request authentication.
  • in this embodiment the credential obtaining request of the application client on the same terminal is received directly, the credential for any application server is generated in the same manner as the BSF, and the user does not need to input the credential at all.
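  • The following is an added example, written for this page and not code from the patent or from Huawei, that simulates the three parties end to end: the CGC bootstrapping with the BSF and generating the first credential (the procedures of FIG. 4 to FIG. 6), and the application server handling the login request, the "no valid credential" indication, the local second-credential store and the fallback fetch from the BSF (steps S201 to S211 of FIG. 3). Assumptions: the GBA KDF is modelled as HMAC-SHA-256 keyed with Ks over NAF_ID (the page only writes KDF(Ks, NAF_ID); the TS 33.220 Annex B KDF additionally binds RAND, IMPI and the string "gba-me"), "low 48 bits" is read as the last six bytes of the big-endian SHA-256 digest, the HSS/authentication-vector exchange is collapsed into a random Ks, and the BSF domain bsf.example.net, NAF_ID app.example.com, username alice and IMSI 460001234567890 are constructed.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed example of the GBA-based credential scheme described on this page.
# Assumed: HMAC-SHA-256 stands in for the TS 33.220 KDF; "low 48 bits" = last 6 bytes.
BSF_DOMAIN = "bsf.example.net"   # assumed BSF server domain name


def ks_naf(ks: bytes, naf_id: bytes) -> bytes:
    """Ks_NAF = KDF(Ks, NAF_ID), with HMAC-SHA-256 modelling the GBA KDF (assumption)."""
    return hmac.new(ks, naf_id, hashlib.sha256).digest()


def credential(ks: bytes, naf_id: bytes) -> str:
    """Credential = base64encoded(Trunc48[SHA-256(Ks_NAF)]): 48 bits -> 8 chars, no padding."""
    digest = hashlib.sha256(ks_naf(ks, naf_id)).digest()
    return base64.b64encode(digest[-6:]).decode("ascii")


class BSF:
    """Bootstrapping Server Function: keeps (B-TID, Ks) per subscriber, derives the second credential."""

    def __init__(self):
        self.ks_by_imsi = {}   # second username (IMSI) -> (B-TID, Ks)

    def bootstrap(self, imsi: str):
        """Simplified GBA run: fresh RAND and Ks; B-TID = base64encoded(RAND)@BSF domain."""
        rand = secrets.token_bytes(16)
        btid = base64.b64encode(rand).decode("ascii") + "@" + BSF_DOMAIN   # 24 chars @ domain
        ks = secrets.token_bytes(32)
        self.ks_by_imsi[imsi] = (btid, ks)
        return btid, ks

    def second_credential(self, imsi: str, naf_id: str):
        """Answer the application server's request; None when no Ks is held for that IMSI."""
        entry = self.ks_by_imsi.get(imsi)
        if entry is None:
            return None
        return credential(entry[1], naf_id.encode())


class CGC:
    """Credential generating client on the terminal holding the UICC."""

    def __init__(self, bsf: BSF, imsi: str):
        self.bsf, self.imsi, self.btid, self.ks = bsf, imsi, None, None

    def first_credential(self, naf_id: str) -> str:
        if self.ks is None:   # no valid Ks/B-TID yet: run the GBA process first
            self.btid, self.ks = self.bsf.bootstrap(self.imsi)
        return credential(self.ks, naf_id.encode())


class ApplicationServer:
    """NAF side: steps S201..S211 with a local store of second credentials."""

    def __init__(self, naf_id: str, bsf: BSF, username_to_imsi: dict):
        self.naf_id, self.bsf = naf_id, bsf
        self.username_to_imsi = username_to_imsi   # first username -> second username
        self.cache = {}                             # locally stored second credentials

    def login(self, username: str, first_credential):
        """Returns 'NEED_CREDENTIAL' (S203), 'OK' (S210) or 'FAIL' (S211)."""
        if first_credential is None:           # S202: request carries the "no valid credential" indication
            return "NEED_CREDENTIAL"
        second = self.cache.get(username)      # S205/S206: local lookup
        if second is None:                     # S207/S208: fetch from the BSF by the second username
            imsi = self.username_to_imsi.get(username)
            second = self.bsf.second_credential(imsi, self.naf_id) if imsi else None
            if second is None:
                return "FAIL"
            self.cache[username] = second
        # S209: constant-time comparison so response timing does not leak matching prefixes
        return "OK" if hmac.compare_digest(first_credential, second) else "FAIL"


def demo():
    """Full exchange: PC client without credential, then with the CGC-generated one, then a wrong one."""
    bsf = BSF()
    server = ApplicationServer("app.example.com", bsf, {"alice": "460001234567890"})
    cgc = CGC(bsf, "460001234567890")
    outcomes = [server.login("alice", None)]            # PC has no UICC and no credential yet
    cred = cgc.first_credential("app.example.com")      # user reads the 8 characters off the phone
    outcomes.append(server.login("alice", cred))
    outcomes.append(server.login("alice", "AAAAAAAA"))  # wrong credential
    return cred, outcomes


if __name__ == "__main__":
    print(demo())
```

  • Two points worth noting when running it. The second credential is only as fresh as the Ks it was derived from: the store in login is never invalidated, so after the CGC runs a new GBA bootstrap the cached value no longer matches, and a deployment would refetch from the BSF on mismatch or bound entries to the Ks lifetime. And because the credential is a 48-bit value that stays constant for that lifetime, the comparison is done with hmac.compare_digest rather than ==.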
  • FIG. 7 is a schematic structural diagram of an embodiment of an application server according to the present invention.
  • The application server 1000 includes a first searching unit 11, configured to search, when a login request generated by the application client from a first username and a first credential is received, for a second credential corresponding to the first username, where the second credential is generated by the bootstrapping function (BSF) in the same way as the credential generation client (CGC) generates the first credential.
  • The application client in the embodiments of the present invention is installed on a terminal; the terminal may be a device with a UICC card, such as a mobile terminal, or a device without a UICC card, such as a PC or tablet.
  • Application clients include OTT (Over The Top) application clients such as Weibo and WeChat. It should be noted that a browser is also an application client.
  • When the user wants to log in to the application server from the application client, the user enters the first username on the application client. The first username may be the user's mobile phone number or the account the user registered on the application server, and may also be a user-defined, easy-to-remember name.
  • The user also enters the first credential, which is generated by a credential generation client (CGC) installed on the terminal of the application client or on another terminal. The first credential is likewise a credential that the CGC has processed with a specific algorithm so that it is easy for the user to remember.
  • The application client sends the application server a login request generated from the first username and the first credential, according to the authentication protocol agreed between the application client and the application server.
  • On receiving the login request, the application server parses it, obtains the first username and the first credential, and the first searching unit 11 then searches for the second credential corresponding to the first username. If the user has logged in to the application server before, the application server may have stored the second credential locally, so the second credential generated by the BSF for the first username may be found locally; if nothing is stored locally, the second credential corresponding to the first username is obtained from the BSF.
  • The CGC on any terminal may be used, as long as it is the CGC that generated the first credential corresponding to the first username.
  • The BSF first runs the GBA procedure with that CGC and negotiates the same B-TID and Ks, and stores Ks under the first username or another identifier associated with the first username. Then, from the identifier of the application server (NAF_ID) that sent the credential acquisition request, and from the first username or associated identifier carried in the request, the BSF looks up the corresponding Ks and generates the second credential with the same algorithm the CGC used to generate the first credential.
  • The BSF sends the generated second credential to the application server. Using a specific algorithm ensures that the generated credential is also easy for the user to enter.
  • The confirming unit 12 is configured to confirm, according to the second credential, whether the application client passes verification. It compares the first credential with the second credential: if they match, the confirming unit 12 confirms that verification succeeded, allows the application client to log in and returns a login success message to the application client; otherwise it confirms that verification failed, refuses the login and returns a login failure message to the application client.
  • With the application server of this embodiment, when an application client requests to log in, the user may enter an easy-to-remember username and an easy-to-enter credential generated by the CGC on any terminal in the same way as by the BSF; login authentication to the application server is completed with this username and credential, so the user does not have to enter a complicated username and credential, which simplifies the login process.
  • Figure 8 is a block diagram of another embodiment refining the application server of Figure 7. As shown in FIG. 8, the application server 2000 includes:
  • an indicating unit 21, configured to instruct the application client, when the login request indicates that it has no valid first credential, to obtain the first credential from the CGC, where the CGC is installed on the same terminal as the application client or on a different one.
  • The terminal on which the application client is located may be a device without a UICC card or Universal Subscriber Identity Module (USIM), such as a PC or tablet. Such a terminal cannot authenticate to the BSF through a UICC card and cannot share the same B-TID and Ks with the BSF.
  • In that case a terminal that does have a UICC card can be used, and the CGC on it obtains the first credential corresponding to the first username.
  • The terminal may also be a device with a UICC card or USIM card, in which case the application client may send the first-credential acquisition request directly to the CGC on that terminal.
  • If the application client can obtain a valid first credential from its terminal, it generates the login request from the first username and the first credential; otherwise it generates the login request from the first username alone and carries an indication in the login request that it has no valid first credential.
  • The first username is entered by the user on the application client; it may be the user's mobile phone number, an account registered by the user on the application server, or a user-defined, easy-to-remember name.
  • If the login request does not carry the indication that there is no valid first credential, the application client has a valid first credential and login authentication continues; if the login request indicates that there is no valid first credential, the indicating unit 21 instructs the application client to obtain the first credential from the CGC.
  • Specifically, the indicating unit 21 sends the application client a response message stating that the first credential is invalid, in which the application client is instructed or prompted to obtain the first credential from the CGC.
  • The user is instructed to enter the identifier of the application server, such as its NAF_ID, on the CGC of the mobile terminal in which the UICC card is inserted. The application server or the BSF may also send information about the application client, terminal and application server concerned to the user's UICC-equipped mobile terminal, by short message or similar, to tell the user that a login to that application server is being attempted.
  • Knowing the NAF_ID, the CGC generates the first credential from the B-TID and Ks it shares with the BSF and the NAF_ID, using the algorithm agreed with the BSF. If the CGC has no valid Ks or B-TID, it first runs the GBA procedure with the BSF to generate a valid Ks and B-TID.
  • After obtaining the first credential corresponding to the first username from the terminal with the UICC card, the user enters it on the application client, which regenerates the login request from the first username and the first credential and resends it to the application server. The application server receives the resent login request.
  • The first searching unit 22 is configured to search for a second credential corresponding to the first username when a login request generated by the application client from the first username and the first credential is received.
  • The first searching unit 22 includes a second searching unit 221 and a first acquiring unit 222.
  • The second searching unit 221 is configured to search locally for a stored second credential corresponding to the first username.
  • The first acquiring unit 222 is configured to obtain from the BSF the second credential corresponding to the first username.
  • The application server may store locally the second credential obtained from the BSF, for verifying the user's later login requests, and may store the credentials of multiple users classified by user identifier. The second searching unit 221 therefore searches for and obtains the second credential corresponding to the first username according to the first username. If no second credential corresponding to the first username is stored locally, the first acquiring unit 222 obtains it from the BSF.
  • The first acquiring unit 222 further includes a first sending unit 00 and a second acquiring unit 01. The first sending unit 00 is configured to send the BSF a request to obtain the second credential, the request carrying a second username, so that the BSF looks up the key and key identifier corresponding to the second username and generates the second credential from the key, the key identifier and the identifier of the application server using a set algorithm; the second username is associated with the first username, and the key and key identifier are the key Ks and key identifier B-TID shared with the CGC.
  • The second acquiring unit 01 is configured to obtain the second credential generated by the BSF.
  • Because the BSF only recognises an IMSI or MSISDN, the first username carried in the login request received from the application client is converted into a second username the BSF can recognise: an International Mobile Subscriber Identity (IMSI), a Mobile Subscriber International ISDN/PSTN Number (MSISDN), or an identifier containing the IMSI or MSISDN. This second username is used to look up Ks and B-TID on the BSF.
  • The application server sends the second-credential acquisition request to the BSF. The BSF first looks up the Ks corresponding to the second username; this Ks is the one the BSF shares, by running the GBA procedure, with the CGC that generated the first credential. The BSF then generates the second credential from Ks, the B-TID and the NAF_ID of the application server that sent the request, using the algorithm agreed with the CGC, and returns it to the application server.
  • One method of generating the credential is:
  • Ks_NAF = KDF(Ks, NAF_ID);
  • Credential = base64encoded{Trunc48[SHA-256(Ks_NAF || B-TID)]}.
  • The CGC first generates Ks_NAF as specified in TS 33.220, then computes the SHA-256 value of Ks_NAF concatenated with the B-TID, truncates the 256-bit SHA-256 value to its low 48 bits and BASE64-encodes them; the final output is 8 case-sensitive letters or digits.
  • The credential generated in this way is easy for the user to enter.
  • The confirming unit 23 is configured to confirm, according to the second credential, whether the application client passes verification.
  • If verification succeeds, a login success message is returned to the application client; if it fails, a login failure message is returned to the application client.
  • With the application server of this embodiment, when an application client requests to log in, the user may enter an easy-to-remember username and an easy-to-enter credential generated by the CGC on any terminal in the same way as by the BSF; login authentication to the application server is completed with this username and credential, so the user does not have to enter a complicated username and credential, which simplifies the login process.
  • FIG. 9 is a schematic structural diagram of an embodiment of a credential generation client (CGC) according to the present invention. As shown in Figure 9, the CGC 3000 includes:
  • a first receiving unit 31, configured to receive the identifier of the application server that the application client requests to log in to.
  • The application client in the embodiments of the present invention is installed on a terminal, which may be a device with a UICC card, such as a mobile terminal, or a device without a UICC card, such as a PC or tablet. Application clients include OTT (Over The Top) application clients such as Weibo and WeChat; it should be noted that a browser is also an application client.
  • The first receiving unit 31 receives the identifier NAF_ID of the application server, either sent by the application client or entered directly by the user.
  • a first generating unit 32, configured to generate, using a set algorithm, a first credential from the identifier of the application server, the key Ks shared with the bootstrapping function (BSF) and the key identifier B-TID, so that the application server verifies the login of the application client against the second credential, corresponding to the first username, obtained from the BSF; the BSF generates the second credential in the same way as the first credential is generated.
  • When the user wants to log in to the application server from the application client, the user enters the first username on the application client; it may be the user's mobile phone number, the account the user registered on the application server, or a user-defined, easy-to-remember name.
  • The user also enters the first credential, generated by the CGC on the terminal of the application client or on another terminal; it is a credential that the CGC has processed with a specific algorithm so that it is easy for the user to remember.
  • The application client requests authentication from the application server with a login request generated from the first username and the first credential.
  • If the terminal on which the application client is located is a device without a UICC card or USIM, such as a PC or tablet, it cannot communicate with the BSF through a UICC card and cannot share the same B-TID and Ks with the BSF. Although such a terminal has no B-TID and Ks of its own, the first credential corresponding to the first username can be obtained through the CGC on another terminal that has a UICC card.
  • The terminal may also be a device with a UICC card or USIM card, in which case the application client may send the first-credential acquisition request directly to the CGC on that terminal.
  • One method of generating the credential is:
  • Ks_NAF = KDF(Ks, NAF_ID);
  • Credential = base64encoded{Trunc48[SHA-256(Ks_NAF || B-TID)]}.
  • The CGC first generates Ks_NAF as specified in TS 33.220, then computes the SHA-256 value of Ks_NAF concatenated with the B-TID, truncates the 256-bit SHA-256 value to its low 48 bits and BASE64-encodes them; the final output is 8 case-sensitive letters or digits.
  • The credential generated in this way is easy for the user to enter.
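  • The derivation above (also stated for the Figure 8 application server and in the summary of the invention) and the lookup flow of Figures 7 and 8, as an added worked example that is not part of the patent and not Huawei's code. It assumes a concrete Ks_NAF KDF modelled on TS 33.220 Annex B (HMAC-SHA-256 with the "gba-me" label; the exact parameter encoding is an assumption), takes the "low 48 bits" of SHA-256 as the last 6 bytes of the digest, and uses the IMPI string as the BSF-recognisable second username; the NAF_ID values, usernames and the IMPI are constructed sample data.

```python
"""Credential = base64encoded{Trunc48[SHA-256(Ks_NAF || B-TID)]} on both the CGC and
the BSF side, plus the application server's local-cache-then-BSF lookup (added example)."""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional


def gba_kdf(ks: bytes, rand: bytes, impi: str, naf_id: bytes) -> bytes:
    """Ks_NAF = KDF(Ks, NAF_ID). Modelled on the TS 33.220 Annex B KDF; the exact
    encoding (HMAC-SHA-256 over FC || P0 || L0 || ... with P0 = "gba-me") is assumed."""
    def param(p: bytes) -> bytes:
        return p + len(p).to_bytes(2, "big")  # Pi || Li, Li = 2-byte length of Pi
    s = b"\x01" + param(b"gba-me") + param(rand) + param(impi.encode()) + param(naf_id)
    return hmac.new(ks, s, hashlib.sha256).digest()


def make_credential(ks_naf: bytes, b_tid: str) -> str:
    """Low 48 bits of SHA-256(Ks_NAF || B-TID), taken as the last 6 digest bytes
    (assumption), base64-encoded: 6 bytes give exactly 8 characters, no padding."""
    digest = hashlib.sha256(ks_naf + b_tid.encode()).digest()
    return base64.b64encode(digest[-6:]).decode()


class BootstrapContext:
    """Outcome of one GBA run, shared by the CGC on the UICC terminal and the BSF."""

    def __init__(self, impi: str, bsf_domain: str):
        self.impi = impi              # stands in for the IMSI/MSISDN-based second username
        self.rand = os.urandom(16)
        self.ks = os.urandom(32)
        # B-TID = base64encoded(RAND)@BSF_servers_domain_name (TS 33.220)
        self.b_tid = base64.b64encode(self.rand).decode() + "@" + bsf_domain


class CGC:
    """Credential generation client: derives the first credential for a NAF_ID."""

    def __init__(self, ctx: BootstrapContext):
        self.ctx = ctx

    def first_credential(self, naf_id: bytes) -> str:
        ks_naf = gba_kdf(self.ctx.ks, self.ctx.rand, self.ctx.impi, naf_id)
        return make_credential(ks_naf, self.ctx.b_tid)


class BSF:
    """Stores Ks/B-TID per second username and derives the second credential the same way."""

    def __init__(self) -> None:
        self.by_username: Dict[str, BootstrapContext] = {}

    def register(self, ctx: BootstrapContext) -> None:
        self.by_username[ctx.impi] = ctx

    def second_credential(self, second_username: str, naf_id: bytes) -> Optional[str]:
        ctx = self.by_username.get(second_username)
        if ctx is None:
            return None
        ks_naf = gba_kdf(ctx.ks, ctx.rand, ctx.impi, naf_id)
        return make_credential(ks_naf, ctx.b_tid)


class NAF:
    """Application server: local cache first (unit 221), then the BSF (unit 222)."""

    def __init__(self, naf_id: bytes, bsf: BSF, username_map: Dict[str, str]):
        self.naf_id = naf_id
        self.bsf = bsf
        self.username_map = username_map   # first username -> second username
        self.cache: Dict[str, str] = {}

    def second_credential(self, first_username: str) -> Optional[str]:
        if first_username in self.cache:
            return self.cache[first_username]
        second = self.username_map.get(first_username)
        cred = self.bsf.second_credential(second, self.naf_id) if second else None
        if cred is not None:
            self.cache[first_username] = cred
        return cred

    def handle_login(self, first_username: str, first_credential: Optional[str]) -> str:
        """Figure 8 flow: a request without a valid first credential is answered with an
        instruction to fetch one from the CGC; otherwise compare in constant time."""
        if not first_credential:
            return "OBTAIN_CREDENTIAL_FROM_CGC"
        expected = self.second_credential(first_username)
        if expected is None:
            return "LOGIN_FAILED"
        ok = hmac.compare_digest(first_credential.encode(), expected.encode())
        return "LOGIN_OK" if ok else "LOGIN_FAILED"


def demo() -> dict:
    """Constructed scenario: one bootstrapped subscriber, one NAF, several login attempts."""
    bsf = BSF()
    ctx = BootstrapContext(impi="460001234567890@ims.example", bsf_domain="bsf.example")
    bsf.register(ctx)
    cgc = CGC(ctx)
    naf = NAF(b"weibo.example", bsf, {"alice": ctx.impi})
    cred = cgc.first_credential(naf.naf_id)
    return {
        "cgc_credential": cred,
        "bsf_credential": bsf.second_credential(ctx.impi, naf.naf_id),
        "no_credential": naf.handle_login("alice", None),
        "login": naf.handle_login("alice", cred),
        "cached": "alice" in naf.cache,
        "wrong_credential": naf.handle_login("alice", "AAAAAAAA"),
        "unknown_user": naf.handle_login("bob", cred),
        "other_naf_differs": cgc.first_credential(b"wechat.example") != cred,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

  • Two points the example makes visible. The standard base64 alphabet also contains "+" and "/", so the output is "8 case-sensitive characters" rather than strictly letters or digits unless a URL-safe alphabet is chosen on both sides. And the credential is a static 48-bit value that stays valid for the lifetime of the bootstrapped Ks and is cached in clear on the application server, so an implementation should rate-limit login attempts and protect the cache as it would a password store.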
  • When the BSF runs the GBA procedure with the CGC, it stores the resulting Ks and B-TID under the first username associated with the first credential, or under another identifier associated with the first username.
  • When the application server receives the login request of the application client, it obtains the first username from the login request and sends the BSF a second-credential acquisition request carrying the first username or the other identifier associated with it; the BSF finds the corresponding Ks, generates the second credential in the same way as the CGC generates the first credential, and returns it to the application server, which verifies the login request against it.
  • The CGC of this embodiment generates a credential for any server in the same way as the BSF, so that the application client on any terminal can be provided with a credential for logging in to the application server, and the generated credential is convenient for the user to enter.
  • Figure 10 is a block diagram of another embodiment refining the CGC of Figure 9. As shown in Figure 10, the CGC 4000 includes:
  • a second receiving unit 41, configured to receive the identifier, entered by the user, of the application server that the application client requests to log in to.
  • Here the terminal on which the application client is located is a device without a UICC card or USIM, such as a PC or tablet, so it cannot authenticate to the BSF through a UICC card, has no CGC of its own, and cannot share the same B-TID and Ks with the BSF. Although the terminal has no CGC, the first credential corresponding to the first username can be obtained through the CGC on another terminal that has a UICC card.
  • The identifier may be entered manually, or the NAF_IDs of several application servers may be preset on the CGC so that the user selects the corresponding application server.
  • a first generating unit 42, configured to generate, using a set algorithm, a first credential from the identifier of the application server and the key Ks and key identifier B-TID shared with the bootstrapping function (BSF), so that the application server verifies the login of the application client against the second credential, corresponding to the first username, obtained from the BSF; the BSF generates the second credential in the same way as the first credential is generated.
  • The function of the first generating unit 42 is the same as that of the first generating unit 32 of the foregoing embodiment and is not described again here.
  • an output unit 43, configured to output the first credential to the user.
  • The CGC generates the first credential from the B-TID, Ks and NAF_ID and displays it on the terminal screen, so that the user can enter it into the application client on the other terminal, which generates a login request from the first credential and the first username and sends it to the application server for verification.
  • The CGC of this embodiment generates a credential for any server in the same way as the BSF, so that the application client on a terminal that cannot run the GBA procedure can be provided with a credential for logging in to the application server, and the generated credential is convenient for the user to enter.
  • Figure 11 is a block diagram of still another embodiment refining the CGC of Figure 9.
  • The CGC 5000 includes:
  • a third receiving unit 51, configured to receive a credential acquisition request from the application client, the request including the identifier of the application server that the application client requests to log in to.
  • Here the terminal on which the application client is located is a device with a UICC card or USIM card, which can run the GBA procedure with the BSF, so the credential acquisition request sent by the application client on that terminal carries the identifier of the application server directly.
  • a first generating unit 52, configured to generate, using a set algorithm, a first credential from the identifier of the application server, the key Ks shared with the bootstrapping function (BSF) and the key identifier B-TID, so that the application server verifies the login of the application client against the second credential, corresponding to the first username, obtained from the BSF; the BSF generates the second credential in the same way as the first credential is generated.
  • The function of the first generating unit 52 is the same as that of the first generating unit 32 of the foregoing embodiment and is not described again here.
  • a second sending unit 53, configured to send the first credential to the application client.
  • The first credential is sent directly to the application client, so that the application client generates a login request from the first credential and the first username and sends it to the application server for verification.
  • The CGC provided by this embodiment can directly receive the credential acquisition request of the application client on the terminal and generate a credential for logging in to any server in the same way as the BSF, without the user having to enter the credential, which makes logging in to the application server easier.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Telephonic Communication Services (AREA)
  • Stored Programmes (AREA)

Abstract

An authentication method, a method of generating credentials, and an associated device. The authentication method comprises: upon receiving a login request of an application client generated according to a first username and a first credential, searching for a second credential corresponding to the first username; and verifying, according to the second credential, whether the application client passes authentication; the second credential is generated by the bootstrapping function (BSF) in the same way as the credential generating client (CGC) generates the first credential. Also disclosed are a corresponding method of generating credentials, an application server (NAF) and a CGC. When an application client requests to log on to the NAF, a username that is easy for the user to remember can be entered, together with an easy-to-input credential generated in the same way by the CGC on any terminal and by the BSF; login authentication to the NAF is completed by means of this username and credential, so the user does not have to enter a complex username and credential, which simplifies the login process.

Description

Authentication method, method for generating a credential, and related device

Technical field

The present invention relates to the field of communication security, and in particular to an authentication method, a method for generating a credential, and related devices.

Background

3GPP TS 33.220 describes the Generic Bootstrapping Architecture (GBA) authentication mechanism, shown in Figure 1. First, the user equipment (UE) and the bootstrapping function (BSF) run the bootstrapping procedure, after which the UE and the BSF share a key Ks and a key identifier B-TID; during this procedure the BSF obtains an authentication vector from the Home Subscriber Server (HSS) / Home Location Register (HLR). Then the UE and an application server (Network Application Function, NAF) run the login authentication procedure: an application client installed on the UE, such as a browser, logs in to the application server; the NAF obtains from the BSF, according to the user's B-TID, the key Ks_NAF1 for logging in to that NAF, and the UE side generates Ks_NAF2, identical to Ks_NAF1; the NAF and the UE then verify against the same Ks_NAF1 and Ks_NAF2 to decide whether the login authentication passes.

In this GBA mechanism the UE is a device with a Universal Integrated Circuit Card (UICC). However, when the UE needs to access the operator network through a device without a UICC card, such as a personal computer (PC) or a tablet, or when the application client on the card-equipped device the user is using cannot obtain the B-TID and Ks_NAF automatically, the user has to enter the B-TID/Ks_NAF by hand into the form of the application client or web page. The B-TID has the format base64encoded(RAND)@BSF_servers_domain_name, that is, 24 case-sensitive characters or digits followed by @BSF_servers_domain_name, and Ks_NAF is a 256-bit binary string. Entering the B-TID/Ks_NAF manually is very inconvenient for the user.

Therefore, in the login authentication process in which an application client requests access to an application server, how to avoid requiring the user to enter a complex username and credential for logging in to the application server has become an urgent problem.

Summary of the invention
In view of this, embodiments of the present invention provide an authentication method, a method for generating a credential, and related devices, to solve the technical problem in the prior art that, during the login authentication process in which an application client requests an application server, the user must enter a complex username and credential for logging in to the application server.

In a first aspect, an authentication method is provided, comprising:

when a login request generated by an application client according to a first username and a first credential is received, searching for a second credential corresponding to the first username;

confirming, according to the second credential, whether the application client passes verification;

wherein the second credential is generated by the bootstrapping function (BSF) in the same way as the credential generation client (CGC) generates the first credential.

In a first possible implementation, after receiving the login request of the application client and before searching for the second credential corresponding to the first username, the method further comprises:

if the login request indicates that there is no valid first credential, instructing the application client to obtain the first credential from the CGC, wherein the CGC and the application client are installed on the same terminal or on different terminals.

With reference to the first aspect or the first possible implementation of the first aspect, in a second possible implementation, searching for the second credential corresponding to the first username comprises:

searching locally for a stored second credential corresponding to the first username; or

obtaining from the BSF a second credential corresponding to the first username.

With reference to the second possible implementation of the first aspect, in a third possible implementation, obtaining from the BSF the second credential corresponding to the first username comprises:

sending to the BSF a request to obtain the second credential, the request carrying a second username, so that the BSF looks up the key and key identifier corresponding to the second username and generates the second credential from the key, the key identifier and the identifier of the application server using a set algorithm, wherein the second username is associated with the first username, and the key and key identifier are the key Ks and key identifier B-TID shared with the CGC;

obtaining the second credential generated by the BSF.

With reference to the third possible implementation of the first aspect, in a fourth possible implementation, the second username is an International Mobile Subscriber Identity (IMSI), a Mobile Subscriber International ISDN Number (MSISDN), or an identifier carrying the IMSI or MSISDN.

In a second aspect, a method for generating a credential is provided, comprising:
接收应用客户端请求登录的应用服务器的标识符;  Receiving an identifier of an application server that the application client requests to log in;
釆用设定算法, 将所述应用服务器的标识符、 与自引导功能装置 BSF共享 的密钥 Ks和密钥标示符 B-TID生成第一信任状, 以使所述应用服务器根据从 BSF获取的对应所述第一用户名的第二信任状对应用客户端进行登录验证; 其中, 所述第二信任状是由所述 BSF釆用与生成所述第一信任状的相同的 方式生成的。  And generating, by using a setting algorithm, an identifier of the application server, a key Ks shared with the self-booting function device BSF, and a key identifier B-TID to generate the first credential, so that the application server obtains according to the BSF Performing login verification on the application client corresponding to the second credential of the first username; wherein the second credential is generated by the BSF in the same manner as the first credential is generated. .
在第一种可能的实现方式中, 所述釆用设定算法, 将所述应用服务器的标 识符、 与自引导功能装置 BSF共享的密钥 Ks和密钥标示符 B-TID生成第一信 任状, 包括:  In a first possible implementation manner, the identifier setting algorithm generates a first trust by using an identifier of the application server, a key Ks shared by the self-booting function device BSF, and a key identifier B-TID. Shape, including:
釆用下面的算法生成所述第一信任状:  The following algorithm is used to generate the first credential:
Credential = base64encoded{Trunc48[SHA-256(Ks_NAF || B-TID)]}。  Credential = base64encoded{Trunc48[SHA-256(Ks_NAF || B-TID)]}.
其中, Credential为所述第一信任状, Ks_NAF为根据通用自引导架构 GBA 流程由所述 Ks和所述应用服务器的标识符 NAF— ID生成的, Trunc48为截取 256 位 SHA-256值的低 48比特, base64encoded为进行 BASE64编码。  Wherein, Credential is the first credential, Ks_NAF is generated by the Ks and the identifier of the application server NAF_ID according to a general self-booting architecture GBA flow, and Trunc48 is a low of intercepting 256-bit SHA-256 value 48 Bit, base64encoded for BASE64 encoding.
With reference to the second aspect or the first possible implementation of the second aspect, in a second possible implementation, receiving the identifier of the application server that the application client requests to log in to includes:
receiving the identifier of the application server entered by a user; and
after generating the first credential, using the set algorithm, from the identifier of the application server, the key shared with the BSF, and the key identifier, the method further includes:
outputting the first credential to the user. With reference to the second aspect or the first possible implementation of the second aspect, in a third possible implementation, receiving the identifier of the application server that the application client requests to log in to includes:
receiving a credential acquisition request from the application client, the credential acquisition request including the identifier of the application server; and after generating the first credential, using the set algorithm, from the identifier of the application server, the key shared with the BSF, and the key identifier, the method further includes:
sending the first credential to the application client. In a third aspect, an application server is provided, including:
a first lookup unit, configured to look up, when a login request generated by the application client from a first user name and a first credential is received, a second credential corresponding to the first user name;
a confirmation unit, configured to confirm, according to the second credential, whether the application client passes verification; where the second credential is generated by the bootstrapping server function (BSF) in the same manner as the credential generation client (CGC) generates the first credential.
In a first possible implementation, the application server further includes:
an indication unit, configured to instruct the application client, if the login request indicates that there is no valid first credential, to obtain the first credential from the CGC, where the CGC and the application client are installed on the same terminal or on different terminals.
With reference to the third aspect or the first possible implementation of the third aspect, in a second possible implementation, the first lookup unit includes:
a second lookup unit, configured to look up locally a stored second credential corresponding to the first user name; or
a first acquisition unit, configured to obtain from the BSF the second credential corresponding to the first user name. With reference to the second possible implementation of the third aspect, in a third possible implementation, the first acquisition unit includes:
a first sending unit, configured to send an acquisition request for the second credential to the BSF, the acquisition request carrying a second user name, so that the BSF looks up the key and key identifier corresponding to the second user name and generates the second credential, using the set algorithm, from the key, the key identifier and the identifier of the application server, where the second user name is associated with the first user name, and where the key and key identifier are the key Ks and key identifier B-TID shared with the CGC;
a second acquisition unit, configured to obtain the second credential generated by the BSF.
With reference to the third possible implementation of the third aspect, in a fourth possible implementation, the second user name is an IMSI, an MSISDN, or an identifier carrying the IMSI or MSISDN. In a fourth aspect, a credential generation client (CGC) is provided, including:
a first receiving unit, configured to receive an identifier of the application server that the application client requests to log in to; a first generation unit, configured to generate a first credential, using a set algorithm, from the identifier of the application server, a key Ks shared with the bootstrapping server function (BSF), and a key identifier B-TID, so that the application server performs login verification of the application client according to a second credential, corresponding to the first user name, obtained from the BSF;
where the second credential is generated by the BSF in the same manner as the first credential.
In a first possible implementation, the first generation unit includes:
a second generation unit, configured to generate the first credential with the following algorithm:
Credential = base64encoded{Trunc48[SHA-256(Ks_NAF || B-TID)]}.
Here Credential is the first credential, Ks_NAF is generated from Ks and the application server's identifier NAF_ID according to the Generic Bootstrapping Architecture (GBA) procedure, Trunc48 takes the low 48 bits of the 256-bit SHA-256 value, and base64encoded denotes BASE64 encoding.
With reference to the fourth aspect or the first possible implementation of the fourth aspect, in a second possible implementation, the first receiving unit includes:
a second receiving unit, configured to receive the identifier of the application server entered by a user; and the CGC further includes:
an output unit, configured to output the first credential to the user.
With reference to the fourth aspect or the first possible implementation of the fourth aspect, in a third possible implementation, the first receiving unit includes:
a third receiving unit, configured to receive a credential acquisition request from the application client, the credential acquisition request including the identifier of the application server; and
the CGC further includes:
a second sending unit, configured to send the first credential to the application client.
With the technical solution of the authentication method, the credential generation method and the associated devices of the present invention, when an application client requests to log in to an application server, the user can enter an easy-to-remember user name together with an easy-to-enter credential generated, in the same manner as by the BSF, by the CGC on any terminal, and login authentication with the application server is completed using that user name and credential. This avoids the user having to enter a complex user name and credential and simplifies the login process.

BRIEF DESCRIPTION OF THE DRAWINGS
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the Generic Bootstrapping Architecture (GBA) of the prior art;
Fig. 2 is a flowchart of an embodiment of an authentication method according to the present invention;
Fig. 3 is a flowchart of another embodiment further refining the embodiment of the authentication method of the present invention shown in Fig. 2;
Fig. 4 is a flowchart of an embodiment of a method for generating a credential according to the present invention;
Fig. 5 is a flowchart of another embodiment further refining the embodiment of the credential generation method of the present invention shown in Fig. 4;
Fig. 6 is a flowchart of yet another embodiment further refining the embodiment of the credential generation method of the present invention shown in Fig. 4;
Fig. 7 is a schematic structural diagram of an embodiment of an application server according to the present invention;
Fig. 8 is a schematic structural diagram of another embodiment further refining the embodiment of the application server of the present invention shown in Fig. 7;
Fig. 9 is a schematic structural diagram of an embodiment of a credential generation client (CGC) according to the present invention; Fig. 10 is a schematic structural diagram of another embodiment further refining the embodiment of the CGC of the present invention shown in Fig. 9;
Fig. 11 is a schematic structural diagram of yet another embodiment further refining the embodiment of the CGC of the present invention shown in Fig. 9.

DETAILED DESCRIPTION
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings of those embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention. Fig. 2 is a flowchart of an embodiment of an authentication method according to the present invention. As shown in Fig. 2, the method includes the following steps:
Step S101: when a login request generated by the application client from a first user name and a first credential is received, look up a second credential corresponding to the first user name, where the second credential is generated by the bootstrapping server function (BSF) in the same manner as the credential generation client (CGC) generates the first credential.
The application client in the embodiments of the present invention is installed on a terminal, which may be a device with a UICC card, such as a mobile terminal, or a device without a UICC card, such as a PC or a pad. Application clients include OTT (Over The Top) application clients such as Weibo and WeChat. Note that a browser is also an application client.
When the user wants to log in to the application server from the application client, the user enters a first user name on the application client; the first user name may be the user's mobile phone number, the account the user registered with the application server, or a similar format. At the same time, the user enters a first credential, which is generated by a Credential Generation Client (CGC) deployed on the terminal hosting the application client or on another terminal. Note that the first user name may be a user-defined, easy-to-remember name, and the first credential is likewise a credential that the CGC has processed with a specific algorithm so that it is easy for the user to remember. Following the authentication protocol between the application client and the application server, the application client logs in to the application server with a login request generated from the first credential and the first user name.
On receiving the application client's login request, the application server parses the login request to obtain the first user name, obtains the first credential according to the first user name, and then looks up the second credential corresponding to the first user name. If the user has previously logged in to this application server, the application server may have the second credential stored locally, so the BSF-generated second credential corresponding to the first user name can be found locally; if it is not stored locally, the second credential corresponding to the first user name is obtained from the BSF.
The present invention can use the CGC on any terminal, as long as it is the CGC that generated the first credential corresponding to the first user name. The BSF first runs the GBA procedure with that CGC and negotiates the same B-TID and Ks; the Ks is stored under the first user name or under another identifier associated with the first user name. Then, using the identifier NAF_ID of the application server that sent the credential acquisition request, the BSF finds the corresponding Ks from the first user name (or the identifier associated with it) carried in the acquisition request, and generates the second credential with the same algorithm the CGC used to generate the first credential. The BSF sends the generated second credential to the application server. Using the specific algorithm makes the generated credential easy for the user to enter as well.
Step S102: according to the second credential, confirm whether the application client passes verification.
The first credential is compared with the second credential. If they match, verification succeeds, the application client is allowed to log in, and a login success message is returned to the application client. Otherwise, verification fails, the application client is not allowed to log in, and a login failure message is returned to the application client.
According to the authentication method provided by this embodiment of the present invention, when an application client requests to log in to an application server, the user can enter an easy-to-remember user name together with an easy-to-enter credential generated, in the same manner as by the BSF, by the CGC on any terminal, and login authentication with the application server is completed using that user name and credential. This avoids the user having to enter a complex user name and credential and simplifies the login process.
Fig. 3 is a flowchart of another embodiment further refining the embodiment of the authentication method of the present invention shown in Fig. 2. As shown in Fig. 3, the method includes the following steps:
Step S201: receive a first login request from the application client.
In this embodiment, the terminal hosting the application client may be a device without a UICC card or Universal Subscriber Identity Module (USIM), such as a PC or a pad; such a terminal cannot authenticate with the BSF through a UICC card and cannot share the same B-TID and Ks with the BSF. Although this terminal has no CGC, it can obtain the first credential corresponding to the first user name with the help of another terminal that has a UICC card, through the CGC on that terminal. The terminal may also be a device with a UICC card or USIM card, in which case the application client can send the first credential acquisition request directly to the CGC on that terminal.
If the application client can obtain a valid first credential from its own terminal, it generates the login request from the first user name and the first credential; otherwise, it generates the login request from the first user name alone and carries an indication in the login request stating that the application client has no valid first credential. The first user name is entered by the user on the application client; it may be the user's mobile phone number, the account the user registered with the application server, or a similar format, and is a user-defined, easy-to-remember name.
Step S202: check whether the first login request carries an indication that the application client has no valid first credential. If no such indication is carried, go to step S205; otherwise, go to step S203.
If the login request carries no indication that the application client has no valid first credential, the application client does have a valid first credential; go to step S205 and continue with the login authentication procedure below. If the login request indicates that the client has no valid first credential, go to step S203.
Step S203: send a response message indicating that the first credential is invalid to the application client, the response message instructing the application client to obtain the first credential from the credential generation client (CGC).
Because it has been confirmed that the login request carries no valid first credential, the login authentication procedure cannot continue. A response message indicating that the first credential is invalid is sent to the application client, and in that response message the application client is instructed or prompted to obtain the first credential from the CGC. For example, the user is instructed to enter the application server's identifier NAF_ID on the CGC of the mobile terminal in which the UICC card is inserted; the application server or the BSF may additionally send information about the application client, terminal and application server concerned, through a channel such as a short message, to the user's mobile terminal with the UICC card, to alert the user that an attempt is being made to access a certain application server. Given the application server's identifier NAF_ID, the CGC generates the first credential from the B-TID and Ks it shares with the BSF and that NAF_ID, using the algorithm agreed with the BSF. If the CGC has no valid Ks and B-TID, it must run the GBA procedure with the BSF to generate a valid Ks and B-TID.
Step S204: receive a second login request from the application client.
After obtaining the first credential corresponding to the first user name from the terminal with the UICC card, the user enters the first credential on the application client; the application client regenerates the login request from the first user name and the first credential and resends it to the application server. The application server receives the login request resent by the application client.
Step S205: determine whether a second credential corresponding to the first user name is stored locally. If so, go to step S206; otherwise, go to step S207.
Step S206: obtain the locally stored second credential corresponding to the first user name.
If the user has previously logged in to this application server successfully with the first user name and first credential, the application server may have stored locally the second credential, obtained from the BSF, used to verify that user's login request; the application server may also store the credentials of many users, classified by user name, so the second credential corresponding to the first user name must be looked up and obtained by the first user name. If no second credential corresponding to the first user name is stored locally, go to step S207 and obtain the second credential from the BSF again.
Step S207: send an acquisition request for the second credential to the BSF, the acquisition request carrying a second user name, where the second user name is associated with the first user name.
Step S208: obtain the second credential generated by the BSF.
First, the first user name carried in the login request received from the application client is converted into a second user name that the BSF can recognize, such as an International Mobile Subscriber Identity (IMSI), a Mobile Subscriber International ISDN/PSTN Number (MSISDN), or an identity containing the IMSI or MSISDN information, because the BSF can only recognize an IMSI or MSISDN. The second user name is used to look up Ks and B-TID on the BSF. Then the acquisition request for the second credential is sent to the BSF. The BSF first finds the corresponding Ks from the second user name; this Ks is shared between the BSF and the CGC that generated the first credential through the GBA procedure. Using the algorithm agreed with that CGC, the BSF generates the second credential from Ks, B-TID and the NAF_ID of the application server that sent the acquisition request, and returns it to the application server.
One way of generating the credential (Credential) is:
Ks_NAF = KDF(Ks, NAF_ID);
Credential = base64encoded{Trunc48[SHA-256(Ks_NAF || B-TID)]}.
That is, the CGC first generates Ks_NAF according to the method in TS 33.220, then computes the SHA-256 value of Ks_NAF || B-TID. The low 48 bits of the 256-bit SHA-256 value are taken and BASE64-encoded, and the final output is 8 case-sensitive letters or digits. The generated credential is easy for the user to enter.
Step S209: according to the second credential, confirm whether the application client passes verification. If so, go to step S210; otherwise, go to step S211.
The first credential and the second credential are compared for equality; if they match, verification succeeds, and if they do not, verification fails.
Step S210: return a login success message to the application client.
Step S211: return a login failure message to the application client.
If verification passes, a login success message is returned to the application client; if verification fails, a login failure message is returned to the application client.
According to the authentication method provided by this embodiment of the present invention, when an application client requests to log in to an application server, the user can enter an easy-to-remember user name together with an easy-to-enter credential generated, in the same manner as by the BSF, by the CGC on any terminal, and login authentication with the application server is completed using that user name and credential. This avoids the user having to enter a complex user name and credential and simplifies the login process.
Fig. 4 is a flowchart of an embodiment of a method for generating a credential according to the present invention. As shown in Fig. 4, the method includes the following steps:
Step S301: receive the identifier of the application server that the application client requests to log in to.
The application client in the embodiments of the present invention is installed on a terminal, which may be a device with a UICC card, such as a mobile terminal, or a device without a UICC card, such as a PC or a pad. Application clients include OTT (Over The Top) application clients such as Weibo and WeChat. Note that a browser is also an application client.
When the application client requests to log in to an application server, the identifier NAF_ID of that application server, either sent by the application client or entered directly by the user, is received.
Step S302: generate a first credential, using a set algorithm, from the identifier of the application server, the key Ks shared with the bootstrapping server function (BSF), and the key identifier B-TID, so that the application server performs login verification of the application client according to a second credential, corresponding to the first user name, obtained from the BSF; where the second credential is generated by the BSF in the same manner as the first credential.
When the user wants to log in to the application server from the application client, the user enters a first user name on the application client; the first user name may be the user's mobile phone number, the account the user registered with the application server, or a similar format. At the same time, the user enters a first credential, which is generated by a CGC deployed on the terminal hosting the application client or on another terminal. Note that the first user name may be a user-defined, easy-to-remember name, and the first credential is likewise a credential that the CGC has processed with a specific algorithm so that it is easy for the user to remember. The application client generates a login request from the first user name and the first credential and requests verification from the application server with that login request.
If the terminal hosting the application client is a device without a UICC card or USIM, such as a PC or a pad, the terminal cannot authenticate with the BSF through a UICC card and cannot share the same B-TID and Ks with the BSF. Although this terminal has no CGC, it can obtain the first credential corresponding to the first user name with the help of another terminal that has a UICC card, through the CGC on that terminal. The terminal may also be a device with a UICC card or USIM card, in which case the application client can send the first credential acquisition request directly to the CGC on that terminal.
The CGC first performs the GBA procedure with the BSF to obtain the shared B-TID and Ks; then, from the received NAF_ID, it generates the first credential using the algorithm agreed with the BSF. One method of generating a credential is:
Ks_NAF = KDF(Ks, NAF_ID);
Credential = base64encoded{Trunc48[SHA-256(Ks_NAF || B-TID)]}.
That is, the CGC first generates Ks_NAF according to the method in TS 33.220 and then computes the SHA-256 value of Ks_NAF || B-TID. The low 48 bits of the 256-bit SHA-256 value are taken and BASE64-encoded, giving a final output of 8 case-sensitive English letters or digits. The generated credential is one the user can enter easily.
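The credential construction above, as an added worked example in Python that is not code from the patent or from its applicant: it derives Ks_NAF, hashes Ks_NAF || B-TID, keeps the low 48 bits and base64-encodes them to 8 characters, and shows the CGC and a stand-in BSF arriving at the same value from the same (Ks, B-TID). HMAC-SHA-256 is assumed as a stand-in for the TS 33.220 KDF, the sample Ks, B-TID and NAF_ID values are constructed, and the function names are mine.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple


def kdf(ks: bytes, naf_id: bytes) -> bytes:
    """Ks_NAF = KDF(Ks, NAF_ID).

    Assumption: HMAC-SHA-256 stands in for the TS 33.220 Annex B KDF. That
    KDF is also HMAC-SHA-256 based, but it additionally folds in a function
    code and length-prefixed parameters that are omitted here.
    """
    return hmac.new(ks, naf_id, hashlib.sha256).digest()


def derive_credential(ks: bytes, b_tid: str, naf_id: str) -> str:
    """Credential = base64encoded{Trunc48[SHA-256(Ks_NAF || B-TID)]}.

    Trunc48 is read as the low 48 bits of the digest, i.e. its last 6 bytes
    in big-endian order. 6 bytes base64-encode to exactly 8 characters with
    no '=' padding, which gives the 8-character credential described above.
    """
    ks_naf = kdf(ks, naf_id.encode("utf-8"))
    digest = hashlib.sha256(ks_naf + b_tid.encode("utf-8")).digest()
    low48 = digest[-6:]
    return base64.b64encode(low48).decode("ascii")


# Constructed sample values standing in for the output of one GBA run
# between the CGC and the BSF (not real key material).
SAMPLE_KS = hashlib.sha256(b"constructed-sample-Ks").digest()   # 32-byte Ks
SAMPLE_B_TID = "c2FtcGxlLXJhbmQ=@bsf.operator.example"          # base64(RAND)@BSF-FQDN shape
SAMPLE_NAF_ID = "app.example.com"


def cgc_first_credential(ks: bytes, b_tid: str, naf_id: str) -> str:
    """CGC side: the first credential shown to the user or sent to the client."""
    return derive_credential(ks, b_tid, naf_id)


def bsf_second_credential(sessions: Dict[str, Tuple[bytes, str]],
                          identifier: str, naf_id: str) -> Optional[str]:
    """BSF side: look up the (Ks, B-TID) stored under the username (or an
    associated identifier) after the GBA run and apply the same construction."""
    session = sessions.get(identifier)
    if session is None:
        return None
    ks, b_tid = session
    return derive_credential(ks, b_tid, naf_id)


if __name__ == "__main__":
    bsf_store = {"alice": (SAMPLE_KS, SAMPLE_B_TID)}   # constructed BSF state
    first = cgc_first_credential(SAMPLE_KS, SAMPLE_B_TID, SAMPLE_NAF_ID)
    second = bsf_second_credential(bsf_store, "alice", SAMPLE_NAF_ID)
    print("first credential :", first)
    print("second credential:", second)
    print("match:", hmac.compare_digest(first, second))
    # The same Ks and B-TID give a different credential for a different NAF_ID,
    # so a credential produced for one application server is not valid at another.
    print("other NAF_ID     :", cgc_first_credential(SAMPLE_KS, SAMPLE_B_TID, "other.example.com"))
```

Two practical points follow from the construction itself: the credential carries only 48 bits, so the application server should treat it as a guessable short secret, limit failed attempts per username, and expect it to change whenever the CGC re-runs GBA (the B-TID is part of the hash input); and the standard base64 alphabet also contains '+' and '/', so an implementation that promises only letters and digits needs an alphabet or post-processing step the page does not specify.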
When the BSF performs the GBA procedure with the CGC, it stores the Ks and B-TID indexed by the first username associated with the first credential, or by another identifier associated with the first username. When the application server receives the login request from the application client, it obtains the first username from the login request and sends a second credential acquisition request to the BSF based on that username. The BSF looks up the corresponding Ks using the first username carried in the acquisition request, or another identifier associated with the first username, generates the second credential in the same way the CGC generates the first credential, and returns it to the application server so that the application server can verify the login request.
According to the method of generating a credential provided by this embodiment of the present invention, a credential for logging in to any server is generated in the same way as by the BSF, so an application client on any terminal can be provided with a credential for logging in to that application server, and the generated credential is convenient for the user to enter.
Figure 5 is a flow chart of another embodiment that further refines the embodiment of the method of generating a credential of the present invention shown in Figure 4. As shown in Figure 5, the method includes the following steps:
Step S401: receive an identifier, entered by the user, of the application server to which the application client requests to log in. In this embodiment, the terminal where the application client runs is a device without a UICC card or USIM, such as a PC or tablet; therefore the terminal cannot authenticate with the BSF through a UICC card, has no CGC installed, and cannot share the same B-TID and Ks with the BSF. Although the terminal has no CGC, the first credential corresponding to the first username can be obtained with the help of another terminal that has a UICC card, through the CGC on that terminal.
Therefore, the user is required to enter on that CGC the identifier of the application server to be logged in to. The identifier may be entered manually, or the NAF_IDs of several application servers may be preset on the CGC so that the user simply selects the corresponding application server.
Step S402: using a set algorithm, generate a first credential from the identifier of the application server, the key Ks shared with the bootstrapping function device BSF, and the key identifier B-TID, so that the application server performs login verification on the application client according to the second credential corresponding to the first username, obtained from the BSF, and the first credential; wherein the second credential is generated by the BSF in the same way as the first credential.
Step S402 is the same as step S302 of the foregoing embodiment and is not described again here. Step S403: output the first credential to the user.
The CGC generates the first credential from the B-TID, Ks and NAF_ID and displays it to the user on the terminal screen, so that the user can enter the first credential into the application client on another terminal; the application client then generates a login request from the first credential and the first username and sends the login request to the application server to request verification.
According to the method of generating a credential provided by this embodiment of the present invention, a credential for logging in to any server is generated in the same way as by the BSF, so an application client on a terminal that cannot perform the GBA procedure can be provided with a credential for logging in to that application server, and the generated credential is convenient for the user to enter.
Figure 6 is a flow chart of yet another embodiment that further refines the embodiment of the method of generating a credential of the present invention shown in Figure 4. As shown in Figure 6, the method includes the following steps:
Step S501: receive a credential acquisition request from the application client, the credential acquisition request including the identifier of the application server to which the application client requests to log in.
In this embodiment, the terminal where the application client runs is a device with a UICC card or USIM card and can perform the GBA procedure with the BSF. Therefore, the credential acquisition request sent by the application client on this same terminal is received directly; the request includes the identifier of the application server to which the application client requests to log in.
Step S502: using a set algorithm, generate a first credential from the identifier of the application server, the key Ks shared with the bootstrapping function device BSF, and the key identifier B-TID, so that the application server performs login verification on the application client according to the second credential corresponding to the first username, obtained from the BSF; wherein the second credential is generated by the BSF in the same way as the first credential.
Step S502 is the same as step S302 of the foregoing embodiment and is not described again here.
Step S503: send the first credential to the application client.
After generating the first credential from the B-TID, Ks and NAF_ID, the CGC sends the first credential directly to the application client, so that the application client generates a login request from the first credential and the first username and sends the login request to the application server to request verification.
According to the method of generating a credential provided by this embodiment of the present invention, a credential acquisition request from the application client on the same terminal can be received directly, and a credential for logging in to any server is generated in the same way as by the BSF, without the user having to enter the credential, which makes logging in to the application server convenient.
Figure 7 is a schematic structural diagram of an embodiment of an application server according to the present invention. As shown in Figure 7, the application server 1000 includes: a first lookup unit 11, configured to, when a login request generated by the application client from a first username and a first credential is received, look up a second credential corresponding to the first username, wherein the second credential is generated by the bootstrapping function device BSF in the same way as the credential generation client CGC generates the first credential.
The application client in the embodiments of the present invention is installed on a terminal; the terminal may be a device with a UICC card, such as a mobile terminal, or a device without a UICC card, such as a PC or tablet. Application clients include OTT (Over The Top) application clients such as Weibo and WeChat. Note that a browser is also a kind of application client.
When a user wants to log in to the application server from the application client, the user enters a first username on the application client; the first username may be the user's mobile phone number, the account the user registered on the application server, or a similar format. At the same time, the user enters a first credential, which is generated by a Credential Generation Client (CGC) installed on the terminal where the application client runs or on another terminal. It should be noted that the first username may be a user-defined, easy-to-remember name, and that the first credential is likewise one that the CGC has processed with a specific algorithm so that the user can remember it easily. The application client logs in to the application server with the login request generated from the first credential and the first username, following the authentication protocol between it and the application server.
When the login request from the application client is received, the login request is parsed to obtain the first username, the first credential is obtained according to the first username, and the first lookup unit 11 then looks up the second credential corresponding to the first username. If the user has previously logged in to this application server, the application server may have the second credential stored locally, so the second credential generated by the BSF for the first username can be found locally; if it is not stored locally, the second credential corresponding to the first username is obtained from the BSF.
The present invention can use a CGC on any terminal, as long as it is the CGC that generated the first credential corresponding to the first username. The BSF first performs the GBA procedure with that CGC and negotiates the same B-TID and Ks; the Ks is stored under the first username or another identifier associated with the first username. Then, given the identifier NAF_ID of the application server that sent the credential acquisition request, the BSF looks up the corresponding Ks using the first username in the acquisition request or the identifier associated with the first username, and generates the second credential using the same algorithm the CGC used to generate the first credential. The BSF sends the generated second credential to the application server. Using a specific algorithm also makes the generated credential convenient for the user to enter.
A confirmation unit 12, configured to confirm, according to the second credential, whether the application client passes verification. The first credential and the second credential are compared; if they match, the confirmation unit 12 confirms that verification succeeded, allows the application client to log in, and returns a login success message to the application client. Otherwise, the confirmation unit 12 confirms that verification failed, does not allow the application client to log in, and returns a login failure message to the application client.
According to the application server provided by this embodiment of the present invention, when an application client requests to log in to the application server, the user can enter an easy-to-remember username together with an easy-to-enter credential generated by a CGC on any terminal in the same way as by the BSF, and login authentication with the application server is completed with that username and credential; this avoids the user having to enter a complicated username and credential and simplifies the login process.
Figure 8 is a schematic structural diagram of another embodiment that further refines the embodiment of the application server of the present invention shown in Figure 7. As shown in Figure 8, the application server 2000 includes:
An indication unit 21, configured to, if the login request indicates that there is no valid first credential, instruct the application client to obtain the first credential from the CGC, wherein the CGC and the application client are installed on the same terminal or on different terminals.
In this embodiment, the terminal where the application client runs may be a device without a UICC card or Universal Subscriber Identity Module (USIM), such as a PC or tablet; therefore the terminal cannot authenticate with the BSF through a UICC card and cannot share the same B-TID and Ks with the BSF. Although the terminal has no CGC, the first credential corresponding to the first username can be obtained with the help of another terminal that has a UICC card, through the CGC on that terminal. The terminal may also be a device with a UICC card or USIM card, in which case the application client can send a first credential acquisition request directly to the CGC on that terminal.
If the application client can obtain a valid first credential from its own terminal, the application client generates the login request from the first username and the first credential; otherwise, the application client generates the login request from the first username alone and carries an indication in the login request stating that it has no valid first credential. The first username is entered by the user on the application client; it may be the user's mobile phone number, the account the user registered on the application server, or a similar format, and is a user-defined, easy-to-remember name.
If the login request does not carry an indication that the application client has no valid first credential, the application client has a valid first credential and login authentication continues; if the login request indicates that it has no valid first credential, the indication unit 21 instructs the application client to obtain the first credential from the CGC.
Because it has been confirmed that the login request does not carry a valid first credential, the login authentication procedure cannot continue; the indication unit 21 sends a response message to the application client stating that the first credential is invalid, and in that response message instructs or prompts the application client to obtain the first credential from the CGC. For example, the user is instructed to enter the identifier NAF_ID of the application server on the CGC of the mobile terminal in which the UICC card is inserted; the application server or the BSF may further send information about the corresponding application client, terminal and application server to the user's mobile terminal holding the UICC card, via a channel such as a short message, to prompt the user that they are attempting to access a certain application server. … the identifier NAF_ID, and the CGC generates the first credential from the B-TID and Ks it shares with the BSF together with that NAF_ID, according to the algorithm agreed with the BSF. If there is no valid Ks or B-TID on the CGC, the CGC needs to perform the GBA procedure with the BSF to generate a valid Ks and B-TID.
After the application client obtains the first credential corresponding to the first username from the terminal in which the UICC card is inserted, the first credential is entered into the application client, the login request is regenerated from the first username and the first credential, and it is resent to the application server. The application server receives the login request resent by the application client.
A first lookup unit 22, configured to, when a login request generated by the application client from a first username and a first credential is received, look up a second credential corresponding to the first username.
In this embodiment, the first lookup unit 22 includes a second lookup unit 221 and a first acquisition unit 222.
The second lookup unit 221 is configured to look up locally the stored second credential corresponding to the first username.
The first acquisition unit 222 is configured to obtain the second credential corresponding to the first username from the BSF.
If the user has previously logged in successfully to the application server with the first username and the first credential, the application server may have stored locally the second credential obtained from the BSF for verifying that user's login request; the application server may also store the credentials of multiple users locally, indexed by username. Therefore, the second lookup unit 221 looks up and obtains the second credential corresponding to the first username according to the first username. If no second credential corresponding to the first username is stored locally, the first acquisition unit 222 obtains the second credential from the BSF again.
The first acquisition unit 222 further includes a first sending unit 00 and a second acquisition unit 01. The first sending unit 00 is configured to send an acquisition request for the second credential to the BSF, the acquisition request carrying a second username, so that the BSF looks up the key and key identifier corresponding to the second username and generates the second credential from the key, the key identifier and the identifier of the application server using the set algorithm, wherein the second username is associated with the first username, and the key and key identifier are the key Ks and key identifier B-TID shared with the CGC.
The second acquisition unit 01 is configured to obtain the second credential generated by the BSF.
First, the first username carried in the login request received from the application client is converted into a second username that the BSF can recognise, such as an International Mobile Subscriber Identity (IMSI) or a Mobile Subscriber International ISDN/PSTN Number (MSISDN), or an identity containing IMSI or MSISDN information, because the BSF can only recognise an IMSI or MSISDN. This second username is used to look up Ks and B-TID on the BSF. Then, the acquisition request for the second credential is sent to the BSF; the BSF first looks up the corresponding Ks according to the second username (this Ks is shared between the BSF and the CGC that generated the first credential by performing the GBA procedure), generates the second credential from the Ks, the B-TID and the NAF_ID of the application server that sent the acquisition request according to the algorithm agreed with that CGC, and returns it to the application server.
One method of generating a credential is:
Ks_NAF = KDF(Ks, NAF_ID);
Credential = base64encoded{Trunc48[SHA-256(Ks_NAF || B-TID)]}.
That is, the CGC first generates Ks_NAF according to the method in TS 33.220 and then computes the SHA-256 value of Ks_NAF || B-TID. The low 48 bits of the 256-bit SHA-256 value are taken and BASE64-encoded, giving a final output of 8 case-sensitive English letters or digits. The generated credential is one the user can enter easily.
A confirmation unit 23, configured to confirm, according to the second credential, whether the application client passes verification.
The first credential and the second credential are compared for equality; if they match, verification succeeds, and if they do not match, verification fails.
If verification passes, a login success message is returned to the application client; if verification fails, a login failure message is returned to the application client.
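The server-side flow described for the indication unit 21, the lookup units 221 and 222, the sending and acquisition units 00 and 01 and the confirmation unit 23 (reject a login that carries no valid first credential and point the client at a CGC; look the second credential up locally; otherwise map the first username to an IMSI/MSISDN-style second username and fetch the second credential from the BSF; compare), as an added example in Python that is not the patent's own code. The Bsf class is a constructed stand-in, the identity map, keys and B-TIDs are constructed sample data, HMAC-SHA-256 stands in for the TS 33.220 KDF, and the retry against the BSF when a cached second credential no longer matches is my addition for the case where the CGC has re-run GBA.

```python
import base64
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple


def derive_credential(ks: bytes, b_tid: str, naf_id: str) -> str:
    """Ks_NAF = KDF(Ks, NAF_ID); Credential = base64(Trunc48[SHA-256(Ks_NAF || B-TID)]).
    HMAC-SHA-256 stands in for the TS 33.220 KDF (assumption)."""
    ks_naf = hmac.new(ks, naf_id.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.sha256(ks_naf + b_tid.encode("utf-8")).digest()
    return base64.b64encode(digest[-6:]).decode("ascii")


class Bsf:
    """Constructed stand-in for the BSF: keeps the (Ks, B-TID) agreed with a CGC
    during GBA, indexed by the second username (IMSI/MSISDN style)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Tuple[bytes, str]] = {}

    def bootstrap(self, second_username: str, ks: bytes, b_tid: str) -> None:
        self._sessions[second_username] = (ks, b_tid)   # a re-run replaces the old pair

    def second_credential(self, second_username: str, naf_id: str) -> Optional[str]:
        session = self._sessions.get(second_username)
        if session is None:
            return None
        ks, b_tid = session
        return derive_credential(ks, b_tid, naf_id)


class AppServer:
    """Application server 2000: units 21, 221, 222, 00, 01 and 23."""

    def __init__(self, naf_id: str, bsf: Bsf, identity_map: Dict[str, str]) -> None:
        self.naf_id = naf_id
        self.bsf = bsf
        self.identity_map = identity_map      # first username -> second username
        self.cache: Dict[str, str] = {}       # first username -> second credential

    def _fetch_from_bsf(self, first_username: str) -> Optional[str]:
        # Units 00/01: translate to a name the BSF recognises, then ask the BSF.
        second_username = self.identity_map.get(first_username)
        if second_username is None:
            return None
        return self.bsf.second_credential(second_username, self.naf_id)

    def handle_login(self, request: dict) -> dict:
        first_username = request["username"]
        first_credential = request.get("credential")
        if not first_credential:              # indication unit 21
            return {"status": "need_credential", "naf_id": self.naf_id}
        cached = True                          # unit 221: local lookup first
        second = self.cache.get(first_username)
        if second is None:                     # unit 222: otherwise from the BSF
            cached = False
            second = self._fetch_from_bsf(first_username)
            if second is None:
                return {"status": "failure"}
        # Confirmation unit 23: constant-time comparison of the two credentials.
        if hmac.compare_digest(first_credential.encode(), second.encode()):
            self.cache[first_username] = second
            return {"status": "success"}
        # Added step: a cached second credential goes stale when the CGC re-runs
        # GBA (new Ks and B-TID), so retry once against the BSF before failing.
        if cached:
            fresh = self._fetch_from_bsf(first_username)
            if fresh is not None and hmac.compare_digest(first_credential.encode(), fresh.encode()):
                self.cache[first_username] = fresh
                return {"status": "success"}
        self.cache.pop(first_username, None)
        return {"status": "failure"}


# Constructed sample data (not real key material).
KS_1 = hashlib.sha256(b"constructed-Ks-run-1").digest()
KS_2 = hashlib.sha256(b"constructed-Ks-run-2").digest()
B_TID_1 = "cnVuMQ==@bsf.operator.example"
B_TID_2 = "cnVuMg==@bsf.operator.example"
NAF_ID = "app.example.com"
SECOND_USERNAME = "IMSI-constructed-001"


def run_scenario() -> List[str]:
    """Walk through the flow above and return the status of each login attempt."""
    bsf = Bsf()
    bsf.bootstrap(SECOND_USERNAME, KS_1, B_TID_1)          # GBA run between CGC and BSF
    server = AppServer(NAF_ID, bsf, {"alice": SECOND_USERNAME})
    steps = [server.handle_login({"username": "alice"})["status"]]          # no credential yet
    first = derive_credential(KS_1, B_TID_1, NAF_ID)       # what the CGC shows the user
    steps.append(server.handle_login({"username": "alice", "credential": first})["status"])
    bsf.bootstrap(SECOND_USERNAME, KS_2, B_TID_2)          # CGC re-ran GBA: cache is stale
    fresh = derive_credential(KS_2, B_TID_2, NAF_ID)
    steps.append(server.handle_login({"username": "alice", "credential": fresh})["status"])
    steps.append(server.handle_login({"username": "alice", "credential": "AAAAAAAA"})["status"])
    steps.append(server.handle_login({"username": "mallory", "credential": first})["status"])
    return steps


if __name__ == "__main__":
    print(run_scenario())
```

The local cache is what the page calls the second lookup unit 221; because the credential hashes the B-TID, every new bootstrapping run invalidates it, which is why the example refreshes from the BSF on a mismatch rather than failing outright. A real deployment would also bound failed attempts per username, since the credential is only 48 bits, and would authenticate the server-to-BSF channel on which the second credential travels.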
According to the application server provided by this embodiment of the present invention, when an application client requests to log in to the application server, the user can enter an easy-to-remember username together with an easy-to-enter credential generated by a CGC on any terminal in the same way as by the BSF, and login authentication with the application server is completed with that username and credential; this avoids the user having to enter a complicated username and credential and simplifies the login process.
Figure 9 is a schematic structural diagram of an embodiment of a credential generation client CGC according to the present invention. As shown in Figure 9, the CGC 3000 includes:
A first receiving unit 31, configured to receive the identifier of the application server to which the application client requests to log in. The application client in the embodiments of the present invention is installed on a terminal; the terminal may be a device with a UICC card, such as a mobile terminal, or a device without a UICC card, such as a PC or tablet. Application clients include OTT (Over The Top) application clients such as Weibo and WeChat. Note that a browser is also a kind of application client.
When the application client requests to log in to an application server, the first receiving unit 31 receives the identifier NAF_ID of that application server, either sent by the application client or entered directly by the user.
A first generation unit 32, configured to, using a set algorithm, generate a first credential from the identifier of the application server, the key Ks shared with the bootstrapping function device BSF, and the key identifier B-TID, so that the application server performs login verification on the application client according to the second credential corresponding to the first username, obtained from the BSF; wherein the second credential is generated by the BSF in the same way as the first credential.
When a user wants to log in to the application server from the application client, the user enters a first username on the application client; the first username may be the user's mobile phone number, the account the user registered on the application server, or a similar format. At the same time, the user enters a first credential, which is generated by a CGC installed on the terminal where the application client runs or on another terminal. It should be noted that the first username may be a user-defined, easy-to-remember name, and that the first credential is likewise one that the CGC has processed with a specific algorithm so that the user can remember it easily. The application client generates a login request from the first username and the first credential and uses that login request to request verification by the application server.
If the terminal where the application client runs is a device without a UICC card or USIM, such as a PC or tablet, the terminal cannot authenticate with the BSF through a UICC card and cannot share the same B-TID and Ks with the BSF. Although such a terminal has no CGC, the first credential corresponding to the first username can still be obtained with the help of another terminal that has a UICC card, through the CGC on that terminal. The terminal may also be a device with a UICC card or USIM card, in which case the application client can send a first credential acquisition request directly to the CGC on that terminal.
The CGC first performs the GBA procedure with the BSF to obtain the shared B-TID and Ks; then, from the received NAF_ID, it generates the first credential using the algorithm agreed with the BSF. One method of generating a credential is:
Ks_NAF = KDF(Ks, NAF_ID);
Credential = base64encoded{Trunc48[SHA-256(Ks_NAF || B-TID)]}.
That is, the CGC first generates Ks_NAF according to the method in TS 33.220 and then computes the SHA-256 value of Ks_NAF || B-TID. The low 48 bits of the 256-bit SHA-256 value are taken and BASE64-encoded, giving a final output of 8 case-sensitive English letters or digits. The generated credential is one the user can enter easily.
When the BSF performs the GBA procedure with the CGC, it stores the Ks and B-TID indexed by the first username associated with the first credential, or by another identifier associated with the first username. When the application server receives the login request from the application client, it obtains the first username from the login request and sends a second credential acquisition request to the BSF based on that username. The BSF looks up the corresponding Ks using the first username carried in the acquisition request, or another identifier associated with the first username, generates the second credential in the same way the CGC generates the first credential, and returns it to the application server so that the application server can verify the login request.
According to the CGC provided by this embodiment of the present invention, a credential for logging in to any server is generated in the same way as by the BSF, so an application client on any terminal can be provided with a credential for logging in to that application server, and the generated credential is convenient for the user to enter.
图 10为对图 9所示的本发明一种 CGC的实施例的进一步细化的另一个实 施例的结构示意图。 如图 10所示, 该 CGC4000:  Figure 10 is a block diagram showing another embodiment of a further refinement of an embodiment of a CGC of the present invention shown in Figure 9. As shown in Figure 10, the CGC4000:
第二接收单元 41 , 用于接收用户输入的应用客户端请求登录的应用服务器 的标识符。  The second receiving unit 41 is configured to receive an identifier of the application server that the application client input by the user requests to log in.
本实施例中, 应用客户端所在的终端为 PC、 pad等无 UICC卡或 USIM的 设备, 因此, 该终端无法通过 UICC卡与 BSF进行通信认证, 没有设置 CGC, 无法与 BSF共享相同的 B-TID和 Ks, 虽然该终端没有 CGC, 但可以借助其它 具有 UICC卡的终端, 通过其上的 CGC, 获取对应该第一用户名的第一信任状。  In this embodiment, the terminal where the client is located is a device such as a PC or a pad without a UICC card or a USIM. Therefore, the terminal cannot perform communication authentication with the BSF through the UICC card, and the CGC is not set, and the same B- cannot be shared with the BSF. TID and Ks, although the terminal does not have a CGC, the first credential corresponding to the first username can be obtained by using the CGC on the terminal with other terminals having the UICC card.
因此, 需要用户在该 CGC上输入需要登录的应用服务器的标识符。 输入方 式可以手工输入, 也可以在 CGC上预设置多个应用服务器的 NAF— ID, 用户点 选对应的应用服务器即可。  Therefore, the user is required to enter an identifier of the application server that needs to log in on the CGC. The input method can be manually input, or the NAF-ID of multiple application servers can be preset on the CGC, and the user can select the corresponding application server.
第一生成单元 42, 用于釆用设定算法, 将所述应用服务器的标识符、 与自 引导功能装置 BSF共享的密钥 Ks和密钥标示符 B-TID生成第一信任状, 以使 所述应用服务器根据从 BSF获取的对应所述第一用户名的第二信任状对应用客 户端进行登录验证; 其中, 所述第二信任状是由所述 BSF釆用与生成所述第一 信任状的相同的方式生成的。 a first generating unit 42, configured to use a setting algorithm, and identifiers of the application server The key Ks and the key identifier B-TID shared by the boot function device BSF generate a first credential, so that the application server pairs the application client according to the second credential corresponding to the first user name acquired from the BSF Performing login verification; wherein the second credential is generated by the BSF in the same manner as the first credential is generated.
第一生成单元 42的功能与前述实施例的第一生成单元 32相同, 在此不再 赘述。  The function of the first generating unit 42 is the same as that of the first generating unit 32 of the foregoing embodiment, and details are not described herein again.
输出单元 43 , 用于输出所述第一信任状给所述用户。  The output unit 43 is configured to output the first credential to the user.
CGC根据 B-TID、 Ks和 NAF— ID生成第一信任状, 并将第一信任状在终端 屏幕上显示给用户, 以供用户将该第一信任状输入另一终端的应用客户端, 以 使该应用客户端根据该第一信任状和第一用户名生成登录请求, 将该登录请求 发送给应用服务器以请求验证。  The CGC generates a first credential according to the B-TID, the Ks, and the NAF_ID, and displays the first credential on the terminal screen to the user, so that the user inputs the first credential into the application client of the other terminal, to And causing the application client to generate a login request according to the first credential and the first username, and sending the login request to the application server to request verification.
根据本发明实施例提供的 CGC, 釆用与 BSF相同的方式生成登录任一服务 器的信任状, 可以为无法执行 GB A流程的终端上的应用客户端提供登录该应用 服务器的信任状, 生成的信任状方便用户输入。  According to the CGC provided by the embodiment of the present invention, the credential of any server is generated in the same manner as the BSF, and the application client on the terminal that cannot execute the GB A process can be provided with the credential of logging in to the application server, and generated. The credibility is convenient for the user to input.
图 11为对图 9所示的本发明一种 CGC的实施例的进一步细化的又一个实 施例的结构示意图。 如图 11所示, 该 CGC5000包括:  Figure 11 is a block diagram showing still another embodiment of a further refinement of an embodiment of a CGC of the present invention shown in Figure 9. As shown in Figure 11, the CGC5000 includes:
第三接收单元 51 , 用于接收应用客户端的信任状获取请求, 所述信任状获 取请求包括所述应用客户端请求登录的应用服务器的标识符。  The third receiving unit 51 is configured to receive a credential obtaining request of the application client, where the credential obtaining request includes an identifier of an application server that the application client requests to log in.
本实施例中,应用客户端所在的终端为有 UICC卡或 USIM卡的设备,可以 与 BSF执行 GBA流程。因此,直接本终端的应用客户端发送的信任状获取请求, 该请求中包括应用客户端请求登录的应用服务器的标识。  In this embodiment, the terminal where the application client is located is a device with a UICC card or a USIM card, and the GBA process can be executed with the BSF. Therefore, the credential acquisition request sent by the application client of the terminal directly includes the identifier of the application server that the application client requests to log in.
第一生成单元 52, 用于釆用设定算法, 将所述应用服务器的标识符、 与自 引导功能装置 BSF共享的密钥 Ks和密钥标示符 B-TID生成第一信任状, 以使 所述应用服务器根据从 BSF获取的对应所述第一用户名的第二信任状对应用客 户端进行登录验证; 其中, 所述第二信任状是由所述 BSF釆用与生成所述第一 信任状的相同的方式生成的。  a first generating unit 52, configured to generate, by using a setting algorithm, an identifier of the application server, a key Ks shared with the self-booting function device BSF, and a key identifier B-TID to generate a first credential, so that The application server performs login verification on the application client according to the second credential corresponding to the first user name obtained from the BSF; wherein the second credential is used by the BSF to generate the first The trust is generated in the same way.
第一生成单元 52的功能与前述实施例的第一生成单元 32相同, 在此不再 赘述。  The function of the first generating unit 52 is the same as that of the first generating unit 32 of the foregoing embodiment, and details are not described herein again.
第二发送单元 53 , 用于将所述第一信任状发送给所述应用客户端。  The second sending unit 53 is configured to send the first credential to the application client.
CGC根据 B-TID、 Ks和 NAF— ID生成第一信任状后, 将该第一信任状直接 发送给应用客户端, 以使该应用客户端根据该第一信任状和第一用户名生成登 录请求, 将该登录请求发送给应用服务器以请求验证。 After the CGC generates the first credential according to the B-TID, Ks, and NAF_ID, the first credential is directly Sending to the application client, so that the application client generates a login request according to the first credential and the first username, and sends the login request to the application server to request verification.
根据本发明实施例提供的 CGC, 可以直接接收本终端的应用客户端的信任 状获取请求, 釆用与 BSF相同的方式生成登录任一服务器的信任状, 无需用户 输入该信任状, 方便应用服务器的登录。  The CGC provided by the embodiment of the present invention can directly receive the credential acquisition request of the application client of the terminal, and generate a credential for logging in to any server in the same manner as the BSF, without the user inputting the credential, facilitating the application server. log in.
以上所揭露的仅为本发明较佳实施例而已, 当然不能以此来限定本发明之 权利范围, 因此依本发明权利要求所作的等同变化, 仍属本发明所涵盖的范围。  The above is only the preferred embodiment of the present invention, and the scope of the present invention is not limited thereto, and the equivalent changes made by the claims of the present invention are still within the scope of the present invention.

Claims

1. An authentication method, characterized in that it comprises:
when a login request generated by an application client from a first username and a first credential is received, searching for a second credential corresponding to the first username;
confirming, according to the second credential, whether the application client passes verification;
wherein the second credential is generated by a bootstrapping function apparatus BSF in the same way as a credential generation client CGC generates the first credential.
2. The method according to claim 1, characterized in that, after receiving the login request of the application client and before searching for the second credential corresponding to the first username, the method further comprises: if the login request indicates that there is no valid first credential, instructing the application client to obtain the first credential from the CGC, wherein the CGC and the application client are installed on the same terminal or on different terminals.
3. The method according to claim 1 or 2, characterized in that searching for the second credential corresponding to the first username comprises:
searching locally for a stored second credential corresponding to the first username; or
obtaining the second credential corresponding to the first username from the BSF.
4. The method according to claim 3, characterized in that obtaining the second credential corresponding to the first username from the BSF comprises:
sending an acquisition request for the second credential to the BSF, the acquisition request carrying a second username, so that the BSF looks up the key and key identifier corresponding to the second username and generates the second credential from the key, the key identifier and the identifier of the application server using a set algorithm, wherein the second username is associated with the first username, and wherein the key and key identifier are the key Ks and the key identifier B-TID shared with the CGC;
obtaining the second credential generated by the BSF.
5. The method according to claim 4, characterized in that the second username is an international mobile identity number IMSI, a mobile subscriber international ISDN number MSISDN, or an identifier carrying the IMSI or MSISDN.
6. A method for generating a credential, characterized in that it comprises:
receiving the identifier of an application server that an application client requests to log in to;
using a set algorithm to generate a first credential from the identifier of the application server, the key Ks shared with a bootstrapping function apparatus BSF, and the key identifier B-TID, so that the application server performs login verification of the application client according to a second credential, corresponding to the first username, obtained from the BSF; wherein the second credential is generated by the BSF in the same way as the first credential is generated.
7. The method according to claim 6, characterized in that using the set algorithm to generate the first credential from the identifier of the application server, the key Ks shared with the bootstrapping function apparatus BSF, and the key identifier B-TID comprises:
generating the first credential with the following algorithm:
Credential = base64encoded{Trunc48[SHA-256(Ks_NAF || B-TID)]}.
wherein Credential is the first credential, Ks_NAF is generated from the Ks and the identifier NAF_ID of the application server according to the generic bootstrapping architecture GBA procedure, Trunc48 takes the low 48 bits of the 256-bit SHA-256 value, and base64encoded denotes BASE64 encoding.
8. The method according to claim 6 or 7, characterized in that receiving the identifier of the application server that the application client requests to log in to comprises:
receiving the identifier of the application server entered by a user; and
after using the set algorithm to generate the first credential from the identifier of the application server, the key shared with the BSF and the key identifier, the method further comprises:
outputting the first credential to the user.
9. The method according to claim 6 or 7, characterized in that receiving the identifier of the application server that the application client requests to log in to comprises:
receiving a credential acquisition request from the application client, the credential acquisition request including the identifier of the application server; and
after using the set algorithm to generate the first credential from the identifier of the application server, the key shared with the BSF and the key identifier, the method further comprises:
sending the first credential to the application client.
10. An application server, characterized in that it comprises:
a first searching unit, configured to search for a second credential corresponding to a first username when a login request generated by an application client from the first username and a first credential is received;
a confirming unit, configured to confirm, according to the second credential, whether the application client passes verification; wherein the second credential is generated by a bootstrapping function apparatus BSF in the same way as a credential generation client CGC generates the first credential.
11. The application server according to claim 10, characterized in that it further comprises:
an instructing unit, configured to instruct the application client to obtain the first credential from the CGC if the login request indicates that there is no valid first credential, wherein the CGC and the application client are installed on the same terminal or on different terminals.
12. The application server according to claim 10 or 11, characterized in that the first searching unit comprises:
a second searching unit, configured to search locally for a stored second credential corresponding to the first username; or
a first obtaining unit, configured to obtain the second credential corresponding to the first username from the BSF.
13. The application server according to claim 12, characterized in that the first obtaining unit comprises:
a first sending unit, configured to send an acquisition request for the second credential to the BSF, the acquisition request carrying a second username, so that the BSF looks up the key and key identifier corresponding to the second username and generates the second credential from the key, the key identifier and the identifier of the application server using a set algorithm, wherein the second username is associated with the first username, and wherein the key and key identifier are the key Ks and the key identifier B-TID shared with the CGC;
a second obtaining unit, configured to obtain the second credential generated by the BSF.
14. The application server according to claim 13, characterized in that the second username is an international mobile identity number IMSI, a mobile subscriber international ISDN number MSISDN, or an identifier carrying the IMSI or MSISDN.
15. A credential generation client CGC, characterized in that it comprises:
a first receiving unit, configured to receive the identifier of an application server that an application client requests to log in to;
a first generating unit, configured to use a set algorithm to generate a first credential from the identifier of the application server, the key Ks shared with a bootstrapping function apparatus BSF, and the key identifier B-TID, so that the application server performs login verification of the application client according to a second credential, corresponding to the first username, obtained from the BSF;
wherein the second credential is generated by the BSF in the same way as the first credential is generated.
16. The CGC according to claim 15, characterized in that the first generating unit comprises: a second generating unit, configured to generate the first credential with the following algorithm:
Credential = base64encoded{Trunc48[SHA-256(Ks_NAF || B-TID)]}.
wherein Credential is the first credential, Ks_NAF is generated from the Ks and the identifier NAF_ID of the application server according to the generic bootstrapping architecture GBA procedure, Trunc48 takes the low 48 bits of the 256-bit SHA-256 value, and base64encoded denotes BASE64 encoding.
17. The CGC according to claim 15 or 16, characterized in that the first receiving unit comprises:
a second receiving unit, configured to receive the identifier of the application server entered by a user; and the CGC further comprises:
an output unit, configured to output the first credential to the user.
18. The CGC according to claim 15 or 16, characterized in that the first receiving unit comprises: a third receiving unit, configured to receive a credential acquisition request from the application client, the credential acquisition request including the identifier of the application server; and
the CGC further comprises:
a second sending unit, configured to send the first credential to the application client.
PCT/CN2014/080380 2013-07-31 2014-06-20 Authentication method, method of generating credentials, and associated device WO2015014171A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310329541.4 2013-07-31
CN201310329541.4A CN104348801B (en) 2013-07-31 2013-07-31 Authentication method, the method and relevant apparatus for generating credential

Publications (1)

Publication Number Publication Date
WO2015014171A1 true WO2015014171A1 (en) 2015-02-05

Family

ID=52430953

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/080380 WO2015014171A1 (en) 2013-07-31 2014-06-20 Authentication method, method of generating credentials, and associated device

Country Status (2)

Country Link
CN (1) CN104348801B (en)
WO (1) WO2015014171A1 (en)

Also Published As

Publication number Publication date
CN104348801B (en) 2018-05-04
CN104348801A (en) 2015-02-11

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14831383

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14831383

Country of ref document: EP

Kind code of ref document: A1