WO2015014171A1 - Authentication method, method for generating credentials and associated device - Google Patents

Authentication method, method for generating credentials and associated device

Info

Publication number
WO2015014171A1
Authority
WO
WIPO (PCT)
Prior art keywords
credential
bsf
identifier
application server
cgc
Prior art date
Application number
PCT/CN2014/080380
Other languages
English (en)
Chinese (zh)
Inventor
陈璟
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Publication of WO2015014171A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043 Key management, e.g. using generic bootstrapping architecture [GBA], using a trusted network node as an anchor
    • H04W12/0431 Key distribution or pre-distribution; Key agreement

Definitions

  • The present invention relates to the field of communication security technologies, and in particular to an authentication method, a method for generating a credential, and related devices.
  • Background technique
  • A Generic Bootstrapping Architecture (GBA) authentication mechanism is introduced in TS 33.220.
  • UE User Equipment
  • BSF Bootstrapping Server Function
  • Flow: the UE and the BSF share a key Ks and a key identifier B-TID
  • The BSF obtains the authentication vector from the Home Subscriber Server (HSS) / Home Location Register (HLR)
  • HSS Home Subscriber Server
  • HLR Home Location Register
  • NAF Network Application Function
  • The NAF holds the NAF key Ks_NAF1, and the UE side also generates the same key Ks_NAF2; the NAF and the UE then verify, on the basis that Ks_NAF1 and Ks_NAF2 are identical, whether the login authentication passes.
  • In GBA the UE is a device having a Universal Integrated Circuit Card (UICC); a device without a UICC card, such as a personal computer (PC) or a tablet (pad), must therefore access the carrier network through a device that has a UICC card.
  • B-TID is base64encoded(RAND)@BSF_servers_domain_name, that is, "24 case-sensitive characters or numbers" @ BSF_servers_domain_name.
  • Ks_NAF is a 256-bit binary bit string. For the user, manually entering B-TID/Ks_NAF is very inconvenient.
  • The embodiment of the present invention provides an authentication method, a method for generating a credential, and related devices, which solve the problem in the prior art that user input is required during the login authentication of an application client requesting an application server.
  • An authentication method includes:
  • the second credential being generated by the Bootstrapping Server Function (BSF) in the same manner as the credential generating client (CGC) generates the first credential.
  • The method further includes:
  • instructing the application client to obtain the first credential from the CGC, where the CGC and the application client are installed on the same terminal or on different terminals.
  • Searching for the second credential corresponding to the first username includes:
  • obtaining, from the BSF, the second credential corresponding to the first username, which includes:
  • sending a second credential obtaining request that carries a second username, so that the BSF searches for the key and key identifier corresponding to the second username and generates the second credential from the key, the key identifier and the identifier of the application server using a set algorithm, where the second username is associated with the first username, and where the key and the key identifier are the key Ks and key identifier B-TID shared with the CGC;
  • the second username is an International Mobile Subscriber Identity (IMSI), a Mobile Subscriber International Integrated Services Digital Network Number (MSISDN), or an identifier carrying the IMSI or the MSISDN.
  • IMSI International Mobile Subscriber Identity
  • MSISDN Mobile Subscriber International Integrated Services Digital Network Number
  • A method for generating a credential includes:
  • generating a first credential, using a set algorithm, from the identifier of the application server and the key Ks and key identifier B-TID shared with the Bootstrapping Server Function (BSF), including:
  • Credential = base64encoded(Trunc48[SHA-256(Ks_NAF)])
  • where Credential is the first credential;
  • Ks_NAF is generated from Ks and the identifier NAF_ID of the application server according to the Generic Bootstrapping Architecture (GBA) flow;
  • Trunc48 takes the low 48 bits of the 256-bit SHA-256 value, and base64encoded denotes BASE64 encoding.
  • Receiving the identifier of the application server that the application client requests to log in to includes:
  • The method further includes:
  • Receiving the identifier of the application server that the application client requests to log in to includes:
  • The method further includes:
  • An application server includes:
  • a first searching unit configured to, when receiving a login request generated by the application client from the first username and the first credential, search for a second credential corresponding to the first username;
  • a confirmation unit configured to confirm, according to the second credential, whether the application client passes verification, where the second credential is generated by the Bootstrapping Server Function (BSF) in the same manner as the credential generating client (CGC) generates the first credential.
  • The application server further includes:
  • an indicating unit configured to, when the login request indicates that the first credential is not valid, instruct the application client to obtain the first credential from the CGC, where the CGC and the application client are installed on the same terminal or on different terminals.
  • The first searching unit includes:
  • a second searching unit configured to locally search for the stored second credential corresponding to the first username.
  • The first acquiring unit includes:
  • a first sending unit configured to send the second credential obtaining request to the BSF, where the obtaining request carries a second username, so that the BSF searches for the key and key identifier corresponding to the second username and generates the second credential from the key, the key identifier and the identifier of the application server, where the second username is associated with the first username, and where
  • the key and the key identifier are the key Ks and key identifier B-TID shared with the CGC;
  • a second obtaining unit configured to acquire the second credential generated by the BSF.
  • The second username is an International Mobile Subscriber Identity (IMSI) or a Mobile Subscriber International Integrated Services Digital Network Number (MSISDN).
  • A credential generating client (CGC) includes:
  • a first receiving unit configured to receive the identifier of the application server that the application client requests to log in to;
  • a first generating unit configured to generate a first credential, using a set algorithm, from the identifier of the application server and the key Ks and key identifier B-TID shared with the Bootstrapping Server Function (BSF), so that the application server performs login verification on the application client according to the second credential corresponding to the first username obtained from the BSF;
  • the second credential being generated by the BSF in the same manner as the first credential is generated.
  • The first generating unit includes:
  • a second generating unit configured to generate the first credential by the following algorithm:
  • Credential = base64encoded(Trunc48[SHA-256(Ks_NAF)])
  • where Credential is the first credential;
  • Ks_NAF is generated from Ks and the identifier NAF_ID of the application server according to the Generic Bootstrapping Architecture (GBA) flow;
  • Trunc48 takes the low 48 bits of the 256-bit SHA-256 value, and base64encoded denotes BASE64 encoding.
  • The first receiving unit includes:
  • a second receiving unit configured to receive the identifier of the application server input by a user; and the CGC further includes:
  • an output unit configured to output the first credential to the user.
  • The first receiving unit includes:
  • a third receiving unit configured to receive a credential obtaining request from the application client, where the credential obtaining request includes the identifier of the application server;
  • and the CGC further includes:
  • a second sending unit configured to send the first credential to the application client.
  • The user can input an easy-to-remember username together with the easy-to-enter credential generated in the same manner by the CGC and the BSF on any terminal, and complete the login authentication with the application server using that username and credential. This avoids the user having to enter complex usernames and credentials and simplifies the login process.
  • FIG. 1 is a schematic diagram of the Generic Bootstrapping Architecture (GBA) in the prior art;
  • FIG. 2 is a flow chart of an embodiment of an authentication method according to the present invention;
  • FIG. 3 is a flow chart of another embodiment that further refines the embodiment of the authentication method shown in FIG. 2;
  • FIG. 4 is a flow chart of an embodiment of a method for generating a credential according to the present invention;
  • FIG. 5 is a flow chart of another embodiment that further refines the embodiment of the method for generating a credential shown in FIG. 4;
  • FIG. 6 is a flow chart of still another embodiment that further refines the embodiment of the method for generating a credential shown in FIG. 4;
  • FIG. 7 is a schematic structural diagram of an embodiment of an application server according to the present invention;
  • FIG. 8 is a block diagram of another embodiment that further refines the embodiment of the application server shown in FIG. 7;
  • FIG. 9 is a schematic structural diagram of an embodiment of a credential generating client (CGC) according to the present invention;
  • FIG. 10 is a schematic structural diagram of another embodiment that further refines the embodiment of the CGC shown in FIG. ;
  • FIG. 11 is a block diagram of still another embodiment that further refines the embodiment of the CGC shown in FIG. 9.
  • Detailed description
  • FIG. 2 is a flow chart of one embodiment of an authentication method of the present invention. As shown in FIG. 2, the method includes the following steps:
  • Step S101: when receiving a login request generated by the application client from the first username and the first credential, search for a second credential corresponding to the first username, where the second credential is generated by the Bootstrapping Server Function (BSF) in the same manner as the credential generating client (CGC) generates the first credential.
  • The application client in the embodiment of the present invention is installed on a terminal, and the terminal may be a device having a UICC card, such as a mobile terminal, or a device without a UICC card, such as a PC or a pad.
  • The application client includes OTT (Over The Top) application clients such as Weibo and WeChat. It should be noted that a browser is also an application client.
  • When the user wants to log in to the application server on the application client, the user inputs the first username on the application client; the first username may be the user's mobile phone number or the account registered by the user on the application server. The user also inputs the first credential, which is generated by a credential generating client (CGC) installed on the terminal of the application client or on another terminal.
  • CGC credential generating client
  • The first username may be a user-defined, easy-to-remember name, and the first credential is likewise a credential that the CGC has processed with a specific algorithm so that the user can easily remember it.
  • The application client generates a login request from the first username and the first credential and sends it to the application server according to the authentication protocol between the application client and the application server.
  • When the application server receives the login request, it parses the request, obtains the first username and the first credential, and then searches for the second credential corresponding to the first username. If the user has logged in to the application server before, the application server may have stored the second credential locally, in which case the second credential generated by the BSF for the first username is found locally; if it is not stored locally, the second credential corresponding to the first username is obtained from the BSF.
  • In the present invention the CGC on any terminal can be used, as long as it is the CGC that generates the first credential corresponding to the first username.
  • The BSF first performs the GBA process with the CGC and negotiates the same B-TID and Ks, storing Ks under the first username or another identifier associated with the first username. Then, according to the application server identifier NAF_ID carried in the credential obtaining request, the BSF searches for the Ks corresponding to the first username (or the associated identifier) in the request and generates the second credential using the same algorithm with which the CGC generates the first credential.
  • Step S102: confirm, according to the second credential, whether the application client passes verification. The first credential and the second credential are compared; if they are consistent, verification succeeds, the application client is allowed to log in, and a login success message is returned to the application client. Otherwise verification fails, the application client is not allowed to log in, and a login failure message is returned to the application client.
  • With this authentication method, when an application client requests to log in to an application server the user may input an easy-to-remember username together with the easy-to-enter credential generated by the CGC and the BSF on any terminal, and complete the login authentication with the application server using that username and credential. This avoids the user having to enter complex usernames and credentials and simplifies the login process.
  • FIG. 3 is a flow chart of another embodiment that further refines the embodiment of the authentication method shown in FIG. 2. As shown in FIG. 3, the method includes the following steps:
  • Step S201: receive a first login request from an application client.
  • The terminal where the application client is located may be a device such as a PC or a pad without a UICC card or a Universal Subscriber Identity Module (USIM). Such a terminal cannot perform communication authentication with the BSF through a UICC card and cannot share the same B-TID and Ks with the BSF.
  • However, a terminal that has a UICC card can be used to obtain the first credential corresponding to the first username through the CGC on that terminal.
  • The terminal may also itself be a device with a UICC card or a USIM card, in which case the application client may directly send a first credential obtaining request to the CGC on the terminal.
  • If the application client can obtain a valid first credential from the terminal, it generates the login request from the first username and the first credential; otherwise it generates the login request from the first username alone and carries an indication in the login request that the application client does not have a valid first credential.
  • The first username is input by the user on the application client; it may be the user's mobile phone number, an account registered by the user on the application server, or a similar user-defined, easy-to-remember name.
  • Step S202: determine whether the first login request carries an indication that the application client does not have a valid first credential. If no such indication is carried, go to step S205 to continue the login authentication process; otherwise, go to step S203.
  • Step S203: send a response message indicating that the first credential is invalid to the application client, where the response message instructs the application client to obtain the first credential from the credential generating client (CGC).
  • Because the login request indicates that there is no valid first credential, the login confirmation process cannot continue; the application server therefore sends the response message that the first credential is invalid, in which the application client is instructed or prompted to obtain the first credential from the CGC.
  • For example, the user is instructed to input the identifier of the application server, such as the NAF_ID, on the CGC of the mobile terminal into which the UICC card is inserted. The application server or the BSF may additionally send information about the application client, terminal and application server concerned to the user's mobile terminal with the UICC card, for instance by short message, to prompt the user that they are trying to access an application server.
  • Once the CGC knows the NAF_ID, it generates the first credential according to the algorithm agreed with the BSF from the B-TID and Ks it shares with the BSF and the NAF_ID. If there is no valid Ks or B-TID on the CGC, the CGC first performs the GBA process with the BSF to generate a valid Ks and B-TID.
  • Step S204: receive a second login request from the application client.
  • After obtaining the first credential corresponding to the first username from the terminal into which the UICC card is inserted, the user inputs the first credential on the application client, and the application client regenerates the login request from the first username and the first credential and resends it to the application server. The application server receives the login request resent by the application client.
  • Step S205: determine whether a second credential corresponding to the first username is stored locally; if so, go to step S206, otherwise go to step S207.
  • Step S206: acquire the locally stored second credential corresponding to the first username.
  • The application server may locally store the second credential obtained from the BSF for verifying the user's login requests, and it may store the credentials of many users, indexed by user identifier. It is therefore necessary to find the second credential corresponding to the first username by the first username. If no second credential corresponding to the first username is stored locally, go to step S207 to reacquire the second credential from the BSF.
  • Step S207: send a second credential obtaining request to the BSF, where the obtaining request carries a second username, and the second username is associated with the first username.
  • Step S208: acquire the second credential generated by the BSF.
  • The first username carried in the login request received from the application client is converted into a second username that the BSF can identify, such as the International Mobile Subscriber Identity (IMSI), the Mobile Subscriber International ISDN/PSTN number (MSISDN), or an identifier carrying the IMSI or MSISDN.
  • IMSI International Mobile Subscriber Identity
  • MSISDN Mobile Subscriber International ISDN/PSTN number
  • This second username is used to look up Ks and B-TID on the BSF.
  • The application server sends the second credential obtaining request to the BSF. The BSF first searches for the Ks corresponding to the second username, this Ks being the one the BSF shares, by performing the GBA process, with the CGC that generates the first credential. It then generates the second credential from the Ks, the B-TID and the NAF_ID of the application server that sent the obtaining request, using the algorithm agreed with the CGC, and returns it to the application server.
  • One method of generating the credential is:
  • Ks_NAF = KDF(Ks, NAF_ID);
  • Credential = base64encoded(Trunc48[SHA-256(Ks_NAF)])
  • The CGC first generates Ks_NAF according to the method in TS 33.220 and then computes the SHA-256 value of Ks_NAF.
  • The low 48 bits of the 256-bit SHA-256 value are truncated and BASE64-encoded, and the final output is 8 case-sensitive English letters or digits.
  • The generated credential is therefore one the user can easily enter.
  • Step S209: confirm, according to the second credential, whether the application client passes verification. If yes, go to step S210; otherwise, go to step S211.
  • Step S210: return a login success message to the application client.
  • Step S211: return a login failure message to the application client.
  • If the verification succeeds, a login success message is returned to the application client; if the verification fails, a login failure message is returned to the application client.
  • With this authentication method, when an application client requests to log in to an application server the user may input an easy-to-remember username together with the easy-to-enter credential generated by the CGC and the BSF on any terminal, and complete the login authentication with the application server using that username and credential. This avoids the user having to enter complex usernames and credentials and simplifies the login process.
  • Step S301: receive the identifier of the application server that the application client requests to log in to.
  • The application client in the embodiment of the present invention is installed on a terminal, and the terminal may be a device having a UICC card, such as a mobile terminal, or a device without a UICC card, such as a PC or a pad. The application client includes OTT (Over The Top) application clients such as a microblog client.
  • OTT Over The Top
  • A browser is also an application client.
  • When the application client requests to log in to an application server, the CGC receives the identifier NAF_ID of that application server, either sent by the application client or input directly by the user.
  • Step S302: using a set algorithm, generate a first credential from the identifier of the application server and the key Ks and key identifier B-TID shared with the Bootstrapping Server Function (BSF), so that the application server performs login verification on the application client according to the second credential corresponding to the first username obtained from the BSF, where the second credential is generated by the BSF in the same manner as the first credential.
  • When the user wants to log in to the application server on the application client, the user inputs the first username on the application client; the first username may be the user's mobile phone number or the account registered by the user on the application server. The user also inputs the first credential, which is generated by the CGC installed on the terminal where the application client is located or on another terminal.
  • The first username may be a user-defined, easy-to-remember name, and the first credential is likewise a credential that the CGC has processed with a specific algorithm so that the user can easily remember it.
  • The application client requests authentication from the application server with a login request generated from the first username and the first credential.
  • If the terminal where the application client is located is a device such as a PC or a pad without a UICC card or a USIM, the terminal cannot communicate with the BSF through a UICC card and cannot share the same B-TID and Ks with the BSF. Although such a terminal has no CGC, the first credential corresponding to the first username can still be obtained through the CGC on another terminal that has a UICC card.
  • The terminal may also itself be a device with a UICC card or a USIM card, in which case the application client may directly send a first credential obtaining request to the CGC on the terminal.
  • The CGC first performs the GBA process with the BSF to obtain the shared B-TID and Ks; then, based on the received NAF_ID, it generates the first credential using the algorithm agreed with the BSF.
  • One method of generating the credential is:
  • Ks_NAF = KDF(Ks, NAF_ID);
  • Credential = base64encoded(Trunc48[SHA-256(Ks_NAF)])
  • When the BSF performs the GBA process with the CGC, it stores the Ks and B-TID under the first username associated with the first credential, or under another identifier associated with the first username.
  • When the application server receives the login request of the application client, it obtains the first username from the login request and sends a second credential obtaining request to the BSF according to that username. The BSF finds the corresponding Ks using the first username, or the other identifier associated with the first username, carried in the request, generates the second credential in the same manner as the CGC generates the first credential, and returns it to the application server so that the application server can verify the login request.
  • Because the credential for any application server is generated in the same manner as by the BSF, the credential for an application server can be provided to the application client on any terminal, and the generated credential is easy for the user to enter.
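The following Python model is an added example and is not code from the patent or from 华为技术有限公司; it puts the credential derivation stated above (Ks_NAF = KDF(Ks, NAF_ID), Credential = base64encoded(Trunc48[SHA-256(Ks_NAF)])) next to the application-server verification flow of FIG. 3 (steps S201 to S211), so that the CGC side and the BSF side can be seen computing the same 8-character value. Assumptions of mine: HMAC-SHA-256 keyed with Ks stands in for the TS 33.220 KDF (the real KDF also mixes in RAND, IMPI and the Ua protocol identifier), Trunc48 is taken as the last 6 bytes of the big-endian digest, Ks is drawn at random instead of being CK||IK from an HSS authentication vector, and the class names, the IMSI, the domain names and the in-memory first-username-to-IMSI mapping are constructed for the example.

```python
"""Added example (not part of the patent text): CGC/BSF credential derivation
and the application-server verification flow described in the patent."""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def derive_ks_naf(ks: bytes, naf_id: str) -> bytes:
    """Ks_NAF = KDF(Ks, NAF_ID).
    ASSUMPTION: HMAC-SHA-256 keyed with Ks stands in for the TS 33.220 KDF,
    which also mixes in RAND, IMPI and the Ua protocol identifier."""
    return hmac.new(ks, naf_id.encode("utf-8"), hashlib.sha256).digest()


def make_credential(ks: bytes, naf_id: str) -> str:
    """Credential = base64encoded(Trunc48[SHA-256(Ks_NAF)]).
    Trunc48 keeps the low 48 bits of the 256-bit digest; here taken as the
    last 6 bytes (big-endian reading, an assumption). 6 bytes base64-encode
    to exactly 8 characters with no '=' padding."""
    digest = hashlib.sha256(derive_ks_naf(ks, naf_id)).digest()
    return base64.b64encode(digest[-6:]).decode("ascii")


class BSF:
    """Bootstrapping Server Function: stores (B-TID, Ks) per second username."""

    def __init__(self, domain: str = "bsf.example.net") -> None:  # constructed domain
        self.domain = domain
        self._keys: Dict[str, Tuple[str, bytes]] = {}  # IMSI -> (B-TID, Ks)

    def bootstrap(self, imsi: str) -> Tuple[str, bytes]:
        """Stand-in for the GBA run with the CGC: fresh RAND and Ks.
        A real Ks is CK||IK from the HSS authentication vector (not modelled)."""
        rand = secrets.token_bytes(16)
        ks = secrets.token_bytes(32)
        # base64 of 16 random bytes is 24 characters, matching the B-TID format
        b_tid = base64.b64encode(rand).decode("ascii") + "@" + self.domain
        self._keys[imsi] = (b_tid, ks)
        return b_tid, ks

    def second_credential(self, imsi: str, naf_id: str) -> Optional[str]:
        """Steps S207/S208: look up Ks by the second username, derive the credential."""
        entry = self._keys.get(imsi)
        return None if entry is None else make_credential(entry[1], naf_id)


class CGC:
    """Credential Generating Client on the terminal that holds the UICC."""

    def __init__(self, bsf: BSF, imsi: str) -> None:
        self.bsf, self.imsi = bsf, imsi
        self.b_tid: Optional[str] = None
        self.ks: Optional[bytes] = None

    def first_credential(self, naf_id: str) -> str:
        if self.ks is None:  # no valid Ks/B-TID yet: run GBA with the BSF first
            self.b_tid, self.ks = self.bsf.bootstrap(self.imsi)
        return make_credential(self.ks, naf_id)


class ApplicationServer:
    """NAF-side verification (steps S201 to S211)."""

    def __init__(self, naf_id: str, bsf: BSF, username_map: Dict[str, str]) -> None:
        self.naf_id, self.bsf = naf_id, bsf
        self.username_map = username_map  # first username -> second username (IMSI)
        self._cache: Dict[str, str] = {}  # locally stored second credentials (S205/S206)

    def login(self, first_username: str, first_credential: Optional[str]) -> str:
        if first_credential is None:  # S202/S203: client has no valid first credential
            return "OBTAIN_CREDENTIAL_FROM_CGC"
        second = self._cache.get(first_username)
        if second is None:  # S207/S208: fetch from the BSF via the associated IMSI
            imsi = self.username_map.get(first_username)
            second = self.bsf.second_credential(imsi, self.naf_id) if imsi else None
            if second is None:
                return "LOGIN_FAILURE"
            self._cache[first_username] = second
        # S209: constant-time comparison so a wrong guess leaks no prefix timing
        if hmac.compare_digest(first_credential.encode(), second.encode()):
            return "LOGIN_SUCCESS"
        return "LOGIN_FAILURE"


def demo_flow() -> Tuple[str, str, str, str]:
    """Walk the FIG. 3 flow with constructed identities and return the results."""
    bsf = BSF()
    cgc = CGC(bsf, imsi="460001234567890")  # constructed IMSI
    server = ApplicationServer("app.example.com", bsf, {"alice": "460001234567890"})
    first_try = server.login("alice", None)          # no credential yet -> S203
    cred = cgc.first_credential("app.example.com")   # the user reads this off the CGC
    success = server.login("alice", cred)            # S204 -> S209 -> S210
    failure = server.login("alice", "AAAAAAAA")      # wrong credential -> S211
    return first_try, cred, success, failure


if __name__ == "__main__":
    print(demo_flow())
```

Two points the model makes visible: the credential carries only 48 bits of entropy and is typed by a human, so the application server should rate-limit failed comparisons per username; and the locally stored second credential (S205/S206) goes stale as soon as the CGC re-runs GBA and obtains a new Ks, so a cache miss policy that refetches from the BSF on comparison failure is worth considering alongside the one shown.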
  • FIG. 5 is a flow chart of another embodiment that further refines the embodiment of the method for generating a credential shown in FIG. 4. As shown in FIG. 5, the method includes the following steps:
  • Step S401: receive the identifier, input by the user, of the application server that the application client requests to log in to.
  • The terminal where the application client is located is a device such as a PC or a pad without a UICC card or a USIM. It therefore cannot perform communication authentication with the BSF through a UICC card, has no CGC installed, and cannot share the same B-TID and Ks with the BSF. Although the terminal has no CGC, the first credential corresponding to the first username can be obtained through the CGC on another terminal that has a UICC card.
  • The identifier may be input manually, or the NAF_IDs of multiple application servers may be preset on the CGC so that the user can select the corresponding application server.
  • Step S402: generate a first credential, using the set algorithm, from the identifier of the application server and the key Ks and key identifier B-TID shared with the Bootstrapping Server Function (BSF), so that the application server performs login verification on the application client according to the first credential and the second credential corresponding to the first username obtained from the BSF, where the second credential is generated by the BSF in the same manner as the first credential.
  • Step S402 is the same as step S302 of the foregoing embodiment and is not described again here.
  • Step S403: output the first credential to the user.
  • The CGC generates the first credential from the B-TID, the Ks and the NAF_ID and displays it on the terminal screen to the user, so that the user can input the first credential into the application client on the other terminal, causing the application client to generate a login request from the first credential and the first username and send it to the application server to request verification.
  • Because the credential for any application server is generated in the same manner as by the BSF, the application client on a terminal that cannot execute the GBA process can use the credential to log in to the application server, and the generated credential is convenient for the user to input.
  • FIG. 6 is a flow chart of still another embodiment that further refines the embodiment of the method for generating a credential shown in FIG. 4. As shown in FIG. 6, the method includes the following steps:
  • Step S501: receive a credential obtaining request from an application client, where the credential obtaining request includes the identifier of the application server that the application client requests to log in to.
  • The terminal where the application client is located is a device with a UICC card or a USIM card and can execute the GBA process with the BSF. The credential obtaining request sent by the application client on this terminal therefore directly includes the identifier of the application server that the application client requests to log in to.
  • Step S502: using a set algorithm, generate a first credential from the identifier of the application server and the key Ks and key identifier B-TID shared with the Bootstrapping Server Function (BSF), so that the application server performs login verification on the application client according to the second credential corresponding to the first username obtained from the BSF, where the second credential is generated by the BSF in the same manner as the first credential.
  • Step S502 is the same as step S302 of the foregoing embodiment and is not described again here.
  • Step S503: send the first credential to the application client.
  • After generating the first credential from the B-TID, the Ks and the NAF_ID, the CGC sends it directly to the application client, so that the application client generates a login request from the first credential and the first username and sends it to the application server to request authentication.
  • In this embodiment the credential obtaining request from the application client on the terminal can be received directly, and the credential for any application server can be generated in the same manner as by the BSF, without the user having to input the credential.
  • FIG. 7 is a schematic structural diagram of an embodiment of an application server according to the present invention.
  • As shown in Figure 7, the application server 1000 includes a first searching unit 11, configured to search, upon receiving a login request generated by the application client from a first user name and a first credential, for a second credential corresponding to the first user name, where the second credential is generated by the Bootstrapping Server Function (BSF) in the same manner as the credential generation client (CGC) generates the first credential.
  • The application client in this embodiment of the present invention is installed on a terminal, and the terminal may be a device with a UICC card, such as a mobile terminal, or a device without a UICC card, such as a PC or a tablet.
  • The application client includes OTT (Over The Top) application clients such as Weibo and WeChat. It should be noted that a browser is also an application client.
  • When the user wants to log in to the application server through the application client, the user inputs the first user name on the application client; the first user name may be the user's mobile phone number or the account the user registered on the application server.
  • The user also inputs the first credential, which is generated by a credential generation client (CGC) set on the terminal where the application client is located or on another terminal.
  • The first user name may be a user-defined, easy-to-remember name, and the first credential is likewise a credential that the CGC has processed with a specific algorithm so that it is easy for the user to memorize.
  • The application client logs in to the application server with the login request generated from the first credential and the first user name, according to the authentication protocol between the application client and the application server.
  • When the application server receives the login request of the application client, it parses the login request, obtains the first user name and, with it, the first credential, and the first searching unit 11 then searches for the second credential corresponding to the first user name. If the user has logged in to the application server before, the application server may have stored the second credential locally, so the second credential generated by the BSF for the first user name may be found locally; if it is not stored locally, the second credential corresponding to the first user name is obtained from the BSF.
  • In the present invention, the CGC on any terminal may be used, as long as that CGC generates the first credential corresponding to the first user name.
  • The BSF first performs the GBA process with the CGC and negotiates the same B-TID and Ks, storing the Ks under the first user name or another identifier associated with the first user name. Then, when the application server sends a credential acquisition request carrying its identifier, the NAF_ID, the BSF searches for the corresponding Ks according to the first user name, or the identifier associated with it, carried in the acquisition request, and generates the second credential using the same algorithm as the CGC used to generate the first credential.
  • The BSF sends the generated second credential to the application server. A specific algorithm is used so that the generated credential is also easy for the user to input.
  • The confirming unit 12 is configured to confirm, according to the second credential, whether the application client passes verification. It compares the first credential with the second credential; if they are consistent, the confirming unit 12 confirms that verification has succeeded, allows the application client to log in and returns a login success message to the application client. Otherwise, the confirming unit 12 confirms that verification has failed, does not allow the application client to log in and returns a login failure message to the application client.
  • With the application server of this embodiment, when an application client requests to log in, the user may input an easy-to-remember user name together with a credential generated by the CGC on any terminal in the same manner as by the BSF; login authentication to the application server is completed by means of that user name and credential, so the user does not need to input a complicated user name and credential, which simplifies the login process.
  • Figure 8 is a block diagram of another embodiment that further refines the application server of the present invention shown in Figure 7. As shown in FIG. 8, the application server 2000 includes:
  • The indicating unit 21 is configured to instruct the application client, when the first credential is not valid, to obtain the first credential from the CGC, where the CGC is installed on the same terminal as the application client or on a different terminal.
  • The terminal where the application client is located may be a device without a UICC card or a Universal Subscriber Identity Module (USIM), such as a PC or a tablet. Such a terminal cannot perform communication authentication with the BSF through a UICC card and therefore cannot share the same B-TID and Ks with the BSF.
  • However, a terminal that has a UICC card can be used to obtain the first credential corresponding to the first user name by means of the CGC on that terminal.
  • The terminal may also itself be a device with a UICC card or a USIM card, in which case the application client may directly send a first credential acquisition request to the CGC on the terminal.
  • If the application client can obtain a valid first credential from the terminal, the application client generates the login request from the first user name and the first credential; otherwise, the application client generates the login request from the first user name alone and carries in the login request an indication that the application client does not have a valid first credential.
  • The first user name is input by the user on the application client; it may be the user's mobile phone number, the account registered by the user on the application server, or a similar user-defined, easy-to-remember name.
  • If the login request does not carry the indication that the application client has no valid first credential, the application client has a valid first credential and login authentication continues; if the login request indicates that the application client has no valid first credential, the indicating unit 21 instructs the application client to acquire the first credential from the CGC.
  • To do so, the indicating unit 21 sends the application client a response message stating that the first credential is invalid, in which the application client is instructed or prompted to obtain the first credential from the CGC.
  • The user is instructed to input the identifier of the application server, such as the NAF_ID, on the CGC of the mobile terminal in which the UICC card is inserted. The application server or the BSF may additionally send information about the corresponding application client, terminal and application server, by short message or similar means, to the user's mobile terminal with the UICC card, to prompt the user that he is trying to access an application server.
  • Knowing the NAF-ID, the CGC generates the first credential from its B-TID, the Ks it shares with the BSF, and the NAF-ID, according to the algorithm agreed with the BSF. If there is no valid Ks or B-TID on the CGC, the CGC needs to perform the GBA process with the BSF to generate a valid Ks and B-TID.
  • After obtaining the first credential corresponding to the first user name from the terminal with the UICC card, the user inputs the first credential on the application client, which regenerates the login request from the first user name and the first credential and resends it to the application server. The application server receives the login request resent by the application client.
  • The first searching unit 22 is configured to search, upon receiving the login request generated by the application client from the first user name and the first credential, for a second credential corresponding to the first user name.
  • The first searching unit 22 includes a second searching unit 221 and a first acquiring unit 222.
  • The second searching unit 221 is configured to locally search for a stored second credential corresponding to the first user name.
  • The first acquiring unit 222 is configured to acquire, from the BSF, a second credential corresponding to the first user name.
  • The application server may locally store the second credential obtained from the BSF for verifying the user's login requests, and it may also locally store the credentials of a plurality of users, classified by user identifier. The second searching unit 221 therefore searches for and acquires the second credential corresponding to the first user name according to the first user name. If the second credential corresponding to the first user name is not stored locally, it is retrieved from the BSF by the first acquiring unit 222.
  • The first acquiring unit 222 further includes a first sending unit 00 and a second acquiring unit 01. The first sending unit 00 is configured to send an acquisition request for the second credential to the BSF, where the acquisition request carries a second user name, so that the BSF searches for the key and key identifier corresponding to the second user name and generates the second credential from the key, the key identifier and the identifier of the application server using the preset algorithm; the second user name is associated with the first user name, and the key and key identifier are the key Ks and key identifier B-TID shared with the CGC.
  • The second acquiring unit 01 is configured to acquire the second credential generated by the BSF.
  • The first user name carried in the login request received from the application client is converted into a second user name that the BSF can recognise, such as an International Mobile Subscriber Identity (IMSI) or a Mobile Subscriber International ISDN/PSTN Number (MSISDN), or an identity that contains IMSI or MSISDN information, since the BSF can only identify an IMSI or MSISDN.
  • This second user name is used to look up the Ks and B-TID on the BSF.
  • The application server sends the second credential acquisition request to the BSF, and the BSF first searches for the corresponding Ks according to the second user name, where the Ks is shared between the BSF and the CGC that generated the first credential by performing the GBA process; the BSF then generates the second credential from the Ks, the B-TID and the NAF_ID of the application server that sent the acquisition request, using the algorithm agreed with the CGC, and returns it to the application server.
  • A method of generating the credential is:
  • Ks_NAF = KDF(Ks, NAF-ID);
  • Credential = base64encode(Trunc48[SHA-256(Ks_NAF)])
  • That is, the CGC first generates Ks_NAF according to the method in TS 33.220 and then computes the SHA-256 value of Ks_NAF; the lower 48 bits of the 256-bit SHA-256 value are truncated and BASE64-encoded, and the final output is 8 case-sensitive letters or digits.
  • The generated credential is therefore a credential that the user can easily enter.
  • The confirming unit 23 is configured to confirm, according to the second credential, whether the application client passes verification.
  • If the verification succeeds, a login success message is returned to the application client; if the verification fails, a login failure message is returned to the application client.
  • With the application server of this embodiment, when an application client requests to log in to the application server, the user may input an easy-to-remember user name together with an easy-to-enter credential generated by the CGC on any terminal in the same manner as by the BSF; login authentication to the application server is completed by means of that user name and credential, so the user does not need to input complicated user names and credentials, which simplifies the login process.
  • FIG. 9 is a schematic structural diagram of an embodiment of a credential generation client (CGC) according to the present invention. As shown in Figure 9, the CGC 3000 includes:
  • The first receiving unit 31 is configured to receive the identifier of the application server that the application client requests to log in to.
  • The application client in this embodiment of the present invention is installed on a terminal, and the terminal may be a device with a UICC card, such as a mobile terminal, or a device without a UICC card, such as a PC or a tablet; the application client includes OTT (Over The Top) application clients such as Weibo and WeChat. It should be noted that a browser is also an application client.
  • The first receiving unit 31 receives the identifier NAF_ID of the application server, which is sent by the application client or directly input by the user.
  • The first generating unit 32 is configured to generate a first credential from the identifier of the application server, the key Ks shared with the Bootstrapping Server Function (BSF) and the key identifier B-TID, using a preset algorithm, so that the application server performs login verification on the application client according to the second credential, corresponding to the first user name, that it obtains from the BSF; the second credential is generated by the BSF in the same manner as the first credential.
  • When the user wants to log in to the application server through the application client, the user inputs the first user name on the application client; the first user name may be the user's mobile phone number or the account the user registered on the application server.
  • The user also inputs the first credential, which is generated by the CGC set on the terminal where the application client is located or on another terminal.
  • The first user name may be a user-defined, easy-to-remember name, and the first credential is likewise a credential that the CGC has processed with a specific algorithm so that it is easy for the user to memorize.
  • The application client requests authentication from the application server with the login request generated from the first user name and the first credential.
  • If the terminal where the application client is located is a device without a UICC card or a USIM, such as a PC or a tablet, the terminal cannot communicate with the BSF through a UICC card and cannot share the same B-TID and Ks with the BSF. Although such a terminal has no CGC, the first credential corresponding to the first user name can be obtained through the CGC on another terminal that has a UICC card.
  • The terminal may also be a device with a UICC card or a USIM card, in which case the application client may directly send a first credential acquisition request to the CGC on the terminal.
  • A method of generating the credential is:
  • Ks_NAF = KDF(Ks, NAF-ID);
  • Credential = base64encode(Trunc48[SHA-256(Ks_NAF)])
  • That is, the CGC first generates Ks_NAF according to the method in TS 33.220 and then computes the SHA-256 value of Ks_NAF; the lower 48 bits of the 256-bit SHA-256 value are truncated and BASE64-encoded, and the final output is 8 case-sensitive letters or digits.
  • The generated credential is therefore a credential that the user can easily enter.
  • When the BSF performs the GBA process with the CGC, it stores the Ks and B-TID under the first user name associated with the first credential, or under another identifier associated with the first user name.
  • When the application server receives the login request of the application client, it obtains the first user name from the login request and sends a second credential acquisition request, carrying the first user name or the other identifier associated with it, to the BSF; the BSF finds the corresponding Ks, generates a second credential in the same manner as the CGC generates the first credential, and returns it to the application server so that the application server can verify the login request.
  • With the CGC of this embodiment, a credential for any server is generated in the same manner as by the BSF, so the application client on any terminal can be provided with a credential for logging in to the application server, and the generated credential is convenient for the user to input.
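The credential derivation given above, together with the BSF-side lookup and the application-server verification path described for Figures 7 and 8, as an added Python example that is not part of the patent. It assumes the TS 33.220 Annex B key derivation (HMAC-SHA-256 over FC = 0x01, "gba-me", RAND, IMPI, NAF_Id) behind the patent's KDF(Ks, NAF-ID), reads "lower 48 bits" as the last six digest bytes, and uses constructed Ks, RAND, B-TID, IMPI and user-name mapping values; the refresh of a stale cached second credential after the CGC re-bootstraps goes beyond the text and is this example's own addition.

```python
import base64
import hashlib
import hmac
import secrets

# Key derivation per TS 33.220 Annex B (my reading of the spec; the patent writes only KDF(Ks, NAF-ID)).
def gba_kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Annex B.2: HMAC-SHA-256(Key, S) with S = FC || P0 || L0 || ... || Pn || Ln (Li: 2-byte length)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()

def derive_ks_naf(ks: bytes, rand: bytes, impi: str, naf_id: bytes) -> bytes:
    """Annex B.3 (GBA_ME): FC = 0x01, P0 = "gba-me", P1 = RAND, P2 = IMPI, P3 = NAF_Id."""
    return gba_kdf(ks, 0x01, b"gba-me", rand, impi.encode("utf-8"), naf_id)

def make_credential(ks: bytes, rand: bytes, impi: str, naf_id: bytes) -> str:
    """Credential = base64(Trunc48[SHA-256(Ks_NAF)]); 48 bits encode to exactly 8 chars, no '=' padding."""
    digest = hashlib.sha256(derive_ks_naf(ks, rand, impi, naf_id)).digest()
    trunc48 = digest[-6:]  # "lower 48 bits" read as the last 6 digest bytes (assumption)
    # Standard base64 can also emit '+' and '/', so the output is not strictly letters and digits.
    return base64.b64encode(trunc48).decode("ascii")

class BSF:
    """Keeps bootstrapping state per subscriber and answers the NAF's second-credential requests."""
    def __init__(self):
        self.sessions = {}  # second user name (IMPI/IMSI) -> (Ks, RAND, B-TID)

    def bootstrap(self, impi: str):
        """Stands in for the GBA run with the CGC: both ends leave with the same Ks, RAND and B-TID."""
        ks, rand = secrets.token_bytes(32), secrets.token_bytes(16)
        b_tid = base64.b64encode(rand).decode("ascii") + "@bsf.example.invalid"  # constructed format
        self.sessions[impi] = (ks, rand, b_tid)
        return ks, rand, b_tid

    def second_credential(self, second_username: str, naf_id: bytes):
        """Figure 8 path: find Ks by the BSF-recognisable name and rerun the CGC's algorithm."""
        session = self.sessions.get(second_username)  # None if this subscriber never bootstrapped
        return session and make_credential(session[0], session[1], second_username, naf_id)

class CGC:
    """Credential generation client on the UICC terminal (Figures 9 to 11)."""
    def __init__(self, impi: str, bsf: BSF):
        self.impi = impi
        self.ks, self.rand, self.b_tid = bsf.bootstrap(impi)

    def first_credential(self, naf_id: bytes) -> str:
        return make_credential(self.ks, self.rand, self.impi, naf_id)

class ApplicationServer:
    """NAF side (Figures 7 and 8): indicating unit 21, searching unit 221 and acquiring unit 222."""
    def __init__(self, naf_id: bytes, bsf: BSF, username_map: dict):
        self.naf_id, self.bsf = naf_id, bsf
        self.username_map = username_map  # first user name -> second user name (IMSI/IMPI)
        self.cache = {}  # locally stored second credentials (second searching unit 221)

    def _fetch(self, first_username: str):
        """First acquiring unit 222: translate the user name and ask the BSF."""
        second_username = self.username_map.get(first_username)
        cred = second_username and self.bsf.second_credential(second_username, self.naf_id)
        if cred:
            self.cache[first_username] = cred
        return cred or None

    def login(self, first_username: str, first_credential):
        if first_credential is None:  # request flagged "no valid first credential"
            return "obtain credential from CGC"  # indicating unit 21
        second = self.cache.get(first_username) or self._fetch(first_username)
        if second is None:
            return "login failure"
        if hmac.compare_digest(first_credential.encode(), second.encode()):
            return "login success"
        # A cached second credential goes stale once the CGC re-bootstraps (new Ks). Refreshing it
        # once before rejecting is this example's addition, not a step the patent describes.
        fresh = self._fetch(first_username)
        if fresh and fresh != second and hmac.compare_digest(first_credential.encode(), fresh.encode()):
            return "login success"
        return "login failure"

def demo() -> dict:
    """Runs the whole exchange on constructed identities and returns every outcome."""
    bsf = BSF()
    naf_id = b"app.example.invalid" + bytes.fromhex("0100000000")  # FQDN + Ua protocol id (constructed)
    cgc = CGC("262011234567890@ims.example.invalid", bsf)  # constructed IMPI
    server = ApplicationServer(naf_id, bsf, {"alice": cgc.impi})
    results = {"missing": server.login("alice", None),
               "success": server.login("alice", cgc.first_credential(naf_id)),
               "wrong": server.login("alice", cgc.first_credential(b"other.example.invalid"))}
    cgc2 = CGC(cgc.impi, bsf)  # re-bootstrap: Ks changes, the server's cached second credential is stale
    results["after_rebootstrap"] = server.login("alice", cgc2.first_credential(naf_id))
    results["cgc"], results["bsf"] = cgc2.first_credential(naf_id), bsf.second_credential(cgc.impi, naf_id)
    return results
```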
  • FIG. 10 is a block diagram of another embodiment that further refines the CGC of the present invention shown in Figure 9. As shown in Figure 10, the CGC 4000 includes:
  • The second receiving unit 41 is configured to receive the identifier, input by the user, of the application server that the application client requests to log in to.
  • The terminal where the application client is located is a device without a UICC card or a USIM, such as a PC or a tablet. Such a terminal cannot perform communication authentication with the BSF through a UICC card, has no CGC, and cannot share the same B-TID and Ks with the BSF; although the terminal has no CGC, the first credential corresponding to the first user name can be obtained by using the CGC on another terminal that has a UICC card.
  • The identifier can be input manually, or the NAF-IDs of multiple application servers can be preset on the CGC so that the user can select the corresponding application server.
  • The first generating unit 42 is configured to generate a first credential from the identifier of the application server, the key Ks shared with the Bootstrapping Server Function (BSF) and the key identifier B-TID, using a preset algorithm, so that the application server performs login verification on the application client according to the second credential, corresponding to the first user name, that it acquires from the BSF; the second credential is generated by the BSF in the same manner as the first credential.
  • The function of the first generating unit 42 is the same as that of the first generating unit 32 of the foregoing embodiment and is not described again here.
  • The output unit 43 is configured to output the first credential to the user.
  • The CGC generates the first credential from the B-TID, the Ks and the NAF_ID and displays it on the terminal screen to the user, so that the user can input the first credential into the application client on the other terminal, which then generates a login request from the first credential and the first user name and sends it to the application server to request verification.
  • With the CGC of this embodiment, a credential for any server is generated in the same manner as by the BSF, so the application client on a terminal that cannot execute the GBA process can be provided with a credential for logging in to the application server, and the generated credential is convenient for the user to input.
  • FIG. 11 is a block diagram of still another embodiment that further refines the CGC of the present invention shown in Figure 9.
  • The CGC 5000 includes:
  • The third receiving unit 51 is configured to receive a credential acquisition request from the application client, where the credential acquisition request includes the identifier of the application server that the application client requests to log in to.
  • The terminal on which the application client is located is a device with a UICC card or a USIM card and can therefore execute the GBA process with the BSF. The credential acquisition request sent by the application client of such a terminal therefore directly includes the identifier of the application server that the application client requests to log in to.
  • The first generating unit 52 is configured to generate a first credential from the identifier of the application server, the key Ks shared with the Bootstrapping Server Function (BSF) and the key identifier B-TID, using a preset algorithm, so that the application server performs login verification on the application client according to the second credential, corresponding to the first user name, that it obtains from the BSF; the second credential is generated by the BSF in the same manner as the first credential.
  • The function of the first generating unit 52 is the same as that of the first generating unit 32 of the foregoing embodiment and is not described again here.
  • The second sending unit 53 is configured to send the first credential to the application client.
  • The first credential is sent directly to the application client, so that the application client generates a login request from the first credential and the first user name and sends it to the application server to request verification.
  • The CGC provided by this embodiment of the present invention can directly receive the credential acquisition request of the application client of the terminal and generate a credential for logging in to any server in the same manner as the BSF, without the user having to input the credential, which facilitates login to the application server.

Abstract

The invention relates to an authentication method, a credential generation method and an associated device. The authentication method comprises: after receiving a login request from an application client, generated according to a first user name and a first credential, searching for a second credential corresponding to the first user name; and verifying, according to the second credential, whether the application client is authenticated; the second credential is generated by the bootstrapping function (BSF) using the same means as those used by the credential generation client (CGC) when generating the first credential. The invention also relates to a corresponding credential generation method and application server (NAF), and to a CGC for generating credentials. When an application client requests to log in to the NAF, a user name that is easy for the user to remember can be entered, together with an easy-to-enter credential generated in the same manner by the CGC and the BSF on any terminal; login to the NAF and authentication are achieved by means of that user name and credential, so the user no longer has to enter a complex user name and credential, which simplifies the login process.
PCT/CN2014/080380 2013-07-31 2014-06-20 Authentication method, credential generation method and associated device WO2015014171A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310329541.4 2013-07-31
CN201310329541.4A CN104348801B (zh) 2013-07-31 2013-07-31 Authentication method, credential generation method and related device

Publications (1)

Publication Number Publication Date
WO2015014171A1 true WO2015014171A1 (fr) 2015-02-05

Family

ID=52430953

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/080380 WO2015014171A1 (fr) 2013-07-31 2014-06-20 Authentication method, credential generation method and associated device

Country Status (2)

Country Link
CN (1) CN104348801B (fr)
WO (1) WO2015014171A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
PL126790U1 (pl) * 2017-11-16 2019-05-20 Moj Spolka Akcyjna Multi-member flexible coupling

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020037958A1 (fr) * 2018-08-23 2020-02-27 刘高峰 GBA-based key sharing and client registration method, device and system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006085169A1 (fr) * 2005-01-12 2006-08-17 Nokia Corporation Method and apparatus for using generic authentication architecture procedures in personal computers
CN102196426A (zh) * 2010-03-19 2011-09-21 中国移动通信集团公司 Method, apparatus and system for accessing an IMS network
CN102893683A (zh) * 2010-04-14 2013-01-23 高通股份有限公司 WWAN paging over a short-range communication network to reduce power consumption
CN103024735A (zh) * 2011-09-26 2013-04-03 中国移动通信集团公司 Service access method and device for a card-less terminal
WO2013064716A1 (fr) * 2011-10-31 2013-05-10 Nokia Corporation Security mechanism for external code

Also Published As

Publication number Publication date
CN104348801B (zh) 2018-05-04
CN104348801A (zh) 2015-02-11

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14831383

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14831383

Country of ref document: EP

Kind code of ref document: A1