WO2018004114A2 - Proxy authentication system and authentication method for providing proxy service - Google Patents

Proxy authentication system and authentication method for providing proxy service

Info

Publication number
WO2018004114A2
Authority
WO
WIPO (PCT)
Prior art keywords
proxy
authentication
terminal
key
information
Application number
PCT/KR2017/003364
Other languages
French (fr)
Korean (ko)
Other versions
WO2018004114A3 (en)
Inventor
전병천
김의국
이창우
최재원
Original Assignee
(주)넷비젼텔레콤
Application filed by (주)넷비젼텔레콤
Publication of WO2018004114A2
Publication of WO2018004114A3

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281 Proxies
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0838 Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords

Definitions

  • The present invention relates to a proxy authentication system and an authentication method for providing a proxy service. More specifically, in the proxy authentication performed for every proxy session, authentication is done by checking whether the same key value is used, instead of matching subscriber information.
  • The present invention relates to a proxy authentication system and an authentication method for providing a proxy service that can perform proxy authentication rapidly and minimize the performance degradation that proxy authentication causes in a commercial mobile network with a large number of subscribers.
  • Proxy server technology provides additional services for a packet by passing it through a specific proxy server before it arrives at the receiving end. It is used to provide differentiated supplementary services to network users, such as monitoring, data leakage prevention, and an aggregation point for MPTCP.
  • Because proxy server technology provides additional services to users, it may be necessary to provide them only to specific users.
  • The standard specifications of proxy server technology, RFC1928, RFC1929, etc., provide a user authentication method using Username / Password.
  • When this Username / Password authentication method is used in a commercial network covering a large number of subscribers, the proxy authentication procedure must compare the request against a large amount of information, and there is the administrative burden of managing a database that holds a large number of subscriber records. Its limitation is that proxy service provisioning performance degrades.
  • The proxy server passes the information required for authentication (e.g. Username / Password) to an authentication server and allows or denies access according to the result returned by the authentication server.
  • This method is not suitable for MPTCP-based aggregation applications, because the access delay is long and processing performance deteriorates when access from a plurality of mobile terminals must be decided in real time.
  • The present invention has been made to solve the above problems. Its object is to provide a proxy authentication system and authentication method for proxy service provision that, when a service is provided through a proxy in a commercial mobile network with millions or more subscribers, keeps using the existing proxy authentication method but does not need to manage those millions of subscribers, so that the proxy performance degradation and the subscriber management burden no longer grow with the number of subscribers.
  • A proxy authentication system for providing a proxy service according to an embodiment of the present invention includes: a Proxy-Manager that pre-authenticates subscribers and forwards initial configuration information for proxy authentication without subscriber information to the terminal and the Proxy-Server; a terminal that generates a username Code1 and a password Code2 constituting a proxy authentication packet, based on the initial configuration information received from the Proxy-Manager, and transmits the proxy authentication packet to the Proxy-Server; and a Proxy-Server that, based on the initial configuration information received from the Proxy-Manager, generates an analysis key enabling authentication processing without subscriber information, performs authentication on the terminal's authentication request using the analysis key, and restores and stores the information of the subscriber whose authentication is completed.
  • The initial configuration information may include a use code list containing terminal-independent code items and / or terminal-dependent code items, a group code, a shared secret for generating a One Time Password (OTP), and the length of the random number. For each terminal-independent code item in the use code list whose value cannot be collected from the network, it may further include the value of that code item.
  • Code2 consists of the values of those terminal-dependent code items (among the values each terminal can store) that are included in the use code list received from the Proxy-Manager, and a random number whose length equals the random-number length received from the Proxy-Manager.
  • Code1 may be generated by combining the UE-ID carrying the terminal information with the Random-Number, and then encrypting the result using a proxy authentication key generated based on the initial configuration information.
  • The proxy authentication key includes a Group-Key and a Master-Key.
  • The Group-Key is generated based on the Group Code.
  • The Master-Key may be composed of the OTP generated based on the shared secret for OTP generation, and each code item included in the use code list.
  • The proxy authentication key may be updated whenever one or more events occur, such as reaching the regeneration period of the OTP value, receiving an authentication policy change from the Proxy-Manager, or a change in the value of any code item included in the use code list.
  • The Proxy-Server may perform authentication without subscriber information by checking whether the analysis key is the same as the proxy authentication key the terminal used to encrypt Code1.
  • The Proxy-Server extracts a Random-Number from the Code2 contained in the Password field of the proxy authentication packet received from the terminal, decrypts the information stored in the Username field of the packet using the analysis key to obtain the decrypted Code1, and then determines whether the analysis key is the same as the proxy authentication key by comparing the Random-Number extracted from the decrypted Code1 with the Random-Number extracted from Code2.
  • To overcome differences in the OTP value caused by time asynchrony with the terminal, the Proxy-Server may generate OTPs at a plurality of preset time points and repeat analysis key generation and the authentication attempt as many times as the number of generated OTPs.
  • An initial setup step in which the Proxy-Manager pre-authenticates a subscriber and delivers initial configuration information for performing proxy authentication without subscriber information to the terminal and the Proxy-Server;
  • a sender-side key generation step in which the terminal generates Code1 and Code2 for the proxy authentication packet, based on the initial configuration information received from the Proxy-Manager;
  • an authentication packet transmission step in which the terminal transmits Code1 and Code2 to the Proxy-Server in the Username field and the Password field of the proxy authentication packet, respectively;
  • an analysis key generation step in which, when the terminal makes an authentication request, the Proxy-Server generates an analysis key allowing it to process the authentication request without subscriber information, based on the initial configuration information received from the Proxy-Manager;
  • and an authentication and user information restoration step in which the Proxy-Server processes the terminal's authentication request and, upon successful authentication, restores and stores the information of the authenticated subscriber.
  • Code2 consists of the values of those terminal-dependent items (which each terminal can store) that are included in the use code list received from the Proxy-Manager, and a random number as long as the Random-Number length received from the Proxy-Manager. Code1 may be generated by combining the UE-ID carrying the terminal's information with the Random-Number and encrypting the result using the proxy authentication key generated based on the initial configuration information.
  • The proxy authentication key includes a Group-Key and a Master-Key.
  • The Group-Key is generated based on the Group Code.
  • The Master-Key is based on the shared secret for generating the OTP included in the initial configuration information:
  • it may include the generated OTP and each code item included in the use code list.
  • The Proxy-Server may repeat the authentication attempt for the terminal as many times as the number of OTPs generated at a plurality of preset time points, to overcome differences in the OTP value caused by time asynchrony with the terminal.
  • The terminal can be authenticated without subscriber information by checking whether the analysis key is the same as the proxy authentication key used when the terminal encrypted Code1.
  • The authentication and user information restoration step may include: extracting a Random-Number from the Code2 contained in the Password field of the proxy authentication packet transmitted by the terminal; decrypting the information stored in the Username field of the packet with the analysis key to obtain the decrypted Code1, and extracting the Random-Number included in it; comparing the Random-Number extracted from Code1 with the Random-Number extracted from Code2; and, when the two random numbers coincide, completing terminal authentication, extracting the user information of the authenticated terminal from the proxy authentication packet, and storing it for monitoring proxy service usage and usage pattern information of each proxy service subscriber.
  • A Proxy Server used to provide additional network services must quickly handle the large number of proxy authentication requests received from many subscribers while providing proxy services in a network with a large number of subscribers.
  • The present invention provides constant proxy authentication performance regardless of the number of subscribers, so that even in a network with a large number of subscribers the proxy service and its authentication can be provided without degradation.
  • One of the major problems faced when installing equipment that provides differentiated additional services per subscriber is subscriber management.
  • In such equipment, the use of a subscriber database is essential.
  • Since the proxy server using the authentication concept of the present invention does not use subscriber information for subscriber authentication, it is freed from the burden of managing subscriber information.
  • FIG. 1 is a configuration diagram of the entire network of an MPTCP Aggregation service system, which is an embodiment of the proxy authentication system of the present invention.
  • FIG. 3 illustrates the Proxy-Server's proxy authentication key generation for resolving differences in the OTP caused by network delay or time synchronization delay.
  • FIG. 9 describes the proxy authentication key generation method.
  • FIG. 11 describes the procedure of the authentication and user information restoration step.
  • One embodiment of the present invention uses an MPTCP Aggregation Point Proxy Server in a commercial network so that the terminal of a particular subscriber can use MPTCP towards a typical server that does not support MPTCP.
  • It is a proxy authentication system and authentication method that does not require extensive subscriber management in the Proxy-Server and does not deteriorate proxy performance when authenticating a specific subscriber's terminal using Username / Password.
  • The proxy authentication system includes a Proxy-Manager for pre-authenticating subscribers and delivering initial configuration information for performing proxy authentication without subscriber information to the terminal and the Proxy-Server.
  • The authentication method includes: an initial setup step in which the Proxy-Manager pre-authenticates subscribers and transmits the initial configuration information for proceeding with proxy authentication without subscriber information to the terminal and the Proxy-Server, so that the terminal and the Proxy-Server share it;
  • a sender-side key generation step of generating Code1 for the Username and Code2 for the Password to be used in the proxy authentication packet;
  • an authentication packet transmission step in which the terminal sends Code1 and Code2 to the Proxy-Server in the Username and Password fields of the proxy authentication packet; an analysis key generation step of generating an analysis key that allows the Proxy-Server to process the terminal's authentication request without subscriber information when the terminal requests authentication;
  • and an authentication and user information restoration step of processing the terminal's authentication request and restoring and saving the information of the subscriber whose authentication is completed, for later operations such as monitoring and statistics.
  • When operation of the Proxy-Server starts, the Proxy-Server requests initial configuration information from the Proxy-Manager, and the Proxy-Manager delivers the initial configuration information to the Proxy-Server in response to the request.
  • This is the Proxy-Server's part of the initial setup step.
  • When operation of the terminal starts, the terminal requests pre-authentication from the Proxy-Manager; after the Proxy-Manager has authenticated the subscriber, it transmits the initial configuration information to the authenticated subscriber terminal, which is the terminal's part of the initial setup step. At this time, it is recommended to use strong security techniques such as a secure tunnel or VPN for the pre-authentication that the terminal performs with the Proxy-Manager.
  • The initial configuration information delivered by the Proxy-Manager to the Proxy-Server and the terminal consists of a Group Code, a shared secret for generating a one time password (OTP), a use code list, and a random-number length.
  • In addition, it holds the values of terminal-independent items, i.e. items that do not depend on the terminal and are shared by all terminals on the network, for the case where they cannot properly be shared between the Proxy-Server and each terminal otherwise.
  • Each code item included in the use code list is either information that all terminals on the network share with the same value, such as MCC (Mobile Country Code) and MNC (Mobile Network Code), or information that the terminal itself can store, such as IP address,
  • MSISDN and IMSI, which each terminal can keep and which is dependent on each terminal. The concept of the present invention is not limited to the codes MCC, MNC, IP address, MSISDN and IMSI; any number of codes can be selected and used as necessary.
  • The terminal is then ready to generate the proxy authentication information (packet) that makes proxy authentication without subscriber information possible.
  • This proxy authentication information is composed of two codes, Code1 and Code2.
  • Code2 consists of the values of those terminal-dependent items (such as IP address, MSISDN and IMSI, which each terminal can store) that are included in the use code list received from the Proxy-Manager, and a Random-Number as long as the Random-Number length received from the Proxy-Manager.
  • Code1 is generated by combining the UE-ID carrying the terminal information with the Random-Number of Code2, and encrypting the result using the proxy authentication key generated based on the initial configuration information. In this way the terminal creates Code1 and Code2, completing generation of the proxy authentication information.
  • The terminal divides the initial configuration information into two groups to generate the proxy authentication key.
  • The first group is immutable unless the authentication policy is changed.
  • It is the Group Code, received from the Proxy-Manager when the terminal completes pre-authentication with the Proxy-Manager.
  • The Group Code received from the Proxy-Manager is used to create the Group-Key, which is one part of the proxy authentication key.
  • The second group consists of the OTP generated based on the shared secret for OTP generation received from the Proxy-Manager, and the codes included in the use code list received from the Proxy-Manager. It is updated at each proxy authentication key regeneration event and used to generate the Master-Key, which is the remaining part of the proxy authentication key other than the Group-Key.
  • It is preferable that the proxy authentication key be at least 256 bits in size.
  • The size of the proxy authentication key, the size of the Group-Key, and the size of the Master-Key generated from the second group's information can be decided by the operator applying the concept of the present invention according to its needs.
  • The proxy authentication key regeneration event is triggered when the OTP value is regenerated, when an authentication policy change is received from the Proxy-Manager, or when the value of any code included in the use code list changes.
  • At that time, Code1 and Code2 are also updated using the new proxy authentication key.
  • The terminal may request the proxy service from the Proxy-Server at any time.
  • When a packet requiring the proxy service is generated at the terminal, the terminal first attempts authentication with the Proxy-Server to establish a proxy connection.
  • The Code1 and Code2 generated in the sender-side key generation step are sent to the Proxy-Server in the Username and Password fields of the proxy authentication packet. If the Proxy-Server authenticates the packet in response, the terminal's communication session can use the proxy service immediately.
  • Instead of accessing a subscriber database and comparing subscriber information one by one, the Proxy-Server of the present invention generates an analysis key, dependent on each terminal, that is needed to perform proxy authentication.
  • The Proxy-Server also divides the initial configuration information into two groups, like the terminal.
  • As the first group, it generates the Group-Key using the Group Code received in advance from the Proxy-Manager and uses it as one part of the analysis key. As the second group, it uses the OTP generated from the shared secret for OTP generation received in advance from the Proxy-Manager,
  • together with the value of each terminal-independent code included in the use code list and each terminal-dependent value extracted from the Code2 in the Password field of the proxy authentication packet received from the terminal, to generate the remaining part of the analysis key. This completes the analysis key generation step.
  • The OTP is generated at every OTP regeneration cycle, or when a new shared secret for OTP is received due to a change of the Proxy-Manager's authentication policy.
  • Once the Proxy-Server has generated, through the analysis key generation step, the per-terminal analysis key needed to perform proxy authentication for a terminal without subscriber information, it uses the analysis key to authenticate the proxy authentication packet transmitted by the terminal without checking any subscriber information, extracts the user information of the authenticated terminal from the proxy authentication packet, and stores it for monitoring information such as proxy service usage and usage patterns of each proxy service subscriber. This is the authentication and user information restoration step.
  • The Proxy-Server extracts the Random-Number from the Code2 sent by the terminal in the Password field of the proxy authentication packet, decrypts the information stored in the Username field using the analysis key generated in the analysis key generation step to obtain the decrypted Code1, and then compares the Random-Number extracted from the decrypted Code1 with the Random-Number extracted from Code2, thereby proceeding with proxy authentication of the terminal without subscriber information.
  • Verifying through decryption that the Random-Number extracted from Code1 is the same as the Random-Number delivered by the terminal through Code2 shows that the decryption key generated by the Proxy-Server is identical to the terminal's proxy authentication key. This means the terminal completed pre-authentication with the Proxy-Manager without any problem, so the Proxy-Server can immediately proceed with proxy authentication without checking the terminal's user.
  • The Proxy-Server may generate the OTP at a plurality of preset time points to overcome differences in the OTP value caused by time asynchrony with the terminal. For example, up to three OTPs may be generated, and upon receiving a proxy authentication packet, three proxy authentication keys may be generated and authentication attempted with each. The three proxy authentication keys may use the OTP at the present time point, the OTP one time point before, and the OTP one time point after, respectively. On a proxy authentication request, or on proxy authentication failure, the analysis key generation step and the authentication and user information restoration step are repeated up to three times while authentication is attempted.
  • The OTP generation period must be larger than the time difference between the terminal and the Proxy-Server plus the packet reception delay caused by network delay, and must be set to a period over which proxy authentication security is not invalidated by packet eavesdropping.
  • The OTP generation period can also be set according to the needs of the operator applying the present invention.
  • In this way the Proxy-Server checks whether the terminal uses the same proxy authentication key (analysis key), instead of checking the terminal's user information, and thereby confirms whether the terminal has completed pre-authentication with the Proxy-Manager.
  • This eliminates the need for subscriber information management at the Proxy-Server and eliminates the variation of terminal authentication performance with the number of subscribers.
  • FIG. 1 is a network diagram of an MPTCP Aggregation Service System 1000, which is an embodiment of the proxy authentication system of the present invention.
  • The MPTCP Aggregation Service System 1000, which applies the proxy authentication concept of the present invention, can quickly identify subscribers and provide MPTCP aggregation differentially without the burden of subscriber information management.
  • As shown in FIG. 1, the MPTCP Aggregation Service System 1000 includes a Proxy-Manager 100 that pre-authenticates each terminal 300 and forwards initial configuration information 400 to each authenticated terminal 300 and to the Proxy-Server 200;
  • a Proxy-Server 200 that, whenever a terminal requests authentication, generates from the initial configuration information 400 shared by the Proxy-Manager 100 an analysis key 500 identical to the proxy authentication key 500 generated by the terminal,
  • so that the Proxy-Server 200 can quickly authenticate the terminal; and the terminals 300 that use the MPTCP Aggregation service provided by the Proxy-Server 200.
  • When the Proxy-Server 200 and the terminals 300 start up, they perform pre-authentication with the Proxy-Manager 100, after which
  • each authenticated terminal 300 and the Proxy-Server 200 share the initial configuration information 400 that allows a proxy authentication request to proceed quickly without storing subscriber information, even in an environment such as a commercial mobile network where the subscriber information is huge.
  • In this way the MPTCP Aggregation Service System 1000, which provides a service in which the number of proxy authentications grows with the number of paths, can process the authentication procedure at a constant rate, unaffected by the number of subscribers and without storing subscriber information.
  • The server to which the terminal 300 makes a TCP connection must have the MPTCP function.
  • The conventional servers existing in the commercial network generally do not have the new MPTCP technology.
  • Therefore, so that the terminal 300 can obtain the benefit of MPTCP by communicating through the Proxy-Server 200, which has the MPTCP function and is located in a high-speed backbone network,
  • the MPTCP Aggregation Service System 1000 is provided.
  • The MPTCP Aggregation Service System 1000 uses the concept of the present invention instead of collating subscriber information:
  • it processes the proxy authentication request by checking that the terminal 300 requesting authentication uses the same proxy authentication key 500 as the Proxy-Server 200. This allows the authentication procedure to be processed at a constant and rapid rate, unaffected by the number of subscribers and without storing subscriber information, so that the gain from using MPTCP is not reduced.
  • The initial configuration information 400 is information received from the Proxy-Manager 100 when the terminal 300 of each subscriber to the MPTCP Aggregation Service System 1000, or the Proxy-Server 200, is authenticated. It is unchanged unless the operator modifies the policy, and it is the information necessary for the proxy authentication procedure of the present invention to quickly perform proxy authentication between a subscriber terminal 300 that has completed pre-authentication and the Proxy-Server 200.
  • The initial configuration information 400 consists of the “Group Code” 410, “OTP Shared Secret” 420, “Use Code List” 430, “Random-Number Length” 440, and “value of each terminal-independent item” 450.
  • The “Group Code” 410 is a code generated and used by the Proxy-Manager; it is transmitted to the terminal and the Proxy-Server where pre-authentication is completed and used as the Group-Key 510, which is part of the proxy authentication key 500.
  • The “Shared Secret for OTP” 420 is also a value generated by the Proxy-Manager and transmitted to the terminal and the Proxy-Server where pre-authentication is completed. It is one of the inputs for generating the Master-Key 520 (part of the proxy authentication key 500) in each terminal and in the Proxy-Server: the terminal and the Proxy-Server generate a one time password (hereinafter OTP) from it based on the current time, so that both can generate the same OTP.
  • The reason the OTP is used to generate the Master-Key 520 is to prevent an unauthenticated terminal from using an eavesdropped packet to unfairly use a function of the Proxy-Server 200 such as the MPTCP aggregation service. Since the authenticated terminals 300 and the Proxy-Server 200 must share the same proxy authentication key 500, they must also have the same OTP. To accomplish this, the concept of the present invention delivers the same shared secret 420 for the OTP to the authenticated terminals 300 and the Proxy-Server 200, which calculate the OTP from it.
  • The “Use Code List” 430 conveys the list of which information items are used as inputs for generating the Master-Key 520 that is part of the proxy authentication key 500.
  • The terminal 300 and the Proxy-Server 200 can share the same proxy authentication key 500 only when they generate the Master-Key 520 from the same item information. Since the concept of the present invention, quickly processing the proxy authentication request without subscriber information by checking whether the same proxy authentication key 500 is used, depends on this, the Proxy-Manager 100 passes this information to the authenticated terminals 300 and the Proxy-Server 200.
  • a “terminal-independent item” is an item for which all terminals hold the same information, because the information is shared across the network, such as MNC and MCC.
  • terminal-independent items are items that the Proxy-Server 200 must store itself, since the terminal 300 does not transmit them to the Proxy-Server 200.
  • the terminal 300 and the Proxy-Server 200 may collect the information of a “terminal-independent item” from the network, but when collecting the information of a specific terminal-independent item is difficult, the Proxy-Manager 100 can use the “value of each terminal-independent item” 450 so that the corresponding information is shared between each pre-authenticated terminal 300 and the Proxy-Server 200.
  • a “terminal-dependent item” is an item for which each terminal has different information, such as IP address and MSISDN. Its value is included in the Proxy authentication packet when the authentication procedure of the present invention is performed, and is thereby shared between each pre-authenticated terminal 300 and the Proxy-Server 200.
  • “Random-Number Length” 440: in the Proxy authentication process of the present invention, a Random-Number is checked instead of subscriber information to determine whether the terminal 300 and the Proxy-Server 200 use the same Proxy authentication key 500, and Code1 610 and Code2 620, which constitute the proxy authentication information 600, are generated from it.
  • since the Proxy-Server 200 must extract the Random-Number from Code2 620 when processing a Proxy authentication request, the terminals 300 and the Proxy-Server 200 must use the same Random-Number length.
  • the Proxy-Manager 100 therefore transmits the “Random-Number Length” 440 to the terminals 300 and the Proxy-Server 200 that have completed authentication.
  • alternatively, the Proxy-Server 200 can infer the length of the Random-Number by removing all “terminal-dependent item” information from Code2.
  • the “value of each terminal-independent item” 450 is a field used by the Proxy-Manager 100 to share with the authenticated terminal 300 and the Proxy-Server 200 the values of only those terminal-independent items whose information is difficult to collect.
  • the Proxy authentication key 500 generated by the terminal 300 may differ from the Proxy authentication key 500 generated by the Proxy-Server 200 when their OTPs differ.
  • the Proxy-Server 200 therefore stores three OTPs, as shown in FIG. 3, and generates three Proxy authentication keys 500 when a Proxy authentication packet is received. Before rejecting the request, an authentication attempt is performed with each of the three Proxy authentication keys 500, which gives as much tolerance as possible for network delay or time-synchronization differences between the terminal 300 and the Proxy-Server 200.
  • the OTP generation cycle can be set according to the needs of the operator using the present invention and the state of the network in which the service is provided; a cycle long enough to cope with the delay of the time-synchronization scheme in use is recommended.
  • the time-synchronization method may likewise be selected according to the needs of the operator: time synchronization through a third server, or direct time synchronization between the Proxy-Server 200 and the terminal 300.
  • Proxy authentication key 500 is composed of two keys, Group-Key (510) and Master-key (520).
  • the Group-Key 510 is a key generated based on the Group Code 410 received from the Proxy-Manager 100. Depending on the needs of the operator using the present invention, it may be derived from the Group Code 410 with a Key-Generation function, or the Group Code 410 may be used as the Group-Key 510 as it is; the length of the Group-Key 510 may also be set according to the needs of the operator.
  • the Master-Key 520 is generated based on the combination of the OTP, generated from the shared secret 420 for generating the OTP, and the values of the items specified in the use code list 430.
  • the Master-Key 520 together with the Group-Key 510 constitutes the Proxy authentication key 500, and like the Group-Key 510, the length of the Master-Key 520 can be set according to the needs of the operator using the present invention. However, the present invention recommends that the total length of the Proxy authentication key 500 be at least 256 bits.
  • the Proxy-Server 200 and the terminal 300 generate and share the same Proxy authentication key 500 by using the initial configuration information 400 that each received identically after strong pre-authentication with the Proxy-Manager 100.
  • the Proxy-Server 200 checks whether it and the terminal 300 share the same Proxy authentication key 500 through the Proxy authentication packet that the terminal builds with the shared key; authentication of the terminal 300 is thus processed quickly without subscriber information.
  • the concept of the present invention is that the terminal 300 encrypts its own information with the Proxy authentication key 500 to prepare the proxy authentication information 600, inserts it into the Username field and the Password field of the Proxy authentication packet, and transmits the packet to the Proxy-Server 200.
  • the Proxy-Server 200 sequentially decrypts the received proxy authentication information 600 with the three Proxy authentication keys 500 generated from its three OTPs and the stored initial configuration information 400. If one of them is found to be the same Proxy authentication key 500 as the terminal's, authentication is completed; if no matching Proxy authentication key 500 is found, authentication is rejected.
  • Proxy authentication information 600 used in this process will have Code1 610 and Code2 620.
  • Code1 610 is a value in which a Random-Number, generated when the proxy authentication information 600 is created, is combined with the UE-ID (terminal information) and encrypted with the Proxy authentication key 500.
  • Code2 620 is a value that combines the terminal-dependent code and the Random-Number value.
  • Code1 610 is transmitted to the Proxy-Server 200 using the Username field of the Proxy authentication packet
  • Code2 620 is transmitted to the Proxy-Server 200 using the Password field of the Proxy authentication packet.
  • Code1 610 and Code2 620 delivered to the Proxy-Server 200 carry the same Random-Number, but Code1 610 is encrypted with the Proxy authentication key 500 while Code2 620 is not. After decrypting Code1 610, the Proxy-Server 200 compares the Random-Number it contains with the Random-Number extracted from Code2 620, and can thereby check whether the terminal 300 and the Proxy-Server 200 use the same Proxy authentication key 500; this lets the Proxy-Server 200 authenticate the terminal quickly without subscriber information.
  • the decrypted Code1 610 also includes the UE-ID (terminal information), so that the Proxy-Server 200 can determine which subscriber is using the service even though it does not store subscriber information.
  • the Proxy-Manager 100 may perform, when the service of the Proxy-Server 200 and the terminal 300 starts, pre-authentication with a high-assurance authentication method whose time and resource cost grows with the number of subscribers, and then lets the authenticated terminal 300 and the Proxy-Server 200 generate the same Proxy authentication key 500 from the same initial configuration information 400 before using the Proxy service.
  • in the Proxy authentication process that follows, the terminal 300 uses proxy authentication information 600 created with that same Proxy authentication key 500, and the Proxy-Server 200 quickly identifies the terminal 300 as pre-authenticated, without subscriber information, and provides the service immediately.
  • the first step of the present invention is the initial setting step
  • Figure 6 shows the detailed procedure of the initial setting step.
  • the initial setting step initializes the information necessary for the operation of the present invention when each component starts: it performs the time-consuming but strong pre-authentication of the Proxy-Server 200 and the terminal 300, and shares with them the initial configuration information 400 needed to proceed rapidly with proxy authentication without subscriber information.
  • each component of the present invention performs authentication with the Proxy-Manager 100 and receives the initial configuration information 400 from the Proxy-Manager 100.
  • in the first procedure, when the Proxy-Server 200 starts, it authenticates with the Proxy-Manager 100, and in the second procedure it stores the initial configuration information 400 it receives.
  • the third procedure proceeds when the terminal 300 starts to use the MPTCP Aggregation service provided by the Proxy-Server 200; pre-authentication with the Proxy-Manager 100 for use of the service is performed at the same time as the service starts.
  • this pre-authentication is not the quick authentication of the present invention but a normal authentication procedure that confirms whether the terminal 300 is a service subscriber; the authentication method may be selected according to the needs of the operator using the concept of the present invention. Unlike the proxy authentication that occurs for every session, the pre-authentication between the terminal 300 and the Proxy-Manager 100 is required only periodically or once at the start of the service, so the use of a strong authentication method is recommended. In the concept of the present invention, this pre-authentication is what actually authenticates the subscriber; the method of rapidly performing proxy authentication without subscriber information only checks whether the terminal 300 requesting proxy authentication has completed the pre-authentication process.
  • when the terminal 300 completes pre-authentication with the Proxy-Manager 100 in the third procedure of FIG. 6, the Proxy-Manager 100 provides the initial configuration information 400 to the terminal 300 in the fourth procedure of FIG. 6. The terminal 300 generates the Proxy authentication key 500 from the received initial configuration information 400 and the proxy authentication information 600 using a Random-Number, and uses them in the proxy authentication procedure for each proxy communication session, so that the Proxy-Server 200 can quickly authenticate the terminal 300 requesting proxy authentication by checking only whether it uses the same Proxy authentication key 500 as its own. The procedure from the initial configuration step up to proxy authentication is described in detail below with the drawings.
  • the terminal 300 using the MPTCP Aggregation service completes the initial setting step of FIG. 6 and receives and stores the initial setting information 400. The stored initial setting information 400 is used in the proxy authentication procedure to generate the Proxy authentication key 500 and the proxy authentication information 600.
  • the terminal, having been authenticated through the initial setting step and having received the initial setting information 400 according to the authentication policy, immediately enters the procedure of FIG. 7 for generating the Proxy authentication key 500 and the proxy authentication information 600 from the initial setting information 400.
  • the terminal generates an OTP using the shared secret 420 for generating the OTP included in the received initial setting information 400, and generates and stores the Proxy authentication key 500 using the generated OTP together with the Group Code 410 of the initial setting information 400 and the value of each item of the use code list 430. The detailed method of generating the Proxy authentication key 500 is described with FIG. 9 below.
  • when the Proxy authentication key 500 has been generated in this way, the terminal 300 generates a Random-Number in the manner of FIG. 8, which illustrates the method of generating Code1 610 and Code2 620. Code1 610 is generated by encrypting the Random-Number together with the UE-ID using the Proxy authentication key 500 generated above, and Code2 620 is generated by combining the values of the terminal-dependent items among the use code list 430 items with the same Random-Number used to generate Code1 610.
  • it is recommended that the Random-Number be placed in Code2 620 after the values of the terminal-dependent items, whose lengths are known, so that the Proxy-Server 200 can extract the Random-Number even when it has no information about the length of the Random-Number.
  • when the Random-Number and the UE-ID are combined to generate Code1 610, the Random-Number is placed before the UE-ID as shown in FIG. 8, so that the Proxy-Server 200, which does not know the exact length of the UE-ID, can extract the UE-ID using the length of the Random-Number extracted from Code2.
  • the present invention describes Code2 620 as transferred without encryption in order to make authentication of the Proxy authentication packet as quick as possible, but any encryption method may be applied to it according to the needs of the operator.
  • the terminal 300 stores this information for subsequent Proxy authentication packets.
  • the following types of event cause the regeneration process.
  • the first event is a change of the authentication policy: when the authentication policy is changed according to the needs of the operator, the Proxy-Server 200 and the terminal 300 receive new initial configuration information 400 according to the changed authentication policy.
  • the second event is reaching the regeneration cycle of the OTP, which the present invention uses as a countermeasure against packet eavesdropping. Since the OTP is regenerated, the Proxy authentication key 500 generated from information including the OTP expires, and the terminal 300 newly generates and stores the Proxy authentication key 500, Code1 610, and Code2 620.
  • the third event is a change of the terminal-dependent information used to generate the Proxy authentication key 500. This information may change due to terminal mobility (for example, the IP address of the terminal), and such a change means expiration of the existing Proxy authentication key 500, so a new Proxy authentication key 500, Code1 610, and Code2 620 are created and stored.
  • the terminal 300 can start proxy communication at any time using the concept of the present invention. When communication using the MPTCP Aggregation service is started in the terminal, it becomes a proxy communication, and the proxy authentication procedure, which verifies whether the proxy communication was started from the terminal of a service subscriber, begins.
  • the terminal inserts Code1 610 and Code2 620, which were generated in advance, into the Username and Password fields of the Proxy authentication packet as described in FIG. Thereafter, when the terminal 300 receives authentication success from the Proxy-Server 200, it proceeds with the proxy communication; if the terminal 300 receives authentication failure, it does not proceed.
  • in the description above the Random-Number is generated in advance and Code1 610 and Code2 620 are generated and stored in advance, but according to the needs of the operator the Random-Number may instead be generated at the time the proxy communication starts.
  • in that case the terminal 300 generates and stores only the Proxy authentication key 500, and generates the Random-Number, Code1 610, and Code2 620 when a Proxy authentication packet is produced at the start of proxy communication. This method requires more time and resources to generate Proxy authentication packets, but it limits the exposure of the terminal's Random-Number to packet eavesdropping, since a fresh value is used for each packet.
  • when the Proxy authentication packet of the terminal 300 is transmitted to the Proxy-Server 200 as described above, the Proxy-Server performs proxy authentication of the terminal 300 through an interpretation-key generation step, an authentication step, and a user-information restoration step.
  • the proxy authentication key 500 will be described in detail with reference to FIG. 9 before explaining the proxy authentication procedure of the Proxy-Server 200.
  • the proxy authentication key 500 is a combination of a Group-Key 510 and a Master-key 520.
  • the Group-Key 510 and the Master-Key 520 are each generated based on the values of the items of the initial setting information 400 received by the terminal 300 and the Proxy-Server 200 after pre-authentication with the Proxy-Manager 100.
  • the Group-Key 510 is generated based on the Group Code 410 of the initial setting information 400. The Key-Generation module used for this is not specified and can be selected by the operator as needed.
  • the Master-Key 520 is generated from the OTP, which is itself generated from the shared secret 420 of the initial setting information 400, together with the value of each item specified in the use code list 430.
  • the Key-Generation module used for generating the Master-key 520 is not specified and can be selected by the Operator as needed.
  • the Group-Key 510 and the Master-key 520 may use different Key-Generation modules.
  • the Master-Key 520 may use the values of several items specified in the use code list 430, and the operator decides which items to use. If there is no information beyond the OTP that the operator wants to use for the Master-Key 520, the use code list 430 and the value 450 of each terminal-independent item may be omitted from the initial setting information 400 entirely. However, at least one input is required to prepare the Master-Key 520, and since the OTP is the chosen protection against packet eavesdropping, the OTP value must always be included when generating the Master-Key 520. As the method of generating the OTP, the Time-based One-time Password Algorithm (RFC 6238) is recommended, as shown in FIG. 9, but it can be freely selected as needed.
  • terminal-independent items such as the MNC may also be included. The terminal 300 and the Proxy-Server 200 collect these values from the network, or obtain them through the value 450 of each terminal-independent item in the initial setting information 400.
  • the two keys are combined into one to generate the Proxy authentication key 500. That is, when a 128-bit key is generated for the Group-Key 510 and another 128-bit key is generated for the Master-Key 520, the two keys are combined to generate a 256-bit Proxy authentication key 500.
  • the length of the Group-Key 510 and the length of the Master-Key 520 may be determined according to the needs of the operator, but for security the present invention recommends that they be set so that the Proxy authentication key 500 formed by combining the two keys is at least 256 bits long.
  • FIG. 10 illustrates a process of an analysis key generation step performed by the Proxy-Server 200 before proceeding with the authentication and user information restoration step when the proxy authentication packet is received from the terminal 300.
  • the Proxy-Server 200 receives the initial setting information 400 from the Proxy-Manager 100 through the initial setting step after the start of the service, generates the OTP, and stores both. As shown in FIG. 10, the initial setting information 400 and the OTP are updated when the authentication policy changes (which changes the initial setting information 400) or when the OTP expires because the configured OTP regeneration period is reached.
  • the Proxy-Server 200 generates and stores three OTPs; when a Proxy authentication packet is received, it generates the Proxy authentication key 500, which is the key for interpretation, and authenticates the Proxy authentication packet, using the three OTPs in sequence.
  • when the Proxy-Server 200, ready to receive and authenticate Proxy authentication packets, receives a Proxy authentication packet (Event3 in the figure), it generates the Proxy authentication key 500 by the generation method described with reference to FIG. 9, and then performs the authentication and user-information restoration steps.
  • when generating the Proxy authentication key 500, the Proxy-Server 200 derives the Group-Key 510 from the Group Code 410 of the stored initial configuration information 400. To generate the Master-Key 520, however, it must use not only the stored OTP and the terminal-independent item values from the stored initial setting information 400, but also the terminal-dependent information, such as the IP address, extracted from the Password field of the Proxy authentication packet received from the terminal 300. Therefore, in this embodiment of the present invention and in FIG. 10, the Proxy authentication key 500 is generated after the Proxy authentication packet is received. However, if no terminal-dependent items are used according to the needs of the operator, and the terminal-independent item values 450 are shared with the Proxy-Server 200 in advance, the Proxy-Server 200 may also prepare and store the three Proxy authentication keys 500 in advance and use them when a Proxy authentication packet is received.
  • when the Proxy-Server 200 has received the Proxy authentication packet and created the Proxy authentication key 500 through the above steps, it proceeds with the authentication and user-information restoration steps shown in FIG.
  • when the Proxy-Server 200 has received the Proxy authentication packet and generated the Proxy authentication key 500, it proceeds with proxy authentication and user-information extraction using Code1 610 and Code2 620 from the Username and Password fields of the packet, as shown in FIG. The Proxy-Server 200 extracts the values of the terminal-dependent items from Code2 620 to create the Proxy authentication key 500 used for this authentication attempt, and also extracts the Random-Number needed to check whether the terminal 300 shares the same Proxy authentication key 500 as the Proxy-Server 200.
  • the Proxy-Server 200 decrypts Code1 610 with the Proxy authentication key 500 and extracts the [Random-Number, UE-ID] combination.
  • the Proxy-Server 200 then checks whether the Random-Number extracted from Code1 and the Random-Number extracted from Code2 are the same; if the two values are the same, it sends an authentication success message to the terminal 300 and establishes the Proxy connection.
  • if they differ, the next Proxy authentication key 500 is created using the next OTP, the necessary information is extracted again from the Proxy authentication packet, and the Random-Number comparison is repeated. If the authentication attempts with all three OTPs and Proxy authentication keys 500 have failed, the Proxy-Server 200 records the terminal information and the authentication failure in a log, and sends a Proxy authentication failure message, rejecting the Proxy connection.
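The key generation of FIG. 9 and the three-OTP verification of the Proxy-Server, modelled end to end as an added example (not the patent's own code, which specifies neither a Key-Generation module nor a cipher). It assumes RFC 6238 TOTP with a 30-second step, SHA-256 as the Key-Generation module, an HMAC-SHA256 keystream as a stand-in for the unspecified encryption of Code1, and that the three stored OTPs are the current, previous and next time steps; all names and sample values are constructed.

```python
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass

OTP_STEP = 30          # OTP regeneration cycle in seconds (assumed, operator-selectable)
OTP_DIGITS = 8         # OTP length (assumed)
NONCE_LEN = 12
TERMINAL_DEPENDENT = {"IP-Address", "MSISDN"}   # items whose value differs per terminal


@dataclass
class InitialConfig:
    """Initial configuration information 400 delivered by the Proxy-Manager."""
    group_code: bytes          # Group Code 410
    otp_shared_secret: bytes   # Shared Secret for OTP 420
    use_code_list: tuple       # use code list 430, e.g. ("MCC", "MNC", "IP-Address")
    random_number_len: int     # Random-Number Length 440
    independent_values: dict   # value of each terminal-independent item 450


def totp(secret, counter):
    """RFC 6238 TOTP for one time-step counter (HMAC-SHA1 with RFC 4226 truncation)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** OTP_DIGITS
    return str(code).zfill(OTP_DIGITS).encode()


def current_counter(now=None):
    return int((time.time() if now is None else now) // OTP_STEP)


def group_key(cfg):
    """Group-Key 510 derived from Group Code 410 (SHA-256 stands in for the unspecified KDF)."""
    return hashlib.sha256(b"group|" + cfg.group_code).digest()[:16]          # 128 bits


def master_key(cfg, otp, dependent_values):
    """Master-Key 520: the OTP plus the values of the items named in the use code list 430."""
    items = []
    for name in cfg.use_code_list:
        source = dependent_values if name in TERMINAL_DEPENDENT else cfg.independent_values
        items.append(source[name].encode())
    return hashlib.sha256(b"master|" + otp + b"|" + b"|".join(items)).digest()[:16]


def proxy_auth_key(cfg, otp, dependent_values):
    """Proxy authentication key 500 = Group-Key || Master-Key (256 bits here)."""
    return group_key(cfg) + master_key(cfg, otp, dependent_values)


def _keystream(key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def encrypt(key, plaintext):
    """Stand-in cipher: HMAC-SHA256 keystream under a random nonce (the page leaves the cipher open)."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key, blob):
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def terminal_make_codes(cfg, ue_id, dependent_values, counter, rn=None):
    """Terminal side (FIG. 8): Code1 = Enc(key, RN || UE-ID), Code2 = dependent items || RN."""
    rn = os.urandom(cfg.random_number_len) if rn is None else rn
    key = proxy_auth_key(cfg, totp(cfg.otp_shared_secret, counter), dependent_values)
    code1 = encrypt(key, rn + ue_id.encode())                       # Username field
    dep = [dependent_values[n].encode() for n in cfg.use_code_list if n in TERMINAL_DEPENDENT]
    code2 = b"".join(v + b"|" for v in dep) + rn                    # Password field, RN last
    return code1, code2


def server_authenticate(cfg, code1, code2, counter):
    """Proxy-Server side: rebuild the key for each of three OTPs, compare RN from Code1 and Code2."""
    rn_len = cfg.random_number_len
    rn2, dep_blob = code2[-rn_len:], code2[:-rn_len]               # RN sits after the known items
    dep_names = [n for n in cfg.use_code_list if n in TERMINAL_DEPENDENT]
    dep_values = dict(zip(dep_names, (v.decode() for v in dep_blob.split(b"|")[:-1])))
    for c in (counter, counter - 1, counter + 1):                   # current, previous, next OTP
        key = proxy_auth_key(cfg, totp(cfg.otp_shared_secret, c), dep_values)
        plain = decrypt(key, code1)
        if hmac.compare_digest(plain[:rn_len], rn2):                # same key on both sides
            return True, plain[rn_len:].decode(), dep_values        # UE-ID restored, no subscriber DB
    return False, None, None                                         # caller logs and rejects
```

A wrong key, a forged Code2 or a clock offset beyond one step all fail the Random-Number comparison, which is the only check the server performs.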
  • the Proxy-Manager 100 performs strong pre-authentication of the terminal 300 when service starts; once terminal authentication is completed, the authenticated terminal 300 uses the same Proxy authentication key 500 as the Proxy-Server 200.
  • the Proxy-Server 200 only checks whether the terminal 300 shares the same Proxy authentication key 500. It is the concept of the present invention that this check confirms whether the terminal 300 has completed pre-authentication with the Proxy-Manager 100, so that authentication by the Proxy-Server 200 can be completed quickly without subscriber information.
  • since the MPTCP Aggregation Service System 1000 uses two paths, two proxy authentication processes are performed per communication session. In addition, since the MPTCP Aggregation service system 1000 operates in a commercial network, it must deal with a large amount of subscriber information, and because it is a premium service it must provide a differentiated service for each subscriber. When the existing proxy authentication method is used in such an environment, the Proxy-Server 200 bears the burden of managing a large amount of subscriber information, and each time a proxy communication session is created, the comparison of subscriber information for the session authentication request must be performed twice, so service performance is greatly reduced.
  • the present invention proposes a method of minimizing the performance degradation due to proxy authentication, without requiring subscriber management, for situations where proxy authentication must be used in a commercial network with a large number of subscribers.
  • a proxy service such as the MPTCP Aggregation service can thereby be provided in a commercial mobile network without deterioration due to proxy authentication.

Abstract

A proxy authentication technique using a username/password specified in the standard specifications (RFC1928, RFC1929, etc.) of existing proxy server technologies is a method of authenticating by comparing subscriber information with information for authentication sent by a terminal, and therefore has the problems of the burden of the proxy server to manage a vast amount of subscriber information when used in an environment with a vast number of subscribers such as a commercial mobile network, and performance being significantly degraded due to proxy authentication. The present invention is an invention capable of solving the above-mentioned problem, and relates to a new proxy authentication system and an authentication method, in which, by confirming whether the same key value is used, instead of comparing subscriber information, for proxy authentication conducted during every proxy session, the proxy server can quickly conduct the proxy authentication without need to manage subscriber information, even in a commercial mobile network with a vast amount of subscriber information.

Description

프록시 서비스 제공을 위한 프록시 인증시스템 및 인증방법Proxy Authentication System and Authentication Method for Proxy Service
본 발명은 프록시 서비스 제공을 위한 프록시 인증시스템 및 인증방법에 관한 것으로, 더욱 상세하게는 매 proxy 세션마다 진행되는 Proxy 인증에 가입자정보의 대조를 사용하는 대신 동일한 키 값이 사용되는지를 확인하여 Proxy 인증을 수행하는 것으로, Proxy 인증을 빠르게 진행할 수 있으며 방대한 가입자를 가지는 상용 이동 망에서의 Proxy 인증 시 발생하는 성능저하도 최소화할 수 있는 프록시 서비스 제공을 위한 프록시 인증시스템 및 인증방법에 관한 것이다.The present invention relates to a proxy authentication system and an authentication method for providing a proxy service. More specifically, proxy authentication is performed by checking whether the same key value is used instead of matching subscriber information in proxy authentication performed every proxy session. The present invention relates to a proxy authentication system and an authentication method for providing a proxy service that can rapidly perform proxy authentication and minimize performance degradation that occurs during proxy authentication in a commercial mobile network with a large number of subscribers.
Proxy Server 기술은 송신되는 패킷이 수신측에 도착하기 전에 특정 Proxy Server를 거쳐가도록 하여 패킷에 대한 부가서비스를 제공할 수 있도록 하는 기술로서, 네트워크 서비스나 콘텐츠의 접근 정책의 적용, 사용자의 네트워크 사용률을 관측, 데이터의 유출 방지, MPTCP용 Aggregation Point 제공 등의 네트워크 사용자에게 차별적인 부가서비스를 제공하기 위해 사용된다.Proxy Server technology is a technology that provides additional services for a packet by passing a specific proxy server before the packet arrives at the receiving end. It is used to provide differentiated supplementary services to network users such as observation, data leakage prevention, and providing aggregation point for MPTCP.
Proxy Server 기술은 사용자에게 부가서비스를 제공하는 것이기에 특정 사용자에게만 제공해야 하는 경우가 있고, 이를 위해 Proxy Server 기술의 표준 규격 (RFC1928, RFC1929 등)에서는 Username/Password를 사용하는 사용자 인증 방법을 제시한다.Since Proxy Server technology provides additional services to users, it may be necessary to provide only to specific users. For this purpose, standard specifications (RFC1928, RFC1929, etc.) of Proxy Server technology provide a user authentication method using Username / Password.
그러나 이 Username/Password를 사용하는 사용자 인증 방법은 방대한 가입자 수를 다루는 상용 망에서 사용될 경우, 많은 가입자 정보를 관리하는 데이터베이스의 관리로 인한 관리 부담과 방대한 양의 정보와 대조를 해야 하는 Proxy 인증절차로 인한 Proxy서비스 제공성능의 저하가 발생하는 한계가 있다.However, this username / password user authentication method, when used in a commercial network that covers a large number of subscribers, is a proxy authentication procedure that must be contrasted with a large amount of information and the administrative burden of managing a database that manages a large number of subscriber information. There is a limit that the degradation of proxy service provisioning performance occurs.
또는 Proxy 서버가 인증에 필요한 정보(예: Username/Password)를 인증서버로 전달하여 인증 서버의 결과에 따라 해당 액세스를 허용하거나 거부하는 방식이 사용된다. 그러나 이러한 방식은 다수의 이동 단말로부터 액세스 여부를 실시간으로 결정해야 하는 경우에는 액세스 지연이 길고, 처리 성능이 떨어지므로 MPTCP 기반 aggregation 응용에는 적합하지 않다.Alternatively, the proxy server passes the information required for authentication (eg Username / Password) to the authentication server and allows or denies the access according to the result of the authentication server. However, this method is not suitable for MPTCP-based aggregation applications because the access delay is long and processing performance is deteriorated when it is necessary to determine whether access from a plurality of mobile terminals in real time.
[선행기술문헌][Preceding technical literature]
[특허문헌][Patent Documents]
한국공개특허공보 제10-2004-0036813호Korean Patent Publication No. 10-2004-0036813
본 발명은 상기한 문제점을 해결하기 위하여 안출된 것으로, 본 발명의 목적은 수백만 이상의 가입자를 가지고 있는 상용 이동 망에서 Proxy를 이용한 서비스제공 시 현존하는 Proxy 인증방법을 사용하면서도 수백만의 가입자에 대한 관리를 필요치 않도록 하여 가입자 수로 인한 Proxy 성능저하 및 가입자 관리 부담을 줄일 수 있는 프록시 서비스 제공을 위한 프록시 인증시스템 및 인증방법을 제공하는 것이다.The present invention has been made to solve the above problems, and an object of the present invention is to manage the management of millions of subscribers while using the existing proxy authentication method when providing a service using a proxy in a commercial mobile network having millions or more of subscribers. It is to provide proxy authentication system and authentication method for proxy service provision that can reduce proxy performance and subscriber management burden by the number of subscribers by not needing.
A proxy authentication system for providing a proxy service according to one embodiment of the present invention may comprise: a Proxy-Manager that pre-authenticates subscribers and delivers, to the terminal and to the Proxy-Server, initial configuration information for performing Proxy authentication without subscriber information; a terminal that, based on the initial configuration information received from the Proxy-Manager, generates Code1 for the Username and Code2 for the Password that make up a Proxy authentication packet, and transmits the Proxy authentication packet to the Proxy-Server; and a Proxy-Server that, based on the initial configuration information received from the Proxy-Manager, generates an interpretation key allowing authentication to be processed without subscriber information, performs authentication using the interpretation key when the terminal requests authentication, and restores and stores the information of the subscriber whose authentication has completed.
In addition, the initial configuration information may include a use-code list containing terminal-independent code items and/or terminal-dependent code items, a Group Code, a Shared Secret for generating a One Time Password (hereinafter OTP), and the length of the Random-Number; and, for the terminal-independent code items in the use-code list, it may further include the values of any such code items whose values cannot be collected from the network.
Further, Code2 may consist of those values, among the terminal-dependent code item values that each terminal can hold itself, of the code items contained in the use-code list received from the Proxy-Manager, together with a Random-Number of the given Random-Number length; and Code1 may be generated by concatenating a UE-ID carrying the terminal's information with the Random-Number and then encrypting the result with a Proxy authentication key generated from the initial configuration information.
Here, the Proxy authentication key includes a Group-Key and a Master-key; the Group-Key is generated from the Group Code, and the Master-key may be composed of an OTP generated from the OTP-generation Shared Secret contained in the use-code list, together with the code items contained in the use-code list.
Further, the Proxy authentication key may be renewed whenever one or more of the following events occur: the regeneration period of the OTP value is reached, an authentication policy change is received from the Proxy-Manager, or the value of any code item in the use-code list changes.
Further, the Proxy-Server may perform authentication without subscriber information by checking whether the interpretation key is identical to the Proxy authentication key the terminal used to encrypt Code1.
In addition, the Proxy-Server may extract the Random-Number from Code2 carried in the Password field of the Proxy authentication packet received from the terminal, decrypt the information stored in the Username field of that packet with the interpretation key to obtain the decrypted Code1, and then determine whether the interpretation key is identical to the Proxy authentication key by comparing the Random-Number extracted from the decrypted Code1 with the Random-Number extracted from Code2.
Further, to overcome differences in OTP value caused by time asynchrony with the terminal, the Proxy-Server may generate OTPs for a plurality of preset time points and perform interpretation key generation and an authentication attempt once for each generated OTP.
A proxy authentication method for providing a proxy service according to one embodiment of the present invention may comprise: an initial configuration step in which the Proxy-Manager pre-authenticates a subscriber and delivers, to the terminal and the Proxy-Server, initial configuration information for performing Proxy authentication without subscriber information; a sender-side key generation step in which the terminal generates Code1 and Code2, used in the Proxy authentication packet, from the initial configuration information received from the Proxy-Manager; an authentication packet transmission step in which the terminal places Code1 and Code2 in the Username field and the Password field of the Proxy authentication packet, respectively, and transmits it to the Proxy-Server; an interpretation key generation step in which, upon the terminal's authentication request, the Proxy-Server generates, from the initial configuration information received from the Proxy-Manager, an interpretation key allowing the authentication request to be processed without subscriber information; and an authentication and user information restoration step in which the Proxy-Server processes the terminal's authentication request and, on successful authentication, restores and stores the information of the authenticated subscriber.
Further, in the sender-side key generation step, Code2 consists of those values, among the terminal-dependent values that each terminal can hold, of the code items contained in the use-code list received from the Proxy-Manager, together with a Random-Number of the length received from the Proxy-Manager; and Code1 may be generated by concatenating a UE-ID carrying the terminal's information with the Random-Number and encrypting the result with a Proxy authentication key generated from the initial configuration information.
In addition, the Proxy authentication key includes a Group-Key and a Master-key; the Group-Key is generated from the Group Code, and the Master-key may be composed of an OTP generated from the OTP-generation Shared Secret contained in the initial configuration information, together with the code items contained in the use-code list.
In addition, the interpretation key generation step and the authentication and user information restoration step may be repeated, as attempts to authenticate the terminal, as many times as there are OTPs that the Proxy-Server has generated in advance for a plurality of preset time points in order to overcome differences in OTP value caused by time asynchrony with the terminal.
Furthermore, in the authentication and user information restoration step, the terminal can be authenticated without subscriber information by checking whether the interpretation key is identical to the Proxy authentication key the terminal used to encrypt Code1.
Finally, the authentication and user information restoration step may comprise: extracting the Random-Number from Code2 carried in the Password field of the Proxy authentication packet transmitted by the terminal; decrypting the information stored in the Username field of the packet with the interpretation key to obtain the decrypted Code1, and extracting the Random-Number contained in the decrypted Code1; comparing the Random-Number extracted from Code1 with the Random-Number extracted from Code2; and, if the two Random-Numbers match, completing terminal authentication, extracting the authenticated terminal's user information from the Proxy authentication packet, and retaining it for monitoring each Proxy service subscriber's Proxy service usage and usage-pattern information.
According to an embodiment of the present invention, a Proxy Server used to provide supplementary network services such as an MPTCP Aggregation Point must, while providing the Proxy service in a network with a very large number of subscribers, quickly process the many Proxy authentication requests it receives from those subscribers. Because the present invention provides constant Proxy authentication performance regardless of the number of subscribers, it can provide the Proxy service and authentication without performance degradation even when used in a network with such a large subscriber base.
Moreover, one of the major problems encountered when deploying equipment that provides subscriber-differentiated supplementary services is subscriber management. Providing differentiated services requires a subscriber database: if subscriber information is managed locally, its synchronisation must be attended to, and if subscriber information managed by an external server is used, the performance penalty of communicating with that server must be accepted. According to an embodiment of the present invention, even when a subscriber-differentiated network supplementary service, such as improved network speed through MPTCP, is delivered via the Proxy Server, a Proxy-Server using the authentication concept of the present invention does not use subscriber information for subscriber authentication and is therefore free of the burden of managing subscriber information.
Fig. 1 is a diagram of the overall network configuration of an MPTCP Aggregation service system, which is one embodiment of the proxy authentication system of the present invention.
Fig. 2 is a list and description of the initial configuration information.
Fig. 3 introduces the special considerations in the Proxy-Server's Proxy authentication key generation for resolving OTP differences caused by network delay or time synchronisation delay.
Fig. 4 shows the composition and description of the Proxy authentication key.
Fig. 5 shows the composition and description of the Proxy authentication information.
Fig. 6 describes the procedure of the initial configuration step.
Fig. 7 describes the procedure of the sender-side key generation step and the authentication packet transmission step.
Fig. 8 describes the method of generating Code1 and Code2, the Proxy authentication information.
Fig. 9 describes the method of generating the Proxy authentication key.
Fig. 10 describes the procedure of the interpretation key generation step.
Fig. 11 describes the procedure of the authentication and user information restoration step.
As the present invention can be subject to various modifications and can have various embodiments, particular embodiments are illustrated in the drawings and described in detail in the written description. This is not, however, intended to limit the present invention to particular embodiments; it should be understood to include all modifications, equivalents, and substitutes falling within the spirit and technical scope of the invention. In describing the present invention, a detailed description of related known technology is omitted where it is judged that it might obscure the gist of the invention.
The terminology used in this application is for the purpose of describing particular embodiments only and is not intended to limit the invention. Singular expressions include plural expressions unless the context clearly indicates otherwise. In this application, terms such as "comprise" or "consist of" are intended to indicate the presence of the features, numbers, steps, operations, components, parts, or combinations thereof described in the specification, and should be understood not to exclude in advance the presence or possible addition of one or more other features, numbers, steps, operations, components, parts, or combinations thereof.
One embodiment of the present invention is a proxy authentication system and authentication method for the case in which a particular subscriber's terminal on a commercial network uses an Aggregation Point Proxy Server for MPTCP (Multi-Path Transmission Control Protocol; hereinafter MPTCP) to communicate over MPTCP with an ordinary server that does not support MPTCP: the subscriber's terminal is authenticated using a Username/Password, yet the Proxy-Server does not have to manage the vast subscriber population and no degradation of Proxy performance is incurred.
That is, the proxy authentication system according to one embodiment of the present invention may comprise: a Proxy-Manager that pre-authenticates subscribers and delivers, to the terminal and the Proxy-Server, initial configuration information for performing Proxy authentication without subscriber information; a terminal that, based on the initial configuration information received from the Proxy-Manager, generates Code1 for the Username and Code2 for the Password that make up the Proxy authentication packet and transmits the Proxy authentication packet to the Proxy-Server; and a Proxy-Server that, based on the initial configuration information received from the Proxy-Manager, generates an interpretation key allowing authentication to be processed without subscriber information, performs authentication using the interpretation key when the terminal requests authentication, and restores and stores the information of the authenticated subscriber.
In addition, the proxy authentication method of the present invention using the authentication system described above comprises: an initial configuration step in which the Proxy-Manager pre-authenticates the subscriber and delivers, to the terminal and the Proxy-Server, the initial configuration information for performing Proxy authentication without subscriber information, so that the terminal and the Proxy-Server share it; a sender-side key generation step in which the terminal generates Code1 for the Username and Code2 for the Password to be used in the Proxy authentication packet; an authentication packet transmission step in which the terminal places Code1 and Code2 in the Username field and the Password field of the Proxy authentication packet, respectively, and transmits it to the Proxy-Server; an interpretation key generation step in which, upon the terminal's authentication request, the Proxy-Server generates an interpretation key with which it can process the request without subscriber information; and an authentication and user information restoration step in which the terminal's authentication request is processed and the authenticated subscriber's information is restored and stored for subsequent operations such as monitoring and statistics.
In this Proxy authentication method, when the Proxy-Server starts operating, it requests the initial configuration information from the Proxy-Manager, and the Proxy-Manager delivers the initial configuration information to the Proxy-Server in response to that request; this carries out part of the initial configuration step.
When the terminal starts operating, it requests pre-authentication from the Proxy-Manager; the Proxy-Manager authenticates the subscriber and then delivers the initial configuration information to the authenticated subscriber terminal, which carries out the other part of the initial configuration step. For this pre-authentication between the terminal and the Proxy-Manager, the use of a strong, security-focused technique such as a Secure Tunnel or VPN is recommended.
More preferably, the initial configuration information that the Proxy-Manager delivers to the Proxy-Server and the terminal includes a Group Code, a Shared Secret for generating a One Time Password (hereinafter OTP), a use-code list, and the Random-Number length; in addition, for those codes in the use-code list that are terminal-independent items shared by every terminal on the network, it also carries their values when those values would not otherwise be properly shared between the Proxy-Server and each terminal. Each code item in the use-code list is either a terminal-independent item, such as the MCC (Mobile Country Code) or MNC (Mobile Network Code), whose value is shared by all terminals on the network and which a terminal can hold itself, or a terminal-dependent item, such as the IP Address, MSISDN, or IMSI, which each terminal can hold but whose value is specific to that terminal. The concept of the present invention does not restrict the use codes to MCC, MNC, IP Address, MSISDN, and IMSI; an Operator applying this concept may select and use as many codes as needed.
Once the pre-authentication of the terminal at the Proxy-Manager is completed through the initial configuration step, and the terminal and the Proxy-Server have received and share the same initial configuration information from the Proxy-Manager, the terminal is ready to generate the Proxy authentication information (packet) that allows it to complete Proxy authentication without subscriber information.
This Proxy authentication information is completed as two codes, Code1 and Code2. Code2 consists of the values of those code items in the use-code list received from the Proxy-Manager that are terminal-dependent values each terminal can hold, such as the IP Address, MSISDN, or IMSI, together with a Random-Number of the length received from the Proxy-Manager. Code1 is produced by concatenating a UE-ID carrying the terminal's information with the Random-Number of Code2 and then encrypting the result with the Proxy authentication key generated from the initial configuration information. The sender-side key generation step is complete once the terminal has written Code1 and Code2 and thereby finished generating the Proxy authentication information.
More preferably, to generate the Proxy authentication key the terminal divides the initial configuration information into two groups. The first group is invariant unless the authentication policy changes: it is the Group Code that the terminal receives from the Proxy-Manager on completing pre-authentication with it, and the Group Code received from the Proxy-Manager is used to produce the Group-Key, which forms one part of the Proxy authentication key. The second group consists of the OTP generated from the OTP-generation Shared Secret received from the Proxy-Manager and each of the codes in the use-code list received from the Proxy-Manager; the values in this second group are refreshed at every Proxy authentication key regeneration event and then used for key generation, producing the Master-key, the remaining part of the Proxy authentication key other than the Group Code. A Proxy authentication key size of at least 256 bits is recommended; the size of the Proxy authentication key, the size of the Group-Key, and the size of the Master-key generated from the second group's information can each be decided according to the needs of the Operator applying the concept of the present invention.
Even more preferably, the Proxy authentication key regeneration event fires whenever the OTP value is regenerated, an authentication policy change is received from the Proxy-Manager, or the value of any code in the use-code list changes; when the regeneration event fires, Code1 and Code2 are also refreshed using the new Proxy authentication key.
Once generation or refresh of the latest Proxy authentication information consisting of Code1 and Code2 is complete, the terminal is in a state where it can request the Proxy service through the Proxy-Server at any time. In this state, when the terminal produces a packet that requires the Proxy service, it first attempts authentication with the Proxy-Server in order to establish the Proxy connection; it performs the authentication packet transmission step by placing the Code1 and Code2 generated in the sender-side key generation step in the Username field and Password field of the Proxy authentication packet and sending it to the Proxy-Server. Once the Proxy-Server's reply to this authentication packet grants authentication, that terminal's communication session can use the Proxy service immediately.
When the terminal delivers the Proxy authentication packet through the authentication packet transmission step, the Proxy-Server of the present invention, instead of accessing a subscriber database and checking subscriber information entry by entry, performs the interpretation key generation step to generate the per-terminal interpretation key needed to authenticate the terminal without subscriber information.
More preferably, the Proxy-Server, like the terminal, also divides the initial configuration information into two groups. When it receives a Proxy authentication packet and the interpretation key generation step begins, the Proxy-Server uses the Group Code previously received from the Proxy-Manager as the first group to generate the Group-Key, which becomes one part of the interpretation key; as the second group it uses the OTP already generated from the OTP-generation Shared Secret received from the Proxy-Manager, the values of the terminal-independent codes in the use-code list previously received from the Proxy-Manager, and the terminal-dependent values extracted from Code2 in the Password field of the Proxy authentication packet received from the terminal, and generates the remaining part of the interpretation key from these, which completes the interpretation key generation step.
Even more preferably, the OTP is generated at every OTP regeneration period, or whenever a new OTP Shared Secret is received because of an authentication policy change at the Proxy-Manager.
Even more preferably, when a new use-code list, together with the values of the terminal-independent codes it contains, is received because of an authentication policy change at the Proxy-Manager, the Proxy-Server updates the use-code list and the code values it holds.
Once generation of the per-terminal interpretation key needed to authenticate the terminal without subscriber information is complete through the interpretation key generation step, the Proxy-Server uses the interpretation key to authenticate the Proxy authentication packet sent by the terminal without any check against subscriber information, extracts the authenticated terminal's user information from the Proxy authentication packet, and retains it for monitoring information such as each Proxy service subscriber's Proxy service usage and usage patterns; this completes the authentication and user information restoration step.
More preferably, the Proxy-Server extracts the Random-Number from Code2, which the terminal sent in the Password field of the Proxy authentication packet, decrypts the information stored in the Username field of the Proxy authentication packet with the interpretation key generated in the interpretation key generation step to obtain the decrypted Code1, and then compares the Random-Number extracted from the decrypted Code1 with the Random-Number extracted from Code2; in this way Proxy authentication of the terminal proceeds without subscriber information.
That is, by confirming that the Random-Number obtained by decrypting Code1 equals the Random-Number the terminal delivered in Code2, the Proxy-Server learns that the interpretation key it generated is identical to the terminal's Proxy authentication key. This means the terminal completed pre-authentication with the Proxy-Manager without problems, so the Proxy-Server can proceed with Proxy authentication immediately, without needing to verify the terminal's user.
Even more preferably, the Proxy-Server may generate OTPs for a plurality of preset time points in order to overcome differences in the OTP value caused by time asynchrony with the terminal. For example, up to three OTPs may be generated, and on receipt of a Proxy authentication packet up to three Proxy authentication keys may be generated and three authentication attempts made. In this case the three Proxy authentication keys may correspond respectively to the OTP of the current time point, the OTP of the preceding time point, and the OTP of the following time point; on a Proxy authentication request, or on a Proxy authentication failure, the interpretation key generation step and the authentication and user information restoration step are repeated, so that a key is generated and authentication attempted up to three times.
The OTP generation period must be larger than the possible time difference between the terminal and the Proxy-Server plus the packet reception delay caused by network delay, and it must be set short enough that packet eavesdropping cannot invalidate the Proxy authentication security. The OTP generation period may also be set according to the needs of the Operator using the present invention.
Through the above process, the Proxy-Server checks whether the terminal uses the same Proxy authentication key (interpretation key), and thereby whether the terminal has completed pre-authentication with the Proxy-Manager, instead of comparing the terminal's user information. The present invention therefore removes the need for the Proxy-Server to manage subscriber information and removes the variation of terminal authentication performance with the number of subscribers, so that network services can be provided through the Proxy without performance degradation even in a commercial mobile network with a very large number of subscribers.
Hereinafter, the information and concepts needed for the present invention are described with reference to the accompanying drawings, and a preferred embodiment of the present invention is described in detail step by step. FIG. 1 is a network diagram of the MPTCP Aggregation service system 1000, one embodiment of the proxy authentication system of the present invention. The MPTCP Aggregation service system 1000, which applies the proxy authentication system concept of the present invention, can quickly identify subscribers and provide MPTCP Aggregation selectively without the burden of subscriber information management. As shown in FIG. 1, the MPTCP Aggregation service system 1000 consists of the Proxy-Manager 100, which pre-authenticates each terminal 300 and delivers the initial configuration information 400 to each authenticated terminal 300 and to the Proxy-Server 200; the Proxy-Server 200, which, at each authentication request from a terminal, uses the initial configuration information 400 shared by the Proxy-Manager 100 to generate an interpretation key 500 identical to the Proxy authentication key 500 generated by the terminal and so authenticates the terminal quickly; and the terminals 300, which use the MPTCP Aggregation service provided by the Proxy-Server 200.
The MPTCP Aggregation service system 1000 according to an embodiment using the concept of the present invention has the technical feature that, when the Proxy-Server 200 and the terminals 300 start, each authenticated terminal 300 and the Proxy-Server 200 share, after pre-authentication with the Proxy-Manager 100, the initial configuration information 400 that allows Proxy authentication requests to be processed quickly without storing subscriber information. As a result, even in an environment such as a commercial mobile network where a huge amount of subscriber information is used, and even for a service such as the MPTCP Aggregation service system 1000 in which the number of Proxy authentications grows with the number of paths, the authentication procedure can be processed at a constant rate, unaffected by the number of subscribers and without storing subscriber information.
For a terminal 300 to benefit from MPTCP technology, the server to which the terminal 300 makes a TCP connection must support MPTCP, but the ordinary servers present in current commercial networks do not support MPTCP, which is a new technology. Therefore, to make use of the MPTCP capability of the terminal 300, the MPTCP Aggregation service system 1000 is provided: it lets the terminal 300 communicate through a Proxy with an MPTCP-capable Proxy-Server 200 located in the high-speed backbone network, so that the terminal obtains the benefits of MPTCP.
However, by the nature of this system the service must be provided only to the specific subscribers who have subscribed to it. If existing Proxy authentication is used to identify subscribers, the Proxy-Server 200 must manage the huge subscriber information of the commercial network, and because the Proxy authentication scheme must compare subscriber information separately for each MPTCP path on every Proxy authentication request, Proxy authentication performance degrades as the number of subscribers grows, reducing the gain obtained from MPTCP technology.
The MPTCP Aggregation service system 1000 according to an embodiment using the concept of the present invention solves this problem: instead of comparing subscriber information, it processes a Proxy authentication request by checking whether the terminal 300 requesting Proxy authentication uses the same Proxy authentication key 500 as the Proxy-Server 200, so that the authentication procedure is processed at a constant and fast rate, unaffected by the number of subscribers and without storing subscriber information, and the gain from MPTCP technology is not reduced.
FIG. 2 shows the composition of the initial configuration information 400 according to the present invention. The initial configuration information 400 is the information that the terminal 300 of each subscriber to the MPTCP Aggregation service system 1000, or the Proxy-Server 200, receives from the Proxy-Manager 100 when it initializes. It does not change unless the Operator modifies the authentication policy, and it is the information needed to carry out the Proxy authentication procedure of the present invention for quickly performing Proxy authentication between a pre-authenticated subscriber terminal 300 and the Proxy-Server 200.
As shown in FIG. 2, the initial configuration information 400 according to the present invention consists of the "Group Code" 410, the "OTP Shared Secret" 420, the "use code list" 430, the "Random-Number length" 440, and the "values of the terminal-independent items" 450.
The "Group Code" 410 is a code generated and used by the Proxy-Manager; it is delivered to pre-authenticated terminals and to the Proxy-Server and is used as the Group-Key 510, which is part of the Proxy authentication key 500. The "OTP Shared Secret" 420 is likewise a value that the Proxy-Manager generates and delivers to pre-authenticated terminals and to the Proxy-Server; it allows each terminal and the Proxy-Server to generate a One Time Password (hereinafter OTP), one of the inputs for generating the Master-Key 520 that is part of the Proxy authentication key 500, from the current time while still producing the same OTP on the terminals and on the Proxy-Server. The reason an OTP is used to generate the Master-Key 520 is to prevent an unauthenticated terminal from improperly using functions of the Proxy-Server 200, such as the MPTCP Aggregation service, by means of packet eavesdropping. At the same time, because the authenticated terminals 300 and the Proxy-Server 200 must share the same Proxy authentication key 500, the authenticated terminals 300 and the Proxy-Server 200 must be able to obtain the same OTP; to that end the concept of the present invention delivers the same OTP Shared Secret 420 to the authenticated terminals 300 and to the Proxy-Server 200 and has them compute the OTP from it. Even when the authenticated terminals 300 and the Proxy-Server 200 use the same OTP Shared Secret 420, network delay or a delay in time synchronization may mean that, by the time the Proxy authentication packet sent by a terminal reaches the Proxy-Server, the terminal is using a Proxy authentication key 500 different from the Proxy-Server's. The method for handling this problem is shown in FIG. 3 and described in a later paragraph.
The "use code list" 430 conveys, as a list, which items of information are used as inputs for generating the Master-Key 520 that is part of the Proxy authentication key 500. Only if the terminals 300 and the Proxy-Server 200 generate the Master-Key 520 from the same items of information can they share the same Proxy authentication key 500, and only then can the concept of the present invention, processing a Proxy authentication request quickly without subscriber information by checking that the same Proxy authentication key 500 is used, be realized; for this reason the Proxy-Manager 100 delivers this list to the authenticated terminals 300 and to the Proxy-Server 200.
There are two kinds of items conveyed: "terminal-independent items" and "terminal-dependent items". A "terminal-independent item" is information shared by the network, such as MNC and MCC, so every terminal holds the same value. Such items therefore only need to be held by the Proxy-Server 200; the terminal 300 does not need to send them to the Proxy-Server 200. Normally the terminal 300 and the Proxy-Server 200 can collect the "terminal-independent item" information from the network themselves, but when the information for a particular "terminal-independent item" is difficult to collect, the Proxy-Manager 100 uses the "values of the terminal-independent items" 450 to share that information, for that item only, with each pre-authenticated terminal 300 and with the Proxy-Server 200. A "terminal-dependent item" is one for which each terminal holds different information, such as IP Address or MSISDN; it is carried in the Proxy authentication packet during the authentication procedure of the present invention and is thus shared between each pre-authenticated terminal 300 and the Proxy-Server 200.
The "Random-Number length" 440 is delivered so that the Proxy-Server 200 and the terminal 300 share the length of the information that is compared in place of subscriber information in the Proxy authentication procedure of the present invention, that is, the information used to check whether the terminal 300 and the Proxy-Server 200 use the same Proxy authentication key 500; the terminal generates and uses a Random-Number of this length when creating Code1 610 and Code2 620, which make up the Proxy authentication information 600. When processing a Proxy authentication request the Proxy-Server 200 must extract the Random-Number from Code2 620, so the terminals 300 and the Proxy-Server 200 must use the same Random-Number length, and for this reason the Proxy-Manager 100 delivers the "Random-Number length" 440 to each authenticated terminal 300 and to the Proxy-Server 200. However, because the Random-Number is the last item of Code2, the Proxy-Server 200 can also infer the Random-Number length by removing all of the "terminal-dependent item" information from Code2. The "values of the terminal-independent items" 450 is, as explained above, the field the Proxy-Manager 100 uses to share with each authenticated terminal 300 and with the Proxy-Server 200 the information for those "terminal-independent items" that are difficult to collect.
FIG. 3 shows the countermeasure of the present invention to the problem that, because of network delay or a delay in time synchronization, the OTP generated from the OTP Shared Secret 420 shared by the terminal 300 and the Proxy-Server 200 may produce different Proxy authentication keys 500 even within the same time period. Even when the terminal 300 and the Proxy-Server 200 are time-synchronized, a network delay can mean that the OTP the terminal 300 used to generate the Proxy authentication key 500 when creating the Proxy authentication packet differs from the OTP the Proxy-Server 200 is using when the packet arrives. Likewise, if the time synchronization between the terminal 300 and the Proxy-Server 200 lags, the OTPs generated in the same time period differ even when network delay is minimal, so the Proxy authentication key 500 of the terminal 300 may differ from that of the Proxy-Server 200 even for an authenticated terminal 300. To resolve this, in the present invention the Proxy-Server 200 holds three OTPs, as shown in FIG. 3, generates three Proxy authentication keys 500 when a Proxy authentication packet is received, and attempts authentication with each of the three Proxy authentication keys 500 before rejecting the Proxy authentication request of the terminal 300; this provides a margin of three times the OTP generation period even when a delay occurs in the network or in the time synchronization between the terminal 300 and the Proxy-Server 200.
The OTP generation period can be set according to the needs of the Operator using the present invention. A period is recommended that is short enough, given the state of the network providing the service, to prevent key theft through packet eavesdropping (the purpose of the OTP), yet long enough to accommodate network delay and the delay of the time synchronization method in use. The time synchronization method may likewise be chosen according to the Operator's needs: time synchronization through a third-party server or direct time synchronization between the Proxy-Server 200 and the terminal 300 may be selected.
FIG. 4 shows the composition of the Proxy authentication key 500, which the Proxy-Server 200 and the terminal 300 of the present invention generate from the initial configuration information 400 received from the Proxy-Manager 100 and thereby share identically. FIG. 4 and this paragraph describe only the individual components of the Proxy authentication key 500; the detailed generation procedure and usage examples are given in the later sections describing each step of the embodiment. The Proxy authentication key 500 consists of two keys, the Group-Key 510 and the Master-Key 520. The Group-Key 510 is generated from the Group Code 410 received from the Proxy-Manager 100; depending on the needs of the Operator using the present invention, it may be produced by applying a key-generation function to the Group Code 410, or the Group Code 410 may be used directly as the Group-Key 510 that forms part of the Proxy authentication key 500, and the length of the Group-Key 510 may be set according to the Operator's needs. The Master-Key 520 is generated from the combination of the OTP produced from the OTP Shared Secret 420 and the values of the items specified in the use code list 430. The Master-Key 520, together with the Group-Key 510, forms the Proxy authentication key 500, and, like the Group-Key 510, its length may be set according to the Operator's needs. The present invention does, however, recommend a total Proxy authentication key 500 length of at least 256 bits.
FIG. 5 shows the composition of the Proxy authentication information 600, which is what the present invention actually uses to process a Proxy authentication request quickly without subscriber information. The Proxy-Server 200 and the terminal 300, after strong pre-authentication with the Proxy-Manager 100, receive the same initial configuration information 400 and use it to generate and share the same Proxy authentication key 500. The shared Proxy authentication key 500 is then carried within the information of the Proxy authentication packet, and by checking that the Proxy-Server 200 and the terminal 300 share the same key, the Proxy-Server 200 processes the authentication of the terminal 300 quickly without subscriber information.
To prevent exposure of the Proxy authentication key 500 to packet eavesdropping while still delivering the terminal 300's information to the Proxy-Server 200, the concept of the present invention has the terminal 300 encrypt its information under the Proxy authentication key 500 to create the Proxy authentication information 600, insert it into the Username and Password fields of the Proxy authentication packet, and send it. On receiving the Proxy authentication packet, the Proxy-Server 200 decrypts the received Proxy authentication information 600 in turn with the three Proxy authentication keys 500 generated from the three OTPs it holds and the initial configuration information 400; if the same Proxy authentication key 500 is found to be in use, authentication is completed, and if not, authentication is rejected.
The Proxy authentication information 600 used in this process has Code1 610 and Code2 620. As shown in FIG. 5, Code1 610 is the Random-Number generated when the Proxy authentication information 600 is created, concatenated with the terminal information UE-ID and encrypted with the Proxy authentication key 500; Code2 620 is the terminal-dependent codes concatenated with the same Random-Number value. Code1 610 is delivered to the Proxy-Server 200 in the Username field of the Proxy authentication packet, and Code2 620 in the Password field.
Code1 610 and Code2 620 delivered to the Proxy-Server 200 in this way share the same Random-Number, but Code1 610 is encrypted with the Proxy authentication key 500 while Code2 620 is not. The Proxy-Server 200 therefore decrypts Code1 610, extracts the Random-Number, and compares it with the Random-Number extracted from Code2 620; this confirms whether the terminal 300 and the Proxy-Server 200 use the same Proxy authentication key 500 and allows the Proxy-Server 200 to authenticate the terminal quickly without subscriber information.
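The following is an added example (not code from the patent or from its applicant) that puts the Code1/Code2 exchange of FIG. 5 and the three-OTP retry of FIG. 3 into runnable Python. The patent does not fix the OTP algorithm, the key-generation function or the cipher; here the OTP is an HMAC over the time-step counter, Group-Key and Master-Key are SHA-256 derived 128-bit halves (giving the recommended 256-bit key), and the cipher is an HMAC-SHA256 keystream XOR, all of which are assumptions. The item names, sample configuration and terminal values are constructed, and Code2 is serialized as `|`-joined fields with the Random-Number last, which is also an assumption.

```python
"""Added example: terminal builds Code1/Code2 from the initial configuration and a
time-based OTP; the Proxy-Server verifies with the current, previous and next OTP
without any subscriber database. Names, values and cipher are assumptions."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OTP_PERIOD_SECONDS = 60  # operator-chosen OTP regeneration period (assumed value)


@dataclass(frozen=True)
class InitialConfig:
    """Initial configuration information 400 (the items of FIG. 2)."""
    group_code: bytes                            # "Group Code" 410
    otp_shared_secret: bytes                     # "OTP Shared Secret" 420
    use_code_list: List[str]                     # "use code list" 430, ordered
    random_number_len: int                       # "Random-Number length" 440, bytes
    terminal_independent_values: Dict[str, str]  # "values of terminal-independent items" 450

    def terminal_dependent_items(self) -> List[str]:
        return [i for i in self.use_code_list if i not in self.terminal_independent_values]


def generate_otp(secret: bytes, now: float, offset: int = 0) -> bytes:
    """Time-based OTP: HMAC of the time-step counter (assumed construction)."""
    step = int(now // OTP_PERIOD_SECONDS) + offset
    return hmac.new(secret, struct.pack(">q", step), hashlib.sha256).digest()


def derive_proxy_key(cfg: InitialConfig, otp: bytes, dependent: Dict[str, str]) -> bytes:
    """Proxy authentication key 500 = Group-Key 510 || Master-Key 520 (256 bits)."""
    group_key = hashlib.sha256(b"group-key|" + cfg.group_code).digest()[:16]
    material = otp
    for item in cfg.use_code_list:  # both sides walk the list in the same order
        if item in cfg.terminal_independent_values:
            value = cfg.terminal_independent_values[item]
        else:
            value = dependent[item]
        material += item.encode() + b"=" + value.encode() + b";"
    master_key = hashlib.sha256(b"master-key|" + material).digest()[:16]
    return group_key + master_key


def _stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (HMAC-SHA256 keystream, nonce = Random-Number)."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, out))


def build_auth_info(cfg: InitialConfig, ue_id: str, dependent: Dict[str, str],
                    now: float) -> Tuple[bytes, str]:
    """Terminal side: returns (Code1 for the Username field, Code2 for the Password field)."""
    rn = os.urandom(cfg.random_number_len)
    key = derive_proxy_key(cfg, generate_otp(cfg.otp_shared_secret, now), dependent)
    code1 = _stream_xor(key, rn, rn + ue_id.encode())  # Enc_key(Random-Number || UE-ID)
    code2 = "|".join([dependent[i] for i in cfg.terminal_dependent_items()] + [rn.hex()])
    return code1, code2


def verify_auth_info(cfg: InitialConfig, code1: bytes, code2: str, now: float) -> Optional[str]:
    """Proxy-Server side: returns the UE-ID on success, None when authentication is rejected."""
    parts = code2.split("|")
    names = cfg.terminal_dependent_items()
    if len(parts) != len(names) + 1:
        return None
    try:
        rn = bytes.fromhex(parts[-1])  # the Random-Number is the last item of Code2
    except ValueError:
        return None
    if len(rn) != cfg.random_number_len or len(code1) < len(rn):
        return None
    dependent = dict(zip(names, parts[:-1]))
    for offset in (0, -1, 1):  # current, previous and next OTP, as in FIG. 3
        key = derive_proxy_key(cfg, generate_otp(cfg.otp_shared_secret, now, offset), dependent)
        plain = _stream_xor(key, rn, code1)
        if hmac.compare_digest(plain[:len(rn)], rn):  # same key on both sides
            return plain[len(rn):].decode("utf-8", errors="replace")
    return None  # no OTP window matched: reject


# Constructed sample configuration and terminal values (not real operator data).
SAMPLE_CONFIG = InitialConfig(
    group_code=b"grp-example-01",
    otp_shared_secret=b"otp-shared-secret-example",
    use_code_list=["MCC", "MNC", "IP Address", "MSISDN"],
    random_number_len=16,  # 128-bit Random-Number so a wrong key cannot match by chance
    terminal_independent_values={"MCC": "450", "MNC": "05"},
)
SAMPLE_TERMINAL = {"IP Address": "10.0.0.5", "MSISDN": "+821012345678"}

if __name__ == "__main__":
    t0 = 1_700_000_000.0
    c1, c2 = build_auth_info(SAMPLE_CONFIG, "ue-0001", SAMPLE_TERMINAL, t0)
    print("on time:", verify_auth_info(SAMPLE_CONFIG, c1, c2, t0))
    print("one period late:", verify_auth_info(SAMPLE_CONFIG, c1, c2, t0 + OTP_PERIOD_SECONDS))
    print("two periods late:", verify_auth_info(SAMPLE_CONFIG, c1, c2, t0 + 2 * OTP_PERIOD_SECONDS))
```

Because the terminal-dependent values from Code2 feed the server's key derivation, a Code2 whose IP Address or MSISDN has been altered in transit derives a different key and fails the Random-Number comparison, which is the check the patent relies on in place of a subscriber lookup. A packet replayed after the OTP window (two periods or more) is likewise rejected.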
In addition, in the concept of the present invention the decrypted Code1 610 contains the terminal information UE-ID, so the Proxy-Server 200 can learn which subscriber is using its service even though it does not store subscriber information.
In this way, the concept of the present invention performs the strong but, depending on the number of subscribers, time- and resource-consuming high-performance authentication only as pre-authentication with the Proxy-Manager 100 when the Proxy-Server 200 and the terminal 300 begin using the service; it lets the authenticated terminal 300 and the Proxy-Server 200 generate the same Proxy authentication key 500 from the same initial configuration information 400; and then, in the Proxy authentication procedure performed whenever the Proxy service is used, it lets the Proxy-Server 200 use the Proxy authentication information 600 created from that shared Proxy authentication key 500 to identify a pre-authenticated terminal 300 by Proxy authentication quickly, without subscriber information, and provide the service immediately.
This concludes the explanation of the information and concepts needed to understand the present invention; the following paragraphs and figures describe the steps of the present invention using the MPTCP Aggregation service system 1000, one of its preferred embodiments.
The first step of the present invention is the initial setup step, and FIG. 6 shows its detailed procedure. The initial setup step initializes the information needed for the operation of the inventive concept when each component of the present invention starts: after the Proxy-Server 200 and the terminal 300 complete a time-consuming but strong pre-authentication, the initial configuration information 400 needed for the operation of the present invention, which allows Proxy authentication to proceed quickly without using subscriber information, is shared with the Proxy-Server 200 and the subscriber terminal 300.
도 6에서 보듯이 본 발명의 각 구성요소는 시작 될 때 Proxy-Manager(100)와 인증을 수행하고, Proxy-Manager(100)로부터 초기설정정보(400)를 수신한다. 첫 번째 절차에서 Proxy-Server(200)가 시작되면, Proxy-Server(200)는 Proxy-Manager(100)와 인증을 진행한 후에, 두 번째 절차로 수신한 초기설정정보를(400)보관해 둔다. 세 번째 절차는 단말(300)에서 Proxy-Server(200)가 제공하는 MPTCP Aggregation 서비스 사용을 시작하면 진행되며, 서비스시작과 동시에 서비스의 사용을 위해 Proxy-Manager(100)와 선 인증을 절차를 진행한다. 이 선 인증은 본 발명의 빠른 인증이 아닌 통상적인 인증 절차이며, 단말(300)이 서비스 가입자인지를 확인하기 위한 절차로, 본 발명의 개념을 사용하는 Operator의 필요에 따라 인증방식이 선택될 수 있다. 이 단말(300)과 Proxy-Manager(100)가 진행하는 선 인증은 통신 때마다 발생하는 Proxy 인증과는 달리 주기적으로 하거나 서비스 시작 시에 한번만 진행하면 되는 인증이게 시간을 많이 소모하지만 보안성능이 뛰어난 인증방식의 사용이 권장된다. 본 발명의 개념에선 이 선 인증이 실제로 가입자를 인증하는 것이고, 본 발명의 개념이 소개하는 가입자 정보 없이 빠르게 Proxy 인증을 진행하는 방식은 Proxy 인증을 요청한 단말(300)이 선 인증 과정을 완료하였는지 만을 확인하여 빠른 Proxy 인증을 제공하는 것이다.As illustrated in FIG. 6, each component of the present invention performs authentication with the Proxy-Manager 100 and receives initial configuration information 400 from the Proxy-Manager 100. When the Proxy-Server (200) is started in the first procedure, the Proxy-Server (200) after the authentication with the Proxy-Manager (100), and stores the initial configuration information (400) received in the second procedure . The third procedure proceeds when the terminal 300 starts to use the MPTCP Aggregation service provided by the Proxy-Server 200, and proceeds with pre-authentication with the Proxy-Manager 100 for use of the service at the same time as the service starts. do. This pre-authentication is not a quick authentication of the present invention, but is a normal authentication procedure, and is a procedure for confirming whether the terminal 300 is a service subscriber, and an authentication method may be selected according to the needs of an operator using the concept of the present invention. have. 
Unlike the proxy authentication that occurs every time, the terminal 300 and the proxy-manager 100 proceed with the line authentication, which requires a periodic or one-time authentication at the start of the service. The use of authentication methods is recommended. In the concept of the present invention, this pre-authentication actually authenticates the subscriber, and the method of rapidly proxieing the proxy without the subscriber information introduced by the concept of the present invention only determines whether the terminal 300 requesting the proxy authentication has completed the pre-authentication process. Check and provide fast proxy authentication.
단말(300)이 도 6의 세 번째 절차로 Proxy-Manager(100)와 선 인증을 완료하면, 단말(300)은 도 6의 네 번째 절차로 초기설정정보(400)를 Proxy-Manager(100)로부터 제공받게 된다. 단말(300)은 이렇게 수신한 초기설정정보(400)를 기반으로 생성한 Proxy 인증키(500)와 Random-Number로 Proxy 인증용 정보(600)를 생성하여 Proxy 통신 세션마다 진행하는 Proxy 인증 절차에 사용하도록 하여서, Proxy-Server(200)가 Proxy 인증을 요청한 단말(300)이 자신과 동일한 Proxy 인증키(500)를 사용하는지만 확인하는 것으로 빠른 인증을 진행할 있도록 한다. 초기설정 단계 이후의 Proxy 인증까지의 절차는 이 후 도면과 문단에서 상세히 설명한다.When the terminal 300 completes pre-authentication with the Proxy-Manager 100 in the third procedure of FIG. 6, the terminal 300 transmits the initial configuration information 400 to the Proxy-Manager 100 in the fourth procedure of FIG. 6. Will be provided by The terminal 300 generates the proxy authentication information 500 based on the received initial configuration information 400 and the proxy authentication information 600 using the random number, and performs the proxy authentication procedure for each proxy communication session. By using it, the Proxy-Server 200 allows the terminal 300 to request Proxy authentication to proceed with quick authentication by checking only using the same Proxy authentication key 500 as its own. The procedure up to Proxy authentication after the initial configuration step is described in detail later in the drawings and paragraphs.
FIG. 7 shows the procedure from the second step of the invention, key generation on the sending side, to the third step, transmission of the authentication packet. A terminal (300) using the MPTCP Aggregation service completes the initial configuration step of FIG. 6, receives the initial configuration information (400) and stores it; the stored information is then used, by the procedure of FIG. 7, to generate the Proxy authentication key (500) and the Proxy authentication information (600).
A terminal authenticated in the initial configuration step holds the initial configuration information (400) that corresponds to the authentication policy, and immediately proceeds to generate the Proxy authentication key (500) and the Proxy authentication information (600) shown in FIG. 7. To do so, it generates an OTP from the Shared Secret for OTP generation (420) contained in the initial configuration information (400), then derives and stores the Proxy authentication key (500) from that OTP together with the Group Code (410) and the value of each item of the usage code list (430). The detailed derivation of the Proxy authentication key (500) is described below together with FIG. 9.
Once the Proxy authentication key (500) exists, the terminal (300) generates a Random-Number in the manner of FIG. 8, which describes how Code1 (610) and Code2 (620) are built. Code1 (610) is produced by concatenating the Random-Number with the UE-ID, the terminal and subscriber information that the Proxy-Server (200) must keep while providing the MPTCP Aggregation service, and encrypting the result with the Proxy authentication key (500) generated above. Code2 (620) is produced by concatenating the values of the terminal-dependent items of the usage code list (430) with the same Random-Number that was used for Code1 (610).
When building Code1 (610) and Code2 (620), it is recommended that the Random-Number in Code2 (620) be placed after the values of the terminal-dependent items, whose lengths are public, as in FIG. 8, so that the Proxy-Server (200) can extract the Random-Number from Code2 (620) and determine its length even without prior knowledge of that length. Likewise, when concatenating the Random-Number and the UE-ID for Code1 (610), the Random-Number should precede the UE-ID as in FIG. 8, so that the Proxy-Server (200), even without knowing the exact length of the UE-ID, can extract the UE-ID using the Random-Number length obtained from Code2. Because the invention aims to authenticate the Proxy authentication packet as quickly as possible, Code2 (620) is described as being sent without encryption; the operator may nevertheless apply any encryption method to it if required.
Once the Proxy authentication key (500), Code1 (610) and Code2 (620) have been generated, the terminal (300) keeps them for subsequent Proxy authentication packets. As FIG. 7 indicates, three kinds of event cause them to be regenerated.
The first event is a change of authentication policy. When the operator changes the policy, the Proxy-Servers (200) and terminals (300) receive new initial configuration information (400) matching the changed policy, and because that information has changed, the procedure described above (generate the OTP, derive the Proxy authentication key (500), generate and store Code1 (610) and Code2 (620)) is run again. Since the initial configuration information (400) includes the Shared Secret for OTP generation (420), the procedure restarts from OTP generation.
The second event is the arrival of the OTP regeneration period. The OTP is the invention's countermeasure against packet eavesdropping; when its regeneration period elapses the OTP is regenerated, so the Proxy authentication key (500) derived from information that includes the OTP expires, and the terminal (300) generates and stores a new Proxy authentication key (500), Code1 (610) and Code2 (620).
The last event occurs when terminal-dependent information used in generating the Proxy authentication key (500) changes. Terminal-dependent information may include values that change with terminal mobility, such as the terminal's IP address. Such a change means the existing Proxy authentication key (500) has expired, so a new Proxy authentication key (500), Code1 (610) and Code2 (620) are generated and stored.
When Code1 (610) and Code2 (620) have been generated by this procedure or by one of these events and are held by the terminal (300), the terminal can start proxy communication under the invention at any time. When communication using the MPTCP Aggregation service starts on the terminal in this state, that communication becomes proxy communication, and the Proxy authentication procedure begins, which verifies that the proxy communication indeed originates from a subscriber's terminal.
The terminal then completes the authentication packet transmission step by inserting the pre-generated Code1 (610) and Code2 (620) into the Username and Password fields of the Proxy authentication packet, respectively, as shown in FIG. 7. If the terminal (300) receives an authentication success from the Proxy-Server (200), proxy communication proceeds; if it receives an authentication failure, proxy communication does not proceed.
In the present embodiment the Random-Number is generated in advance so that Code1 (610) and Code2 (620) can be generated and stored in advance. Depending on the operator's needs, however, the Random-Number may instead be generated at the moment proxy communication starts. In that case the terminal (300) generates and stores only the Proxy authentication key (500); when a Proxy authentication packet is built at the start of proxy communication, it generates the Random-Number, builds Code1 (610) and Code2 (620) and places them in the packet. This costs a little more time and resources per authentication packet, but because each session then uses a fresh value, it prevents a Random-Number of the terminal (300) from being exposed by packet eavesdropping and reused.
When the Proxy authentication packet from the terminal (300) reaches the Proxy-Server (200), the Proxy-Server performs Proxy authentication of the terminal (300) through the interpretation key generation step and the authentication and user information restoration step. Before describing the Proxy-Server's (200) authentication procedure, however, the derivation of the Proxy authentication key (500) is described in detail with FIG. 9.
As shown in FIG. 9, the Proxy authentication key (500) is the combination of a Group-Key (510) and a Master-key (520). Both are derived from the values of the items of the initial configuration information (400) that the terminal (300) and the Proxy-Server (200) receive after pre-authentication with the Proxy-Manager (100).
The Group-Key (510) is derived from the Group Code (410) of the initial configuration information (400). The Key-Generation module used for this is not specified and may be chosen by the operator as needed.
The Master-key (520) is derived from the OTP generated from the Shared Secret for OTP generation (420) of the initial configuration information (400), together with the value of each item listed in the usage code list (430). As with the Group-Key (510), the Key-Generation module used to derive the Master-key (520) is not specified and may be chosen by the operator; the Group-Key (510) and the Master-key (520) may even use different Key-Generation modules.
Unlike the Group-Key (510), the Master-key (520) may take several item values from the usage code list (430), and the operator decides which items are used. If the operator has no information it wants to list in the usage code list (430) for Master-key (520) derivation, the usage code list (430) and the values of the terminal-independent items (450) may be left out of the initial configuration information (400) entirely. At least one input is nevertheless required to derive the Master-key (520), and because the OTP is the chosen countermeasure against packet eavesdropping, the OTP value must always be included in the Master-key (520) derivation. For generating the OTP value the Time-based One-time Password algorithm (RFC 6238) is recommended, as indicated in FIG. 9, but the operator may freely choose any method in which the shared Shared Secret produces the same OTP value on both sides when generated at the same time.
The usage code list (430) may also contain terminal-independent items such as the MNC. The terminal (300) and the Proxy-Server (200) may obtain these values from the network or from the values of the terminal-independent items (450) in the initial configuration information (400).
Once the Group-Key (510) and the Master-key (520) have been derived from the initial configuration information (400) as above, the two keys are concatenated into one to form the Proxy authentication key (500). For example, if a 128-bit key is generated as the Group-Key (510) and another 128-bit key as the Master-key (520), the two are concatenated into a 256-bit Proxy authentication key (500). The lengths of the Group-Key (510) and the Master-key (520) may be set by the operator, but for security the invention recommends choosing them so that the concatenated Proxy authentication key (500) is at least 256 bits long.
FIG. 10 describes the interpretation key generation step that the Proxy-Server (200) performs, on receiving a Proxy authentication packet from the terminal (300), before the authentication and user information restoration step.
After starting service, the Proxy-Server (200) receives the initial configuration information (400) from the Proxy-Manager (100) in the initial configuration step, generates the OTP and stores both. As FIG. 10 shows, the stored initial configuration information (400) and OTP are refreshed when a change of authentication policy alters the initial configuration information (400), or when the configured OTP regeneration period is reached and the OTP expires.
As described with FIG. 3, the Proxy-Server (200) generates and keeps three OTPs. When it receives a Proxy authentication packet it uses the three OTPs in turn, both to derive the interpretation key, that is, the Proxy authentication key (500), and to authenticate the packet.
Once the initial configuration information (400) and the OTPs are stored through Event1 and Event2 of FIG. 10, the Proxy-Server (200) is ready to receive and authenticate Proxy authentication packets. When Event3 of FIG. 10, receipt of a Proxy authentication packet, occurs, the Proxy-Server derives the Proxy authentication key (500) by the method described with FIG. 9 and proceeds to the next step, authentication and user information restoration.
When the Proxy-Server (200) derives the Proxy authentication key (500), it derives the Group-Key (510) from the Group Code (410) of the stored initial configuration information (400). To derive the Master-key (520), however, it must use not only the stored OTP and the values of the terminal-independent items (450) of the stored initial configuration information (400), but also the values of the terminal-dependent information, such as the IP address, extracted from the Password field of the Proxy authentication packet received from the terminal (300). For this reason the present embodiment and FIG. 10 describe the Proxy authentication key (500) as being derived after the Proxy authentication packet is received. If, however, the operator uses no terminal-dependent items, and the values of the terminal-independent items (450) have already been shared with the Proxy-Server (200), the key no longer depends on the contents of the packet, and the Proxy-Server (200) may derive the three Proxy authentication keys (500) in advance, store them, and use them directly when a Proxy authentication packet arrives.
Having received a Proxy authentication packet and derived the Proxy authentication key (500) through the steps above, the Proxy-Server proceeds to the authentication and user information restoration step shown in FIG. 11. In this step it authenticates the terminal (300) quickly without subscriber information and, for operator conveniences such as tracking service usage per user, extracts and stores the user's subscriber information.
On receiving a Proxy authentication packet and completing the derivation of the Proxy authentication key (500), the Proxy-Server (200) extracts Code1 (610) and Code2 (620) from the Username and Password fields of the packet, respectively, as in FIG. 11, and performs Proxy authentication and user information extraction. From Code2 (620) it extracts the values of the terminal-dependent items, with which it derives the Proxy authentication key (500) to be used for this authentication attempt, and the Random-Number needed to confirm that the terminal (300) shares the same Proxy authentication key (500) as the Proxy-Server (200).
The Proxy-Server (200) also decrypts Code1 (610) with the Proxy authentication key (500) and extracts the [Random-Number, UE-ID] pair. With this information in hand it compares the Random-Number extracted from Code1 with the Random-Number extracted from Code2; if the two values are equal, it sends an authentication success message to the terminal (300) and establishes the proxy connection.
If the two Random-Number values differ, the Proxy-Server derives the next Proxy authentication key (500) with the next OTP, extracts the required information from the Proxy authentication packet again and repeats the Random-Number comparison. If the authentication attempts with all three OTPs and their Proxy authentication keys (500) have failed, the Proxy-Server (200) logs the terminal information and the authentication failure, sends a Proxy authentication failure message and refuses the proxy connection.
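As an added example, not part of the patent or of the applicant's system, the following Python puts the procedure of FIGs. 7 to 11 together: derivation of the Proxy authentication key (500) as Group-Key (510) followed by Master-key (520), construction of Code1 (610) and Code2 (620) on the terminal, and the Proxy-Server's verification loop over the three OTP windows. The patent fixes neither the Key-Generation module, nor the OTP time step, nor the cipher used for Code1, so those are assumptions here: HMAC-SHA256 truncated to 128 bits as the Key-Generation module, a 30-second RFC 6238 step, and an encrypt-then-MAC construction built from HMAC-SHA256 standing in for an AEAD such as AES-GCM (chosen so the example runs with the standard library alone; Code1 therefore carries a 16-byte IV and a 16-byte tag around the ciphertext). The initial configuration values, the UE-ID and the terminal values are constructed sample data.

```python
"""Added example: Proxy authentication key (Fig. 9), Code1/Code2 (Fig. 8) and the
Proxy-Server's three-OTP verification (Figs. 10-11).  Standard library only; the
TOTP step, the Key-Generation module and the cipher are assumptions, not the patent's."""
import base64, hashlib, hmac, os, struct, time
from typing import Optional, Tuple

OTP_STEP = 30   # assumed RFC 6238 time step, in seconds
KEY_HALF = 16   # 128-bit Group-Key + 128-bit Master-key = 256-bit Proxy authentication key

# Constructed initial configuration information (400), as shared by the Proxy-Manager.
INIT_CONFIG = {
    "group_code": b"MPTCP-AGG-GROUP-7",                                        # 410
    "shared_secret": bytes.fromhex("3132333435363738393031323334353637383930"),  # 420
    "code_list": [("mnc", 3, False), ("ip", 4, True)],  # 430: (item, byte length, terminal-dependent?)
    "random_len": 16,                                   # 440
    "independent_values": {"mnc": b"005"},              # 450
}

def totp(shared_secret: bytes, counter: int) -> bytes:
    """RFC 6238 value for one time step, kept as the 31-bit binary HOTP output."""
    mac = hmac.new(shared_secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return struct.pack(">I", struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF)

def kdf(label: bytes, *parts: bytes) -> bytes:
    """Assumed Key-Generation module: HMAC-SHA256 over length-prefixed inputs, 128-bit output."""
    h = hmac.new(label, digestmod=hashlib.sha256)
    for p in parts:
        h.update(struct.pack(">H", len(p)) + p)
    return h.digest()[:KEY_HALF]

def proxy_auth_key(cfg: dict, otp: bytes, values: dict) -> bytes:
    """Fig. 9: Group-Key from the Group Code, Master-key from the OTP plus every code-list value."""
    group_key = kdf(b"group-key", cfg["group_code"])
    master_key = kdf(b"master-key", otp, *(values[name] for name, _, _ in cfg["code_list"]))
    return group_key + master_key

def _xor_stream(key: bytes, iv: bytes, data: bytes) -> bytes:
    stream = b"".join(hmac.new(key, iv + struct.pack(">I", i), hashlib.sha256).digest()
                      for i in range(-(-len(data) // 32)))
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC from HMAC-SHA256; a stand-in for an AEAD such as AES-GCM."""
    iv = os.urandom(16)
    ct = _xor_stream(kdf(b"enc", key), iv, plaintext)
    return iv + ct + hmac.new(kdf(b"mac", key), iv + ct, hashlib.sha256).digest()[:16]

def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    iv, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(kdf(b"mac", key), iv + ct, hashlib.sha256).digest()[:16]):
        return None            # wrong key (e.g. another OTP window) or tampered Code1
    return _xor_stream(kdf(b"enc", key), iv, ct)

def terminal_build_codes(cfg: dict, values: dict, ue_id: bytes, now: int) -> Tuple[str, str]:
    """Figs. 7-8, terminal side.  Code2 = terminal-dependent values || Random-Number, in the clear;
    Code1 = Enc_key(Random-Number || UE-ID).  Returned as text for the Username/Password fields."""
    key = proxy_auth_key(cfg, totp(cfg["shared_secret"], now // OTP_STEP), values)
    rnd = os.urandom(cfg["random_len"])
    code2 = b"".join(values[n] for n, _, dep in cfg["code_list"] if dep) + rnd
    code1 = encrypt(key, rnd + ue_id)
    return base64.b64encode(code1).decode(), base64.b64encode(code2).decode()

def server_verify(cfg: dict, username: str, password: str, now: int) -> Optional[bytes]:
    """Figs. 10-11, server side.  Recover the terminal-dependent values and the Random-Number from
    Code2, try the Proxy authentication key for the previous, current and next OTP window, and
    accept only if the Random-Number inside Code1 equals the one in Code2.  Returns the UE-ID."""
    code1, code2 = base64.b64decode(username), base64.b64decode(password)
    values, pos = dict(cfg["independent_values"]), 0
    for name, length, dep in cfg["code_list"]:
        if dep:                                          # public lengths, so Code2 parses without a header
            values[name], pos = code2[pos:pos + length], pos + length
    rnd = code2[pos:]
    if len(rnd) != cfg["random_len"]:
        return None
    step = now // OTP_STEP
    for counter in (step - 1, step, step + 1):           # the three OTPs the server keeps
        key = proxy_auth_key(cfg, totp(cfg["shared_secret"], counter), values)
        pt = decrypt(key, code1)
        if pt is not None and hmac.compare_digest(pt[:cfg["random_len"]], rnd):
            return pt[cfg["random_len"]:]                # UE-ID, kept for per-user accounting
    return None                                          # all three OTPs failed: log and reject

if __name__ == "__main__":
    t = int(time.time())
    vals = {"mnc": b"005", "ip": bytes([10, 20, 30, 40])}
    user, pw = terminal_build_codes(INIT_CONFIG, vals, b"IMSI-450050000000001", t)
    print("accepted UE-ID:", server_verify(INIT_CONFIG, user, pw, t + OTP_STEP))
```

Two points follow from running it. First, because the Proxy-Server reads the terminal-dependent values out of Code2, a changed IP address changes the derived key and the packet is rejected, which is exactly why the page lists the change of terminal-dependent information as a regeneration event. Second, with authenticated encryption a key derived from the wrong OTP window is rejected by the tag check before the Random-Number comparison is even reached; with an unauthenticated cipher, decryption with the wrong key would yield garbage and the Random-Number comparison alone would have to carry that decision, so the cipher choice the operator makes for Code1 determines how much the comparison in FIG. 11 really proves. Code2 travels in the clear, as the text says, so nothing in it should be treated as secret: the secret input is the Shared Secret for OTP generation (420).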
In summary, the concept of the invention is as follows. The Proxy-Manager (100) completes terminal authentication with strong pre-authentication when the terminal (300) starts the service, and the authenticated terminal (300) is enabled to derive the same Proxy authentication key (500) as the Proxy-Server (200). When the Proxy-Server (200) and the terminal (300) then perform Proxy authentication, the Proxy-Server (200) only checks whether the terminal (300) shares the same Proxy authentication key (500); this confirms that the terminal (300) has completed pre-authentication with the Proxy-Manager (100), so the Proxy-Server (200) can complete Proxy authentication quickly and without subscriber information.
As shown in FIG. 1, the MPTCP Aggregation service system (1000) uses two paths, so every communication session goes through two Proxy authentication procedures. Moreover, because the MPTCP Aggregation service system (1000) is deployed in a commercial network, it must handle a very large amount of subscriber information, while as a premium service it must provide differentiated service per subscriber. If a conventional Proxy authentication method were used in this environment, the Proxy-Server (200) would bear the burden of managing that large amount of subscriber information, and would have to match each session authentication request against it twice for every proxy communication session created, which sharply degrades service performance.
For the situation in which Proxy authentication must be used in a commercial network with a very large number of subscribers, the invention provides a method that minimises the performance loss caused by Proxy authentication without requiring subscriber management, so that a proxy service such as the MPTCP Aggregation service system (1000) can be provided in a commercial mobile network without performance degradation due to Proxy authentication.
The invention is not limited to the embodiments described above; its range of application is varied, and various modifications are possible without departing from the gist of the invention as claimed in the claims.
[Description of reference signs]
1000: MPTCP Aggregation service system
100: Proxy-Manager
200: Proxy-Server
300: terminal
400: initial configuration information
410: Group Code 420: Shared Secret for OTP
430: usage code list 440: length of Random-Number
450: values of the terminal-independent items
500: Proxy authentication key
510: Group-Key 520: Master-Key
600: Proxy authentication information
610: Code1 620: Code2

Claims (14)

  1. A proxy authentication system for providing a proxy service, comprising:
    a Proxy-Manager that pre-authenticates a subscriber and delivers, to a terminal and to a Proxy-Server, initial configuration information for performing Proxy authentication without subscriber information;
    a terminal that, based on the initial configuration information received from the Proxy-Manager, generates Code1 for the Username and Code2 for the Password that make up a Proxy authentication packet, and transmits the Proxy authentication packet to the Proxy-Server; and
    a Proxy-Server that, based on the initial configuration information received from the Proxy-Manager, generates an interpretation key that allows authentication to be processed without subscriber information, performs authentication with the interpretation key when the terminal requests authentication, and restores and stores the information of the authenticated subscriber.
  2. The proxy authentication system for providing a proxy service according to claim 1,
    wherein the initial configuration information
    includes a usage code list containing terminal-independent code items and/or terminal-dependent code items, a Group Code, a Shared Secret for generating a One Time Password (OTP), and the length of the Random-Number, and,
    for the terminal-independent code items among the code items included in the usage code list, further includes the values of those code items whose values cannot be collected from the network.
  3. 제 2항에 있어서,The method of claim 2,
    상기 Code2는,Code2 is,
    각 단말이 보관할 수 있는 단말 종속적인 코드 항목의 값 중에 상기 Proxy-Manager로부터 전달받은 상기 사용코드리스트에 포함된 코드 항목의 값, 및 상기 Random-Number의 길이만큼의 Random-Number로 이루어지며,It consists of the value of the code item included in the usage code list received from the Proxy-Manager from the value of the terminal-dependent code item that can be stored by each terminal, and the Random-Number as long as the length of the Random-Number,
    상기 Code1은,Code1 is
    단말의 정보를 가지는 UE-ID와 상기 Random-Number를 합친 후 상기 초기설정정보를 기반으로 생성한 Proxy 인증키를 이용하여 암호화하여 생성되는 것을 특징으로 하는 프록시 서비스 제공을 위한 프록시 인증시스템.The proxy authentication system for providing a proxy service, characterized in that generated by encrypting using a proxy authentication key generated based on the initial configuration information after combining the UE-ID having the information of the terminal and the Random-Number.
  4. 제 3항에 있어서,The method of claim 3, wherein
    상기 Proxy 인증키는,The Proxy authentication key is
    Group-Key 및 Master-key를 포함하며,Includes Group-Key and Master-key,
    상기 Group-Key는 상기 Group Code 기반으로 생성되고,The Group-Key is generated based on the Group Code,
    상기 Master-key는 상기 사용코드리스트에 포함된 OTP 생성용 Shared Secret을 기반으로 생성되는 OTP, 및 상기 사용코드리스트에 포함된 각 코드 항목들로 이루어지는 것을 특징으로 하는 프록시 서비스 제공을 위한 프록시 인증시스템.The master-key is a proxy authentication system for providing a proxy service, characterized in that the OTP generated based on the shared secret for generating the OTP included in the use code list, and each code item included in the use code list .
  5. 제 3항에 있어서,The method of claim 3, wherein
    상기 Proxy 인증키는,The Proxy authentication key is
    OTP 값의 재생성 주기 도달, 상기 Proxy-Manager로부터의 인증 정책 변경 수신, 사용코드리스트에 포함된 각 코드 항목들의 값 변동 중 어느 하나 이상의 이벤트가 발생될 때마다 갱신되는 것을 특징으로 하는 프록시 서비스 제공을 위한 프록시 인증시스템.Providing a proxy service, characterized in that each time one or more of the occurrence of the regeneration period of the OTP value, receiving the authentication policy change from the Proxy-Manager, changes in the value of each code item included in the usage code list occurs Proxy authentication system.
  6. 제 1항에 있어서,The method of claim 1,
    상기 Proxy-Server는,The Proxy-Server,
    상기 해석용 키가 상기 단말에서 상기 Code1의 암호화 시 사용한 Proxy 인증키와 동일한지를 확인함으로써, 가입자정보 없이 인증을 수행하는 것을 특징으로 하는 프록시 서비스 제공을 위한 프록시 인증시스템.The proxy authentication system for providing a proxy service, characterized in that authentication is performed without subscriber information by checking whether the analysis key is the same as the proxy authentication key used when the terminal encrypts the Code1.
  7. 제 6항에 있어서,The method of claim 6,
    상기 Proxy-Server는,The Proxy-Server,
    상기 단말로부터 전송받은 Proxy 인증용 패킷의 Password 필드에 담긴 Code2에서 Random-Number를 추출하고, 상기 해석용 키를 이용해 상기 Proxy 인증용 패킷의 Username 필드에 저장된 정보를 복호화하여 복호화된 Code1을 추출한 후, 복호화한 Code1에서 추출한 Random-Number와 상기 Code2에서 추출한 Random-Number를 대조하는 것으로 상기 해석용 키가 상기 Proxy 인증키와 동일한지를 판단하는 것을 특징으로 하는 프록시 서비스 제공을 위한 프록시 인증시스템.After extracting Random-Number from Code2 contained in the Password field of the Proxy authentication packet received from the terminal, extracting the decrypted Code1 by decrypting the information stored in the Username field of the Proxy authentication packet using the analysis key, And comparing the Random-Number extracted from the decrypted Code1 with the Random-Number extracted from the Code2 to determine whether the analysis key is the same as the Proxy authentication key.
  8. 제 6항에 있어서,The method of claim 6,
    상기 Proxy-Server는,The Proxy-Server,
    상기 단말과의 시간 비동기로 인한 OTP 값의 차를 극복하기 위해 미리 설정된 다수의 시점에서의 OTP를 생성하여, 생성된 OTP 개수만큼 상기 해석용 키 생성 및 인증 시도를 진행하는 것을 특징으로 하는 프록시 서비스 제공을 위한 프록시 인증시스템.Proxy service, characterized in that to generate the OTP at a plurality of preset time points in order to overcome the difference of the OTP value due to the time asynchronous with the terminal, the analysis key generation and authentication attempt as the number of generated OTP Proxy authentication system for provisioning.
  9. Proxy-Manager가 가입자를 선 인증하고 가입자 정보 없이 Proxy 인증을 진행하기 위한 초기설정정보를 단말과 Proxy-Server로 전달하는 초기설정 단계;An initial setting step of transmitting, by the Proxy-Manager to the terminal and the Proxy-Server, initial configuration information for pre-authenticating the subscriber and performing proxy authentication without the subscriber information;
    상기 단말이 상기 Proxy-Manager로부터 전달받은 상기 초기설정정보를 기반으로, Proxy 인증용 패킷에 사용되는 Code1과 Code2를 생성하는 송신 측 키 생성 단계;A transmitter-side key generation step of generating, by the terminal, Code1 and Code2 used for a proxy authentication packet based on the initial configuration information received from the Proxy-Manager;
    상기 단말이 상기 Code1과 Code2를 각각 상기 Proxy 인증용 패킷의 Username 필드와 Password 필드에 담아 상기 Proxy-Server로 전송하는 인증 패킷 전송 단계;An authentication packet transmission step of transmitting, by the terminal, the Code1 and Code2 to the Proxy-Server in the Username field and the Password field of the Proxy authentication packet, respectively;
    단말의 인증 요청 시 상기 Proxy-Server가 상기 Proxy-Manager로부터 전달받은 상기 초기설정정보를 기반으로 상기 인증 요청을 가입자정보 없이 처리할 수 있도록 하는 해석용 키를 생성하는 해석용 키 생성 단계; 및An analysis key generation step of generating an analysis key for allowing the Proxy-Server to process the authentication request without subscriber information based on the initial configuration information received from the Proxy-Manager when an authentication request is made by the terminal; And
    상기 Proxy-Server가 단말의 인증요청을 처리하고, 인증 성공 시 인증이 완료된 가입자의 정보를 복원 및 저장하는 인증 및 사용자 정보 복원 단계;An authentication and user information restoration step in which the Proxy-Server processes the authentication request of the terminal and restores and stores the information of the subscriber which has been authenticated upon successful authentication;
    를 포함하여 이루어지는 프록시 서비스 제공을 위한 프록시 인증방법.Proxy authentication method for providing a proxy service comprising a.
  10. 제 9항에 있어서,The method of claim 9,
    상기 송신 측 키 생성 단계에서,In the transmitting key generation step,
    상기 Code2는, 각 단말이 보관할 수 있는 단말 종속적 값 중에 상기 Proxy-Manager로부터 전달받은 사용코드리스트에 포함된 코드 항목의 값, 및 상기 Proxy-Manager로부터 전달받은 Random-Number 길이 만큼의 Random-Number로 이루어지며,Code2 is a value of a code item included in a usage code list received from the Proxy-Manager among terminal dependent values that each terminal can store, and a Random-Number equal to a Random-Number length received from the Proxy-Manager. Done,
    상기 Code1은, 단말의 정보를 가지는 UE-ID와 상기 Random-Number를 합친 후 상기 초기설정정보를 기반으로 생성한 Proxy 인증키를 이용하여 암호화하여 생성되는 것을 특징으로 하는 프록시 서비스 제공을 위한 프록시 인증방법.The code1 is generated by encrypting using a proxy authentication key generated based on the initial configuration information after combining the UE-ID having the terminal information and the random number and generating the proxy authentication for providing a proxy service. Way.
  11. 제 10항에 있어서,The method of claim 10,
    상기 Proxy 인증키는,The Proxy authentication key is
    Group-Key 및 Master-key를 포함하며,Includes Group-Key and Master-key,
    상기 Group-Key는 Group Code 기반으로 생성되고,The Group-Key is generated based on Group Code,
    상기 Master-key는 상기 초기설정정보에 포함된 OTP 생성용 Shared Secret을 기반으로 생성되는 OTP, 및 상기 사용코드리스트에 포함된 각 코드 항목들로 이루어지는 프록시 서비스 제공을 위한 프록시 인증방법.The master-key is a proxy authentication method for providing a proxy service comprising an OTP generated based on the OTP generation Shared Secret included in the initial configuration information, and each code item included in the use code list.
  12. 제 9항에 있어서,The method of claim 9,
    상기 해석용 키 생성 단계 및 상기 인증 및 사용자 정보 복원 단계는,The analyzing key generation step and the authentication and user information recovery step,
    상기 Proxy-Server가 상기 단말과의 시간 비동기로 인한 OTP 값의 차를 극복하기 위해, 미리 설정된 다수의 시점에서 생성해놓은 OTP의 개수만큼 반복 수행되어 상기 단말의 인증을 시도하는 것을 특징으로 하는 프록시 서비스 제공을 위한 프록시 인증방법.In order to overcome the difference in the OTP value due to time asynchronous with the terminal, the Proxy-Server repeatedly performs as many as the number of OTPs created at a plurality of preset time points, and attempts to authenticate the terminal. Proxy authentication method to provide.
  13. 제 9항에 있어서,The method of claim 9,
    상기 인증 및 사용자 정보 복원 단계에서,In the authentication and user information restoration step,
    상기 해석용 키가 상기 단말에서 상기 Code1의 암호화 시 사용한 Proxy 인증키와 동일한지를 확인함으로써 가입자정보 없이 상기 단말의 인증을 수행하는 것을 특징으로 하는 프록시 서비스 제공을 위한 프록시 인증방법.Proxy authentication method for providing a proxy service, characterized in that for performing the authentication of the terminal without subscriber information by confirming whether the analysis key is the same as the proxy authentication key used in the encryption of the code1 in the terminal.
  14. 제 13항에 있어서,The method of claim 13,
    상기 인증 및 사용자 정보 복원 단계는,The authentication and user information restoration step,
    상기 단말이 전송한 Proxy 인증용 패킷의 Password 필드에 담긴 Code2에서 Random-Number를 추출하는 단계;Extracting a Random-Number from Code2 contained in a Password field of a Proxy authentication packet transmitted by the terminal;
    상기 해석용 키를 이용해 상기 Proxy 인증용 패킷의 Username 필드에 저장된 정보를 복호화하여 복호화된 Code1을 추출하고, 상기 복호화한 Code1에 포함된 Random-Number를 추출하는 단계;Extracting the decrypted Code1 by decrypting the information stored in the Username field of the Proxy authentication packet by using the analysis key, and extracting a Random-Number included in the decrypted Code1;
    상기 Code1에서 추출한 Random-Number와 상기 Code2에서 추출한 Random-Number를 대조하는 단계; 및Contrasting the Random-Number extracted from Code1 with the Random-Number extracted from Code2; And
    두 Random-Number가 일치하면 단말 인증을 완료하고, 인증이 완료된 단말의 사용자 정보를 상기 Proxy 인증 패킷으로부터 추출하여 각 Proxy 서비스 가입자들의 Proxy 서비스 사용량 및 사용패턴 정보모니터링을 위해 보관하는 단계;When the two random numbers coincide, completing terminal authentication, extracting user information of the authenticated terminal from the Proxy authentication packet, and storing the extracted proxy information for monitoring proxy service usage and usage pattern information of each Proxy service subscriber;
    를 포함하여 이루어지는 프록시 서비스 제공을 위한 프록시 인증방법.Proxy authentication method for providing a proxy service comprising a.
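The exchange that claims 3 to 14 describe, as an added example in Python; it is not part of the patent, and everything the claims leave open is a constructed stand-in: the OTP derivation (HMAC over a 30-second time slot), how Group-Key and Master-Key are combined, the `|` field encoding, and the cipher (an HMAC-SHA256 keystream XOR in place of a real block cipher). The server also takes the code item values only from Code2, a simplification of claim 2.

```python
"""Added example (not from the patent): the claimed Proxy authentication exchange.
Stand-ins for what the claims leave unspecified: TOTP-like OTP over a 30 s slot,
SHA-256 to combine Group-Key and Master-Key, '|' as field separator, and an
HMAC-SHA256 keystream XOR as the cipher for Code1."""
import hashlib
import hmac
import os
import struct

STEP = 30  # assumed OTP regeneration period in seconds


def otp(shared_secret: bytes, t: int) -> bytes:
    """Time-based OTP for the slot containing t (assumed construction)."""
    return hmac.new(shared_secret, struct.pack(">Q", t // STEP), hashlib.sha256).digest()


def proxy_auth_key(group_code: bytes, shared_secret: bytes, code_values: list, t: int) -> bytes:
    """Claim 4: Group-Key from the Group Code; Master-Key from the OTP plus code item values."""
    group_key = hashlib.sha256(b"group|" + group_code).digest()
    master_key = hashlib.sha256(b"master|" + otp(shared_secret, t) + b"|".join(code_values)).digest()
    return hashlib.sha256(group_key + master_key).digest()


def _keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR data with HMAC-SHA256(key, iv || block counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, iv + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def terminal_build_packet(ue_id: bytes, group_code: bytes, shared_secret: bytes,
                          code_values: list, rand_len: int, now: int) -> dict:
    """Claims 3/10: Code2 = terminal-dependent code values || Random-Number;
    Code1 = Enc(Proxy authentication key, UE-ID || Random-Number)."""
    rnd = os.urandom(rand_len)
    code2 = b"|".join(code_values) + b"|" + rnd
    key = proxy_auth_key(group_code, shared_secret, code_values, now)
    iv = os.urandom(16)
    code1 = iv + _keystream_xor(key, iv, ue_id + b"|" + rnd)
    return {"Username": code1, "Password": code2}


def server_verify(packet: dict, group_code: bytes, shared_secret: bytes,
                  rand_len: int, now: int, skew_slots: int = 1):
    """Claims 7/8/14: Random-Number from Code2; per tolerated OTP slot derive an analysis
    key, decrypt Code1 and compare Random-Numbers. Returns the restored UE-ID or None."""
    code2 = packet["Password"]
    rnd2 = code2[-rand_len:]
    code_values = code2[:-rand_len - 1].split(b"|")  # terminal-dependent values, sent in clear
    iv, body = packet["Username"][:16], packet["Username"][16:]
    for slot in range(-skew_slots, skew_slots + 1):
        key = proxy_auth_key(group_code, shared_secret, code_values, now + slot * STEP)
        plain = _keystream_xor(key, iv, body)
        if hmac.compare_digest(plain[-rand_len:], rnd2):
            return plain[:-rand_len - 1]  # UE-ID, now available for usage accounting
    return None
```

Note what the match proves: only that the Proxy-Server's analysis key equals the key the terminal used, i.e. that both hold the same Group Code, Shared Secret and code item values for an OTP slot within the tolerated skew; Code2 itself travels in the clear, so the random value is a key-agreement check, not a secret.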

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2016-0082721 2016-06-30
KR1020160082721A KR101837150B1 (en) 2016-06-30 2016-06-30 Proxy authentication system and method for providing proxy service

Publications (2)

Publication Number Publication Date
WO2018004114A2 true WO2018004114A2 (en) 2018-01-04
WO2018004114A3 WO2018004114A3 (en) 2018-09-07

Family

ID=60786986

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2017/003364 WO2018004114A2 (en) 2016-06-30 2017-03-28 Proxy authentication system and authentication method for providing proxy service

Country Status (2)

Country Link
KR (1) KR101837150B1 (en)
WO (1) WO2018004114A2 (en)

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8788802B2 (en) 2005-09-29 2014-07-22 Qualcomm Incorporated Constrained cryptographic keys
KR100957183B1 (en) * 2008-08-05 2010-05-11 건국대학교 산학협력단 Method for authenticating mobile node in the proxy mobile ip network
SG10201608067QA (en) * 2011-09-29 2016-11-29 Amazon Tech Inc Parameter based key derivation
KR101297648B1 (en) * 2011-12-29 2013-08-19 고려대학교 산학협력단 Authentication method between server and device

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11432357B2 (en) * 2018-02-06 2022-08-30 Huawei Technologies Co., Ltd. Multipath establishment method and apparatus
WO2019239108A1 (en) * 2018-06-15 2019-12-19 Iothic Ltd Decentralised authentication
CN112703702A (en) * 2018-06-15 2021-04-23 艾欧特可有限公司 Distributed authentication
US20210167963A1 (en) * 2018-06-15 2021-06-03 Iothic Ltd Decentralised Authentication
CN112749182A (en) * 2019-10-30 2021-05-04 深圳市傲冠软件股份有限公司 Method, audit terminal, device and storage medium for agent access to Oracle database
CN112749182B (en) * 2019-10-30 2023-01-31 深圳市傲冠软件股份有限公司 Method for accessing Oracle database by proxy, audit terminal, device and computer readable storage medium

Also Published As

Publication number Publication date
KR20180003196A (en) 2018-01-09
KR101837150B1 (en) 2018-03-09
WO2018004114A3 (en) 2018-09-07

Similar Documents

Publication Publication Date Title
US8245039B2 (en) Extensible authentication protocol authentication and key agreement (EAP-AKA) optimization
FI106604B (en) A method for protecting subscriber identity
JP3105361B2 (en) Authentication method in mobile communication system
FI106605B (en) authentication method
US20070189537A1 (en) WLAN session management techniques with secure rekeying and logoff
US20060059344A1 (en) Service authentication
Liu et al. Toward a secure access to 5G network
WO2019132272A1 (en) Id as blockchain based service
CN110858969A (en) Client registration method, device and system
WO2011081242A1 (en) Key authentication method for binary cdma
WO2018004114A2 (en) Proxy authentication system and authentication method for providing proxy service
WO2019182377A1 (en) Method, electronic device, and computer-readable recording medium for generating address information used for transaction of blockchain-based cryptocurrency
MXPA05009804A (en) Wlan session management techniques with secure rekeying and logoff.
WO2020067734A1 (en) Non-address network equipment and communication security system using same
CN109347836B (en) IPv6 network node identity safety protection method
CN108400967B (en) Authentication method and authentication system
JP2006345150A (en) Terminal device and authentication device
JP4677784B2 (en) Authentication method and system in collective residential network
WO2013176502A1 (en) Method for providing mobile communication provider information and device for performing same
CN113038459A (en) Private information transmission method and device, computer equipment and computer readable medium
WO2023008940A1 (en) Method and system for securely handling re-connection of client devices to a wireless network
CN114268499B (en) Data transmission method, device, system, equipment and storage medium
WO2023249320A1 (en) Dds communication method, device and system
EP3439260B1 (en) Client device ticket
EP3836589A1 (en) Method for authenticating a secure element at the level of an authentication server, corresponding secure element and authentication server

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 17820391; Country of ref document: EP; Kind code of ref document: A2
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 17820391; Country of ref document: EP; Kind code of ref document: A2