
WO2006081742A1 - A method for realizing the user information synchronization and authenticating the user end - Google Patents


Info

Publication number
WO2006081742A1
Authority
WO
WIPO (PCT)
Prior art keywords
bsf
authentication
user
information
user terminal
Legal status (as listed by Google Patents; not a legal conclusion)
Ceased
Application number
PCT/CN2006/000100
Other languages
French (fr)
Chinese (zh)
Inventor
Yingxin Huang
Wenlin Zhang
Current Assignee (as listed by Google Patents; may be inaccurate)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security, for authentication of entities

Definitions

  • The present invention relates to the generic authentication framework used in third-generation wireless communication, and in particular to a method for synchronizing user information and authenticating a user terminal when several BSFs are included in the same home network.
  • Background of the invention
  • In the third-generation wireless communication standards, the generic authentication framework is a common structure used by many application service entities to verify user identity; applying it, an application service can check and verify the identity of its users.
  • The application services may be multicast/broadcast services, user certificate services, instant information provisioning services, or proxy services.
  • FIG. 1 shows the structure of the generic authentication framework.
  • The framework normally consists of a user terminal (UE) 101, a bootstrapping server function (BSF) 102 that performs the initial check and verification of the UE identity, a home subscriber server (HSS) 103, and a network application function (NAF) 104.
  • The BSF 102 mutually authenticates with the user terminal 101 and at the same time generates a key shared between the BSF 102 and the user terminal 101.
  • The HSS 103 stores a profile describing the user, which contains the user identity and all other description information related to the user; the HSS 103 also generates authentication vectors.
  • When a user needs to use a service and already knows that it must authenticate to the BSF, it interacts with the BSF directly to perform mutual authentication. Otherwise the user first contacts the NAF corresponding to the service; if the NAF applies the generic authentication framework and requires the user to authenticate to the BSF, it tells the user to authenticate through the generic authentication framework, and otherwise it handles the request in its own way.
  • The mutual authentication procedure between the UE and the BSF is as follows:
  • The UE sends an authentication request to the BSF using the default domain name BSF.MCC.MNC.3GPPnetwork.org.
  • On receiving the request, the BSF first obtains the authentication information of the UE from the HSS, which returns one or more sets of authentication vectors according to the UE identifier. Each set of vectors can be used only once, so the HSS could return a single set, but to save signalling on the interface it usually returns several sets, which the BSF then uses for several authentications.
  • Along with the authentication vectors, the HSS returns the user's description information to the BSF.
  • Using the obtained authentication vectors, the BSF runs the Authentication and Key Agreement protocol (AKA) with the UE; the two sides authenticate each other and at the same time generate the shared key Ks.
  • The BSF then allocates a bootstrapping transaction identifier (B-TID) to the UE. The B-TID has the format RAND@BSF_server_domain_name, is associated with Ks, and carries a validity period.
  • After receiving the B-TID, the UE sends a connection request to the NAF. The request carries the B-TID, and the UE derives the key Ks_NAF from Ks.
  • If the NAF does not hold the B-TID carried by the UE locally, it queries the BSF. The BSF looks up the B-TID, derives Ks_NAF from Ks with the same algorithm the UE used, and returns it to the NAF.
  • The success response contains the B-TID the NAF asked for, the derived key Ks_NAF corresponding to it, the validity period the BSF set for the key and, if required, the user's description information.
  • On receiving the success response, the NAF treats the UE as a UE authenticated by the BSF; the NAF and the UE now share Ks_NAF derived from Ks and use it to protect their subsequent communication.
  • When the UE finds that Ks or Ks_NAF is about to expire, or the NAF requires it to re-authenticate to the BSF, the UE repeats the steps above to re-authenticate to the BSF and obtain a new Ks and B-TID.
  • The description above assumes a single BSF in the generic authentication framework. Several BSFs can also be deployed to avoid the bottleneck that an overloaded BSF would create, and deploying several BSFs in one home network has become a trend.
  • The UE sends its authentication request to the BSF through the default domain name BSF.MCC.MNC.3GPPnetwork.org, and the DNS resolves that name to an actual BSF address. With a single BSF, the DNS returns one address and the UE connects to it and performs the subsequent operations. With several BSFs, the DNS may return several addresses, or select one of them according to a pre-configured policy and return only that one; the UE connects to the address it receives.
  • Suppose the UE authenticates with BSF1. BSF1 usually obtains several sets of authentication vectors for the UE, say vectors 1, 2 and 3, because the HSS returns several sets to save interface signalling. Authentication vector 1 is certainly used for this authentication, because the vectors must be used in numbered order.
  • When the UE later needs to re-authenticate, it may for some reason interact with BSF2 instead, for example because it received no response from BSF1 within the predetermined time. BSF2 again obtains several sets of vectors for the UE from the HSS, say vectors 4, 5 and 6, and vector 4 is used for this mutual authentication. Since the UE keeps track of the numbering of the vectors applied, it detects that the number of the vector now applied is not continuous with the previous one, which may cause the authentication to fail.
  • The root cause of the failure is that the user information held for the UE by BSF1 and BSF2 is not synchronized. A perfectly normal UE may therefore be unable to use the service because of an authentication failure caused by the network side itself, which is unreasonable.
  • Because the B-TID has the format RAND@BSF_server_domain_name, when the NAF queries for B-TID information after authentication it simply goes to the single BSF of the home network in the single-BSF case. With several BSFs, the NAF picks a BSF arbitrarily according to the domain name in the B-TID and requests the B-TID information from it. If that BSF finds that it does not hold the information the NAF asked for, it sends query requests to the other BSFs in the home network in turn, until the information is found or every BSF in the home network has been tried without result.
  • One object of the present invention is to provide a method for synchronizing user information between several BSFs, so that the user information of a UE that initiates an authentication request is kept synchronized across the different BSFs.
  • Another object of the present invention is to provide an authentication method for the multi-BSF case that ensures a normal UE can pass authentication.
  • A method for synchronizing user information between several BSFs when a user terminal (UE) needs to perform mutual authentication with a BSF, where the BSFs belong to the same home network, includes the following steps:
  • The user terminal sends an authentication request to the first BSF, which has previously performed a mutual authentication operation with it.
  • When the user terminal receives information indicating that the first BSF cannot process the authentication request, or determines that no response from the first BSF has arrived within a predetermined time, it selects a second BSF and sends it an authentication request that includes information identifying the first BSF. According to the received request, the second BSF obtains the user information of the user terminal from the first BSF and saves it.
  • The second BSF obtains the user information of the user terminal from the first BSF in one of two ways:
  • The second BSF sends the first BSF a query request carrying the IMPI of the user terminal to be queried; the first BSF looks up the user information directly from the stored correspondence between IMPI and user information and returns it to the second BSF; or,
  • The second BSF sends the first BSF a query request carrying the B-TID of the user terminal to be queried; the first BSF first looks up the IMPI of the user terminal from the stored correspondence between B-TID and IMPI, then looks up the user information from the stored correspondence between IMPI and user information, and returns it to the second BSF.
  • A second method for synchronizing user information between several BSFs of the same home network when a user terminal (UE) needs to perform mutual authentication with a BSF includes the following steps:
  • The user terminal sends an authentication request to the first BSF, which has previously performed a mutual authentication operation with it. When the first BSF determines that it cannot process the request, it sends a proxy authentication request to a second BSF in the home network.
  • The second BSF obtains the user information of the UE from the proxy authentication request message and saves it.
  • The method further includes setting an identifier for each of the BSFs in the same home network; the identifier is a sequence number, a number determined by the numbering rule of the home network, or a name the home network can recognize.
  • The user information consists of the authentication vectors, the B-TID, the information related to the B-TID and the user's description information; or it consists of the B-TID, the information related to the B-TID and the user's description information.
  • The method further includes the first BSF deleting the authentication vectors from the user information it holds.
  • A method for authenticating a user terminal when several BSFs of the same home network exist includes either of the following:
  • A1. The user terminal sends an authentication request to the first BSF, which has previously performed a mutual authentication operation with it;
  • When the user terminal receives information indicating that the first BSF cannot process the authentication request, or determines that no response from the first BSF has arrived within a predetermined time, it selects a second BSF and sends it an authentication request including information identifying the first BSF; according to the received request, the second BSF obtains the user information of the user terminal from the first BSF and saves it;
  • The second BSF obtains the authentication vector for the current mutual authentication from the user information acquired from the first BSF, and performs the mutual authentication operation with the user terminal.
  • A2. The user terminal sends an authentication request to the first BSF, which has previously performed a mutual authentication operation with it; the first BSF determines that it cannot process the request, provides the user information of the user terminal to a second BSF in the home network, and notifies the user terminal to perform mutual authentication with the second BSF;
  • The user terminal sends an authentication request to the second BSF according to the notification received.
  • The second BSF obtains the authentication vector for the current mutual authentication from the user information provided by the first BSF, and performs the mutual authentication operation with the user terminal.
  • Obtaining the authentication vector for the current mutual authentication includes the following: the second BSF determines whether the locally saved user information of the user terminal contains an unused authentication vector; if so, that unused vector is used for the current mutual authentication; otherwise the second BSF obtains an authentication vector for the user terminal from the HSS and uses it for the current mutual authentication.
  • The method further includes setting an identifier for each of the BSFs in the same home network in advance; after authentication succeeds, the domain name part of the B-TID that the BSF allocates to the user terminal includes the BSF's own identifier.
  • The identifiers set for the BSFs in the network are sequence numbers, numbers determined by the numbering rule of the home network, or names the home network can recognize.
  • When a NAF in the network queries a BSF for the B-TID information of the user terminal, the NAF uses the BSF identifier in the domain name of the B-TID to send the query request directly to the BSF that holds that B-TID.
  • In step A2, the first BSF provides the user information of the user terminal to the second BSF as follows:
  • The first BSF sends the second BSF a proxy authentication request message that includes the user information of the user terminal;
  • After the second BSF confirms that it can process the authentication request, it obtains the user information of the user terminal from the proxy authentication request message, saves it, and returns a success response to the first BSF.
  • In step A2, notifying the user terminal to perform mutual authentication with the second BSF includes the following:
  • After receiving the success response from the second BSF, the first BSF sends the user terminal a notification that carries information identifying the second BSF, telling it to authenticate with the second BSF.
  • The user information consists of the authentication vectors, the B-TID, the information related to the B-TID and the user's description information; or it consists of the B-TID, the information related to the B-TID and the user's description information.
  • The present invention also provides an authentication method for the multi-BSF case which, on the basis of user information synchronization, ensures that a normal UE can pass authentication.
  • The present invention further sets an identifier for each of the BSFs and reflects it in the domain name of the B-TID, so that the B-TID itself indicates which BSF allocated it. This simplifies the NAF's search, reduces the traffic between BSFs, speeds up processing and saves network resources.
  • FIG. 1 shows the structure of the generic authentication framework;
  • FIG. 2 is a schematic flow chart of the first embodiment of the present invention;
  • FIG. 3 is a schematic flow chart of the second embodiment of the present invention.
  • Mode for carrying out the invention
  • The idea of the present invention is that when the user terminal re-authenticates with a second BSF different from the one used in the last authentication, the second BSF can acquire the user information of the terminal from the first BSF that previously performed the mutual authentication operation with it, so that the user information of the UE that initiated the authentication request is kept synchronized across the different BSFs.
  • On that basis, the present invention provides an authentication method for the multi-BSF case that ensures a normal UE can pass authentication.
  • The present invention further sets an identifier for each of the BSFs and reflects it in the domain name of the B-TID, so that the B-TID indicates which BSF allocated it; this simplifies the NAF's search and improves network processing efficiency.
  • When the UE finds that the key it uses is about to expire, or receives information from the NAF requiring re-authentication, it performs the authentication operation again; the conditions that trigger re-authentication are the same as in the prior art and are not described further.
  • FIG. 2 is a schematic flow chart of the first embodiment of the present invention.
  • Several BSFs exist in the same home network, and the UE has already successfully performed a mutual authentication operation with one of them.
  • For convenience of description, the original BSF that has already performed the mutual authentication operation with the user terminal is called the first BSF and denoted BSFo, and a new BSF, different from the first BSF and not yet having performed a mutual authentication operation with the user terminal, is called the second BSF and denoted BSFn.
  • Step 201. When the UE performs the mutual authentication operation again, it first sends an authentication request to BSFo. Because the UE stores the information of the BSF with which it performed the mutual authentication operation, it can find the BSFo that last authenticated it successfully. In this embodiment BSFo determines from its current state that it cannot process the request and, according to its pre-configuration, returns no response to the UE. Step 202 is then performed.
  • Step 202. The UE selects a new BSF, BSFn, which is different from the first BSF and has not performed a mutual authentication operation with it, and sends BSFn an authentication request that includes information identifying BSFo, the BSF that performed the mutual authentication operation with the UE.
  • The UE selects BSFn in one of two ways: it chooses another IP address from the BSF IP addresses it has saved, and the BSF at that address is BSFn; or it has the DNS resolve the default BSF domain name and uses the BSF at the returned address (picking one at random if several addresses are returned) as BSFn.
  • The information in the authentication request that identifies BSFo is the IP address of BSFo or the identifier that has been set for BSFo.
  • The identifier set for a BSF may be a sequence number such as 1, 2, 3 and so on, a number determined by the numbering rule of the home network, or a name the home network can recognize.
  • Step 203. On receiving the authentication request carrying the IP address or identifier of BSFo, BSFn sends BSFo a query request for the user information of the UE that sent the authentication request. If the authentication request contained the user's private identity (IMPI), the query request carries the IMPI; if it contained a B-TID, the query request carries that B-TID.
  • The user information consists of the authentication vectors, the B-TID, the information related to the B-TID and the user description information; if BSFo holds no unused authentication vector for the UE, it consists of the B-TID, the information related to the B-TID and the user description information.
  • Step 204. On receiving the query request from BSFn, BSFo looks up the user information of the UE directly from the stored correspondence between IMPI and user information if the request carries an IMPI; if the request carries a B-TID, BSFo first looks up the IMPI of the UE from the stored correspondence between B-TID and IMPI, then looks up the user information from the stored correspondence between IMPI and user information. BSFo sends the user information it found to BSFn.
  • After returning the user information to BSFn, BSFo immediately deletes the authentication vectors it saved for the UE. Other user information, such as the B-TID and the information related to it, is not deleted yet, so that a NAF can still query a B-TID that is still valid; once the validity period of the B-TID has expired, BSFo deletes the B-TID and its related information. After all B-TIDs that BSFo saved for one IMPI, that is, for one UE, have been deleted, BSFo deletes the IMPI and the user description information of the UE and no longer holds any description information of that UE.
  • Step 205. After receiving and saving the user information returned by BSFo, BSFn checks whether it contains an unused authentication vector. If so, step 207 is performed; otherwise step 206 is performed.
  • Step 206. BSFn requests the authentication vectors and the user description information of the UE from the HSS. The description information is requested at the same time so that any change to it is picked up.
  • Step 207. BSFn performs the mutual authentication operation with the UE. After authentication succeeds, BSFn allocates a B-TID to the UE.
  • Because BSFn can obtain the user information of the UE from BSFo, the user information of the UE requesting authentication is synchronized across the different BSFs, and the situation in which a normal user cannot pass authentication is avoided.
  • FIG. 3 is a schematic flow chart of the second embodiment of the present invention.
  • Several BSFs exist in the same home network, and the UE has already successfully performed a mutual authentication operation with one of them.
  • As before, the original BSF that has performed the mutual authentication operation with the user terminal is called the first BSF and denoted BSFo, and a new BSF that is different from the first BSF and has not performed a mutual authentication operation with the user terminal is called the second BSF and denoted BSFn.
  • Step 301. When the UE performs the mutual authentication operation again, it first sends an authentication request to BSFo. Because the UE stores the information of the BSF with which it performed the mutual authentication operation, it can find the BSFo that last authenticated it successfully.
  • Step 302. After receiving the authentication request from the UE, BSFo determines that it cannot process the request itself, for example because its load is too heavy, and, according to its pre-configuration, hands the UE over to BSFn for authentication: it sends BSFn a proxy authentication request message that carries the user information of the UE.
  • The user information consists of the authentication vectors, the B-TID, the information related to the B-TID and the user description information; if BSFo holds no unused authentication vector for the UE, it consists of the B-TID, the information related to the B-TID and the user description information.
  • Step 303. After receiving the request message from BSFo, BSFn confirms that it can perform the operation, saves the user information carried in the request message, and returns a success response message to BSFo.
  • Step 304. After receiving the success response from BSFn, BSFo checks whether the user information it sent to BSFn included authentication vectors and, if so, immediately deletes the authentication vectors it saved for the UE. Other user information, such as the B-TID and the information related to it, is not deleted yet, so that a NAF can still query a B-TID that is still valid; once the validity period of the B-TID has expired, BSFo deletes the B-TID and its related information. After all B-TIDs that BSFo saved for one IMPI, that is, for one UE, have been deleted, BSFo deletes the IMPI and the user description information of the UE and no longer holds any description information of that UE.
  • BSFo then notifies the UE to perform the mutual authentication operation with BSFn; the notification message carries the IP address of BSFn or the identifier that has been set for BSFn.
  • The identifier of a BSF is set in the same way as in the previous embodiment and is not described again here.
  • Step 305. The UE sends an authentication request to BSFn. The request carries the same information as an existing authentication request; nothing needs to be added.
  • Step 306. After receiving the authentication request from the UE, BSFn checks whether the locally saved user information of the UE contains an unused authentication vector. If so, step 308 is performed; otherwise step 307 is performed.
  • Step 307. BSFn requests the authentication vectors and the user description information of the UE from the HSS. The description information is requested at the same time so that any change to it is picked up.
  • Step 308. BSFn performs the mutual authentication operation with the UE. After authentication succeeds, BSFn allocates a B-TID to the UE.
  • Because BSFn can obtain the user information of the UE from BSFo, the user information of the UE initiating the authentication request is synchronized across the different BSFs, and a normal user is not prevented from passing authentication.
  • The BSF identifier can be reflected in the domain name of the B-TID, so that the B-TID clearly indicates which BSF allocated it, which simplifies the NAF's search. For example, if the identifier of the BSFn to which the UE is connected is 11, the B-TID that BSFn allocates to the UE is expressed as RAND@11.BSF_servers_domain_name. When the NAF locates the BSF through the domain name of the B-TID, it finds the BSF that holds the required information directly, and the BSFs in the network no longer need to be searched in turn, which improves network processing efficiency.
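The two procedures above (steps 201 to 207 and steps 301 to 308) in runnable form, as an added example that is not part of the patent: a toy HSS, UE and BSF in Python in which an authentication vector is reduced to its sequence number, the UE's check is reduced to "the number must follow the last one accepted", and the BSF-to-BSF transfer is an in-memory call. The class and function names, the IMPI and domain strings and the batch of three vectors per HSS request are assumptions. The example shows the prior-art failure (BSF2 fetches fresh vectors and the UE sees a gap), the pull variant of Embodiment 1 (BSFn queries BSFo by the UE's B-TID), the push variant of Embodiment 2 (BSFo proxies the user information to BSFn), and that once the handed-over vectors are used up BSFn falls through to the HSS without breaking the sequence.

```python
"""Toy model of the BSF-to-BSF user-information sync of Embodiments 1 and 2.
Added example, not code from the patent. Assumptions: a vector is just its
sequence number, the UE's AKA check is "the number must follow the last one",
and the inter-BSF transfer is an in-memory call (the patent does not say how
that interface is protected; a real one must be authenticated)."""
import secrets

class HSS:
    """Issues several vectors per request, numbered consecutively per IMPI."""
    def __init__(self):
        self.next_sqn = {}

    def get_vectors(self, impi, n=3):
        start = self.next_sqn.get(impi, 1)
        self.next_sqn[impi] = start + n
        return list(range(start, start + n))

class UE:
    def __init__(self, impi):
        self.impi, self.last_sqn, self.btid = impi, 0, None

    def accept_vector(self, sqn):
        """The UE tracks vector numbers and rejects a non-consecutive one."""
        if sqn != self.last_sqn + 1:
            return False
        self.last_sqn = sqn
        return True

class BSF:
    def __init__(self, name, hss):
        self.name, self.hss = name, hss
        self.users = {}         # IMPI -> {"vectors", "btids", "profile"}
        self.btid_to_impi = {}  # B-TID -> IMPI, for queries by B-TID

    def _record(self, impi):
        return self.users.setdefault(impi, {"vectors": [], "btids": set(), "profile": None})

    def authenticate(self, ue):
        """Steps 205-207 / 306-308: use an unused vector, else fetch from the HSS."""
        rec = self._record(ue.impi)
        if not rec["vectors"]:
            rec["vectors"] = self.hss.get_vectors(ue.impi)
            rec["profile"] = "profile:" + ue.impi
        sqn = rec["vectors"].pop(0)   # vectors are consumed in numbered order
        if not ue.accept_vector(sqn):
            return None
        btid = f"{secrets.token_hex(4)}@{self.name}"
        rec["btids"].add(btid)
        self.btid_to_impi[btid] = ue.impi
        ue.btid = btid
        return btid

    def export_user_info(self, impi=None, btid=None):
        """Step 204 / 302: look up by IMPI or by B-TID, hand over the unused
        vectors and delete them locally; B-TIDs stay until they expire."""
        if impi is None:
            impi = self.btid_to_impi.get(btid)
        rec = self.users.get(impi)
        if rec is None:
            return None
        info = {"impi": impi, "vectors": rec["vectors"],
                "btids": set(rec["btids"]), "profile": rec["profile"]}
        rec["vectors"] = []
        return info

    def import_user_info(self, info):
        """Step 205 / 303: save what the other BSF sent."""
        rec = self._record(info["impi"])
        rec["vectors"], rec["profile"] = list(info["vectors"]), info["profile"]
        for b in info["btids"]:
            self.btid_to_impi[b] = info["impi"]

def reauth_prior_art(ue, bsf2):
    """No sync: BSF2 asks the HSS for fresh vectors and the UE sees a gap."""
    return bsf2.authenticate(ue)

def reauth_pull(ue, bsfo, bsfn):
    """Embodiment 1: BSFo is silent, the UE retries at BSFn naming BSFo,
    and BSFn queries BSFo by the UE's B-TID."""
    info = bsfo.export_user_info(btid=ue.btid)
    if info is not None:
        bsfn.import_user_info(info)
    return bsfn.authenticate(ue)

def reauth_push(ue, bsfo, bsfn):
    """Embodiment 2: overloaded BSFo proxies the user info to BSFn, then
    redirects the UE, which authenticates at BSFn with a plain request."""
    bsfn.import_user_info(bsfo.export_user_info(impi=ue.impi))
    return bsfn.authenticate(ue)

def run_scenario(mode):
    """Bootstrap at bsf1, then re-authenticate at bsf2 three times. Returns
    (every re-authentication succeeded, last vector number the UE accepted)."""
    hss = HSS()
    bsf1, bsf2 = BSF("bsf1.home.example", hss), BSF("bsf2.home.example", hss)
    ue = UE("user@home.example")
    assert bsf1.authenticate(ue) is not None     # vector 1 used; bsf1 keeps 2 and 3
    first = {"prior_art": lambda: reauth_prior_art(ue, bsf2),
             "pull": lambda: reauth_pull(ue, bsf1, bsf2),
             "push": lambda: reauth_push(ue, bsf1, bsf2)}[mode]()
    ok = first is not None and all(bsf2.authenticate(ue) for _ in range(2))
    return ok, ue.last_sqn
```

`run_scenario("prior_art")` fails at the first re-authentication because BSF2 presents vector 4 while the UE last accepted vector 1; `run_scenario("pull")` and `run_scenario("push")` succeed three times, consuming vectors 2 and 3 handed over from BSFo and then vector 4 fetched from the HSS. The patent does not specify how the inter-BSF query or proxy message is protected; because it transfers unused authentication vectors, a deployment has to authenticate that interface and restrict it to BSFs of the same home network, which the in-memory call here does not model.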
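The B-TID format with the BSF identifier in the domain name, and the NAF lookup it enables, as an added example that is not part of the patent. The domain name, the identifier list, the in-memory registry of B-TID records and the HMAC-based stand-in for the Ks_NAF derivation are assumptions (3GPP specifies its own key derivation function, which is not reproduced here). The example contrasts the prior-art search of the BSFs in turn with the direct query the identifier allows, and falls back to the search for a B-TID without an identifier.

```python
"""B-TID carrying the allocating BSF's identifier, so a NAF can query that
BSF directly instead of asking every BSF in turn. Added example, not code
from the patent; domain, identifiers and the HMAC key derivation are assumed."""
import hashlib
import hmac
import secrets

DOMAIN = "BSF_servers_domain_name"   # assumed home-network BSF domain name

def make_btid(bsf_id, rand=None):
    """RAND@<bsf_id>.<domain>, as in the patent's RAND@11.BSF_servers_domain_name."""
    rand = rand or secrets.token_hex(8)
    return f"{rand}@{bsf_id}.{DOMAIN}"

def parse_btid(btid):
    """Split a B-TID into (RAND, bsf_id, domain); a plain RAND@domain gives bsf_id None."""
    rand, _, host = btid.partition("@")
    if host.endswith("." + DOMAIN):
        return rand, host[: -len(DOMAIN) - 1], DOMAIN
    return rand, None, host

def derive_ks_naf(ks, rand, naf_id):
    """Stand-in for the derivation both UE and BSF run on Ks (assumed HMAC-SHA256)."""
    return hmac.new(ks, rand.encode() + b"|" + naf_id.encode(), hashlib.sha256).digest()

class BSFRegistry:
    """Home network with several BSFs, each holding its own B-TID -> Ks records."""
    def __init__(self, bsf_ids):
        self.bsfs = {i: {} for i in bsf_ids}
        self.queries = 0   # how many BSFs were asked in the last lookup

    def allocate(self, bsf_id, ks):
        """The BSF with identifier bsf_id allocates a B-TID bound to Ks."""
        btid = make_btid(bsf_id)
        self.bsfs[bsf_id][btid] = {"ks": ks}
        return btid

    def lookup_in_turn(self, btid):
        """Prior art: ask the BSFs one by one until one holds the B-TID."""
        self.queries = 0
        for records in self.bsfs.values():
            self.queries += 1
            if btid in records:
                return records[btid]
        return None

    def lookup_direct(self, btid):
        """With the identifier in the domain name, ask only the allocating BSF."""
        self.queries = 0
        _, bsf_id, _ = parse_btid(btid)
        if bsf_id is None or bsf_id not in self.bsfs:
            return self.lookup_in_turn(btid)      # legacy or unknown identifier
        self.queries = 1
        return self.bsfs[bsf_id].get(btid)

def naf_resolve(registry, btid, naf_id, direct=True):
    """NAF side: obtain Ks_NAF for a B-TID; returns (key or None, BSFs queried)."""
    rec = registry.lookup_direct(btid) if direct else registry.lookup_in_turn(btid)
    if rec is None:
        return None, registry.queries
    rand, _, _ = parse_btid(btid)
    return derive_ks_naf(rec["ks"], rand, naf_id), registry.queries
```

The identifier in the domain name is routing information only: the NAF still obtains Ks_NAF from the BSF's own record, so a B-TID that names a BSF but is not in that BSF's records yields no key, and the UE-side `derive_ks_naf` over the same Ks and RAND produces the same Ks_NAF as the BSF returns.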


Abstract

A method for synchronizing user information among a plurality of BSFs includes: when the user terminal authenticates again and uses a second BSF different from the one used in the last authentication, the second BSF obtains the user information of the user terminal from the first BSF, which performed the previous authentication of that terminal. This ensures that the user information of the UE originating the authentication request is synchronized across the different BSFs. A further method for performing authentication with a plurality of BSFs ensures, on the basis of that synchronization, that a normal UE can pass authentication. In addition, the present invention sets an identifier for each of the plurality of BSFs and carries the BSF identifier in the domain name of the B-TID, so that the B-TID indicates which BSF assigned it and the NAF can query that BSF directly. This reduces the traffic among the BSFs, speeds up processing, and saves network resources.

Description

Method for realizing user information synchronization and authenticating a user terminal

Technical Field

The present invention relates to the technical field of the generic authentication framework in third-generation wireless communication, and in particular to a method for realizing user information synchronization and authenticating a user terminal when a plurality of BSFs are included in the same home network.

Background of the Invention

In the third-generation wireless communication standards, the generic authentication framework is a general structure used by a variety of application service entities to verify user identity; by applying the generic authentication framework, the users of an application service can be checked and their identity verified. The above application services may be multicast/broadcast services, user certificate services, instant information provision services and the like, and may also be proxy services.

Figure 1 is a schematic diagram of the structure of the generic authentication framework. The generic authentication framework usually consists of a user terminal (UE) 101, an entity (BSF) 102 that performs the initial check and verification of the UE identity, a user home network server (HSS) 103 and a network application entity (NAF) 104. The BSF 102 is used for mutual identity verification with the user terminal 101 and at the same time generates the shared key between the BSF 102 and the user terminal 101; the HSS 103 stores a profile file describing the user information, which includes all description information related to the user, such as the user identity; the HSS 103 also has the function of generating authentication vector information.

When a user needs to use a certain service, if the user knows that mutual authentication with the BSF is required, the user interacts directly with the BSF for mutual authentication; otherwise, the user first contacts the NAF corresponding to the service. If that NAF applies the generic authentication framework and requires the user to authenticate with the BSF, it notifies the user to authenticate using the generic authentication framework; otherwise it performs other corresponding processing.

The mutual authentication process between the UE and the BSF is as follows. The UE sends an authentication request to the BSF through the default domain name BSF.MCC.MNC.3GPPnetwork.org. After receiving the authentication request from the UE, the BSF first obtains the authentication information of the UE from the HSS, and the HSS returns one or more sets of authentication vectors to the BSF according to the identity of the UE. Since each set of authentication vectors can only be used once, the HSS could return to the BSF only enough authentication vector information for a single use, but in order to save interface signalling resources the HSS usually returns multiple sets of authentication vector information to the BSF for use in multiple authentications. While returning the authentication vectors to the BSF, the HSS also returns the user's user description information to the BSF. The BSF performs mutual authentication with the UE by executing the authentication and key agreement protocol (AKA) on the basis of the obtained authentication vector information. After successful authentication, the UE and the BSF have verified each other's identity and have at the same time generated the shared key Ks. The BSF then allocates a session transaction identifier (B-TID) to the UE; the format of the B-TID is RAND@BSF_servers_domain_name, and the B-TID is associated with Ks and has a validity period.

After receiving this B-TID, the UE sends a new connection request to the NAF carrying the B-TID, and at the same time the UE side computes the derived key Ks_NAF from Ks. The NAF that receives the request, after confirming that it does not hold the B-TID carried by the UE locally, queries the BSF. After the BSF finds the B-TID, it computes the derived key Ks_NAF of the key Ks using the same algorithm as the UE side and then sends a success response message to the NAF. The success response includes the B-TID required by the NAF, the derived key Ks_NAF corresponding to that B-TID and the validity period set by the BSF for that key; if required it may also include the user description information of the user. After receiving the success response message from the BSF, the NAF considers the UE a legitimate UE authenticated by the BSF, and the NAF and the UE now share the key Ks_NAF derived from Ks. In subsequent communication the NAF and the UE protect their traffic with Ks_NAF.

When the UE finds that the key Ks or Ks_NAF is about to expire, or the NAF requires the UE to re-authenticate with the BSF, the UE repeats the above steps to authenticate with the BSF again in order to obtain a new Ks and B-TID.

The above description covers the case in which the generic authentication framework contains only one BSF. The generic authentication framework may also contain a plurality of BSFs, which avoids the bottleneck that arises when a single BSF is overloaded. In a generic authentication framework, that is, in a home network, the existence of multiple BSFs has become a development trend.

The processing when a plurality of BSFs exist in a generic authentication framework is basically the same as the processing with only one BSF. Only the differences are described below.

The UE sends an authentication request to the BSF through the default domain name BSF.MCC.MNC.3GPPnetwork.org; in actual network operation the domain name is resolved to the actual BSF address by a domain name server (DNS). In the case of a single BSF, the DNS resolution returns one BSF address to the UE, and the UE connects to the BSF at that address and performs the subsequent operations. In the case of multiple BSFs, the DNS may return the addresses of several BSFs for the UE to choose one at random, and the UE contacts the BSF it selected and performs the subsequent operations; alternatively, the DNS selects one of the multiple BSF addresses according to a pre-configured policy and returns it to the UE, and the UE connects to that BSF according to the address and performs the subsequent operations.

Thus, if a plurality of BSFs exist in one home network, the following situation arises in practical application:

Assume that there are three BSFs in a home network, namely BSF1, BSF2 and BSF3. If mutual authentication has already been performed between BSF1 and a certain UE, then BSF1 has usually obtained multiple sets of authentication vectors for that UE; assume these are authentication vector 1, authentication vector 2 and authentication vector 3. This is because, in order to save interface signalling resources, the HSS usually returns multiple sets of authentication vector information to the BSF for multiple authentications. Authentication vector 1 will certainly have been used when the UE authenticated with BSF1, because the order in which authentication vectors are used is restricted: they must be used in the order of their numbering.

When the UE needs to re-authenticate, if for some reason, for example because the UE receives no response from BSF1 within a preset period after contacting it, the UE interacts with BSF2 to perform mutual authentication, then BSF2 will still obtain multiple sets of authentication vectors for the UE from the HSS; assume these are authentication vector 4, authentication vector 5 and authentication vector 6. Authentication vector 4 will certainly be used in this mutual authentication. Since the UE can monitor the numbering sequence of the authentication vectors applied, the UE will inevitably detect that the number of the currently applied authentication vector is not consecutive with the previous one, which causes the authentication to fail. The root cause of the authentication failure is that the user information for this UE is not synchronized between BSF1 and BSF2. It can be seen that, for reasons originating on the network side itself, a normal UE is quite likely to fail authentication and be unable to use the service, which is unreasonable.

Furthermore, since the format of the B-TID is RAND@BSF_servers_domain_name, when the NAF queries the BSF for B-TID information after authentication has passed, in the case of a single BSF the NAF only needs to query the BSF in the home network. In the case of multiple BSFs, the NAF locates a BSF at random according to the domain name of the B-TID and requests the B-TID information from that BSF; if that BSF confirms that it does not hold the information queried by the NAF, the BSF that received the request from the NAF sends query requests in turn to the other BSFs in the home network until the information required by the NAF is found, or until none of the BSFs in the home network has been found to hold it.

Since the multiple BSFs have no distinguishing identifiers, the domain name RAND@BSF_servers_domain_name of a given B-TID cannot reveal which BSF allocated it. As a result, the NAF cannot quickly find the correct BSF, and network processing efficiency is low.

Summary of the Invention

In view of this, one object of the present invention is to provide a method for realizing user information synchronization among multiple BSFs, so that the user information of the UE that initiates an authentication request is kept synchronized in the different BSFs.

Another object of the present invention is to provide a method for realizing authentication in the case of multiple BSFs, so as to ensure that every normal UE can pass authentication.

To achieve the above objects, the technical solution of the present invention is realized as follows:

A method for realizing user information synchronization among a plurality of BSFs when a user terminal UE needs to perform mutual authentication with a BSF again, the plurality of BSFs belonging to the same home network, the method comprising the following steps:

a1. The user terminal sends an authentication request to a first BSF that has already performed a mutual authentication operation with the user terminal;

b1. After receiving information indicating that the first BSF cannot process the authentication request, or after determining that no response has been received from the first BSF within a predetermined time, the user terminal reselects a second BSF and sends an authentication request to the reselected second BSF, the authentication request containing information identifying the first BSF; according to the received authentication request, the second BSF obtains and saves the user information of the user terminal from the first BSF.

In step b1, the second BSF obtaining the user information of the user terminal from the first BSF comprises the following steps:

the second BSF sends to the first BSF a query request containing the IMPI of the user terminal to be queried, and the first BSF directly looks up the user information of the user terminal according to the pre-stored correspondence between IMPI and user information and returns the user information found to the second BSF; or,

the second BSF sends to the first BSF a query request containing the B-TID corresponding to the user terminal to be queried; the first BSF first looks up the IMPI of the user terminal according to the pre-stored correspondence between B-TID and IMPI, then looks up the user information of the user terminal according to the pre-stored correspondence between IMPI and user information, and returns the user information found to the second BSF.

A method for realizing user information synchronization among a plurality of BSFs when a user terminal UE needs to perform mutual authentication with a BSF, the plurality of BSFs belonging to the same home network, the method comprising the following steps:

a2. The user terminal sends an authentication request to a first BSF that has already performed a mutual authentication operation with the user terminal; after determining that it cannot currently process the request, the first BSF sends a proxy authentication request message containing the user information of the user terminal to a second BSF in the home network, and then step b2 is performed;

b2. The second BSF obtains and saves the user information of the UE from the proxy authentication request message.

The method further comprises: setting identifiers in advance for the plurality of BSFs in the same home network respectively; the identifier is a sequence number, or a number determined by the numbering rules of the home network, or a name that the home network can recognize.

The user information is an authentication vector, a B-TID, information related to the B-TID and the user's description information; or the user information is a B-TID, information related to the B-TID and the user's description information.

If the user information saved by the first BSF contains an authentication vector, then after the second BSF obtains the user information from the first BSF, the method further comprises: the first BSF deletes the authentication vector from the user information it has saved.

A method for realizing authentication in the case of a plurality of BSFs when a user terminal needs to perform mutual authentication with a BSF, the plurality of BSFs belonging to the same home network, the method comprising the following steps:

A1. The user terminal sends an authentication request to a first BSF that has already performed a mutual authentication operation with the user terminal;

B1. After receiving information indicating that the first BSF cannot process the authentication request, or after determining that no response has been received from the first BSF within a predetermined time, the user terminal reselects a second BSF and sends the second BSF an authentication request containing information identifying the first BSF; according to the received authentication request, the second BSF obtains and saves the user information of the user terminal from the first BSF;

C1. According to the user information of the user terminal obtained from the first BSF, the second BSF obtains the authentication vector for this mutual authentication and performs the mutual authentication operation with the user terminal.

A method for realizing authentication in the case of a plurality of BSFs when a user terminal needs to perform mutual authentication with a BSF, the plurality of BSFs belonging to the same home network, the method comprising the following steps:

A2. The user terminal sends an authentication request to a first BSF that has already performed a mutual authentication operation with the user terminal; after determining that it cannot currently process the request, the first BSF provides the user information of the user terminal to a second BSF in the home network and notifies the user terminal to perform mutual authentication with the second BSF;

B2. According to the received notification, the user terminal sends an authentication request to the second BSF;

C2. According to the user information of the user terminal provided by the first BSF, the second BSF obtains the authentication vector for this mutual authentication and performs the mutual authentication operation with the user terminal.

The second BSF obtaining the authentication vector for this mutual authentication comprises the following steps: the second BSF determines whether the locally saved user information of the user terminal contains an unused authentication vector; if so, that unused authentication vector is used as the authentication vector for this mutual authentication; otherwise, the second BSF obtains the authentication vector of the user terminal from the HSS and uses the obtained authentication vector as the authentication vector for this mutual authentication.

The method further comprises: setting identifiers in advance for the plurality of BSFs in the same home network respectively; after successful authentication, the domain name of the B-TID allocated by the BSF to the user terminal contains the BSF's own identification information. The identifiers set in advance for the plurality of BSFs in the same home network are sequence numbers, or numbers determined by the numbering rules of the home network, or names that the home network can recognize.

When a NAF in the network queries a BSF for the B-TID information of a certain user terminal, the method further comprises: according to the BSF identifier in the domain name of the B-TID, the NAF sends the request to query the B-TID directly to the BSF that allocated that B-TID.

In step A2, the first BSF providing the user information of the user terminal to the second BSF comprises the following steps:

A21. The first BSF sends to the second BSF a proxy authentication request message containing the user information of the user terminal;

A22. After confirming that it can process the authentication request, the second BSF obtains and saves the user information of the user terminal contained in the proxy authentication request message and returns a success response to the first BSF.

In step A2, notifying the user terminal to perform mutual authentication with the second BSF comprises the following step:

the first BSF returns to the user terminal a notification to authenticate with the second BSF, the notification containing information by which the second BSF can be identified.

The user information is an authentication vector, a B-TID, information related to the B-TID and the user's description information; or the user information is a B-TID, information related to the B-TID and the user's description information.

By applying the method for realizing user information synchronization among multiple BSFs provided by the present invention, even when the user terminal re-authenticates using a second BSF different from the one used in the last authentication, the second BSF can obtain the user information of the user terminal from the first BSF that has already performed the mutual authentication operation with the user terminal, which ensures that the user information of the UE initiating the authentication request is kept synchronized in the different BSFs. The present invention also provides a method for realizing authentication in the case of multiple BSFs which, on the basis of user information synchronization, ensures that every normal UE can pass authentication. In addition, the present invention sets identifiers for the multiple BSFs respectively and reflects the BSF identifier in the domain name of the B-TID, so that the B-TID indicates which BSF allocated it and is easy for the NAF to look up. This reduces the traffic between BSFs, speeds up processing and saves network resources.

Brief Description of the Drawings

Figure 1 is a schematic diagram of the structure of the generic authentication framework;

Figure 2 is a schematic flow chart of Embodiment 1 of the present invention;

Figure 3 is a schematic flow chart of Embodiment 2 of the present invention.

Mode for Carrying Out the Invention

The present invention is described in further detail below with reference to the drawings and specific embodiments.

The idea of the present invention is as follows: when the user terminal re-authenticates using a second BSF different from the one used in the last authentication, the second BSF can obtain the user information of the user terminal from the first BSF that has already performed the mutual authentication operation with the user terminal, which ensures that the user information of the UE initiating the authentication request is kept synchronized in the different BSFs. In addition, on the basis of user information synchronization, the present invention also provides a method for realizing authentication in the case of multiple BSFs, which ensures that every normal UE can pass authentication. Furthermore, the present invention sets identifiers for the multiple BSFs respectively and reflects the BSF identifier in the domain name of the B-TID, so that the B-TID indicates which BSF allocated it, which facilitates the NAF lookup and improves network processing efficiency.

If the UE finds that the key it is using is about to expire, or receives information from the NAF requiring it to re-authenticate, it performs the authentication operation again; that is, the conditions that trigger re-authentication are the same as in the prior art and are not described in detail here.

Figure 2 is a schematic flow chart of Embodiment 1 of the present invention. In this embodiment, multiple BSFs exist in the same home network and the UE has already successfully performed a mutual authentication operation with one of them. For convenience of description, the original BSF that has already performed the mutual authentication operation with a given user terminal is called the first BSF, denoted BSFo, and a new BSF, different from the first BSF, that has not performed a mutual authentication operation with that user terminal is called the second BSF, denoted BSFn.

Step 201. When the UE performs the mutual authentication operation again, it first sends an authentication request to BSFo. Since the UE stores information about the BSF with which it performed the mutual authentication operation, the UE can find the BSFo with which it last successfully performed mutual authentication. In this embodiment, because BSFo determines from its current state that it cannot process the current request, it returns no response to the UE, in accordance with its pre-configuration.

If, within the predetermined time, the UE receives a success response from BSFo, the subsequent operations continue according to the existing procedure and this flow ends; if the UE receives no response from BSFo, step 202 is performed.

Step 202. The UE selects a new BSF different from the first BSF that has not performed a mutual authentication operation with the user terminal, namely BSFn, and sends an authentication request to BSFn; the authentication request contains information by which the BSFo that has already performed mutual authentication with the UE can be identified.

The UE selects BSFn as follows: the UE reselects an IP address from the IP addresses of the multiple BSFs it has already saved, and the BSF corresponding to that IP address is BSFn; or, the UE provides the default domain name of the BSF, the DNS returns BSF addresses, and the UE either randomly selects one BSF address or uses the address returned after selection by the DNS, the corresponding BSF being BSFn.

In this embodiment, if identifiers have been set in advance for the multiple BSFs in the same home network respectively, the information contained in the above authentication request that identifies the BSFo with which the UE has already performed mutual authentication is the IP address of BSFo or the identifier set for BSFo.

The identifier set for a BSF may be a simple sequence number, such as 1, 2, 3 and so on, or a number determined by the numbering rules of the home network, or a name that the home network can recognize.

Step 203. After receiving from the UE the authentication request containing the IP address or identifier of BSFo, BSFn sends BSFo a query for the user information of the UE that sent the authentication request. If the received authentication request contains the user identity (IMPI), the query request message also contains the IMPI; if the received authentication request contains a B-TID, the query request message also contains the B-TID.

If BSFo holds unused authentication vectors for this UE, the above user information contains the authentication vectors together with the B-TID, the information related to the B-TID and the user description information; if BSFo holds no unused authentication vector for this UE, the above user information contains the B-TID, the information related to the B-TID and the user description information.

Step 204: After receiving the query request from BSFn, if BSFo determines that the query request contains an IMPI, it directly looks up the UE's user information according to the pre-stored correspondence between IMPI and user information; if it determines that the query request contains a B-TID, it first looks up the UE's IMPI according to the pre-stored correspondence between B-TID and IMPI, and then looks up the UE's user information according to the pre-stored correspondence between IMPI and user information. BSFo then sends the obtained user information to BSFn.

If the user information contains an authentication vector, BSFo deletes its own stored authentication vector for this UE immediately after returning the user information to BSFn. The other user information, such as the B-TID and the information associated with the B-TID, need not be deleted right away, so that a NAF can still query a B-TID that remains valid; once the validity period of the B-TID expires, BSFo deletes the B-TID and its associated information for this UE. After all B-TIDs that the BSF stores for one IMPI, i.e. one UE, have been deleted, BSFo deletes the IMPI and user description information of that UE, so that it no longer retains any description information about the UE.

Step 205: After receiving and storing the user information returned by BSFo, BSFn determines whether the user information contains an unused authentication vector; if so, step 207 is performed, otherwise step 206 is performed.

Step 206: BSFn requests the UE's authentication vector and user description information from the HSS. The user description information is requested as well in order to update any description information that may have changed.

Step 207: BSFn performs a mutual authentication operation with the UE. After authentication succeeds, BSFn assigns a B-TID to the UE.

At this point, since BSFn is able to obtain the UE's user information from BSFo, the user information of the UE that initiated the authentication request is synchronized across the different BSFs, and the situation in which a legitimate user cannot pass authentication is avoided.

FIG. 3 is a schematic flowchart of a second embodiment applying the present invention. In this embodiment, multiple BSFs exist in the same home network and the UE has already successfully performed a mutual authentication operation with one of them. For convenience of description, the original BSF that has already performed a mutual authentication operation with a user terminal is called the first BSF, denoted BSFo, and a new BSF, different from the first BSF, that has not performed a mutual authentication operation with that user terminal is called the second BSF, denoted BSFn.

Step 301: When the UE performs a mutual authentication operation again, it first sends an authentication request to BSFo. Since the UE stores the information of the BSF with which it performed the mutual authentication operation, the UE is able to find the BSFo with which it last successfully performed mutual authentication.

Step 302: After receiving the authentication request from the UE, BSFo determines that, for some reason such as its own load being too heavy, it can no longer process the authentication request. According to its pre-configuration it then notifies BSFn to authenticate the UE, i.e. it sends BSFn a proxy authentication request message containing the user information of the UE.

If BSFo holds an unused authentication vector for this UE, the user information contains the authentication vector, the B-TID, the information associated with the B-TID and the user description information; if BSFo holds no unused authentication vector for this UE, the user information contains the B-TID, the information associated with the B-TID and the user description information.

Step 303: After receiving the request message from BSFo and confirming that it is able to perform the operation, BSFn stores the user information carried in the request message and then returns a success response message to BSFo.

Step 304: After receiving the success response message from BSFn, BSFo determines whether the user information already sent to BSFn contains an authentication vector; if so, it immediately deletes its own stored authentication vector for this UE, while the other user information, such as the B-TID and the information associated with the B-TID, need not be deleted right away, so that a NAF can still query a B-TID that remains valid. Once the validity period of the B-TID expires, BSFo deletes the B-TID and its associated information for this UE. After all B-TIDs that the BSF stores for one IMPI, i.e. one UE, have been deleted, BSFo deletes the IMPI and user description information of that UE, so that it no longer retains any description information about the UE.

BSFo then notifies the UE to perform the mutual authentication operation with BSFn; the notification message includes the IP address of BSFn. In this embodiment, if identifiers have been assigned in advance to the multiple BSFs in the same home network, the above notification may contain the IP address of BSFo or the assigned identifier of BSFo. The method for assigning the BSF identifiers is the same as in the previous embodiment and is not described again here.

Step 305: The UE sends an authentication request to BSFn. This authentication request contains the same information as an existing authentication request; no information needs to be added.

Step 306: After receiving the authentication request from the UE, BSFn determines whether the locally stored user information for this UE contains an unused authentication vector; if so, step 307 is performed, otherwise step 308 is performed.

Step 307: BSFn requests the UE's authentication vector and user description information from the HSS. The user description information is requested as well in order to update any description information that may have changed.

Step 308: BSFn performs a mutual authentication operation with the UE. After authentication succeeds, BSFn assigns a B-TID to the UE.

At this point, since BSFn is able to obtain the UE's user information from BSFo, the user information of the UE that initiated the authentication request is synchronized across the different BSFs, and the situation in which a legitimate user cannot pass authentication is avoided.
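Both embodiments above, the pull model of steps 203 to 207 and the push model of steps 302 to 308, modelled in one added example. This is illustrative code written for this page, not code from the patent or from any Huawei implementation. It assumes an in-memory stand-in for the HSS and for each BSF, constructed sample data (the IMPI alice@ims.example, RAND values, a fixed B-TID validity of 3600 seconds) and a domain suffix modelled on the page's B-TID example; message exchanges between network elements are reduced to direct method calls. It shows the lookup by IMPI or by B-TID (step 204), deletion of the transferred authentication vector while the B-TID is retained for NAF queries (claim 6), the choice between a held vector and an HSS request (steps 205 to 207 and 306 to 308), the proxy hand-over of the second embodiment (steps 302 to 304), and the purge of a user record once its last B-TID expires.

```python
from dataclasses import dataclass, replace
from typing import Optional

DOMAIN = "bsf_servers_domain_name"  # assumed domain suffix, after the page's B-TID example


@dataclass
class UserInfo:
    impi: str
    btids: dict                  # B-TID -> information associated with it (here: expiry)
    description: dict            # user description information
    auth_vector: Optional[dict]  # one unused authentication vector, or None


class HSS:
    """Stand-in HSS: hands out a fresh (constructed) authentication vector and description."""
    issued = 0

    def request(self, impi):
        self.issued += 1
        return {"rand": f"RAND{self.issued}"}, {"profile": f"profile-of-{impi}"}


class BSF:
    def __init__(self, bsf_id, hss):
        self.bsf_id, self.hss = bsf_id, hss
        self.users = {}          # IMPI -> UserInfo
        self.btid_to_impi = {}   # B-TID -> IMPI

    def store(self, info):
        self.users[info.impi] = info
        for btid in info.btids:
            self.btid_to_impi[btid] = info.impi

    def query_user_info(self, impi=None, btid=None):
        """Step 204 / claim 2: by IMPI directly, or B-TID -> IMPI -> user information."""
        if impi is None:
            impi = self.btid_to_impi[btid]
        info = self.users[impi]
        snapshot = replace(info, btids=dict(info.btids), description=dict(info.description))
        info.auth_vector = None  # claim 6: only BSFn keeps the vector; B-TIDs stay for NAF queries
        return snapshot

    def authenticate(self, impi):
        """Steps 205-207 / 306-308: reuse a held vector, otherwise fetch one from the HSS."""
        info = self.users.get(impi)
        if info is None or info.auth_vector is None:
            av, desc = self.hss.request(impi)
            info = UserInfo(impi, info.btids if info else {}, desc, av)
        av, info.auth_vector = info.auth_vector, None  # the vector is consumed by this run
        btid = f"{av['rand']}@{self.bsf_id}.{DOMAIN}"  # BSF identifier in the domain part
        info.btids[btid] = {"expires": 3600}
        self.store(info)
        return btid

    def failover_authenticate(self, bsf_old, impi=None, btid=None):
        """Embodiment 1 (step 203): BSFn pulls the user information from BSFo."""
        info = bsf_old.query_user_info(impi=impi, btid=btid)
        self.store(info)
        return self.authenticate(info.impi)

    def proxy_to(self, bsf_new, impi):
        """Embodiment 2 (steps 302-304): BSFo pushes the user information to BSFn."""
        info = self.users[impi]
        if not bsf_new.accept_proxy(replace(info, btids=dict(info.btids))):
            return None
        info.auth_vector = None
        return bsf_new.bsf_id    # identifier carried in the notification to the UE

    def accept_proxy(self, info):
        self.store(info)         # step 303: BSFn stores the data and answers with success
        return True

    def expire_btid(self, btid):
        """Drop an expired B-TID; drop the whole record once its last B-TID is gone."""
        impi = self.btid_to_impi.pop(btid)
        info = self.users[impi]
        del info.btids[btid]
        if not info.btids:
            del self.users[impi]


def run_scenarios():
    """Walk both embodiments on constructed data and return the observable results."""
    hss = HSS()
    bsf1, bsf2, bsf3 = BSF(1, hss), BSF(2, hss), BSF(3, hss)
    impi = "alice@ims.example"                       # constructed sample IMPI
    first_btid = bsf1.authenticate(impi)             # normal bootstrapping with BSF 1
    bsf1.users[impi].auth_vector = {"rand": "RANDspare"}  # a spare, still unused vector
    # Embodiment 1: BSF 1 does not answer, the UE names it to BSF 2, which pulls by B-TID.
    failover_btid = bsf2.failover_authenticate(bsf1, btid=first_btid)
    vector_left_at_bsf1 = bsf1.users[impi].auth_vector
    # Embodiment 2: BSF 2 is overloaded and hands the user over to BSF 3 before re-authentication.
    proxy_target = bsf2.proxy_to(bsf3, impi)
    proxy_btid = bsf3.authenticate(impi)
    bsf1.expire_btid(first_btid)                     # last B-TID at BSF 1 expires
    return {"first_btid": first_btid, "failover_btid": failover_btid,
            "vector_left_at_bsf1": vector_left_at_bsf1, "proxy_target": proxy_target,
            "proxy_btid": proxy_btid, "hss_requests": hss.issued,
            "bsf1_users_after_expiry": len(bsf1.users),
            "bsf3_knows_failover_btid": failover_btid in bsf3.btid_to_impi}
```

run_scenarios() returns the observable outcome of both hand-overs. The point worth checking in any real implementation is the one the model makes explicit: an unused authentication vector is key material for a future mutual authentication, so once it has been transferred the old BSF must hold no copy, while the B-TID mapping may legitimately outlive the transfer so that NAFs can still resolve it.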

For the above two embodiments, if BSF identifiers have been assigned in advance, the BSF identifier can be reflected in the domain-name part of the B-TID, which clearly indicates which BSF assigned that B-TID and facilitates NAF lookup. For example, assuming the identifier of the BSFn to which the UE is connected is 11, the B-TID that BSFn assigns to the UE is expressed as RAND@11.BSF_servers_domain_name. In this way, when the NAF locates the BSF via the domain name of the B-TID, it can easily find the BSF holding the required information, and the BSFs in the network no longer need to be queried one after another, which improves network processing efficiency.
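NAF-side routing on the BSF identifier carried in the B-TID domain name, as an added example that is not code from the patent. It assumes a registry of the BSF identifiers the home network has assigned, a stub BSF that only answers whether it holds a given B-TID, and the B-TID shape RAND@11.BSF_servers_domain_name from the page; the regular expression, the sample B-TIDs and the sequential-search fallback are constructed for illustration. Because the identifier reaches the NAF inside a B-TID presented by the UE, the example honours it only when it names a BSF present in the registry and confirms that the BSF actually holds the B-TID, falling back to querying the BSFs in turn otherwise.

```python
import re

# B-TID shape from the page: RAND@<bsf_id>.<home domain>; the identifier part is optional.
BTID_RE = re.compile(r"^(?P<rand>[^@]+)@(?P<bsf_id>[^.]+)\.(?P<domain>.+)$")


def bsf_id_from_btid(btid, home_domain):
    """Return the BSF identifier carried in the B-TID domain name, or None if there is none."""
    m = BTID_RE.match(btid)
    if m is None or m.group("domain") != home_domain:
        return None
    return m.group("bsf_id")


class StubBSF:
    """Constructed stand-in: answers only whether it holds a given B-TID."""

    def __init__(self, bsf_id, btids):
        self.bsf_id, self.btids = bsf_id, set(btids)

    def has_btid(self, btid):
        return btid in self.btids


class NAF:
    def __init__(self, home_domain, bsfs):
        self.home_domain = home_domain
        self.bsfs = {b.bsf_id: b for b in bsfs}   # identifiers the home network assigned

    def locate_bsf(self, btid):
        """Return (identifier of the BSF holding the B-TID or None, number of BSF queries)."""
        hint = bsf_id_from_btid(btid, self.home_domain)
        queries = 0
        # The hint comes from the B-TID the UE presented, so honour it only if it names a
        # BSF the home network actually knows, and confirm that BSF really holds the B-TID.
        if hint in self.bsfs:
            queries += 1
            if self.bsfs[hint].has_btid(btid):
                return hint, queries
        for bsf_id, bsf in self.bsfs.items():        # fallback: ask the BSFs in turn
            if bsf_id == hint:
                continue
            queries += 1
            if bsf.has_btid(btid):
                return bsf_id, queries
        return None, queries


HOME = "BSF_servers_domain_name"
# Constructed sample B-TIDs: two carry a known BSF identifier, one carries none,
# and one carries an identifier the home network never assigned.
TAGGED_11 = f"RAND1@11.{HOME}"
TAGGED_13 = f"RAND2@13.{HOME}"
UNTAGGED = f"RAND3@{HOME}"
UNKNOWN_ID = f"RAND4@99.{HOME}"
SAMPLE_NAF = NAF(HOME, [StubBSF("11", [TAGGED_11]),
                        StubBSF("12", [UNKNOWN_ID]),
                        StubBSF("13", [TAGGED_13, UNTAGGED])])
```

With the identifier present and registered, SAMPLE_NAF resolves a B-TID with a single query; without it, or with an unregistered identifier, it degrades to the sequential search the page describes as the less efficient alternative, which is the cost the identifier removes.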

The above are merely preferred embodiments of the present invention and are not intended to limit it. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims

1. A method for synchronizing user information among multiple BSFs when a user terminal (UE) needs to perform mutual authentication with a BSF, the multiple BSFs belonging to the same home network, characterized in that the method comprises the following steps:
a1. the user terminal sends an authentication request to a first BSF that has already performed a mutual authentication operation with the user terminal;
b1. after receiving information indicating that the first BSF cannot process the authentication request, or after determining that no response has been received from the first BSF within a predetermined time, the user terminal reselects a second BSF and sends an authentication request to the reselected second BSF, the authentication request containing information identifying the first BSF; according to the received authentication request, the second BSF obtains and stores the user information of the user terminal from the first BSF.

2. The method according to claim 1, characterized in that the second BSF obtaining the user information of the user terminal from the first BSF in step b1 comprises the following steps:
the second BSF sends the first BSF a query request containing the IMPI of the user terminal to be queried; the first BSF directly looks up the user information of the user terminal according to the pre-stored correspondence between IMPI and user information, and returns the user information found to the second BSF; or
the second BSF sends the first BSF a query request containing the B-TID corresponding to the user terminal to be queried; the first BSF first looks up the IMPI of the user terminal according to the pre-stored correspondence between B-TID and IMPI, then looks up the user information of the user terminal according to the pre-stored correspondence between IMPI and user information, and returns the user information found to the second BSF.

3. A method for synchronizing user information among multiple BSFs when a user terminal (UE) needs to perform mutual authentication with a BSF, the multiple BSFs belonging to the same home network, characterized in that the method comprises the following steps:
a2. the user terminal sends an authentication request to a first BSF that has already performed a mutual authentication operation with the user terminal; after determining that it currently cannot process the request, the first BSF sends a proxy authentication request message containing the user information of the user terminal to a second BSF in the home network, and step b2 is then performed;
b2. the second BSF obtains and stores the user information of the UE from the proxy authentication request message.

4. The method according to claim 1 or 3, characterized in that the method further comprises: assigning identifiers in advance to the multiple BSFs in the same home network respectively; the identifier being a sequence number, a number determined by the numbering rules of the home network, or a name that the home network can recognize.

5. The method according to claim 1 or 3, characterized in that the user information is an authentication vector, a B-TID, information associated with the B-TID and description information of the user, or the user information is a B-TID, information associated with the B-TID and description information of the user.

6. The method according to claim 5, characterized in that, if the user information stored by the first BSF contains an authentication vector, then after the second BSF obtains the user information from the first BSF the method further comprises: the first BSF deleting the authentication vector from the user information it stores.

7. A method for implementing authentication in the case of multiple BSFs when a user terminal needs to perform mutual authentication with a BSF, the multiple BSFs belonging to the same home network, characterized in that the method comprises the following steps:
A1. the user terminal sends an authentication request to a first BSF that has already performed a mutual authentication operation with the user terminal;
B1. after receiving information indicating that the first BSF cannot process the authentication request, or after determining that no response has been received from the first BSF within a predetermined time, the user terminal reselects a second BSF and sends the second BSF an authentication request containing information identifying the first BSF; according to the received authentication request, the second BSF obtains and stores the user information of the user terminal from the first BSF;
C1. the second BSF obtains the authentication vector for the current mutual authentication according to the user information of the user terminal obtained from the first BSF, and performs a mutual authentication operation with the user terminal.

8. A method for implementing authentication in the case of multiple BSFs when a user terminal needs to perform mutual authentication with a BSF, the multiple BSFs belonging to the same home network, characterized in that the method comprises the following steps:
A2. the user terminal sends an authentication request to a first BSF that has already performed a mutual authentication operation with the user terminal; after determining that it currently cannot process the request, the first BSF provides the user information of the user terminal to a second BSF in the home network and notifies the user terminal to perform mutual authentication with the second BSF;
B2. the user terminal sends an authentication request to the second BSF according to the received notification;
C2. the second BSF obtains the authentication vector for the current mutual authentication according to the user information of the user terminal provided by the first BSF, and performs a mutual authentication operation with the user terminal.

9. The method according to claim 7 or 8, characterized in that the second BSF obtaining the authentication vector for the current mutual authentication comprises the following steps: the second BSF determines whether the locally stored user information of the user terminal contains an unused authentication vector; if so, the unused authentication vector is used as the authentication vector for the current mutual authentication; otherwise, the second BSF obtains the authentication vector of the user terminal from the HSS and uses the obtained authentication vector as the authentication vector for the current mutual authentication.

10. The method according to claim 7 or 8, characterized in that the method further comprises: assigning identifiers in advance to the multiple BSFs in the same home network respectively, and, after authentication succeeds, including the BSF's own identifier information in the domain name of the B-TID that the BSF assigns to the user terminal; the identifiers assigned in advance to the multiple BSFs in the same home network being sequence numbers, numbers determined by the numbering rules of the home network, or names that the home network can recognize.

11. The method according to claim 10, characterized in that, when a NAF in the network queries a BSF for the B-TID information of a user terminal, the method further comprises: according to the BSF identifier in the B-TID domain name, the NAF sends the request to query the B-TID directly to the BSF that assigned that B-TID.

12. The method according to claim 8, characterized in that the first BSF providing the user information of the user terminal to the second BSF in step A2 comprises the following steps:
A21. the first BSF sends the second BSF a proxy authentication request message containing the user information of the user terminal;
A22. after confirming that it is able to process the authentication request, the second BSF obtains and stores the user information of the user terminal from the proxy authentication request and returns a success response to the first BSF.

13. The method according to claim 12, characterized in that notifying the user terminal to perform mutual authentication with the second BSF in step A2 comprises the following step: the first BSF returns to the user terminal a notification to perform authentication with the second BSF, the notification containing information capable of identifying the second BSF.

14. The method according to claim 7 or 8, characterized in that the user information is an authentication vector, a B-TID, information associated with the B-TID and description information of the user, or the user information is a B-TID, information associated with the B-TID and description information of the user.
PCT/CN2006/000100 2005-02-05 2006-01-20 A method for realizing the user information synchronization and authenticating the user end Ceased WO2006081742A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200510007513.6 2005-02-05
CNB2005100075136A CN100563156C (en) 2005-02-05 2005-02-05 Method for Realizing User Information Synchronization and User Terminal Authentication

Publications (1)

Publication Number Publication Date
WO2006081742A1 true WO2006081742A1 (en) 2006-08-10

Family

ID=36776953

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2006/000100 Ceased WO2006081742A1 (en) 2005-02-05 2006-01-20 A method for realizing the user information synchronization and authenticating the user end

Country Status (2)

Country Link
CN (1) CN100563156C (en)
WO (1) WO2006081742A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100466835C (en) * 2006-09-22 2009-03-04 华为技术有限公司 Identification method and authentication method of authentication device, communication system and device
CN101193424B (en) * 2006-11-28 2010-10-13 中国移动通信集团公司 An authentication method and device
CN109803261B (en) 2017-11-17 2021-06-22 华为技术有限公司 Authentication method, equipment and system
CN113596830B (en) * 2021-07-27 2023-03-24 中国联合网络通信集团有限公司 Communication method, communication apparatus, electronic device, storage medium, and program product

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA2293989A1 (en) * 2000-01-07 2001-07-07 Sedona Networks Corporation Distributed subscriber management
WO2003010669A1 (en) * 2001-07-24 2003-02-06 Barry Porozni Wireless access system, method, signal, and computer program product
WO2004023712A1 (en) * 2002-09-09 2004-03-18 U.S. Encode Corporation Systems and methods for secure authentication of electronic transactions


Also Published As

Publication number Publication date
CN1815954A (en) 2006-08-09
CN100563156C (en) 2009-11-25


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 06705521

Country of ref document: EP

Kind code of ref document: A1

WWW Wipo information: withdrawn in national office

Ref document number: 6705521

Country of ref document: EP