Background technique
With global information and the communication technology (ICT, Information and Communication Technology)The fast development of industry (including telecommunications service, information service, the combination of IT service and application), network security and information peaceOne of key problem concerned by people is had become entirely.How reliably to be authenticated, to protect information, finance, trade secretEtc. key areas safety, become one of the most important technology of communication and information industry.
Currently, there are many kinds of the authentications of industry prevalence, following most basic four kinds can be summarized as: one isThe security mechanism of user name+password (static and dynamic), wherein dynamic password generally includes short message password, dynamic token (usuallyBased on time synchronizing method, generate new password at a certain time interval), handset token (pass through mobile phone client softwareGenerate dynamic password) etc.;General internet business generallys use static password authentication, and bank and payment class business generally useDynamic password;Second is digital certificate authentication (USBKEY), and the authentication mode is usually taken in the Internet bank;The third is to be based onThe authentication mode of shared key, such as universal guiding authenticate (GBA, Generic BootstrappingAuthentication), i.e., based on shared key in mobile Universal Integrated Circuit Card (UICC) and home subscriber server (HSS)The authentication mode of K, such as China Mobile's mobile phone TV services use this authentication mode;4th kind is recognizing based on biological characteristicCard: such as fingerprint, iris, face.In general, system will use the combination of above-mentioned multiple authentication modes, that is, often say mostly becauseElement certification, to increase the security intensity of certification.
Network layer network element is logically completely separate with layer network is applied in traditional OSI7 layers of structure of network, networkThe connection that layer is mainly responsible for network is established and is deleted;Application layer is mainly responsible for the foundation and deletion of service application, in traditional sideThere are the agreement process of identification safety authentication, and not cross-reference for two layers of this in case respectively.Currently, above-mentioned all existing authenticating partiesCase is realized in application layer.Moreover, existing authentication there is a problem of using complexity, for example, for USBKEY mode,It just must additionally carry U-shield;For another example, for the mode of dynamic short message password, realization is more complicated, and user needs to wait 5~20It is inputted after second according still further to the short message password of short massage notice, reduces user experience.
Based on above-mentioned authentication, existing government and enterprises' application is all the authentication realized in application layer, such as emptyQuasi- dedicated network (VPN), digital certificate etc., security level is lower, is easy to be cracked.And existing recognizing for garden userCard, needs generally to use in the various terminals of different hardware platform and operating system, and adaptation Comparision is cumbersome, certification effectRate is low, reduces user experience.
Summary of the invention
In order to solve the above technical problem, the present invention provides a kind of safety certifying method and authentication servers, canSimply and efficiently realize certification, and security classification is high.
In order to reach the object of the invention, the present invention provides a kind of safety certifying methods, comprising: establishes carrying in terminal and connectsIn connecing, User Status is activated by authentication server;
In end-user access Campus Networks in application, application server carries out user identity by authentication serverCertification.
It is described to be established in bearer connection in terminal, include: by authentication server activation User Status
It is described to establish the packet gateway in bearer connection in terminal, dynamic IP addressing is distributed for legitimate user, and judge to askAsk whether the terminal for establishing bearer connection is garden network users, if so, the authentication server into Campus Networks issues noteVolume request, and the IP address of the international mobile subscriber identity IMSI of terminal and distribution are carried to authentication server;
The authentication server can complete user's activation according to IMSI, store the IP address.
The authentication server can complete user's activation according to IMSI
The authentication server determines whether terminal user belongs to authentication service according to the IMSI of the terminalThe legitimate user of the affiliated Campus Networks of device, if so, authentication username password, with confirm the corresponding terminal user of IMSI whether with askUser name matching in asking;Whether and it is correct to verify the corresponding password of user name.
After the completion of certification, if matching and correct, authenticate success, the authentication server by the IP address withIMSI, employee information are associated, and register response to packet gateway return as the information that succeeds in registration.
It is described by authentication server to user identity carry out certification include:
The IP address received is carried and is sent to authentication server in application access request by the application server;After the authentication server completes certification, by the corresponding user information of the IP address, application server is returned to;
The password of the self terminal user in application server future submits to authentication server, the authentication clothesBusiness device verify to password and verification result is returned to application server.
It is described terminal user disconnect Campus Networks when, this method further include:
The packet gateway sends de-registration request to authentication server, wherein carrying the IMSI of terminal, IP address;
The authentication server removes IP address and the IMSI of the terminal of itself preservation, user information is associated withSystem, and returned to the packet gateway and nullify response;
The packet gateway returns to terminal and nullifies response, so that terminal disconnects Campus Networks.
The present invention also provides a kind of authentication servers to activate User Status for establishing in bearer connection in terminal;In end-user access Campus Networks in application, being authenticated to user identity.
The authentication server includes at least authentication module, authentication module, wherein
Authentication module completes user's activation according to terminal IMSI for receiving the registration request from packet gatewayAnd IP address with shadow is stored, safety certification is carried out to user terminal and to packet gateway return authentication result;
Authentication module, for receive from application server application access request when, according to authentication moduleAuthentication result, complete further certification after, return to the corresponding user information of the IP address to application server;Come receivingWhen the password that self-application server is submitted, verification result is returned to application server after verifying.
The authentication module is also used to receiving the de-registration request from packet gateway, removes the request of itself preservationThe IP address and IMSI, user information of the terminal of cancellation, and returned to packet gateway and nullify response.
The authentication server is the authentication server in the Campus Networks of the side IT.
Compared with prior art, technical scheme offer is included in terminal and establishes in bearer connection, is recognized by authenticationIt demonstrate,proves server and activates User Status;In end-user access Campus Networks in application, application server passes through authentication serverUser identity is authenticated.Safety certifying method through the invention, safety certification are completed by the equipment in network, are reducedThe participation of user, hence it is evident that improve authentication efficiency, save the user authentication time, it is often more important that, by with carrier classCampus Networks (referring to the organized network such as government, enterprise, public utilities) carry out safety certification activation, have reached telecommunications level securityI.e. present invention employs SIM card+authentication server authentications for authentication level, hence it is evident that improves user experience.
Other features and advantages of the present invention will be illustrated in the following description, also, partly becomes from specificationIt obtains it is clear that understand through the implementation of the invention.The objectives and other advantages of the invention can be by specification, rightSpecifically noted structure is achieved and obtained in claim and attached drawing.
Specific embodiment
To make the objectives, technical solutions, and advantages of the present invention clearer, below in conjunction with attached drawing to the present inventionEmbodiment be described in detail.It should be noted that in the absence of conflict, in the embodiment and embodiment in the applicationFeature can mutual any combination.
Fig. 1 is the flow chart of safety certifying method of the present invention, as shown in Figure 1, the present invention is applied to use mobile terminal SIMIn the scene of card, such as the data card of the equipment such as mobile phone, PAD, laptop, PC.The following steps are included:
Step 100: being established in bearer connection in terminal, User Status is activated by authentication server.
In this step, terminal and by communication network, including base station, mobile management unit (MME), gateway (SGW),Packet gateway (LGW/PGW), establishes bearer connection with network, and in existing bearer connection establishment process, Campus Networks are usedFamily, in the present invention can authentication server into Campus Networks issue certification request.Campus Networks refer to government, enterprise, publicThe organized network such as cause.
Fig. 2 is the flow chart for the embodiment that terminal establishes bearer connection in safety certifying method of the present invention, as shown in Fig. 2,Include:
Step 200: user's booting, triggering terminal (UE) adhere to the process of network, and UE sends network attachment request to MME(Attach Request) message.Herein, it if UE has adhered to success, needs first to initiate separation process, then initiates attachedProcess.
Default bearing process is established in step 201:MME triggering, sends session request (Create Session to SGWRequest) message.
Session request (Create Session Request) message is forwarded to LGW/PGW by step 202:SGW.
Step 203~step 204:LGW/PGW is that legitimate user distributes dynamic IP addressing, and judges that request is established carrying and connectedWhether the terminal connect is garden network users, is asked if so, authentication server of the LGW/PGW into Campus Networks issues registrationIt asks, and the IP address of the international mobile subscriber identity of terminal (IMSI) and distribution is carried to authentication server, and reflectUser's activation can be completed according to IMSI by weighing certificate server, store the IP address.
In this step, Campus Networks refer to the organized network such as government, enterprise, public utilities.Garden user refer to such as withFamily is arranged to the gardens such as APN network users.In this step, authentication server can be the authentication in the Campus Networks of the side ITCertificate server (Authentication Server).From this step as it can be seen that carrying out attachment in terminal establishes the same of bearer connectionWhen, the activation of carrier class safety certification is carried out by Campus Networks, so that entire safety certification is provided with higher security level.
Step 205: meanwhile, LGW/PGW returns to conversational response (Create Session Response) message to SGW,The IP address of distribution is carried in conversational response message.
The conversational response received (Create Session Response) message is transmitted to MME by step 206:SGW.
Step 207:MME adheres to the attachment for successfully, sending the IP address for carrying distribution to UE and responds (AttachAccept) message.After user adheres to successfully, i.e. completion terminal bearer connection is established.
Fig. 3 is the flow chart of the embodiment of Campus Networks certification in safety certifying method of the present invention, as shown in figure 3, LGW/PGWCertification request is issued to authentication server to specifically include:
Step 300: terminal user sends registration request to LGW/PGW, and LGW/PGW is by the IMSI of the terminal and IP of distributionAddress carries and is sent to authentication server in the registration request.
Further, the corresponding account of terminal and encrypted message are also carried in a registration request message.
Step 301: authentication server carries out safety certification to user terminal.It specifically includes:
Firstly, determining whether terminal user belongs to the conjunction of the affiliated Campus Networks of authentication server according to the IMSI of terminalMethod user, if so, further authentication username password, with confirm the corresponding terminal user of IMSI whether with the user in requestName matching;Whether and it is correct to verify the corresponding password of user name.
After the completion of certification, if authenticated successfully, i.e., above-mentioned inspection is correct, then such as by IP address and IMSI, employee informationEmployee's work number is associated, and registers response to LGW/PGW return as the information that succeeds in registration;Otherwise, it returns and registers to LGW/PGWResponse is registration failure information.
For step 302:LGW/PGW according to the registration reply message of acquisition, whether confirmation terminal can secure accessing Campus Networks.
The IP address carrying of distribution is returned to UE by step 303:LGW/PGW in the registration response, so that garden is added in UENet.
From step 100 as can be seen that in safety certifying method provided by the invention, garden network users every time terminal withWhen establishing carrying between network, on the one hand LGW/PGW will distribute dynamic IP addressing for user terminal on the other hand will also be to mirrorIt weighs certificate server and initiates the request of activation User Status, while the IP address of the IMSI of terminal and distribution are pushed to authentication and recognizedIt demonstrate,proves server and carries out safety certification.It realizes while terminal adhere to and establishes bearer connection, by with carrier classCampus Networks carry out safety certification, so that entire safety certification is provided with higher security level.
Step 101: in end-user access Campus Networks in application, application server passes through authentication server to userIdentity is authenticated.In this step, application server can be the application server in the Campus Networks of the side IT(Application Server).
The specific implementation of this step is as shown in Figure 4, comprising:
Step 400: terminal is initiated to carry the application of own IP address to the application server of Campus Networks by Transmission Control ProtocolAccess request, to request access Campus Networks.
Step 401: the IP address received is carried and is sent to authentication clothes in application access request by application serverBusiness device is authenticated.
Step 402: after authentication server completes certification, by the corresponding user information of the IP address such as employee's work number,Return to application server.
Step 403: the user information received such as employee's work number and certification page are pushed to terminal by application server.
Step 404: user passes through certification page at the terminal, according to user information typing password, and submits to using clothesBusiness device.
Step 405: the password of acquisition is submitted to authentication server by application server.
Step 406: authentication server, which verifies the password received, returns to application service for verification resultDevice.How to be a common technical means of those skilled in the art using the realization of password realization certification, which is not described herein again.
Step 407: it is authenticated successfully in verification result display, i.e., when password is corresponding and correct with user information, application serviceCampus Networks application page is pushed to terminal by device.
In Fig. 4, Campus Networks application can be mentioned according to the information such as user name pre-registered, the information such as IMSI in conjunction with Campus NetworksThe IMSI and IP address information of confession, so that it may judge the corresponding true user information such as member of the IP address of each terminal userWork information or user name etc.;And Campus Networks application can require cipher authentication to user by true username information, with completeAt user identity authentication.
From step 101 as it can be seen that in user terminal access Campus Networks in application, system has been obtained for user identity, only needPassword confirming is carried out, without inputting account information, certification and existing way one of the application service grade to user identity againIt causes.And the Campus Networks with carrier class in step 100 carry out safety certification activation, much higher than the safety certification of general Campus NetworksGrade, the safety certification of the 3G and 4G cellular mobile communication technology relied primarily on, so that entire safety certification is provided with moreHigh security level.
When terminal user leaves Campus Networks, the method for the present invention further include:
Step 102: when terminal user disconnects Campus Networks, user identity being unregistered by authentication server.Specific implementation is as shown in Figure 5, comprising:
Step 500: terminal user sends de-registration request to LGW/PGW, and LGW/PGW is by the IMSI of the terminal and IP of distributionAddress carries and is sent to authentication server in de-registration request.
Step 501~step 502: the IP address and IMSI, user information that authentication server removes itself preservation are such asThe incidence relation of employee's work number, and returned to LGW/PGW and nullify response.
Step 503:LGW/PGW is returned to UE and is nullified response, so that UE disconnects Campus Networks.
Safety certifying method through the invention, safety certification are completed by the equipment in network, reduce the participation of user,Authentication efficiency is significantly improved, the user authentication time is saved, it is often more important that, pacified by the Campus Networks with carrier classFull certification activation, has reached carrier class safety certification level i.e. SIM card+authentication server authentication, hence it is evident thatImprove user experience.
Fig. 6 is the composed structure schematic diagram of authentication server of the present invention, as shown in fig. 6, for holding in terminal foundationIt carries in connection, activates User Status;In end-user access Campus Networks in application, being authenticated to user identity.It includes at leastAuthentication module, authentication module, wherein
Authentication module is completed user according to the IMSI of terminal and is swashed for receiving the registration request from packet gatewayIt lives and stores the IP address with shadow, safety certification is carried out to user terminal and to packet gateway return authentication result;
Authentication module is also used to receiving the de-registration request from packet gateway, and the request for removing itself preservation is nullifiedTerminal IP address and IMSI, user information, and to packet gateway return nullify response.
Authentication module, for receive from application server application access request when, according to authentication moduleAuthentication result, complete further certification after, return to the corresponding user information of the IP address to application server;Come receivingWhen the password that self-application server is submitted, verification result is returned to application server after verifying.
The above, preferred embodiments only of the invention, is not intended to limit the scope of the present invention.It is all thisWithin the spirit and principle of invention, any modification, equivalent substitution, improvement and etc. done should be included in protection model of the inventionWithin enclosing.