CN109768947A - A user identity authentication method, device and medium - Google Patents

A user identity authentication method, device and medium

Publication number
CN109768947A
Authority
CN (China)
Prior art keywords
user, mark, pcrf, network, identity authentication
Legal status
Pending
Application number
CN201711096184.6A
Other languages
Chinese (zh)
Inventor
董嘉
黄震宁
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Communication Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Communication Co Ltd
Application filed by China Mobile Communications Group Co Ltd, China Mobile Communication Co Ltd
Priority to CN201711096184.6A
Publication of CN109768947A

Abstract

The invention discloses a user identity authentication method, device and medium for accurately identifying a user's legitimate login behaviour and so improving the accuracy of user identity authentication results. The user identity authentication method comprises: a Policy and Charging Rules Function (PCRF) receives a user identity authentication request sent by a network functional entity, the request carrying a first user subscription identifier and a target network address identifier; the PCRF looks up, in its stored correspondence between network address identifiers and user subscription identifiers, the second user subscription identifier corresponding to the target network address identifier; the PCRF compares the first user subscription identifier with the second user subscription identifier; and the PCRF returns the comparison result to the network functional entity.

Description

A user identity authentication method, device and medium
Technical field
The present invention relates to the technical field of network communication security, and in particular to a user identity authentication method, device and medium.
Background art
This section is intended to provide background or context for the embodiments of the invention set forth in the claims. The description herein is not admitted to be prior art merely because it is included in this section.
With the rapid development of mobile communication technology and the arrival of the mobile multimedia era, the mobile phone, as an indispensable mobile communication tool, has evolved from a simple calling tool into an intelligent platform for collecting and processing mobile information. In the current mobile Internet era, the mobile phone plays an important role as a common terminal.
In traditional applications based on a C/S (Client/Server) architecture, a client application and a server-side application generally cooperate to provide services to the user. A client application is an application that is installed on a terminal, can exchange information with a server on the network side, and provides services to the user by running in cooperation with the server-side application. The client may be a web browser, or a client installed on a mobile terminal such as a mobile phone or tablet computer.
To obtain the service that a server provides, a user must first log in to that server by entering authentication information. After the user has logged in successfully, in order to prevent an illegitimate user from stealing a legitimate user's authentication information and logging in as that user, and to protect the legitimate user's data, in the prior art the network-side server can additionally authenticate the user by means such as the browser User Agent information or the terminal device model used at login, so as to identify whether the logged-in user is the legitimate user. With this approach, however, if the legitimate user changes browser or terminal and then logs in to the server, the server cannot identify the user accurately, so the user identity authentication result is subject to a certain amount of misjudgment.
Summary of the invention
Embodiments of the present invention provide a user identity authentication method, device and medium, to improve the accuracy of user identity authentication results and accurately identify a user's legitimate login behaviour.
In a first aspect, a user identity authentication method is provided, comprising:
A Policy and Charging Rules Function (PCRF) receives a user identity authentication request sent by a network functional entity, the user identity authentication request carrying a first user subscription identifier and a target network address identifier;
The PCRF looks up, in its stored correspondence between network address identifiers and user subscription identifiers, the second user subscription identifier corresponding to the target network address identifier;
The PCRF compares the first user subscription identifier with the second user subscription identifier;
The PCRF returns the comparison result to the network functional entity.
Wherein, the user identity authentication request also carries an identifier of the network functional entity; and
Before the PCRF looks up, in its stored correspondence between network address identifiers and user subscription identifiers, the second user subscription identifier corresponding to the target network address identifier, the method further comprises:
The PCRF confirms with the Subscription Profile Repository (SPR), according to the network functional entity identifier, that the network functional entity has user identity authentication query permission.
Optionally, the correspondence between network address identifiers and user subscription identifiers is obtained as follows:
The PCRF receives a credit control request sent by a gateway device, the credit control request carrying a network address identifier and a user subscription identifier, where the network address identifier is allocated by the gateway device to the user equipment corresponding to the user subscription identifier when that user equipment initially attaches to the network;
The PCRF stores the correspondence between the network address identifier and the user subscription identifier carried in the credit control request.
Optionally, the user subscription identifier comprises an International Mobile Subscriber Identity (IMSI) or a Mobile Subscriber Integrated Services Digital Network (MSISDN) number.
Optionally, the PCRF receiving the user identity authentication request sent by the network functional entity specifically comprises:
The PCRF receives the user identity authentication request that the network functional entity sends using Authentication Authorization Request (AAR) signaling.
Optionally, the user identity authentication request includes the user information comparison report USER_INFO_COMPARE_REPORT carried in the attribute-value pair Specific-Action AVP.
The PCRF returning the comparison result to the network functional entity specifically comprises:
The PCRF returns the comparison result to the network functional entity using Authentication Authorization Answer (AAA) signaling.
In a second aspect, a user identity authentication method is provided, comprising:
A network functional entity sends a user identity authentication request to a Policy and Charging Rules Function (PCRF), the user identity authentication request carrying a first user subscription identifier and a target network address identifier;
The network functional entity receives the identity authentication result that the PCRF returns for the user identity authentication request.
Optionally, the network functional entity sending the user identity authentication request to the PCRF specifically comprises:
The network functional entity sends the user identity authentication request using Authentication Authorization Request (AAR) signaling; and
Receiving the identity authentication result that the PCRF returns for the user identity authentication request specifically comprises:
Receiving the identity authentication result that the PCRF returns for the user identity authentication request using Authentication Authorization Answer (AAA) signaling.
Optionally, the user identity authentication request includes the user information comparison report USER_INFO_COMPARE_REPORT carried in the attribute-value pair Specific-Action AVP.
In a third aspect, a user identity authentication device is provided, comprising:
A first receiving unit, for receiving a user identity authentication request sent by a network functional entity, the user identity authentication request carrying a first user subscription identifier and a target network address identifier;
A searching unit, for looking up, in the stored correspondence between network address identifiers and user subscription identifiers, the second user subscription identifier corresponding to the target network address identifier;
A comparing unit, for comparing the first user subscription identifier with the second user subscription identifier;
A response unit, for returning the comparison result to the network functional entity.
Optionally, the user identity authentication request also carries an identifier of the network functional entity; and
The device further comprises:
An authentication unit, for confirming with the Subscription Profile Repository (SPR), according to the network functional entity identifier, that the network functional entity has user identity authentication query permission, before the searching unit looks up, in the stored correspondence between network address identifiers and user subscription identifiers, the second user subscription identifier corresponding to the target network address identifier.
Optionally, the user identity authentication device further comprises:
A second receiving unit, for receiving a credit control request sent by a gateway device, the credit control request carrying a network address identifier and a user subscription identifier, where the network address identifier is allocated by the gateway device to the user equipment corresponding to the user subscription identifier when that user equipment initially attaches to the network;
A storage unit, for storing the correspondence between the network address identifier and the user subscription identifier carried in the credit control request.
Optionally, the user subscription identifier comprises an International Mobile Subscriber Identity (IMSI) or a Mobile Subscriber Integrated Services Digital Network (MSISDN) number.
Optionally, the first receiving unit is specifically used for receiving the user identity authentication request that the network functional entity sends using Authentication Authorization Request (AAR) signaling.
Optionally, the user identity authentication request includes the user information comparison report USER_INFO_COMPARE_REPORT carried in the attribute-value pair Specific-Action AVP.
Optionally, the response unit is specifically used for returning the comparison result to the network functional entity using Authentication Authorization Answer (AAA) signaling.
In a fourth aspect, a user identity authentication device is provided, comprising:
A sending unit, for sending a user identity authentication request to a Policy and Charging Rules Function (PCRF), the user identity authentication request carrying a first user subscription identifier and a target network address identifier;
A receiving unit, for receiving the identity authentication result that the PCRF returns for the user identity authentication request.
Optionally, the sending unit is used for sending the user identity authentication request using Authentication Authorization Request (AAR) signaling;
The receiving unit is used for receiving the identity authentication result that the PCRF returns for the user identity authentication request using Authentication Authorization Answer (AAA) signaling.
Optionally, the user identity authentication request includes the user information comparison report USER_INFO_COMPARE_REPORT carried in the attribute-value pair Specific-Action AVP.
In a fifth aspect, a computing device is provided, comprising at least one processing unit and at least one storage unit, where the storage unit stores a computer program which, when executed by the processing unit, causes the processing unit to perform the steps of any of the methods above.
In a sixth aspect, a computer-readable medium is provided, storing a computer program executable by a PCRF which, when run on the PCRF, causes the PCRF to perform the steps of any of the methods above.
In the user identity authentication method, device and medium provided by embodiments of the present invention, the network functional entity sends a user identity authentication request to the PCRF when it needs to authenticate a user. Using the first user subscription identifier and the target network address identifier carried in the request, the PCRF looks up, in its own stored correspondence between network address identifiers and user subscription identifiers, the second user subscription identifier corresponding to the target network address identifier, and authenticates the user by comparing whether the first and second subscription identifiers are consistent. Because authentication no longer relies on the browser or terminal model, a legitimate user can still be identified accurately after changing browser or terminal device, which improves the accuracy of user identity authentication results.
Other features and advantages of the present invention will be set out in the description that follows and will in part become apparent from the description, or be understood by implementing the invention. The objectives and other advantages of the invention can be realised and obtained by the structure particularly pointed out in the written description, the claims and the drawings.
Detailed description of the invention
The drawings described here are provided for a further understanding of the present invention and form part of it; the illustrative embodiments of the invention and their description serve to explain the invention and do not unduly limit it. In the drawings:
Fig. 1 is a schematic diagram of the PCC architecture;
Fig. 2a is a flow diagram of the user identity authentication method implemented on the PCRF side according to an embodiment of the present invention;
Fig. 2b is a flow diagram of the user identity authentication method implemented on the network functional entity side according to an embodiment of the present invention;
Fig. 3a is a structural diagram of the user identity authentication device implemented on the PCRF side according to an embodiment of the present invention;
Fig. 3b is a structural diagram of the user identity authentication device implemented on the network functional entity side according to an embodiment of the present invention;
Fig. 4 is a structural diagram of the PCRF according to an embodiment of the present invention.
Specific embodiment
To improve the accuracy of user identity authentication results, embodiments of the present invention provide a user identity authentication method, device and medium.
Preferred embodiments of the present invention are described below with reference to the drawings. It should be understood that the preferred embodiments described here serve only to illustrate and explain the invention and do not limit it, and that, where no conflict arises, the embodiments of the invention and the features in them can be combined with one another.
To provide users with differentiated services, 3GPP (3rd Generation Partnership Project) introduced the PCC (Policy Control and Charging) architecture into the EPS (Evolved Packet System) network. The PCC architecture manages bearer resources across end-to-end equipment such as the terminal, the radio network and the core network, and can be associated with charging policy. Using policy control based on gating and QoS (Quality of Service) control together with flow-based charging control, it achieves differentiated, fine-grained control of data services, provides operators with more complete means of control, and gives sufficient network-technology support to marketing and migration efficiency.
Embodiment one
Fig. 1 is a schematic diagram of the PCC architecture, which includes network elements such as the AF (Application Function), PCEF (Policy and Charging Enforcement Function), PCRF (Policy and Charging Rules Function), SPR (Subscription Profile Repository), OCS (Online Charging System) and OFCS (Offline Charging System). The interface between the SPR and the PCRF is the Sp interface, the interface between the AF and the PCRF is the Rx interface, the interface between the PCRF and the PCEF is the Gx interface, the interface between the PCEF and the OCS is the Gy interface, and the interface between the PCRF and the OFCS is the Gz interface.
The PCRF and PCEF are the key network elements that implement the PCC function. In practice, the PCRF communicates with the service operation support system and includes policy control decision and flow-based charging control functions. It provides the PCEF with network control functions for service data flow detection, gating, QoS and flow-based charging (apart from Diameter credit control), and can use multiple dimensions such as service, user, location, cumulative usage, access type and time as trigger conditions to generate service control rules that are delivered to the PCEF for execution. The PCEF is located at the gateway, such as the GGSN (Gateway GPRS Support Node) of GPRS or the P-GW (Packet Data Network Gateway) of EPS, communicates with the service side, and includes functions such as service data flow detection, policy enforcement and flow-based charging.
The AF is the element that provides application services; it mainly performs dynamic policy/charging control over IP-CAN (IP-Connectivity Access Network) user-plane behaviour. The OCS provides credit control based on user and service data flow. The OFCS provides charging based on user and service data flow.
The SPR holds information relating to all subscribers or subscriptions. The subscription information provided by the SPR includes, for each PDN (Packet Data Network): the services the subscriber is allowed; the priority of each allowed service; the QoS information the subscriber is allowed; charging-related information for the subscriber's services, such as access type, location information and number of uses; the subscriber's category; and so on.
When a terminal device initially attaches to the network, the PGW/GGSN allocates an IP address to the user and carries it in a CCR-I (Credit Control Request-Initial) message sent to the PCRF. The DRA (Diameter Routing Agent) can obtain the user's IP address and the corresponding PGW and PCRF through the CCR-I and CCA-I (Credit Control Answer-Initial) messages.
On this basis, an embodiment of the present invention provides a user identity authentication method which, as shown in Fig. 2a, may include the following steps:
S21: The PCRF receives a user identity authentication request sent by a network functional entity, the request carrying a first user subscription identifier and a target network address identifier.
In a specific implementation, when accessing a network functional entity (Function), the user sends it a TCP (Transmission Control Protocol) connection establishment request or an HTTP (Hypertext Transfer Protocol) request message, and the network functional entity can obtain the user's IP address and user subscription identifier from the TCP connection establishment request and the HTTP request message.
If no NAT (Network Address Translation) device is present, the IP address is a public IP address and the corresponding DRA and PCRF can be addressed directly. If NAT is present, the network functional entity obtains the user's public IP address and port number; the DRA corresponding to the user can be uniquely determined from the public IP address (generally carried in the IP-domain-ID) and the private IP address, and the corresponding PCRF can be addressed through the Diameter signaling network.
In a specific implementation, the user subscription identifier can be an IMSI (International Mobile Subscriber Identity) or an MSISDN (Mobile Subscriber ISDN) number, among others.
Note that the network functional entity in embodiments of the present invention may include, but is not limited to, an AF (Application Function), AS (Application Server), AAC (Application Access Control), SCEF (Service Capability Exposure Function), a capability exposure platform, and the like.
In a specific implementation, the network functional entity may, but need not, use AAR (Authorization-Authentication-Request) signaling to send the user identity authentication request. To authenticate the user's identity, in this embodiment a specific action, USER_INFO_COMPARE_REPORT (user information comparison report), can be carried in the Specific-Action AVP (Attribute Value Pair) to indicate a request to check whether the user information is consistent. The AAR request includes information such as the user equipment IP address (public address) or IP-domain-ID (IP domain identifier) obtained by the network functional entity, together with the Subscription-Id (user subscription identifier) to be verified.
S22: The PCRF looks up, in its stored correspondence between network address identifiers and user subscription identifiers, the second user subscription identifier corresponding to the target network address identifier.
The correspondence between network address identifiers and user subscription identifiers stored by the PCRF is obtained as follows: the PCRF receives a credit control request sent by a gateway device, the credit control request carrying a network address identifier and a user subscription identifier, where the network address identifier is allocated by the gateway device to the user equipment corresponding to the user subscription identifier when that user equipment initially attaches to the network; the PCRF stores the correspondence between the network address identifier and the user subscription identifier carried in the credit control request. That is, when the user equipment initially attaches to the network, the gateway device (PGW/GGSN) allocates it an IP address, and the network management equipment carries the allocated IP address and the user subscription identifier corresponding to the user equipment in a CCR-I message sent to the PCRF; the PCRF thereby obtains and stores the correspondence between the user equipment's network address identifier and the user subscription identifier.
After receiving the user identity authentication request sent by the network functional entity, the PCRF uses the target network address identifier carried in it to look up, in its own stored correspondence between network address identifiers and user subscription identifiers, the second user subscription identifier corresponding to the target network address identifier.
S23: The PCRF compares the first user subscription identifier with the second user subscription identifier.
S24: The PCRF returns the comparison result to the network functional entity.
In a specific implementation, the PCRF can use AAA (Authorization-Authentication-Answer) signaling to return the comparison result to the network functional entity. If the comparison result is consistent, the current user is a legitimate user; if it is inconsistent, the current user may be an illegitimate user. In this step the PCRF returns the comparison result to the network functional entity, and the network functional entity decides from the comparison result whether to allow the user access. Specifically, if the comparison result is consistent, the user is allowed access; if it is inconsistent, the user's access may be refused, or the network functional entity may send a confirmation message to the corresponding user according to the IMSI or MSISDN to confirm whether the currently logged-in user is the legitimate user, and so on. Embodiments of the present invention place no limitation on this.
Embodiment two
To protect user information, in this embodiment the network functional entity can also be authenticated: a network functional entity that passes authentication is allowed to query user authentication information, and if a network functional entity does not have user identity authentication query permission, an invalid-query indication is returned to it. The permission of each network functional entity to query user authentication information can be stored in the SPR.
On this basis, the user identity authentication request sent by the network functional entity can also carry the network functional entity identifier, and before step S12 is executed the following step may also be included:
The PCRF confirms with the SPR, according to the network functional entity identifier, that the network functional entity has user identity authentication query permission.
In a specific implementation, if the PCRF confirms with the SPR, according to the network functional entity identifier, that the network functional entity does not have user identity authentication query permission, it can return an invalid-query response to the network functional entity in the AAA message.
In this embodiment, to authenticate the user's identity, USER_INFO_COMPARE_REPORT is newly added to the Specific-Action AVP. In an AAR message, this field indicates that the network functional entity needs the PCRF to return the result of checking the correspondence between the user IP address and the Subscription-Id (user subscription identifier) carried in the message. Further, to protect user information, the query permission of each platform is stored in the SPR: on receiving an AAR message carrying USER_INFO_COMPARE_REPORT, the PCRF queries the SPR as to whether the corresponding network functional entity has permission to check the consistency of user information. If the PCRF confirms that the network functional entity has that permission, it returns the check result (consistent or inconsistent) to the network functional entity in the AAA message; if the PCRF confirms that the network functional entity does not have that permission, it returns "invalid inquiry" to the network functional entity.
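The PCRF-side check of steps S21 to S24, together with the SPR permission check of embodiment two, sketched in Python as an added example (not code from the patent). The dict-shaped request, the class and field names and the sample identifiers are constructed for illustration; treating an unknown or malformed address as "inconsistent" is an assumption, since the description does not say what the PCRF returns in that case.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# The three outcomes the description names for the AAA answer.
CONSISTENT = "consistent"
INCONSISTENT = "inconsistent"
INVALID_QUERY = "invalid query"

COMPARE_ACTION = "USER_INFO_COMPARE_REPORT"  # Specific-Action value from the page

BindingKey = Tuple[str, Optional[str]]  # (canonical IP, IP-domain-ID or None)


def binding_key(ip: str, ip_domain_id: Optional[str]) -> BindingKey:
    """Canonicalise the address so equivalent spellings map to one key."""
    return (str(ipaddress.ip_address(ip.strip())), ip_domain_id)


@dataclass
class Spr:
    """Stand-in for the SPR: entities allowed to run identity queries."""
    authorized: Set[str] = field(default_factory=set)

    def may_query(self, nf_id: Optional[str]) -> bool:
        return nf_id in self.authorized


@dataclass
class Pcrf:
    spr: Spr
    bindings: Dict[BindingKey, str] = field(default_factory=dict)

    def on_ccr_initial(self, ip: str, subscription_id: str,
                       ip_domain_id: Optional[str] = None) -> None:
        """Store the address-to-subscriber binding reported at initial attach."""
        self.bindings[binding_key(ip, ip_domain_id)] = subscription_id

    def on_aar(self, req: dict) -> str:
        """Answer an identity check; `req` is an assumed dict model of the AAR."""
        if req.get("specific_action") != COMPARE_ACTION:
            raise ValueError("not an identity comparison request")
        # Permission is confirmed with the SPR before any binding is read, so an
        # unauthorised caller learns nothing about which bindings exist.
        if not self.spr.may_query(req.get("nf_id")):
            return INVALID_QUERY
        try:
            key = binding_key(req["ip"], req.get("ip_domain_id"))
        except (KeyError, ValueError, AttributeError):
            return INCONSISTENT  # assumption: malformed address cannot match
        second_id = self.bindings.get(key)       # S22: look up the stored identifier
        first_id = req.get("subscription_id")    # identifier the caller wants checked
        if second_id is not None and second_id == first_id:  # S23: compare
            return CONSISTENT
        return INCONSISTENT                      # S24: result goes back in the AAA


def demo() -> Dict[str, str]:
    """Run constructed requests against constructed bindings."""
    pcrf = Pcrf(Spr(authorized={"as-portal"}))
    pcrf.on_ccr_initial("10.20.0.7", "460001234567890", "apn-internet")
    pcrf.on_ccr_initial("2001:db8::1", "8613800000000")

    def ask(nf_id, ip, subscription_id, ip_domain_id=None):
        return pcrf.on_aar({
            "specific_action": COMPARE_ACTION,
            "nf_id": nf_id,
            "ip": ip,
            "ip_domain_id": ip_domain_id,
            "subscription_id": subscription_id,
        })

    return {
        "match": ask("as-portal", "10.20.0.7", "460001234567890", "apn-internet"),
        "wrong_subscriber": ask("as-portal", "10.20.0.7", "460009999999999", "apn-internet"),
        "unauthorized_nf": ask("unknown-af", "10.20.0.7", "460001234567890", "apn-internet"),
        "ipv6_long_form": ask("as-portal", "2001:0db8:0:0:0:0:0:1", "8613800000000"),
        "unknown_ip": ask("as-portal", "10.20.0.8", "460001234567890", "apn-internet"),
        "wrong_domain": ask("as-portal", "10.20.0.7", "460001234567890", "apn-other"),
        "malformed_ip": ask("as-portal", "10.20.0.7; x", "460001234567890"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Keying the binding on the address together with the IP-domain-ID keeps overlapping private address ranges behind NAT from resolving to the wrong subscriber.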
Correspondingly, an embodiment of the present invention also provides a user identity authentication method implemented on the network functional entity side which, as shown in Fig. 2b, may include the following steps:
S201: The network functional entity sends a user identity authentication request to the PCRF.
The user identity authentication request carries a first user subscription identifier and a target network address identifier.
Optionally, the network functional entity can send the user identity authentication request using AAR signaling. For example, the user identity authentication request may include the user information comparison report USER_INFO_COMPARE_REPORT carried in the attribute-value pair Specific-Action AVP.
S202: The network functional entity receives the identity authentication result that the PCRF returns for the user identity authentication request.
Optionally, the identity authentication result that the PCRF returns for the user identity authentication request can be received using AAA signaling.
In the user identity authentication method provided by embodiments of the present invention, the network functional entity authenticates the user by querying the PCRF as to whether the user equipment IP, IP domain (optional) and user subscription identifier in the mapping belong to the same user. Because authentication no longer relies on the browser or terminal model, a legitimate user can still be identified accurately after changing browser or terminal device, which improves the accuracy of user identity authentication results.
Based on the same inventive concept, a kind of user identity authentication device is additionally provided in the embodiment of the present invention, due to above-mentionedThe principle that device solves the problems, such as is similar to method for authenticating user identity, therefore the implementation of above-mentioned apparatus may refer to the reality of methodIt applies, overlaps will not be repeated.
It as shown in Figure 3a, is the structural schematic diagram of user identity authentication device provided in an embodiment of the present invention, comprising:
First receiving unit 31, for receiving the user identity authentication request of network functional entity transmission, user's bodyFirst user's signatory mark and destination network addresses mark are carried in part certification request;
Searching unit 32, for searching institute from the corresponding relationship of the network address of storage mark and user's signatory markIt states destination network addresses and identifies corresponding second user signatory mark;
Comparing unit 33 is used for the first user signatory mark and second user signatory mark;
Response unit 34, for returning to comparison result to the network functional entity.
Optionally, the network functional entity mark is also carried in the user identity authentication request;And
Described device, further includes:
Authenticating unit, for being closed in the searching unit from the network address of storage mark is corresponding with user's signatory markIn system, before searching the corresponding second user signatory mark of the destination network addresses mark, identified according to network functional entityConfirm that the network functional entity possesses user identity authentication search access right to signing information storage SPR.
Optionally, the user identity authentication device further includes:
Second receiving unit, configured to receive the credit control request sent by the gateway, the credit control request carrying a network address mark and a user signatory mark, wherein the network address mark is allocated by the gateway to the user equipment corresponding to the user signatory mark when that user equipment initially attaches to the network;
Storage unit, configured to store the correspondence between the network address mark and the user signatory mark carried in the credit control request.
Optionally, the user signatory mark includes the international mobile subscriber identity (IMSI) or the mobile subscriber international ISDN number (MSISDN).
Optionally, the first receiving unit is specifically configured to receive the user identity authentication request that the network functional entity sends using authentication-authorization request (AAR) signaling.
Optionally, the user identity authentication request includes the user information comparison report USER_INFO_COMPARE_REPORT carried in the Specific-Action attribute-value pair (AVP).
Optionally, the response unit is specifically configured to return the comparison result to the network functional entity using authentication-authorization response (AAA) signaling.
Figure 3b is a structural schematic diagram of the user identity authentication device implemented on the network functional entity side, comprising:
Transmission unit 301, configured to send a user identity authentication request to the policy and charging rules function entity PCRF, the user identity authentication request carrying a first user signatory mark and a destination network address mark;
Receiving unit 302, configured to receive the identity authentication result that the PCRF returns for the user identity authentication request.
Optionally, the transmission unit is configured to send the user identity authentication request using authentication-authorization request (AAR) signaling;
the receiving unit is configured to receive the identity authentication result that the PCRF returns for the user identity authentication request using authentication-authorization response (AAA) signaling.
Optionally, the user identity authentication request includes the user information comparison report USER_INFO_COMPARE_REPORT carried in the Specific-Action attribute-value pair (AVP).
For convenience of description, the parts above are divided by function into modules (or units) and described separately. Of course, when implementing the present invention, the functions of the modules (or units) may be realized in one or more pieces of software or hardware.
Having described the user identity authentication method and device of exemplary embodiments of the present invention, a computing device according to another exemplary embodiment of the present invention is introduced next.
A person of ordinary skill in the art will understand that aspects of the present invention may be implemented as a system, a method or a program product. Accordingly, aspects of the present invention may take the form of a complete hardware embodiment, a complete software embodiment (including firmware, microcode, etc.), or an embodiment combining hardware and software aspects, which may collectively be referred to herein as a "circuit", "module" or "system".
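The unit structure described above (binding storage from the credit control request, requester authorization, lookup, comparison, and a reply that carries only the comparison result), as an added Python sketch that is not code from the patent. The class and field names, the in-memory store, storing IMSI and MSISDN together for one binding, address normalization, and the fail-closed decision on the network functional entity side are assumptions; all identifiers and addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Iterable, Optional, Set, Tuple

Key = Tuple[str, Optional[str]]  # (normalized IP, optional IP domain)


class CompareResult(Enum):
    MATCH = "match"                      # both marks belong to the same user
    MISMATCH = "mismatch"                # address is bound to a different user
    UNKNOWN_ADDRESS = "unknown-address"  # no binding stored for this address
    NOT_AUTHORIZED = "not-authorized"    # requester may not query the SPR


@dataclass(frozen=True)
class AuthRequest:
    """Stand-in for the AAR carrying USER_INFO_COMPARE_REPORT (hypothetical fields)."""
    nf_id: str                       # network functional entity mark
    user_mark: str                   # first user signatory mark (IMSI or MSISDN)
    ip: str                          # destination network address mark
    ip_domain: Optional[str] = None  # optional IP domain


def _key(ip: str, ip_domain: Optional[str]) -> Key:
    # Normalize so differently written forms of one address hit the same binding.
    return (ipaddress.ip_address(ip).compressed, ip_domain)


@dataclass
class Pcrf:
    authorized_nfs: Set[str]  # entities with query permission on the SPR
    bindings: Dict[Key, Set[str]] = field(default_factory=dict)

    def on_credit_control_request(self, ip: str, marks: Iterable[str],
                                  ip_domain: Optional[str] = None) -> None:
        """Second receiving unit + storage unit: record the gateway's binding.
        Overwriting means a reassigned address no longer vouches for its old user."""
        self.bindings[_key(ip, ip_domain)] = set(marks)

    def on_auth_request(self, req: AuthRequest) -> CompareResult:
        """First receiving, authenticating, searching, comparing, response units."""
        if req.nf_id not in self.authorized_nfs:
            return CompareResult.NOT_AUTHORIZED
        try:
            stored = self.bindings.get(_key(req.ip, req.ip_domain))
        except ValueError:               # malformed address: treat as unknown
            stored = None
        if stored is None:
            return CompareResult.UNKNOWN_ADDRESS
        # Only the outcome is returned; the stored (second) mark never leaves the PCRF.
        if req.user_mark in stored:
            return CompareResult.MATCH
        return CompareResult.MISMATCH


def login_allowed(pcrf: Pcrf, nf_id: str, account_mark: str, source_ip: str,
                  ip_domain: Optional[str] = None) -> bool:
    """Network functional entity side (units 301/302). Assumption: fail closed,
    so anything other than MATCH rejects the login."""
    req = AuthRequest(nf_id, account_mark, source_ip, ip_domain)
    return pcrf.on_auth_request(req) is CompareResult.MATCH


def demo() -> Dict[str, str]:
    imsi_a, msisdn_a, imsi_b = "001010000000001", "15550100001", "001010000000002"
    pcrf = Pcrf(authorized_nfs={"portal-1"})
    pcrf.on_credit_control_request("10.20.0.5", {imsi_a, msisdn_a}, "apn-a")
    cases = {
        "same user": AuthRequest("portal-1", msisdn_a, "10.20.0.5", "apn-a"),
        "other user": AuthRequest("portal-1", imsi_b, "10.20.0.5", "apn-a"),
        "other domain": AuthRequest("portal-1", imsi_a, "10.20.0.5", "apn-b"),
        "unlisted requester": AuthRequest("portal-9", imsi_a, "10.20.0.5", "apn-a"),
    }
    return {name: pcrf.on_auth_request(r).value for name, r in cases.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```
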
In some possible embodiments, a computing device according to the present invention may include at least one processing unit and at least one storage unit. The storage unit stores program code which, when executed by the processing unit, causes the processing unit to perform the steps of the user identity authentication method according to the various exemplary embodiments of the present invention described above in this specification. For example, the processing unit may perform, as shown in Fig. 2a: step S21, the PCRF receives the user identity authentication request sent by the network functional entity, the user identity authentication request carrying a first user signatory mark and a destination network address mark; step S22, the PCRF searches the stored correspondence between network address marks and user signatory marks for the second user signatory mark corresponding to the destination network address mark; step S23, the PCRF compares the first user signatory mark with the second user signatory mark; and step S24, the PCRF returns the comparison result to the network functional entity. Alternatively, it may perform, as shown in Fig. 2b: step S201, the network functional entity sends a user identity authentication request to the policy and charging rules function entity PCRF, the user identity authentication request carrying a first user signatory mark and a destination network address mark; and step S202, receiving the identity authentication result that the PCRF returns for the user identity authentication request.
The computing device 40 according to this embodiment of the present invention is described with reference to Fig. 4. The computing device 40 shown in Fig. 4 is only an example and should not impose any restriction on the function or scope of use of the embodiments of the present invention.
As shown in Fig. 4, computing device 40 takes the form of a general-purpose computing device. The components of computing device 40 may include, but are not limited to: the at least one processing unit 41 mentioned above, the at least one storage unit 42 mentioned above, and a bus 43 connecting the different system components (including storage unit 42 and processing unit 41).
Bus 43 represents one or more of several types of bus structure, including a memory bus or memory controller, a peripheral bus, a processor bus, or a local bus using any of a variety of bus structures.
Storage unit 42 may include readable media in the form of volatile memory, such as random access memory (RAM) 421 and/or cache memory 422, and may further include read-only memory (ROM) 423.
Storage unit 42 may also include a program/utility 425 having a set of (at least one) program modules 424. Such program modules 424 include, but are not limited to: an operating system, one or more application programs, other program modules and program data. Each of these examples, or some combination of them, may include an implementation of a network environment.
Computing device 40 may also communicate with one or more external devices 44 (such as a keyboard or a pointing device), with one or more devices that enable a user to interact with computing device 40, and/or with any device (such as a router or a modem) that enables computing device 40 to communicate with one or more other computing devices. Such communication may take place through an input/output (I/O) interface 45. Computing device 40 may also communicate with one or more networks (such as a local area network (LAN), a wide area network (WAN) and/or a public network such as the Internet) through a network adapter 46. As shown, network adapter 46 communicates with the other modules of computing device 40 through bus 43. It should be understood that, although not shown in the figure, other hardware and/or software modules may be used in conjunction with computing device 40, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives and data backup storage systems.
In some possible embodiments, aspects of the user identity authentication method provided by the present invention may also be implemented in the form of a program product that includes program code. When the program product runs on a computer device, the program code causes the computer device to perform the steps of the user identity authentication method according to the various exemplary embodiments of the present invention described above in this specification. For example, the computer device may perform, as shown in Fig. 2a: step S21, the PCRF receives the user identity authentication request sent by the network functional entity, the user identity authentication request carrying a first user signatory mark and a destination network address mark; step S22, the PCRF searches the stored correspondence between network address marks and user signatory marks for the second user signatory mark corresponding to the destination network address mark; step S23, the PCRF compares the first user signatory mark with the second user signatory mark; and step S24, the PCRF returns the comparison result to the network functional entity. Alternatively, it may perform, as shown in Fig. 2b: step S201, the network functional entity sends a user identity authentication request to the policy and charging rules function entity PCRF, the user identity authentication request carrying a first user signatory mark and a destination network address mark; and step S202, receiving the identity authentication result that the PCRF returns for the user identity authentication request.
The program product may use any combination of one or more readable media. A readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example but not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples of readable storage media (a non-exhaustive list) include: an electrical connection with one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above.
The program product for user identity authentication according to embodiments of the present invention may use a portable compact disc read-only memory (CD-ROM), include program code, and run on a computing device. However, the program product of the present invention is not limited to this. In this document, a readable storage medium may be any tangible medium that contains or stores a program, where the program may be used by or in connection with an instruction execution system, apparatus or device.
A readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying readable program code. Such a propagated data signal may take many forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of the above. A readable signal medium may also be any readable medium other than a readable storage medium that can send, propagate or transmit a program for use by or in connection with an instruction execution system, apparatus or device.
The program code contained on a readable medium may be transmitted over any suitable medium, including but not limited to wireless, wired, optical cable, RF, or any suitable combination of the above.
Program code for carrying out the operations of the present invention may be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++, as well as conventional procedural programming languages such as the "C" language or similar programming languages. The program code may execute entirely on the user computing device, partly on the user device, as a stand-alone software package, partly on the user computing device and partly on a remote computing device, or entirely on a remote computing device or server. Where a remote computing device is involved, the remote computing device may be connected to the user computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computing device (for example, through the Internet using an Internet service provider).
It should be noted that although several units or sub-units of the device are mentioned in the detailed description above, this division is only exemplary and not mandatory. In fact, according to embodiments of the present invention, the features and functions of two or more of the units described above may be embodied in one unit. Conversely, the features and functions of one unit described above may be further divided and embodied by multiple units.
In addition, although the operations of the method of the present invention are described in a particular order in the accompanying drawings, this does not require or imply that the operations must be performed in that particular order, or that all of the operations shown must be performed to achieve the desired result. Additionally or alternatively, certain steps may be omitted, multiple steps may be merged into one step, and/or one step may be decomposed into multiple steps.
Those skilled in the art should understand that embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM and optical memory) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, equipment (system) and computer program product according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing equipment to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing equipment produce a device for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing equipment to work in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, the instruction device implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing equipment, so that a series of operation steps are performed on the computer or other programmable equipment to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Although preferred embodiments of the present invention have been described, those skilled in the art can make additional changes and modifications to these embodiments once they know the basic inventive concept. The appended claims are therefore intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. If these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include them.

Claims (22)

Application number: CN201711096184.6A; priority date: 2017-11-09; filing date: 2017-11-09; title: A user identity authentication method, device and medium; status: Pending; publication: CN109768947A (en)

Priority Applications (1)

Application number: CN201711096184.6A; priority date: 2017-11-09; filing date: 2017-11-09; title: A user identity authentication method, device and medium

Applications Claiming Priority (1)

Application number: CN201711096184.6A; priority date: 2017-11-09; filing date: 2017-11-09; title: A user identity authentication method, device and medium

Publications (1)

Publication number: CN109768947A (en); publication date: 2019-05-17

Family

ID=66449732

Family Applications (1)

Application number: CN201711096184.6A; title: A user identity authentication method, device and medium; priority date: 2017-11-09; filing date: 2017-11-09; status: Pending; publication: CN109768947A (en)

Country Status (1)

Country: CN (1); link: CN109768947A (en)


Legal Events

PB01: Publication
SE01: Entry into force of request for substantive examination
RJ01: Rejection of invention patent application after publication

Application publication date: 20190517

