CN1812322A - Right discriminating system and processing method - Google Patents

Abstract

Translated fromChinese

本发明公开了一种鉴权系统，包括：签约信息存储器，与鉴权实体相连，用于存储访问端的签约信息，并向鉴权实体提供对应于访问端的鉴权信息；访问端，与鉴权实体相连，用于向鉴权实体发起鉴权；鉴权实体，分别与签约信息存储器和访问端相连，用于根据签约信息存储器提供的鉴权信息，与访问端进行互鉴权。本发明还公开了一种鉴权处理方法，访问端向鉴权实体发送携带有访问端标识的鉴权请求；鉴权实体收到鉴权请求后，请求签约信息存储器提供对应于访问端标识的鉴权信息；签约信息存储器根据访问端标识获取鉴权信息并提供给鉴权实体，鉴权实体根据收到的鉴权信息与访问端进行互鉴权，满足网络运营商的安全需求和业务需求，提供安全可靠的通信网络。

The invention discloses an authentication system, comprising: a subscription information storage, connected with an authentication entity, used for storing the subscription information of an access terminal, and providing authentication information corresponding to the access terminal to the authentication entity; the access terminal, connected with the authentication entity The entity is connected to initiate authentication to the authentication entity; the authentication entity is connected to the subscription information storage and the access terminal respectively, and is used to perform mutual authentication with the access terminal according to the authentication information provided by the subscription information storage. The invention also discloses an authentication processing method. The access terminal sends an authentication request carrying the identifier of the access terminal to the authentication entity; Authentication information; the signing information storage obtains authentication information according to the identifier of the access terminal and provides it to the authentication entity, and the authentication entity performs mutual authentication with the access terminal according to the received authentication information to meet the security needs and business needs of network operators , providing a safe and reliable communication network.

Description

Translated fromChinese

一种鉴权系统及处理方法An authentication system and processing method

技术领域technical field

本发明涉及鉴权技术，特别是指一种鉴权系统及处理方法。The invention relates to authentication technology, in particular to an authentication system and processing method.

背景技术Background technique

随着宽带网络的发展，移动通信将不仅仅局限于传统的语音通信，结合音频、视频、图片和文本等多种媒体类型的多媒体业务将逐渐开展起来，通过与呈现(presence)业务，短消息业务、网页(WEB)浏览业务、定位业务、推送(PUSH)业务、文件共享业务等数据业务的结合，可满足用户的多种需求。With the development of broadband network, mobile communication will not only be limited to traditional voice communication, but multimedia services combining audio, video, picture and text and other media types will be gradually developed, through and presence (presence) service, short message The combination of business, webpage (WEB) browsing service, positioning service, push (PUSH) service, file sharing service and other data services can meet various needs of users.

在多种应用的推动下，第三代合作伙伴计划(3GPP，3rd GenerationPartnership Project)标准组织推出了基于网际协议(IP)的多媒体子系统(IMS，IP Multimedia Subsystem)架构，目的是在通信网络中提供标准化的开放结构来实现多种多样的多媒体应用。Driven by a variety of applications, the 3rd Generation Partnership Project (3GPP, 3rd Generation Partnership Project) standard organization has launched an Internet Protocol (IP)-based multimedia subsystem (IMS, IP Multimedia Subsystem) architecture, the purpose of which is to Provide a standardized open structure to realize a variety of multimedia applications.

图1示出了IMS架构示意图，如图1所示，在3GPP的R5(Release 5)阶段，引入了IP多媒体子系统域，简称IMS，IMS叠加在分组交换网络之上，由呼叫会话管理功能(CSCF，Call Session Control Function)、媒体网关控制功能(MGCF，Media Gateway Control Function)、媒体资源功能(MRF，Multimedia Resource Function)和归属签约用户服务器(HSS，HomeSubscriber Server)等功能实体组成。其中，CSCF根据实现的不同功能，又可分为服务CSCF(S-CSCF)、代理CSCF(P-CSCF)和查询CSCF(I-CSCF)三个逻辑实体，S-CSCF是IMS的业务交换中心，用于执行会话控制、维持会话状态、管理用户信息、生成计费信息，等等；P-CSCF是终端用户接入IMS的接入点，用于完成用户注册、进行服务质量(QoS)控制和安全管理，等等；I-CSCF用于实现路由查找，如IMS域内及IMS域之间的互通，对S-CSCF的分配进行管理，对外部网络和其他IMS域隐藏网络的拓补结构和配置，生成计费信息，等等。MGCF实现控制网关的功能，用于实现IMS网络与其他网络之间的互通；MRF提供媒体资源，如收放音、对终端用户之间传输的信息进行编解码和多媒体会议桥等，MRF包括媒体资源功能控制(MRFC，Multimedia Resource Function Controller)和(MRFP，MultimediaResource Function Processor)。HSS为用户信息数据库，存储有IMS网络中用户的签约数据和配置信息等。Figure 1 shows a schematic diagram of the IMS architecture. As shown in Figure 1, in the R5 (Release 5) phase of 3GPP, the IP Multimedia Subsystem domain, referred to as IMS, was introduced. IMS is superimposed on the packet switching network, and the call session management function (CSCF, Call Session Control Function), Media Gateway Control Function (MGCF, Media Gateway Control Function), Media Resource Function (MRF, Multimedia Resource Function) and Home Subscriber Server (HSS, HomeSubscriber Server) and other functional entities. Among them, CSCF can be divided into three logical entities according to different functions realized: Serving CSCF (S-CSCF), Proxy CSCF (P-CSCF) and Inquiring CSCF (I-CSCF). S-CSCF is the business switching center of IMS , used to perform session control, maintain session state, manage user information, generate billing information, etc.; P-CSCF is the access point for terminal users to access IMS, and is used to complete user registration and perform quality of service (QoS) control and security management, etc.; I-CSCF is used to implement route lookup, such as intercommunication within and between IMS domains, manage the allocation of S-CSCF, and hide network topology and topology from external networks and other IMS domains configuration, generating billing information, etc. The MGCF implements the function of the control gateway, which is used to realize the intercommunication between the IMS network and other networks; the MRF provides media resources, such as audio playback, encoding and decoding of information transmitted between end users, and multimedia conference bridges. MRF includes media Resource function control (MRFC, Multimedia Resource Function Controller) and (MRFP, Multimedia Resource Function Processor). The HSS is a user information database, which stores subscription data and configuration information of users in the IMS network.

由于IMS的结构做到了与底层承载网络无关，因此，3GPP定义的IMS架构也可应用于3GPP定义的分组域网络之外的其他分组网络之上，如3GPP2定义的分组网络、无线局域网(WLAN)、下一代网络(NGN)等，实现了与用户使用的终端类型的无关性以及与接入网络类型的无关性，这样，不限制IMS只应用于与3GPP相关的网络和应用上，其他类型的接入网络和承载网络的业务和应用也可通过IMS架构来实现。Since the structure of IMS is independent of the underlying bearer network, the IMS architecture defined by 3GPP can also be applied to other packet networks other than the packet domain network defined by 3GPP, such as the packet network defined by 3GPP2, wireless local area network (WLAN) , Next Generation Network (NGN), etc., realize the independence of the terminal type used by the user and the independence of the access network type. In this way, IMS is not limited to only be applied to 3GPP-related networks and applications, and other types of The services and applications of the access network and bearer network can also be realized through the IMS architecture.

IMS中提供了很多部件(Enabler)，能够为很多具体应用所共用，如presence业务、群组管理(Group Management)业务、会议(Conference)业务、用户证书业务等等；IMS还提供了一些承载能力，如多媒体广播多播业务(MBMS，Multimedia Broadcast & Multicast Service)，用以支持应用层多种多样的具体实现。IMS provides many components (Enablers), which can be shared by many specific applications, such as presence services, group management (Group Management) services, conference (Conference) services, user certificate services, etc.; IMS also provides some bearer capabilities , such as Multimedia Broadcast & Multicast Service (MBMS, Multimedia Broadcast & Multicast Service), to support various implementations of the application layer.

基于以上所述的IMS架构，用户或应用服务器(AS，Application Server)可与实现业务的AS进行通信，以实现相应业务。在用户或AS等访问端访问其他AS时，应对访问端进行鉴权，以确保被访问的AS的安全性，但目前并未提出相应的鉴权系统结构及相应的处理流程，如果未经鉴权的访问端对访问的AS进行恶意攻击，则会使被访问的AS陷于瘫痪，无法确保正常业务的进行；或未经鉴权的非法访问端非法使用访问的AS上的资源，则会为运营商带来不可估计的损失。因此，由于对访问端鉴权机制的不健全，导致被访问的AS处于极大的安全隐患之中。Based on the above-mentioned IMS architecture, a user or an application server (AS, Application Server) can communicate with an AS that implements services to implement corresponding services. When a user or an access terminal such as an AS accesses another AS, the access terminal should be authenticated to ensure the security of the accessed AS. However, no corresponding authentication system structure and corresponding processing flow have been proposed so far. If the authorized access terminal maliciously attacks the accessed AS, the accessed AS will be paralyzed, and normal business cannot be guaranteed; Operators bring immeasurable losses. Therefore, due to the unsound authentication mechanism of the access terminal, the visited AS is in a great security risk.

发明内容Contents of the invention

有鉴于此，本发明的一个目的在于提供一种鉴权系统，本发明的另一目的在于提供一种鉴权处理方法，使得访问端必须通过鉴权后才能访问业务实体，以提供高度安全可靠的通信网络。In view of this, an object of the present invention is to provide an authentication system, and another object of the present invention is to provide an authentication processing method, so that the access terminal can only access the business entity after passing the authentication, so as to provide high security and reliability. communication network.

为了达到上述目的，本发明提供了一种鉴权系统，该系统包括：In order to achieve the above object, the present invention provides an authentication system, which includes:

签约信息存储器，与鉴权实体相连，用于存储访问端的签约信息，并向鉴权实体提供对应于访问端的鉴权信息；The subscription information storage is connected to the authentication entity, and is used to store the subscription information of the access terminal, and provide the authentication entity with authentication information corresponding to the access terminal;

访问端，与鉴权实体相连，用于向鉴权实体发起鉴权；The access terminal is connected to the authentication entity and is used to initiate authentication to the authentication entity;

鉴权实体，分别与签约信息存储器和访问端相连，用于根据签约信息存储器提供的鉴权信息，与访问端进行互鉴权。The authentication entity is connected to the subscription information storage and the access terminal respectively, and is used for mutual authentication with the access terminal according to the authentication information provided by the subscription information storage.

该系统进一步包括：业务实体，分别与鉴权实体和访问端相连，用于与通过鉴权的访问端建立连接，提供业务应用。The system further includes: a service entity, which is respectively connected to the authentication entity and the access terminal, and is used to establish a connection with the authenticated access terminal and provide service applications.

所述业务实体与鉴权实体通过N接口相连，和/或所述业务实体与访问端通过A接口相连。The service entity is connected to the authentication entity through the N interface, and/or the service entity is connected to the access terminal through the A interface.

所述签约信息存储器与鉴权实体通过H接口相连，和/或所述鉴权实体与访问端通过B接口相连。The subscription information storage is connected to the authentication entity through the H interface, and/or the authentication entity is connected to the access terminal through the B interface.

所述签约信息存储器为HSS，或为扩展的HSS，或为用于存储签约信息的数据库。The subscription information storage is an HSS, or an extended HSS, or a database for storing subscription information.

所述访问端为用户，或为应用服务器，或为以上二者的组合。The access terminal is a user, or an application server, or a combination of the above two.

本发明还提供了一种鉴权处理方法，该方法包含：The present invention also provides an authentication processing method, which includes:

A、访问端向鉴权实体发送携带有访问端标识的鉴权请求；鉴权实体收到鉴权请求后，请求签约信息存储器提供对应于访问端标识的鉴权信息；签约信息存储器根据访问端标识获取鉴权信息并提供给鉴权实体，鉴权实体根据收到的鉴权信息与访问端进行互鉴权。A. The access terminal sends an authentication request carrying the identifier of the access terminal to the authentication entity; after the authentication entity receives the authentication request, it requests the subscription information storage to provide authentication information corresponding to the identifier of the access terminal; The identification obtains the authentication information and provides it to the authentication entity, and the authentication entity performs mutual authentication with the access terminal according to the received authentication information.

步骤A中所述签约信息存储器根据访问端标识获取鉴权信息为：签约信息存储器根据访问端标识生成鉴权信息，或签约信息存储器根据访问端标识，查找与所述访问端标识相对应的鉴权信息。In step A, the subscription information storage acquires the authentication information according to the access terminal identification: the subscription information storage generates authentication information according to the access terminal identification, or the subscription information storage searches for the authentication information corresponding to the access terminal identification according to the access terminal identification. rights information.

步骤A中所述请求签约信息存储器提供对应于访问端标识的鉴权信息之前，进一步包括：鉴权实体根据访问端标识，判断当前发起鉴权请求的访问端是用户还是应用服务器，如果是用户，则请求用户签约信息存储器提供对应于用户标识的鉴权信息；如果是应用服务器，则请求应用服务器签约信息存储器提供对应于应用服务器标识的鉴权信息。Before requesting the subscription information storage in step A to provide the authentication information corresponding to the identifier of the access terminal, it further includes: the authentication entity judges whether the access terminal currently initiating the authentication request is a user or an application server according to the identifier of the access terminal. , then request the user subscription information storage to provide authentication information corresponding to the user ID; if it is an application server, request the application server subscription information storage to provide authentication information corresponding to the application server ID.

互鉴权成功，所述步骤A之后进一步包括：Mutual authentication succeeds, further include after step A:

B、鉴权实体为访问端分配会话事务标识。B. The authentication entity assigns a session transaction identifier to the access terminal.

所述步骤B之后进一步包括：访问端向业务实体发送携带有会话事务标识的连接请求，业务实体与访问端建立连接。After the step B, it further includes: the access terminal sends a connection request carrying a session transaction identifier to the service entity, and the service entity establishes a connection with the access terminal.

所述步骤A之前进一步包括：访问端向业务实体发送连接请求，业务实体收到连接请求后，判断访问端是否通过鉴权，如果是，则与访问端建立连接；否则，通知访问端到鉴权实体进行鉴权，然后执行步骤A。Before the step A, it further includes: the access terminal sends a connection request to the service entity, and after the service entity receives the connection request, it judges whether the access terminal passes the authentication, and if so, establishes a connection with the access terminal; otherwise, notifies the access terminal to the authentication The authority entity performs authentication, and then performs step A.

所述业务实体判断访问端是否通过鉴权为：业务实体判断收到的连接请求中是否携带有会话事务标识，如果是，则与访问端建立连接；否则，通知访问端到鉴权实体进行鉴权，然后执行步骤A。The business entity judges whether the access terminal is authenticated as follows: the business entity judges whether the received connection request carries a session transaction identifier, and if so, establishes a connection with the access terminal; otherwise, notifies the access terminal to authenticate to the authentication entity. right, and then perform step A.

所述业务实体与访问端建立连接之前，进一步包括：业务实体根据会话事务标识判断访问端是否通过鉴权，如果是，则与访问端建立连接；否则，拒绝与访问端建立连接。Before the service entity establishes a connection with the access terminal, it further includes: the service entity judges whether the access terminal has passed the authentication according to the session transaction identifier, and if so, establishes a connection with the access terminal; otherwise, refuses to establish a connection with the access terminal.

所述业务实体判断访问端是否通过鉴权为：业务实体判断会话事务标识是否合法，即业务实体首先判断是否存储有所述会话事务标识，如果是，则与访问端建立连接；否则，向鉴权实体查询所述会话事务标识的合法性，根据鉴权实体返回的结果确定所述会话事务标识的合法性。Whether the business entity judges whether the access terminal is authenticated is as follows: the business entity judges whether the session transaction identifier is legal, that is, the service entity first judges whether the session transaction identifier is stored, and if so, establishes a connection with the access terminal; The authorization entity queries the validity of the session transaction identifier, and determines the validity of the session transaction identifier according to the result returned by the authentication entity.

根据本发明提出的方案，既能够对用户也能够对AS进行鉴权，还可以同时对用户和AS进行鉴权，从而确保无论对用户还是AS，在使用业务实体提供的业务能力时，都是合法且经过授权的，以保证网络的可运营和可管理，确保正常业务的服务质量，使得运营商的利益不会受到损失，满足网络运营商更广泛的安全需求和业务需求，提供高度安全可靠的通信网络。According to the solution proposed by the present invention, both the user and the AS can be authenticated, and the user and the AS can also be authenticated at the same time, so as to ensure that no matter whether the user or the AS uses the service capabilities provided by the service entity, they are all Legal and authorized, to ensure the operability and manageability of the network, ensure the service quality of normal business, so that the interests of operators will not be lost, meet the wider security needs and business needs of network operators, and provide high security and reliability communication network.

附图说明Description of drawings

图1示出了IMS架构示意图；Figure 1 shows a schematic diagram of the IMS architecture;

图2示出了本发明中鉴权系统结构示意图；Fig. 2 shows a schematic structural diagram of the authentication system in the present invention;

图3示出了本发明中鉴权流程图。Fig. 3 shows a flow chart of authentication in the present invention.

具体实施方式Detailed ways

为使本发明的目的、技术方案和优点更加清楚，下面结合附图对本发明作进一步的详细描述。In order to make the object, technical solution and advantages of the present invention clearer, the present invention will be further described in detail below in conjunction with the accompanying drawings.

图2示出了本发明中鉴权系统结构示意图，如图2所示，鉴权系统包括鉴权实体、业务实体和签约信息存储器，其中，签约信息存储器用于存储访问端的签约信息，并向鉴权实体提供对应于访问端的鉴权信息；访问端用于向鉴权实体发起鉴权；鉴权实体用于根据签约信息存储器提供的鉴权信息，与访问端进行互鉴权；业务实体用于与通过鉴权的访问端建立连接，提供业务应用。各种业务应用均可通过以上所述的鉴权系统对访问端进行鉴权，业务实体即为能够提供各种业务应用的网络实体。签约信息存储器通过H接口与鉴权实体相连，鉴权实体通过B接口与访问端相连，鉴权实体通过N接口与业务实体相连，业务实体通过A接口与访问端相连。以上所述签约信息存储器、鉴权实体、业务实体、访问端之间还可通过IP网络相连。以上所述访问端可为用户或AS。以上所述签约信息存储器可为HSS、扩展的HSS、存储访问端签约信息的数据库或存储器等。扩展的HSS是对现有HSS进行扩展，由于现有的HSS中通常只存储有用户的签约信息，因此可对现有HSS进行扩展，使扩展后的HSS既能够存储用户的签约信息，也能够存储AS的签约信息。鉴权实体可为网络中的网关部件，用于对所连接的外网的各种功能实体实施鉴权过程。以上所述业务实体可为网络中提供不同业务应用的实体，如各种AS。Fig. 2 shows a schematic structural diagram of the authentication system in the present invention. As shown in Fig. 2, the authentication system includes an authentication entity, a service entity, and a subscription information storage, wherein the subscription information storage is used to store the subscription information of the access terminal, and to The authentication entity provides authentication information corresponding to the access terminal; the access terminal is used to initiate authentication to the authentication entity; the authentication entity is used to perform mutual authentication with the access terminal according to the authentication information provided by the subscription information storage; the service entity uses To establish a connection with the authenticated access terminal and provide business applications. Various business applications can authenticate the access terminal through the above-mentioned authentication system, and a business entity is a network entity that can provide various business applications. The subscription information storage is connected to the authentication entity through the H interface, the authentication entity is connected to the access terminal through the B interface, the authentication entity is connected to the service entity through the N interface, and the service entity is connected to the access terminal through the A interface. The above-mentioned subscription information storage, authentication entity, service entity, and access terminal can also be connected through an IP network. The access terminal mentioned above can be a user or an AS. The above-mentioned subscription information storage may be HSS, extended HSS, database or storage for storing access terminal subscription information, and the like. The extended HSS is an extension of the existing HSS. Since the existing HSS usually only stores the user's subscription information, the existing HSS can be extended so that the extended HSS can not only store the user's subscription information, but also Store the signing information of the AS. The authentication entity can be a gateway component in the network, and is used to implement the authentication process for various functional entities connected to the external network. The service entities mentioned above may be entities that provide different service applications in the network, such as various ASs.

图3示出了本发明中鉴权流程图，如图3所示，鉴权的实现过程包括以下步骤：Fig. 3 has shown authentication flowchart in the present invention, and as shown in Fig. 3, the realization process of authentication comprises the following steps:

步骤301～步骤302：访问端向业务实体发送连接请求，业务实体收到连接请求后，判断相应访问端是否通过鉴权，如果是，则执行步骤309；否则，执行步骤303。Steps 301 to 302: The access terminal sends a connection request to the service entity. After the service entity receives the connection request, it judges whether the corresponding access terminal has passed the authentication. If yes, executestep 309; otherwise, executestep 303.

如果访问端通过鉴权实体的鉴权，则鉴权实体会为访问端分配会话事务标识，因此，业务实体收到访问端发送的业务请求后，可通过判断该业务请求中是否携带有会话事务标识，来判断相应访问端是否通过鉴权，如果业务请求中没有携带会话事务标识，则业务实体确定相应访问端未通过鉴权；如果业务请求中携带有会话事务标识，则业务实体判断该会话事务标识是否合法，如果是，则业务实体确定相应访问端已通过鉴权，否则，业务实体确定相应访问端未通过鉴权。业务实体判断会话事务标识是否合法的过程可为：业务实体判断自身是否存储有相应会话事务标识，如果业务实体自身存储有相应会话事务标识，则确定相应会话事务标识合法；如果业务实体自身未存储相应会话事务标识，则向鉴权实体查询相应会话事务标识的合法性，根据鉴权实体返回的信息确定相应会话事务标识是否合法。If the access terminal passes the authentication of the authentication entity, the authentication entity will assign a session transaction identifier to the access terminal. Therefore, after the service entity receives the service request sent by the access terminal, it can judge whether the service request carries a session transaction ID to determine whether the corresponding access terminal has passed the authentication. If the service request does not carry the session transaction identifier, the business entity determines that the corresponding access terminal has not passed the authentication; if the service request carries the session transaction identifier, the service entity judges that the session Whether the transaction identifier is legal, if so, the business entity determines that the corresponding access terminal has passed the authentication, otherwise, the business entity determines that the corresponding access terminal has not passed the authentication. The process for the business entity to judge whether the session transaction ID is legal can be: the business entity judges whether it has stored the corresponding session transaction ID, and if the business entity itself stores the corresponding session transaction ID, then determines that the corresponding session transaction ID is legal; if the business entity itself does not store the corresponding session transaction ID. According to the corresponding session transaction identifier, query the legality of the corresponding session transaction identifier from the authentication entity, and determine whether the corresponding session transaction identifier is legal according to the information returned by the authentication entity.

访问端通过鉴权后，鉴权实体可向业务实体提供为相应访问端分配的会话事务标识，由业务实体进行存储；或业务实体中预先存储一些合法的会话事务标识。After the access terminal passes the authentication, the authentication entity can provide the service entity with the session transaction identifier assigned to the corresponding access terminal, which is stored by the service entity; or some legal session transaction identifiers are pre-stored in the service entity.

步骤303：业务实体通知相应访问端到鉴权实体进行鉴权。Step 303: The service entity notifies the corresponding access terminal to authenticate with the authentication entity.

步骤304～步骤307：访问端向鉴权实体发送携带有访问端标识的鉴权请求。鉴权实体收到鉴权请求后，请求签约信息存储器提供对应于访问端标识的鉴权信息；签约信息存储器根据访问端标识获取鉴权信息，如签约信息存储器根据访问端标识生成签约信息，或签约信息存储器查找与访问端标识相对应的鉴权信息，然后向鉴权实体提供该鉴权信息；鉴权实体收到鉴权信息后，根据该鉴权信息与访问端进行互鉴权。互鉴权成功后，鉴权实体为访问端分配会话事务标识。以上所述鉴权信息可为鉴权三元组、鉴权五元组等。Steps 304 to 307: the access terminal sends an authentication request carrying the access terminal identifier to the authentication entity. After the authentication entity receives the authentication request, it requests the subscription information storage to provide authentication information corresponding to the access terminal identifier; the subscription information storage obtains the authentication information according to the access terminal identifier, for example, the subscription information storage generates the subscription information according to the access terminal identifier, or The subscription information storage searches for the authentication information corresponding to the identifier of the access terminal, and then provides the authentication information to the authentication entity; after receiving the authentication information, the authentication entity performs mutual authentication with the access terminal according to the authentication information. After mutual authentication succeeds, the authentication entity assigns a session transaction identifier to the access terminal. The aforementioned authentication information may be an authentication triplet, an authentication quintuple, and the like.

另外，访问端和鉴权实体的互鉴权成功后，鉴权实体可生成密钥，并向访问端提供该密钥，在后续访问端与业务实体之间进行通信的过程中，可通过该密钥或由该密钥衍生的密钥对通信内容进行保护。如果密钥具有使用期限，则在密钥即将过期时，访问端重新向鉴权实体发起鉴权，或业务实体通知访问端重新与鉴权实体进行互鉴权。In addition, after the mutual authentication between the access terminal and the authentication entity is successful, the authentication entity can generate a key and provide the key to the access terminal. During the subsequent communication between the access terminal and the service entity, the The key or a key derived from the key protects the content of the communication. If the key has a validity period, when the key is about to expire, the access terminal initiates authentication to the authentication entity again, or the service entity notifies the access terminal to perform mutual authentication with the authentication entity again.

步骤308～步骤309：访问端向业务实体发送携带有会话事务标识的连接请求，业务实体根据会话事务标识判断访问端是否通过鉴权，如果是，则执行步骤310；否则，执行步骤311。Steps 308 to 309: the access terminal sends a connection request carrying a session transaction identifier to the service entity, and the service entity judges whether the access terminal has passed the authentication according to the session transaction identifier, and if so, executesstep 310; otherwise, executesstep 311.

业务实体可通过判断会话事务标识是否合法来判断相应访问端是否通过鉴权，如果是，则业务实体确定相应访问端已通过鉴权，否则，业务实体确定相应访问端未通过鉴权。业务实体判断会话事务标识是否合法的过程可为：业务实体判断自身是否存储有相应会话事务标识，如果业务实体自身存储有相应会话事务标识，则确定相应会话事务标识合法；如果业务实体自身未存储相应会话事务标识，则向鉴权实体查询相应会话事务标识的合法性，根据鉴权实体返回的信息确定相应会话事务标识是否合法。The business entity can determine whether the corresponding access terminal has passed the authentication by judging whether the session transaction identifier is legal. If so, the business entity determines that the corresponding access terminal has passed the authentication; otherwise, the business entity determines that the corresponding access terminal has not passed the authentication. The process for the business entity to judge whether the session transaction ID is legal can be: the business entity judges whether it has stored the corresponding session transaction ID, and if the business entity itself stores the corresponding session transaction ID, then determines that the corresponding session transaction ID is legal; if the business entity itself does not store the corresponding session transaction ID. According to the corresponding session transaction identifier, query the legality of the corresponding session transaction identifier from the authentication entity, and determine whether the corresponding session transaction identifier is legal according to the information returned by the authentication entity.

步骤310：业务实体与相应访问端建立连接，进行通信。Step 310: The service entity establishes a connection with the corresponding access terminal to communicate.

步骤311：业务实体拒绝与相应访问端建立连接。此时，访问端可再次向鉴权实体发起鉴权，由步骤304开始。Step 311: The service entity refuses to establish a connection with the corresponding access terminal. At this time, the access terminal can initiate authentication to the authentication entity again, and the procedure starts fromstep 304 .

如果访问端在向业务实体发送连接请求之前，直接向鉴权实体发起鉴权，则鉴权流程可从步骤304开始。If the access terminal directly initiates authentication to the authentication entity before sending the connection request to the service entity, the authentication process may start fromstep 304 .

下面分别以用户和AS的鉴权过程对本发明的实现过程作进一步描述。The implementation process of the present invention will be further described below with the authentication process of the user and the AS respectively.

用户需要使用业务时，如果用户能够确定使用相应业务之前需要与鉴权实体进行互鉴权，则向鉴权实体发送携带有用户标识的鉴权请求；如果用户不能确定使用相应业务之前需要与鉴权实体进行互鉴权，则可向鉴权实体发送携带有用户标识的鉴权请求，也可向业务实体发送连接请求，业务实体收到连接请求后，确定相应用户未通过鉴权，通知相应用户到鉴权实体进行鉴权，然后相应用户向鉴权实体发送携带有用户标识的鉴权请求。以上所述的用户标识可为用户永久身份标识(IMPI)，IMPI可直接存储于用户使用的终端，也可通过对国际移动签约用户标识(IMSI，International MobileSubscriber Identity)进行转换获得。When the user needs to use the service, if the user can determine that mutual authentication with the authentication entity is required before using the corresponding service, an authentication request carrying the user ID will be sent to the authentication entity; If the authorization entity performs mutual authentication, it can send an authentication request carrying the user ID to the authentication entity, or send a connection request to the service entity. After receiving the connection request, the service entity determines that the corresponding user has not passed the authentication and notifies the corresponding The user goes to the authentication entity for authentication, and then the corresponding user sends an authentication request carrying the user ID to the authentication entity. The above-mentioned user identity can be the permanent identity of the user (IMPI), and the IMPI can be directly stored in the terminal used by the user, or can be obtained by converting the International Mobile Subscriber Identity (IMSI).

鉴权实体收到鉴权请求后，请求存储用户签约信息的HSS、或数据库、或存储器等提供对应于用户标识的鉴权信息；存储用户签约信息的HSS、或数据库、或存储器等获取鉴权信息，然后向鉴权实体提供该鉴权信息；鉴权实体收到鉴权信息后，根据该鉴权信息与用户进行互鉴权。互鉴权成功后，鉴权实体为用户分配会话事务标识。After the authentication entity receives the authentication request, it requests the HSS, or database, or storage, which stores the user subscription information, to provide authentication information corresponding to the user ID; the HSS, or database, or storage, which stores the user subscription information, obtains the authentication information. information, and then provide the authentication information to the authentication entity; after the authentication entity receives the authentication information, it performs mutual authentication with the user according to the authentication information. After mutual authentication succeeds, the authentication entity assigns a session transaction identifier to the user.

用户和鉴权实体的互鉴权成功后，鉴权实体可生成密钥，并向用户提供该密钥，在后续用户与业务实体之间进行通信的过程中，可通过该密钥或由该密钥衍生的密钥对通信内容进行保护。After the mutual authentication between the user and the authentication entity is successful, the authentication entity can generate a key and provide the key to the user. In the subsequent communication process between the user and the business entity, the key can be passed or the The key derived from the key protects the content of the communication.

用户与鉴权实体互鉴权成功后，向业务实体发送携带有会话事务标识的连接请求，业务实体可进一步根据会话事务标识判断用户是否通过鉴权，如果是，则业务实体与相应用户建立连接，进行通信；否则，业务实体拒绝与相应用户建立连接。此时，用户可再次向鉴权实体发起鉴权。After the mutual authentication between the user and the authentication entity is successful, the connection request carrying the session transaction identifier is sent to the service entity, and the service entity can further judge whether the user has passed the authentication according to the session transaction identifier. If yes, the service entity establishes a connection with the corresponding user , to communicate; otherwise, the business entity refuses to establish a connection with the corresponding user. At this point, the user can initiate authentication to the authentication entity again.

AS需要访问业务实体时，如AS需要访问其他AS，如果AS能够确定访问业务实体之前需要与鉴权实体进行互鉴权，则向鉴权实体发送携带有AS标识的鉴权请求；如果AS不能确定使用相应业务之前需要与鉴权实体进行互鉴权，则可向鉴权实体发送携带有用户标识的鉴权请求，也可向业务实体发送连接请求，业务实体收到连接请求后，确定相应AS未通过鉴权，通知相应AS到鉴权实体进行鉴权，然后相应AS向鉴权实体发送携带有AS标识的鉴权请求。When the AS needs to visit the service entity, for example, the AS needs to visit other ASs, if the AS can determine that mutual authentication with the authentication entity is required before visiting the service entity, it will send an authentication request carrying the AS identity to the authentication entity; if the AS cannot If it is determined that mutual authentication with the authentication entity is required before using the corresponding service, an authentication request carrying a user ID can be sent to the authentication entity, or a connection request can be sent to the service entity. After receiving the connection request, the service entity determines the corresponding If the AS fails the authentication, it notifies the corresponding AS to the authentication entity for authentication, and then the corresponding AS sends an authentication request carrying the AS identity to the authentication entity.

每个AS的应用/业务标识是其所属运营商网络分配的，因此，可认为应用/业务标识就是其对应的AS的永久标识，将应用/业务标识作为AS标识；但是，随着网络的不断发展，应用/业务标识也可能会在使用过程中被伪冒和篡改，因此，运营商也可通过为每个AS指定设备标识的方法来唯一标识相应AS的身份，设备标识与AS一一对应，在一个运营商网络中能够保证其唯一性，即使不同运营商网络中的AS，也可以通过增加运营商网络标识确保其唯一性，这样，也可将对应于相应AS的设备标识作为AS标识，该设备标识可进一步包括运营商网络标识。另外，还可将应用/业务标识和设备标识的组合作为AS标识。The application/service ID of each AS is assigned by the operator network to which it belongs. Therefore, it can be considered that the application/service ID is the permanent ID of its corresponding AS, and the application/service ID is used as the AS ID; however, as the network continues to With the development, the application/service identifier may also be counterfeited and tampered during use. Therefore, the operator can also uniquely identify the identity of the corresponding AS by specifying a device identifier for each AS. The device identifier corresponds to the AS one by one. , its uniqueness can be guaranteed in an operator network. Even ASs in different operator networks can ensure their uniqueness by adding operator network identifiers. In this way, the device identifier corresponding to the corresponding AS can also be used as the AS identifier , the device identifier may further include an operator network identifier. In addition, the combination of the application/service identifier and the device identifier can also be used as the AS identifier.

AS和鉴权实体的互鉴权成功后，鉴权实体可生成密钥，并向AS提供该密钥，在后续AS与业务实体之间进行通信的过程中，可通过该密钥或由该密钥衍生的密钥对通信内容进行保护。After the mutual authentication between the AS and the authentication entity is successful, the authentication entity can generate a key and provide the key to the AS. During the subsequent communication between the AS and the service entity, the key can be passed or the The key derived from the key protects the content of the communication.

鉴权实体收到鉴权请求后，请求存储AS签约信息的HSS、或增强HSS、或数据库、或存储器等提供对应于AS标识的鉴权信息；存储AS签约信息的HSS、或增强HSS、或数据库、或存储器等获取鉴权信息，然后向鉴权实体提供该鉴权信息；鉴权实体收到鉴权信息后，根据该鉴权信息与AS进行互鉴权。互鉴权成功后，鉴权实体为AS分配会话事务标识。After receiving the authentication request, the authentication entity requests the HSS, or enhanced HSS, or database, or storage, which stores AS subscription information, to provide authentication information corresponding to the AS identity; the HSS, or enhanced HSS, or The database or memory obtains the authentication information, and then provides the authentication information to the authentication entity; after receiving the authentication information, the authentication entity performs mutual authentication with the AS according to the authentication information. After mutual authentication succeeds, the authentication entity assigns a session transaction identifier to the AS.

AS与鉴权实体互鉴权成功后，向业务实体发送携带有会话事务标识的连接请求，业务实体可进一步根据会话事务标识判断AS是否通过鉴权，如果是，则业务实体与相应AS建立连接，进行通信；否则，业务实体拒绝与相应AS建立连接。此时，AS可再次向鉴权实体发起鉴权。After the mutual authentication between the AS and the authentication entity is successful, it sends a connection request carrying the session transaction identifier to the service entity. The service entity can further judge whether the AS has passed the authentication according to the session transaction identifier. If so, the service entity establishes a connection with the corresponding AS , to communicate; otherwise, the service entity refuses to establish a connection with the corresponding AS. At this point, the AS can initiate authentication to the authentication entity again.

本发明中，鉴权实体既能够完成与用户的互鉴权过程，也能够完成与AS的互鉴权过程，因此，如果用户和AS的签约信息存储于不同的签约信息存储器，如用户的签约信息存储于用户签约信息存储器，如HSS，AS的签约信息存储于AS签约信息存储器，如扩展的HSS，这样，鉴权实体收到鉴权请求后，首先需要根据鉴权请求中携带的标识，判断当前发起鉴权的是用户还是AS，如果为用户，则请求用户签约信息存储器提供相应用户的鉴权信息；如果为AS，则请求AS签约信息存储器提供相应AS的鉴权信息。In the present invention, the authentication entity can not only complete the mutual authentication process with the user, but also complete the mutual authentication process with the AS. Therefore, if the subscription information of the user and the AS is stored in different subscription information storages, such as the subscription The information is stored in the user subscription information storage, such as HSS, and the AS subscription information is stored in the AS subscription information storage, such as the extended HSS. In this way, after receiving the authentication request, the authentication entity first needs to, according to the identity carried in the authentication request, Judging whether it is the user or the AS that currently initiates the authentication, if it is the user, then request the user subscription information storage to provide the authentication information of the corresponding user; if it is the AS, then request the AS subscription information storage to provide the authentication information of the corresponding AS.

由于AS和用户相比，各自均有各自的特点，如AS相对是静态配置的，而用户则具有漫游和可移动的特性，因此，在具体处理鉴权的过程中，会存在一些差异，因此也需要鉴权实体对当前发起鉴权的是用户还是AS进行判断。Compared with users, ASs have their own characteristics. For example, ASs are relatively statically configured, while users are roaming and mobile. Therefore, there will be some differences in the specific process of authentication. Therefore, It is also necessary for the authentication entity to judge whether it is the user or the AS that currently initiates the authentication.

如果AS标识与用户标识的组成格式是相同或基本相同的，如应用/业务标识或设备标识与IMPI的组成格式是相同的，则鉴权实体只要能够识别类似应用/业务标识、或设备标识、或IMPI这种组成格式即可。如果AS标识与用户标识的组成格式是不同的，则鉴权实体必须能够识别IMPI的组成格式，以及应用/业务标识或设备标识的组成格式。If the composition format of the AS identity and the user identity is the same or basically the same, for example, the composition format of the application/service identity or device identity is the same as that of the IMPI, the authentication entity only needs to be able to identify similar application/service identity or device identity, Or the composition format of IMPI is enough. If the composition format of the AS identity and the user identity are different, the authentication entity must be able to recognize the composition format of the IMPI and the composition format of the application/service identity or equipment identity.

以上所述访问端与鉴权实体的互鉴权过程与现有中的鉴权方式相同，因此本发明中不再赘述。The above-mentioned mutual authentication process between the access terminal and the authentication entity is the same as the existing authentication method, so it will not be repeated in the present invention.

总之，以上所述仅为本发明的较佳实施例而已，并非用于限定本发明的保护范围。In a word, the above descriptions are only preferred embodiments of the present invention, and are not intended to limit the protection scope of the present invention.

Claims (15)

1, a kind of right discriminating system is characterized in that, this system comprises:

The CAMEL-Subscription-Information memory links to each other with authentication entity, is used for the CAMEL-Subscription-Information of memory access end, and provides authentication information corresponding to access end to authentication entity;

Access end links to each other with authentication entity, is used for initiating authentication to authentication entity;

Authentication entity links to each other with access end with the CAMEL-Subscription-Information memory respectively, and the authentication information that provides according to the CAMEL-Subscription-Information memory is provided, and carries out mutual authentication with access end.

2, system according to claim 1 is characterized in that, this system further comprises: Business Entity, link to each other with access end with authentication entity respectively, and be used for connecting with access end by authentication, service application is provided.

3, system according to claim 2 is characterized in that, described Business Entity links to each other by the N interface with authentication entity, and/or described Business Entity links to each other by the A interface with access end.

4, method according to claim 1 is characterized in that, described CAMEL-Subscription-Information memory links to each other by H interface with authentication entity, and/or described authentication entity links to each other by B interface with access end.

According to the arbitrary described system of claim 1 to 4, it is characterized in that 5, described CAMEL-Subscription-Information memory is HSS, or the HSS for expanding, or for being used to store the database of CAMEL-Subscription-Information.

According to the arbitrary described system of claim 1 to 4, it is characterized in that 6, described access end is the user, or be application server, or be above the two combination.

7, a kind of authentication processing method is characterized in that, this method comprises:

A, access end send the authentication request that carries the access end sign to authentication entity; After authentication entity was received authentication request, request CAMEL-Subscription-Information memory provided the authentication information corresponding to the access end sign; The CAMEL-Subscription-Information memory obtains authentication information and offers authentication entity according to the access end sign, and authentication entity carries out mutual authentication according to authentication information and the access end received.

8, method according to claim 7, it is characterized in that, the memory of CAMEL-Subscription-Information described in the steps A obtains authentication information according to the access end sign: the CAMEL-Subscription-Information memory generates authentication information according to the access end sign, or the CAMEL-Subscription-Information memory identifies according to access end, searches with described access end and identifies corresponding authentication information.

9, method according to claim 7, it is characterized in that, the CAMEL-Subscription-Information of request described in steps A memory provides before the authentication information that identifies corresponding to access end, further comprise: authentication entity identifies according to access end, the access end of judging current initiation authentication request is user or application server, if the user, then ask the user signing contract information memory that authentication information corresponding to user ID is provided; If application server, then ask application server CAMEL-Subscription-Information memory that authentication information corresponding to application server identifier is provided.

10, method according to claim 7 is characterized in that, authentication success mutually further comprises after the described steps A:

B, authentication entity are access end assign sessions Transaction Identifier.

11, method according to claim 10 is characterized in that, further comprises after the described step B: access end sends the connection request that carries conversation affair mark to Business Entity, and Business Entity and access end connect.

12, method according to claim 7 is characterized in that, further comprise before the described steps A: access end sends connection request to Business Entity, after Business Entity is received connection request, judge that whether access end is by authentication, if then connect with access end; Otherwise the notice access end carries out authentication to authentication entity, then execution in step A.

13, method according to claim 12 is characterized in that, described Business Entity judges that whether access end by authentication is: Business Entity judges in the connection request of receiving whether carry conversation affair mark, if then connect with access end; Otherwise the notice access end carries out authentication to authentication entity, then execution in step A.

14, according to claim 11 or 13 described methods, it is characterized in that, before described Business Entity and access end connect, further comprise: Business Entity judges according to conversation affair mark whether access end passes through authentication, if then connect with access end; Otherwise refusal connects with access end.

15, method according to claim 14, it is characterized in that, described Business Entity judges that whether access end by authentication is: Business Entity judges whether conversation affair mark is legal, be that Business Entity at first judges whether to store described conversation affair mark, if then connect with access end; Otherwise, the legitimacy of inquiring about described conversation affair mark to authentication entity, the result who returns according to authentication entity determines the legitimacy of described conversation affair mark.

Images