CN101005701A - Connection set-up method - Google Patents

Connection set-up method

Info

Publication number: CN101005701A
Authority: CN (China)
Prior art keywords: naf, type, request message, authentication, type information
Legal status: Granted
Application number: CNA200610057098XA
Other languages: Chinese (zh)
Other versions: CN100479570C (en)
Inventor: 杨艳梅
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CNB200610057098XA
Publication of CN101005701A
Application granted
Publication of CN100479570C
Legal status: Active

Landscapes

  • Mobile Radio Communication Systems (AREA)
Abstract

The invention discloses two methods. In the first, the UE sends the NAF a message carrying the type of authentication key the UE uses; if the NAF finds that the UE's authentication key type does not meet its own requirement, it refuses to set up a connection with the UE. In the second, the NAF actively sends the UE the authentication key types it supports; if the UE finds that its own authentication key type is not among those supported by the NAF, it refuses to set up a connection with the NAF.

Description

Connection set-up method
Technical field
The present invention relates to the field of terminal access technology, and in particular to a connection set-up method applied under the Generic Authentication Architecture.
Background art
In the third-generation wireless communication standards, the Generic Authentication Architecture (GAA) is a subscriber authentication structure shared by multiple application services; the application service may be a multicast/broadcast service, a user certificate service, an instant information service and so on, or a proxy service.
Fig. 1 is a schematic diagram of the GAA structure. As shown in Fig. 1, GAA consists of the user equipment (UE) 101, the Bootstrapping Server Function (BSF) 102, which performs the initial check of the user identity, the Home Subscriber Server (HSS) 103 and the Network Application Function (NAF) 104. The BSF 102 performs mutual identity verification with the UE 101 and at the same time generates a key shared between the BSF 102 and the UE 101. The HSS 103 stores the profile describing the subscriber information and also has the function of producing authentication information. The interfaces between the entities are as shown in Fig. 1.
Fig. 2 is the flow chart of the existing connection set-up procedure under GAA. As shown in Fig. 2, the specific steps are as follows:
Step 201: The UE decides to access a certain NAF.
Step 202: The UE judges whether it has stored information indicating that this NAF requires authentication by GAA; if so, go to step 205; otherwise, go to step 203.
Step 203: The UE sends a connection request message to the NAF.
Step 204: After receiving the connection request message, the NAF returns a response message to the UE carrying an indication that the UE must perform the GAA authentication procedure with the BSF.
Step 205: The UE and the BSF perform the GAA authentication and key agreement procedure; the authentication succeeds and a shared key Ks is generated between the UE and the BSF.
The UE and the BSF use this Ks to derive the NAF-specific key (NAF Specific Key) with which the UE and the NAF communicate securely.
Because the attributes of the subscriber identity module (SIM) cards used by different UEs differ, the GAA authentication and key agreement procedure performed between the UE and the BSF also differs, and so do the types of the generated Ks and NAF-specific key. Specifically, if the UE uses a 2G SIM card, the UE and the BSF run the 2G Generic Bootstrapping Architecture (GBA) procedure and generate a 2G Ks_NAF; if the UE uses a 3G Universal Integrated Circuit Card (UICC) that supports GBA, the UE and the BSF run the GBA_U procedure and generate a 3G Ks_int_NAF used on the UICC and a 3G Ks_ext_NAF used on the mobile equipment (ME); if the UE uses a 3G UICC that does not support GBA, the UE and the BSF run the GBA procedure and generate a 3G Ks_NAF used on the ME.
Step 206: The UE sends the NAF an application request message carrying the bootstrapping transaction identifier (B-TID).
Step 207: After receiving the application request message, the NAF sends the BSF a key request message carrying the B-TID.
Step 208: After receiving the key request message, the BSF finds the corresponding Ks according to the B-TID, calculates the NAF-specific key from Ks, and returns the NAF-specific key together with information on the GAA authentication key type used by the UE to the NAF in a key response message.
The GAA authentication key type used by the UE may be any one or a combination of: a 2G GBA key, a key produced by GBA_U and used on the UICC, or a key produced by GBA or GBA_U and used on the ME.
Step 209: After receiving the key response message, the NAF uses the GAA authentication key type information carried in it to judge whether the authentication key type used by the UE meets its own requirement; if so, it returns a connection set-up message to the UE; otherwise, it rejects the UE's connection request.
In practice, some NAFs do not allow UEs that use 2G GBA to access them. It can be seen from the above procedure that when a NAF does not support 2G GBA, a UE using 2G GBA does not know this and still initiates a connection request to the NAF; and because the UE does not tell the NAF that it uses 2G GBA when initiating the request, the NAF can only find out afterwards by querying the BSF whether the UE uses 2G GBA, and if the BSF returns a confirming indication the NAF returns a connection rejection message to the UE. In addition, a UE that legitimately uses 2G GBA but has not yet produced the Ks needed for the NAF-specific key when it initiates the connection request to the NAF must first perform a GAA authentication and key agreement procedure with the BSF to obtain Ks. Clearly these signalling exchanges waste the resources of the Ua and Zn interfaces and of the UE and the BSF. In particular, since a large number of 2G subscribers exist now and will continue to exist for a long time, these subscribers may send a large number of connection requests to NAFs that do not support 2G GBA; for every such request the NAF sends a query to the BSF, and the BSF performs a Ks lookup and a NAF-specific key calculation, which undoubtedly wastes a great deal of system resources.
Summary of the invention
In view of this, the main object of the present invention is to provide a connection set-up method so that, when the authentication key type used by the UE does not meet the NAF's requirement, the NAF can terminate the connection with the UE in time and reduce the waste of system resources.
To achieve this object, the technical scheme of the present invention is realised as follows:
A connection set-up method, comprising:
A. the UE sends the NAF a request message carrying information on the authentication key type the UE uses;
B. after receiving the request message, the NAF judges whether the authentication key type used by the UE meets the NAF's requirement; if so, it carries out the subsequent connection set-up procedure with the UE; otherwise, it rejects the UE's connection request and the procedure ends.
The authentication key type information used by the UE in step A is obtained by the following steps: the client on the UE sends the UICC or SIM a command for obtaining the files associated with UICC applications, and then determines the authentication key type used by the UE from the command status indication and the application-file contents returned by the UICC or SIM.
When the authentication key type used by the UE is 2G GBA, the authentication key type information used by the UE comprises: information on where the authentication key used by the UE is applied and the version of the 2G authentication key used by the UE.
The request message of step A is a connection request message, and before step A the method further comprises: the UE judges whether it has stored information that the NAF requires authentication by GAA; if so, it carries out the subsequent connection set-up procedure with the NAF; otherwise, it performs step A.
The UE and the NAF use HTTP Digest authentication, and the authentication key type information used by the UE is carried in the User-Agent header of the connection request message.
The authentication key type information used by the UE is carried in a request header or entity header of the connection request message.
The request message of step A is an application request message, and before step A the method further comprises: the UE and the BSF perform the authentication and key agreement procedure, and after the authentication succeeds and the key is obtained, proceed to step A.
The UE and the NAF use Hypertext Transfer Protocol (HTTP) Digest authentication, and the authentication key type information used by the UE is carried in the User-Agent header of the application request message,
or the authentication key type information used by the UE is carried in the realm parameter of the application request message,
or the authentication key type information used by the UE is carried in a request header or entity header of the application request message.
The UE and the NAF use pre-shared key Transport Layer Security (PSK TLS) authentication, the application request message is a ClientKeyExchange message, and the authentication key type information used by the UE is carried in the pre-shared key identity hint (psk_identity_hint) parameter of the ClientKeyExchange message.
After the UE and the BSF perform the authentication and key agreement procedure, the method further comprises: generating a bootstrapping transaction identifier (B-TID) used to indicate the authentication key type used by the UE,
and the UE sending the NAF the request message carrying the authentication key type information it uses in step A comprises: the UE carries the B-TID indicating the authentication key type it uses in the application request message sent to the NAF.
After the UE and the BSF perform the authentication and key agreement procedure, the method further comprises: generating a B-TID used to indicate the authentication key type used by the UE,
and the authentication key type information used by the UE in step A is obtained by the following step:
the client on the UE reads the value of the B-TID and determines the authentication key type used by the UE by detecting the identifier representing the authentication key type contained in the B-TID.
Before the UE and the BSF perform the authentication and key agreement procedure, the method further comprises:
the UE judges whether it has stored information that the NAF requires authentication by GAA; if so, it performs the authentication and key agreement procedure with the BSF; otherwise, it sends the NAF a connection request message carrying the authentication key type information it uses; after receiving the connection request message, the NAF judges whether the authentication key type used by the UE meets its own requirement; if it does, the NAF notifies the UE to authenticate using GAA, after which the UE and the BSF perform the authentication and key agreement procedure; if it does not, the NAF rejects the UE's connection request and the procedure ends.
Before the UE and the BSF perform the authentication and key agreement procedure, the method further comprises:
the UE judges whether it has stored information that the NAF requires authentication by GAA; if so, it performs the authentication and key agreement procedure with the BSF; otherwise, it sends a connection request message to the NAF; after receiving the connection request message, the NAF returns to the UE a connection response message carrying an indication that authentication by GAA is required and the authentication key type information the NAF supports; after receiving the connection response message, the UE judges whether the authentication key type it uses is consistent with the authentication key types the NAF supports; if consistent, it performs the authentication and key agreement procedure with the BSF; if inconsistent, the procedure ends.
The NAF judging in step B whether the authentication key type used by the UE meets its own requirement is: the NAF judges whether the authentication key type used by the UE is not a 2G GBA key.
A connection set-up method, comprising:
the NAF sends the UE the authentication key type information it supports; after receiving the authentication key type information supported by the NAF, the UE judges whether the authentication key type it uses is consistent with the authentication key types the NAF supports; if so, it carries out the subsequent connection set-up procedure with the NAF; otherwise, the procedure ends.
The UE and the NAF use HTTP Digest authentication,
and the NAF sending the UE the authentication key type information it supports comprises: the NAF carries the authentication key type information it supports in the realm parameter of a 401 Unauthorized response message sent to the UE.
The UE and the NAF use PSK TLS authentication,
and the NAF sending the UE the authentication key type information it supports comprises: the NAF carries the authentication key type information it supports in the psk_identity_hint parameter of a ServerKeyExchange message sent to the UE.
The NAF sending the UE the authentication key type information it supports comprises: after receiving the connection request message sent by the UE, the NAF carries the authentication key type information it supports in a response header or entity header of the connection response message sent to the UE.
The UE judging whether the authentication key type it uses is consistent with the authentication key types the NAF supports is: the UE judges whether the NAF supports 2G GBA.
Before the UE judges whether the authentication key type it uses is consistent with the authentication key types the NAF supports, the method further comprises:
the client on the UE reads the value of the B-TID and determines the authentication key type used by the UE by detecting the identifier representing the authentication key type contained in the B-TID.
The UE carrying out the subsequent connection set-up procedure with the NAF comprises:
the UE and the BSF perform the authentication and key agreement procedure; when the procedure finishes, a B-TID indicating the authentication key type selected by the UE is generated; the UE carries this B-TID in the application request message sent to the NAF; after receiving the application request message, the NAF judges whether the authentication key type selected by the UE meets its own requirement; if so, it sends the BSF a key request message carrying the B-TID; otherwise, it rejects the UE's connection request and the procedure ends.
Compared with the prior art, in one of the methods provided by the present invention the UE actively sends the NAF the authentication key type information it uses, and if the NAF detects that the authentication key type used by the UE does not meet its requirement, it refuses to set up a connection with the UE; in the other, the NAF actively sends the UE the authentication key type information it supports, and if the UE detects that the authentication key type it uses is inconsistent with the authentication key types the NAF supports, it does not set up a connection with the NAF. The present invention avoids the key-related message exchange, and the BSF's lookup of the shared key and calculation of the NAF-specific key, that would otherwise be carried out when the authentication key type used by the UE does not meet the NAF's requirement, and so reduces the waste of system resources. In particular, the UE can send the authentication key type information it uses in the connection request that asks the NAF to indicate whether authentication by GAA is required; it can also carry the authentication key type information it uses in the application request message sent to the NAF after the authentication procedure has completed; and the NAF, on receiving the connection request from the UE asking it to indicate whether authentication by GAA is required, can actively return the authentication key type information it supports to the UE.
Brief description of the drawings
Fig. 1 is a schematic diagram of the GAA structure;
Fig. 2 is the flow chart of the existing connection set-up procedure under GAA;
Fig. 3 is the flow chart of the first specific embodiment of the first connection set-up method under GAA provided by the present invention;
Fig. 4 is the flow chart of the second specific embodiment of the first connection set-up method under GAA provided by the present invention;
Fig. 5 is the flow chart of the specific embodiment of the second connection set-up method under GAA provided by the present invention.
Detailed description
The present invention is described in further detail below with reference to the drawings and specific embodiments.
The present invention provides two connection set-up methods. The core idea of the first is: the UE actively notifies the NAF of the GAA authentication key type it uses, and if the NAF then detects that the GAA authentication key type used by the UE does not meet its own requirement, it refuses to set up a connection with the UE. The core idea of the second is: the NAF actively notifies the UE of the GAA authentication key types it supports, and if the UE detects that the GAA authentication key type it uses does not meet the NAF's requirement, it does not set up a connection with the NAF.
Fig. 3 is the flow chart of the first specific embodiment of the first connection set-up method under GAA provided by the present invention. In this embodiment, after judging that it has not stored information that the NAF requires authentication by GAA, the UE carries the GAA authentication key type information it uses in the connection request message it sends to the NAF asking the NAF to indicate whether authentication by GAA is required. As shown in Fig. 3, the specific steps are as follows:
Step 301: The UE decides to access a certain NAF.
Step 302: The UE judges whether it has stored information that this NAF requires authentication by GAA; if so, go to step 306; otherwise, go to step 303.
Step 303: The UE sends the NAF a connection request message carrying the GAA authentication key type information it uses.
Here, before sending the connection request message, the client on the UE needs to obtain the GAA authentication key type information the UE uses. In particular, if the connection the UE sets up with the NAF is a Secure Hypertext Transfer Protocol (HTTPS) connection, only the HTTPS client needs to learn the authentication key type the UE uses. The specific way may be:
Mode one: the client on the UE sends the UICC or SIM a UICC command requesting to read the EF_DIR file under the MF, which stores the UICC application identifiers (AIDs). If it then receives a status indicating an error, or receives only a SIM application identifier, it judges that the UE uses a 2G GBA key; if it receives both a SIM application identifier and an IP Multimedia Subsystem subscriber identity module (ISIM) application identifier, or both a SIM application identifier and a Universal Subscriber Identity Module (USIM) application identifier, it judges that the UE does not use a 2G GBA key.
Mode two: the client on the UE sends the UICC or SIM a command requesting the ADF files of the USIM application and the ISIM application. If it receives a status indicating an error or indicating that neither ADF file exists, it judges that the UE uses a 2G GBA key; if it receives information on either ADF file, it judges that the UE does not use a 2G GBA key.
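As an added illustration of mode one above (example code written for this page, not code from the patent or from any card or handset implementation), the functions below classify the card from the result of reading EF_DIR. The APDU exchange with the card (SELECT EF_DIR, READ RECORD) is assumed to have already happened: the caller passes the status word and the EF_DIR records returned. EF_DIR records are TLV application templates (tag 0x61) that carry an AID (tag 0x4F); the AID prefixes used here are the registered 3GPP values (RID A0 00 00 00 87 with PIX 10 02 for USIM and 10 04 for ISIM), 0x6A82 is the ISO 7816 "file not found" status, and the sample records are constructed, not read from a real card.

```python
# Added example: decide the GBA key type from an EF_DIR read (the patent's "mode one").
# Not code from the patent; the card I/O is assumed done by the caller, which passes
# the status word and the raw EF_DIR records.

USIM_AID_PREFIX = bytes.fromhex("A0000000871002")   # 3GPP RID + PIX for USIM
ISIM_AID_PREFIX = bytes.fromhex("A0000000871004")   # 3GPP RID + PIX for ISIM

SW_OK = 0x9000
SW_FILE_NOT_FOUND = 0x6A82   # e.g. a 2G SIM that has no EF_DIR under the MF


def _tlvs(buf):
    """Yield (tag, value) from a one-byte-tag / one-byte-length TLV buffer.
    EF_DIR records are padded with 0xFF, which terminates the parse."""
    i = 0
    while i + 2 <= len(buf):
        tag, length = buf[i], buf[i + 1]
        if tag == 0xFF:
            break
        yield tag, bytes(buf[i + 2:i + 2 + length])
        i += 2 + length


def parse_ef_dir(records):
    """Return the AIDs found in the application templates of EF_DIR."""
    aids = []
    for rec in records:
        for tag, template in _tlvs(rec):
            if tag != 0x61:          # not an application template
                continue
            for t, v in _tlvs(template):
                if t == 0x4F:
                    aids.append(v)
    return aids


def gba_key_type(status_word, records):
    """"2G" when the card can only run 2G GBA, "3G" when a USIM or ISIM is present.

    An error status (EF_DIR missing) and an EF_DIR without a USIM/ISIM AID both
    mean the UE must use a 2G GBA key, and the NAF can be told so before any
    bootstrapping run and BSF query are wasted on it.
    """
    if status_word != SW_OK:
        return "2G"
    for aid in parse_ef_dir(records):
        if aid.startswith(USIM_AID_PREFIX) or aid.startswith(ISIM_AID_PREFIX):
            return "3G"
    return "2G"


# Constructed sample records (not from a real card):
# 61 18 | 4F 10 <16-byte USIM AID> | 50 04 "USIM" | FF FF FF padding
SAMPLE_USIM_RECORD = bytes.fromhex(
    "6118" "4F10" "A0000000871002FFFFFFFF8907090000" "5004" "5553494D" "FFFFFF")
# 61 0A | 4F 08 <AID of a non-3GPP application> | FF FF: a card with only this is 2G for GBA purposes
SAMPLE_OTHER_RECORD = bytes.fromhex("610A" "4F08" "A000000003000000" "FFFF")

if __name__ == "__main__":
    print(gba_key_type(SW_FILE_NOT_FOUND, []))          # 2G
    print(gba_key_type(SW_OK, [SAMPLE_USIM_RECORD]))    # 3G
    print(gba_key_type(SW_OK, [SAMPLE_OTHER_RECORD]))   # 2G
```

The parse stops at the first 0xFF tag because EF_DIR records are fixed length and padded; a record containing only padding, or a template whose AID has a prefix other than the USIM/ISIM ones, is treated exactly like the "only a SIM application identifier" case in the text.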
The UE can carry the GAA authentication key type information it uses in the connection request message in the following two ways:
Mode one: if HTTP Digest authentication is used between the UE and the NAF, the UE can represent the GBA authentication key type it uses by setting different values of the product parameter in the User-Agent header of the connection request message sent to the NAF. If the UE uses 2G GBA, the product parameter value is set to 3GPP-gba-2G and the corresponding User-Agent value is: 3GPP-gba@NAF domain name; 3GPP-gba-2G@NAF domain name. If the UE uses a key on the UICC, the product parameter value is set to 3GPP-gba-UICC and the corresponding User-Agent value is: 3GPP-gba-UICC@NAF domain name. If the UE uses a key on the ME, the product parameter value is set to 3GPP-gba and the corresponding User-Agent value is: 3GPP-gba@NAF domain name. It can be seen that if the User-Agent header does not contain 3GPP-gba-2G, the UE does not use 2G GBA.
Here, when the UE uses 2G GBA, the User-Agent value is set to "3GPP-gba@NAF domain name; 3GPP-gba-2G@NAF domain name" for the following reason: a NAF supporting the HTTP R6 version cannot recognise "3GPP-gba-2G" but can recognise "3GPP-gba". When such a NAF reads the User-Agent value "3GPP-gba@NAF domain name; 3GPP-gba-2G@NAF domain name", it reads only the "3GPP-gba@NAF domain name" it recognises and skips the "3GPP-gba-2G" it cannot recognise. Because "3GPP-gba@NAF domain name" only indicates that the UE's authentication key is applied on the ME and cannot indicate whether that key is 2G or 3G, a NAF supporting the HTTP R6 version goes directly to step 305 after receiving the connection request message.
Mode two: a request header or entity header representing the GAA authentication key type the UE supports is added to the message header of the connection request message. For example, a new usertype header field is added, and if the UE uses 2G GBA the value of this request header or entity header is set to 2G.
Here, according to the HTTP R6 version, a receiver that receives a request header it cannot recognise treats it as an entity header, and an entity header it cannot recognise is ignored. Therefore, when a NAF supporting the HTTP R6 version receives a connection request message whose request header or entity header represents the GAA authentication key type the UE uses, that request header or entity header is ignored and the NAF goes directly to step 305; when a NAF supporting a version later than HTTP R6 receives such a connection request message, it can recognise the request header or entity header and goes directly to step 304.
Step 304: After receiving the connection request message, the NAF judges whether the GAA authentication key type used by the UE meets its own requirement; if so, go to step 305; otherwise, it rejects the UE's connection request, for example by returning a connection rejection message to the UE, and the procedure ends.
Here, the NAF judging whether the GAA authentication key type used by the UE meets its own requirement specifically is: the NAF judges whether the authentication key types it supports include the authentication key type used by the UE; if they do, it judges that the GAA authentication key type used by the UE meets its requirement; if they do not, it judges that the GAA authentication key type used by the UE does not meet its requirement.
Step 305: The NAF returns a connection response message to the UE, carrying an indication that the UE must perform the GAA authentication procedure with the BSF.
Step 306: The UE and the BSF perform the GAA authentication and key agreement procedure; the authentication succeeds and a shared key Ks is generated between the UE and the BSF.
Further, when the authentication and key agreement procedure between the UE and the BSF finishes, a B-TID is generated that indicates the authentication key type selected by the UE. For example, when the UE uses a 2G GBA key, the value of the B-TID may be set to: Base64code(RAND) + "2G authentication key type identifier" + "@" + BSF domain name, e.g. Base64code(RAND) + "2G" + "@" + BSF domain name. In this way, when the client on the UE needs to learn the GAA authentication key type the UE uses, it only needs to read the value of the B-TID: because RAND is 128 bits long, the last character of Base64code(RAND) is "=", so as long as the characters following the "=" in the B-TID are the predefined 2G authentication key type identifier, it can be concluded that the UE uses 2G GBA.
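The B-TID construction and the client-side check described in step 306, as an added example (written for this page; not code from the patent, the BSF or any 3GPP stack). It uses only the Python standard library; the BSF domain bsf.example.com is an assumed value and the RAND passed in is whatever 128-bit challenge the bootstrapping run produced. Because the Base64 alphabet contains no "=", the last "=" in the local part is a reliable boundary between the encoded RAND and the type identifier, which is the property the text relies on.

```python
# Added example: build and parse a B-TID of the form
#   Base64code(RAND) + [type identifier] + "@" + BSF domain
# as proposed in step 306. Not the patent's code; bsf.example.com is assumed.
import base64
import os

BSF_DOMAIN = "bsf.example.com"
TYPE_2G = "2G"          # the 2G authentication key type identifier used in the text


def make_btid(rand, key_type, bsf_domain=BSF_DOMAIN):
    """BSF/UE side: append the 2G identifier after the Base64-encoded RAND.

    RAND is 128 bits, so Base64code(RAND) is always 24 characters ending in "==";
    a 3G key carries no identifier and the B-TID keeps the ordinary form.
    """
    if len(rand) != 16:
        raise ValueError("RAND must be 128 bits")
    b64 = base64.b64encode(rand).decode("ascii")
    ident = TYPE_2G if key_type == "2G" else ""
    return f"{b64}{ident}@{bsf_domain}"


def split_btid(btid):
    """Client side: return (rand, key_type, bsf_domain) from a B-TID built as above."""
    local, at, domain = btid.rpartition("@")
    if not at or not domain:
        raise ValueError("B-TID has no @BSF-domain part")
    eq = local.rfind("=")                  # end of the padded Base64 RAND
    if eq < 0:
        raise ValueError("B-TID does not start with a padded Base64 RAND")
    rand = base64.b64decode(local[:eq + 1], validate=True)
    ident = local[eq + 1:]
    if ident == TYPE_2G:
        key_type = "2G"
    elif ident == "":
        key_type = "3G"
    else:
        raise ValueError(f"unknown authentication key type identifier {ident!r}")
    return rand, key_type, domain


def btid_key_type(btid):
    """What the client on the UE actually needs: only the key type."""
    return split_btid(btid)[1]


if __name__ == "__main__":
    rand = os.urandom(16)
    for kt in ("2G", "3G"):
        b = make_btid(rand, kt)
        print(b, "->", btid_key_type(b))
```

A client that reads the B-TID this way never has to touch the card again to learn which GBA variant was run, and a NAF that receives the B-TID in the application request (mode three of step 307) can apply the same split before it spends a Zn query on the BSF.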
Step 307: The UE sends the NAF an application request message carrying the B-TID.
Further, this application request message carries the authentication key type information selected by the UE. After receiving the application request message, the NAF judges whether the authentication key type selected by the UE meets its own requirement; if so, it sends the BSF a key request message carrying the B-TID; otherwise, it returns a connection rejection message to the UE and the procedure ends.
Specifically, before sending the application request message, the client on the UE can obtain the authentication key type information selected by the UE in two ways: one is the same as the process in step 303 by which the client on the UE obtains the GAA authentication key type information used by the UE before the connection request message is sent; the other is to read the value of the B-TID that the UE and the BSF generated at the end of the authentication and key agreement procedure and that indicates the authentication key type selected by the UE, as detailed in step 306.
The UE can carry the authentication key type information it selected in the application request message in the following three ways:
Mode one: if HTTP Digest authentication is used between the UE and the NAF, the UE represents the authentication key type it selected by setting different values of the product parameter in the User-Agent header of the application request message sent to the NAF. If the UE uses a 2G GBA key, the product parameter value is set to 3GPP-gba-2G and the corresponding User-Agent value is: 3GPP-gba@NAF domain name; 3GPP-gba-2G@NAF domain name. If the UE uses a key on the UICC, the product parameter value is set to 3GPP-gba-UICC and the corresponding User-Agent value is: 3GPP-gba-UICC@NAF domain name. If the UE uses a key on the ME, the product parameter value is set to 3GPP-gba and the corresponding User-Agent value is: 3GPP-gba@NAF domain name. If the User-Agent header does not contain 3GPP-gba-2G, the UE does not use a 2G GBA key.
In addition, the authentication key type selected by the UE can be represented by the first part of the realm parameter value set in the application request message, similarly to the product parameter: if the UE uses a 2G GBA key, the first part of the realm parameter value is set to: 3GPP-gba@NAF domain name; 3GPP-gba-2G@NAF domain name. If the UE uses a key on the UICC, the realm parameter value is set to: 3GPP-gba-UICC@NAF domain name. If the UE uses a key on the ME, the first part of the realm parameter value is set to: 3GPP-gba@NAF domain name. If the realm parameter value does not contain 3GPP-gba-2G, the UE does not use a 2G GBA key.
The authentication key type can also be carried by adding to the message header of the application request message a request header or entity header representing the GAA authentication key type selected by the UE. For example, a new usertype header field is added, and if the UE selects a 2G GBA key the value of this request header or entity header is set to 2G.
Mode two: if pre-shared key Transport Layer Security (PSK TLS) authentication is used between the UE and the NAF, the application request message the UE sends to the NAF is a ClientKeyExchange message, and the UE represents the key type it uses by setting different values of the pre-shared key identity hint (psk_identity_hint) parameter of the ClientKeyExchange message, similarly to the realm parameter: if the UE uses a 2G GBA key, the first part of the psk_identity_hint parameter value is set to 3GPP-gba-2G and the psk_identity_hint parameter value is: 3GPP-gba@NAF domain name; 3GPP-gba-2G@NAF domain name. If the UE uses a key on the UICC, the first part of the psk_identity_hint parameter value is set to 3GPP-gba-UICC. If the UE uses a key on the ME, the first part of the psk_identity_hint parameter value is set to 3GPP-gba. Likewise, if the psk_identity_hint parameter value does not contain 3GPP-gba-2G, the UE does not use a 2G GBA key.
Mode three: the application request message carries a B-TID that indicates the authentication key type selected by the UE. The specific value of the B-TID is the same as in step 306.
Step 308: After receiving the application request message, the NAF sends the BSF a key request message carrying the B-TID.
Step 309: After receiving the key request message, the BSF finds the corresponding Ks according to the B-TID, calculates the NAF-specific key from Ks, and returns the NAF-specific key together with the GAA authentication key type information used by the UE to the NAF in a key response message.
Step 310: After receiving the key response message, the NAF judges whether the GAA authentication key type used by the UE meets its own requirement; if so, it returns a connection set-up message to the UE; otherwise, it returns a connection rejection message to the UE.
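The token encoding of step 303 (User-Agent product tokens) and of step 307 modes one and two (realm value and PSK TLS client identity), together with the NAF-side check of steps 304 and 307, as one added example covering both passages. This is example code written for this page, not code from the patent or from a 3GPP NAF or handset stack; naf.example.com and the ExampleUA product token are assumed values. One naming note: RFC 4279 carries the client's identity in the psk_identity field of ClientKeyExchange, while psk_identity_hint is the server's field in ServerKeyExchange, so the value the text calls psk_identity_hint in step 307 is produced here as the client identity. The `known` parameter models the Release 6 NAF the text describes, which recognises 3GPP-gba but not 3GPP-gba-2G and therefore falls back to treating the UE as an ME-key UE.

```python
# Added example: UE-side encoding of the GAA key type and NAF-side policy check.
# Not code from the patent; naf.example.com and ExampleUA/1.0 are assumed values.

NAF_DOMAIN = "naf.example.com"

# Tokens per key type as used in steps 303 and 307. A 2G UE sends the generic
# 3GPP-gba token as well so that a NAF that only knows 3GPP-gba can still parse it.
KEY_TOKENS = {
    "2G":   ["3GPP-gba", "3GPP-gba-2G"],
    "UICC": ["3GPP-gba-UICC"],
    "ME":   ["3GPP-gba"],
}

ALL_TOKENS = ("3gpp-gba", "3gpp-gba-2g", "3gpp-gba-uicc")   # lower-cased for comparison


def user_agent(key_type, base="ExampleUA/1.0"):
    """User-Agent header value: product tokens separated by whitespace."""
    return " ".join([base] + KEY_TOKENS[key_type])


def identity_value(key_type, naf_domain=NAF_DOMAIN):
    """Digest realm value, or PSK TLS client identity: each token @NAF domain, ';'-separated."""
    return ";".join(f"{tok}@{naf_domain}" for tok in KEY_TOKENS[key_type])


def tokens_from_user_agent(ua):
    return ua.split()


def tokens_from_identity(value):
    """Strip the @domain part of every ';'-separated element."""
    return [p.split("@", 1)[0].strip() for p in value.split(";") if p.strip()]


def classify(tokens, known=ALL_TOKENS):
    """NAF side: map the tokens it recognises to a key type, or None if no GBA token.

    Unknown tokens are ignored, as HTTP requires for product tokens and headers.
    A Release 6 NAF that knows only 3GPP-gba therefore classifies a 2G UE as an
    ME-key UE, which is the fallback the embodiment relies on.
    """
    seen = {t.lower() for t in tokens if t.lower() in known}
    if "3gpp-gba-2g" in seen:
        return "2G"
    if "3gpp-gba-uicc" in seen:
        return "UICC"
    if "3gpp-gba" in seen:
        return "ME"
    return None


def naf_accepts(supported, tokens, known=ALL_TOKENS):
    """Step 304 / step 307 decision: connect only if the UE's key type is one the NAF supports."""
    key_type = classify(tokens, known)
    return key_type is not None and key_type in supported


if __name__ == "__main__":
    ua = user_agent("2G")
    print(ua, "->", classify(tokens_from_user_agent(ua)))
    # A NAF that refuses 2G GBA rejects before any Zn query to the BSF.
    print(naf_accepts({"UICC", "ME"}, tokens_from_user_agent(ua)))                           # False
    # A Release 6 NAF that does not know 3GPP-gba-2G sees the same UE as ME-key and lets it through.
    print(naf_accepts({"UICC", "ME"}, tokens_from_user_agent(ua), known=("3gpp-gba",)))      # True
    ident = identity_value("UICC")
    print(ident, "->", classify(tokens_from_identity(ident)))
```

The second print shows the cost of the fallback: a NAF that predates the 2G marker cannot reject early and ends up in the prior-art path of step 310, learning the key type only from the BSF's key response.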
Fig. 4 is the flow chart of the specific embodiment two of first kind of method that connects under GAA provided by the invention, in the present embodiment, UE is after executing GAA authentication and cipher key agreement process with BSF, in the application request message that NAF sends, carry the GAA KI type information that self uses, as shown in Figure 4, its concrete steps are as follows:
Step 401:UE determines to visit certain NAF.
Step 402: The UE checks whether it has stored information indicating that this NAF requires GAA authentication. If so, go to step 405; otherwise, go to step 403.
Step 403: The UE sends a connection request message to the NAF.
Step 404: On receiving the connection request message, the NAF returns a connection response message to the UE. This connection response message carries indication information requiring the UE to run the GAA authentication procedure with the BSF.
Step 405: The UE and the BSF run the GAA authentication and key agreement procedure. When authentication succeeds, a shared key Ks is generated between the UE and the BSF.
As in step 306, when the UE and the BSF complete the authentication and key agreement procedure, a B-TID indicating the authentication key type selected by the UE is further generated.
Step 406: The UE sends an application request message to the NAF carrying information on the authentication key type it has selected.
Here the client on the UE can obtain the key type information selected by the UE in the same way as in step 307.
The UE can carry the selected key type information in the application request message in the same three ways as in step 307.
Note that if the UE carries the selected key type information in the application request message in the first or the second way of step 307, the application request message must also carry the B-TID.
Step 407: On receiving the application request message, the NAF checks whether the key type selected by the UE meets its own requirements. If so, go to step 408; otherwise the NAF returns a connection refused message to the UE and the procedure ends.
Step 408: The NAF sends a key request message carrying the B-TID to the BSF.
Step 409: On receiving the key request message, the BSF looks up the Ks corresponding to the B-TID, derives the NAF-specific key (Ks_NAF) from Ks, and returns a key response message to the NAF carrying this NAF-specific key together with the GAA key type used by the UE.
Step 410: On receiving the key response message, the NAF checks whether the GAA key type used by the UE meets its own requirements. If so, it returns a connection established message to the UE; otherwise it returns a connection refused message to the UE.
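The exchange of steps 406 to 410 as an added example, not part of the patent: a Python simulation of UE, NAF and BSF in which the NAF first screens the key type the UE declares (step 407) and then re-checks it against the key type the BSF reports alongside the NAF-specific key (step 410), so a UE that misreports its type, or presents a B-TID the BSF does not know, is still refused. The key derivation (HMAC in place of the 3GPP KDF), the header name X-GBA-Key-Type, the domain names and the B-TID layout are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os

# Authentication key types named on the page.
KEY_2G = "2G-GBA"      # 2G GBA key
KEY_GBA_U = "GBA_U"    # key generated by GBA_U, used on the UICC
KEY_GBA_ME = "GBA_ME"  # key generated by GBA or GBA_U, used on the ME


def derive_ks_naf(ks, naf_id):
    """Stand-in for the NAF-specific key derivation (assumption: HMAC-SHA256 over the
    NAF identity; the real Ks_NAF KDF of TS 33.220 takes more inputs)."""
    return hmac.new(ks, naf_id.encode(), hashlib.sha256).digest()


class BSF:
    """Bootstrapping server: holds Ks and the key type actually used, indexed by B-TID."""

    def __init__(self, domain="bsf.example.invalid"):  # assumed domain
        self.domain = domain
        self.store = {}  # B-TID -> (Ks, key type)

    def bootstrap(self, key_type):
        """Steps 405/506 reduced to generating Ks and recording the key type used.
        Returns the B-TID handed to the UE (layout base64(RAND)@domain is assumed)."""
        rand, ks = os.urandom(16), os.urandom(32)
        btid = base64.b64encode(rand).decode() + "@" + self.domain
        self.store[btid] = (ks, key_type)
        return btid

    def key_request(self, btid, naf_id):
        """Step 409: look up Ks by B-TID, derive the NAF key and report the key type used.
        Returns None for an unknown B-TID."""
        if btid not in self.store:
            return None
        ks, key_type = self.store[btid]
        return derive_ks_naf(ks, naf_id), key_type

    def ks_naf_for(self, btid, naf_id):
        """The key the NAF should end up holding for this B-TID (used for checking)."""
        return derive_ks_naf(self.store[btid][0], naf_id)


def application_request(btid, declared_type):
    """Step 406: the UE's application request, carrying the B-TID and the key type it
    claims to have selected (header name X-GBA-Key-Type is an assumption)."""
    return {"B-TID": btid, "X-GBA-Key-Type": declared_type}


class NAF:
    def __init__(self, naf_id, accepted_types, bsf):
        self.naf_id = naf_id
        self.accepted = set(accepted_types)
        self.bsf = bsf

    def handle_application_request(self, req):
        """Steps 407 to 410. Returns ('established', Ks_NAF) or ('refused', reason)."""
        declared = req.get("X-GBA-Key-Type")
        # Step 407: screen the type the UE declares before contacting the BSF.
        if declared not in self.accepted:
            return "refused", "step 407: declared key type %r not accepted" % declared
        # Steps 408/409: fetch the NAF key and the authoritative key type from the BSF.
        answer = self.bsf.key_request(req.get("B-TID"), self.naf_id)
        if answer is None:
            return "refused", "step 409: unknown B-TID"
        ks_naf, used = answer
        # Step 410: the BSF's record, not the UE's claim, decides.
        if used not in self.accepted:
            return "refused", "step 410: BSF reports key type %r" % used
        return "established", ks_naf


def run_scenarios():
    """Constructed scenario: a NAF that accepts only the GBA_U and GBA_ME keys."""
    bsf = BSF()
    naf = NAF("naf.example.invalid", {KEY_GBA_U, KEY_GBA_ME}, bsf)
    honest = bsf.bootstrap(KEY_GBA_U)
    legacy = bsf.bootstrap(KEY_2G)
    return {
        # honest GBA_U UE: accepted, and the NAF holds the same Ks_NAF the BSF derived
        "honest": naf.handle_application_request(application_request(honest, KEY_GBA_U)),
        "honest_expected_key": bsf.ks_naf_for(honest, naf.naf_id),
        # 2G UE that says so: refused at step 407, before any BSF traffic
        "legacy": naf.handle_application_request(application_request(legacy, KEY_2G)),
        # 2G UE that claims GBA_ME: passes step 407, caught at step 410
        "misreport": naf.handle_application_request(application_request(legacy, KEY_GBA_ME)),
        # B-TID the BSF never issued: refused at step 409
        "unknown": naf.handle_application_request(
            application_request("AAAA@" + bsf.domain, KEY_GBA_ME)),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome if name != "honest" else outcome[0])
```

The point of the double check is that step 407 is only a cheap filter on a self-declared value; the refusal at step 410 is the one backed by the BSF's own record of which key type produced Ks.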
Fig. 5 is a flowchart of a specific embodiment of the second connection set-up method under GAA provided by the invention. In this embodiment, after the NAF receives from the UE a connection request message asking whether GAA authentication is required, it carries the GAA key type information it supports in the connection response message that tells the UE to authenticate using GAA. As shown in Fig. 5, the specific steps are as follows:
Step 501: The UE decides to access a certain NAF.
Step 502: The UE checks whether it has stored information indicating that this NAF requires GAA authentication. If so, go to step 506; otherwise, go to step 503.
Step 503: The UE sends a connection request message to the NAF.
Step 504: On receiving the connection request message, the NAF returns a connection response message to the UE. This connection response message carries indication information requiring the UE to run the GAA authentication procedure with the BSF, and at the same time carries the GAA key type information that the NAF supports.
The GAA key types supported by the NAF may be any one, or any combination, of: the 2G GBA key, the key generated by GBA_U and used on the UICC, and the key generated by GBA or GBA_U and used on the ME.
The NAF can carry its supported GAA key type information in the connection response message in any of the following three ways:
Mode one: if HTTP Digest authentication is used between the UE and the NAF, the connection response message the NAF returns to the UE is a 401 Unauthorized response message, and the NAF indicates the different GBA key types it supports by setting the realm parameter of the 401 Unauthorized response to different values. If the NAF supports the 2G GBA key, the realm parameter is set to "3GPP-bootstrapping@<NAF domain name>;3GPP-bootstrapping-2G@<NAF domain name>", or to "3GPP-bootstrapping-2G@<NAF domain name>". If the NAF does not support the 2G GBA key, the realm parameter must contain "3GPP-bootstrapping-3G", for example "3GPP-bootstrapping@<NAF domain name>;3GPP-bootstrapping-3G@<NAF domain name>" or "3GPP-bootstrapping-UICC@<NAF domain name>;3GPP-bootstrapping-3G@<NAF domain name>". If the NAF supports the key used on the UICC, the realm parameter is set to "3GPP-bootstrapping-UICC@<NAF domain name>". If the NAF supports the key used on the ME, the realm parameter is set to "3GPP-bootstrapping@<NAF domain name>". It follows that if the realm parameter value does not contain "3GPP-bootstrapping-3G", the NAF supports 2G GBA.
Mode two: if PSK TLS authentication is used between the UE and the NAF, the connection response message the NAF returns to the UE is a ServerKeyExchange message, and the NAF indicates the different GBA key types it supports by setting the psk_identity_hint parameter of the ServerKeyExchange message to different values, following the same scheme as for the realm parameter. When the NAF supports the 2G GBA key, psk_identity_hint is set to "3GPP-bootstrapping@<NAF domain name>;3GPP-bootstrapping-2G@<NAF domain name>", or to "3GPP-bootstrapping-2G@<NAF domain name>". When the NAF does not support the 2G GBA key, psk_identity_hint must contain "3GPP-bootstrapping-3G", for example "3GPP-bootstrapping@<NAF domain name>;3GPP-bootstrapping-3G@<NAF domain name>" or "3GPP-bootstrapping-UICC@<NAF domain name>;3GPP-bootstrapping-3G@<NAF domain name>". When the NAF supports the GBA_U key used on the UICC, psk_identity_hint is set to "3GPP-bootstrapping-UICC@<NAF domain name>". When the NAF supports the GBA key used on the ME, psk_identity_hint is set to "3GPP-bootstrapping@<NAF domain name>". Likewise, if the psk_identity_hint value does not contain "3GPP-bootstrapping-3G", the NAF supports 2G GBA.
Mode three: a response header or entity header expressing the GAA key types supported by the NAF is added to the message header of the connection response message.
When a UE supporting the HTTP R6 version receives a connection response message whose response header or entity header expresses the GAA key types supported by the NAF, that header is ignored and the UE proceeds directly to step 506; a UE supporting a version later than HTTP R6 can recognise the response header or entity header and proceeds directly to step 505.
Step 505: On receiving the connection response message, the UE checks whether the GAA key type it uses is consistent with the GAA key types supported by the NAF. If so, go to step 506; otherwise the procedure ends.
Here the client on the UE can obtain the GAA key type information used by the UE in the same way as in step 303.
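Modes one and two and the UE-side check of step 505, as an added example that is not part of the patent: Python that builds the realm / psk_identity_hint value from the set of key types a NAF accepts, recovers that set on the UE from a 401 Unauthorized response using the page's rule (2G GBA is supported exactly when "3GPP-bootstrapping-3G" is absent), and decides whether the UE should go on to bootstrap with the BSF. The labels are the ones written on the page (the "-2G" and "-3G" suffixes are this patent's scheme); the NAF domain name, the nonce and the rest of the Digest challenge are constructed for the example.

```python
import re

# Authentication key types named on the page.
KEY_2G = "2G-GBA"      # 2G GBA key
KEY_GBA_U = "GBA_U"    # key generated by GBA_U, used on the UICC
KEY_GBA_ME = "GBA_ME"  # key generated by GBA or GBA_U, used on the ME

# Realm / psk_identity_hint labels as given in modes one and two.
LABELS = {
    KEY_GBA_ME: "3GPP-bootstrapping",
    KEY_GBA_U: "3GPP-bootstrapping-UICC",
    KEY_2G: "3GPP-bootstrapping-2G",
}
NO_2G_MARKER = "3GPP-bootstrapping-3G"   # present exactly when 2G GBA is NOT accepted


def encode_supported(supported, naf_fqdn):
    """NAF side: one '<label>@<NAF domain name>' component per supported type, joined
    by ';', plus the -3G marker whenever the 2G GBA key is not accepted."""
    parts = [LABELS[t] + "@" + naf_fqdn
             for t in (KEY_GBA_ME, KEY_GBA_U, KEY_2G) if t in supported]
    if KEY_2G not in supported:
        parts.append(NO_2G_MARKER + "@" + naf_fqdn)
    return ";".join(parts)


def decode_supported(value):
    """UE side: recover the supported set from a realm or psk_identity_hint value.
    The page's rule: 2G GBA is supported iff the -3G marker is absent."""
    labels = {part.split("@", 1)[0] for part in value.split(";") if part}
    supported = set()
    if LABELS[KEY_GBA_ME] in labels:
        supported.add(KEY_GBA_ME)
    if LABELS[KEY_GBA_U] in labels:
        supported.add(KEY_GBA_U)
    if NO_2G_MARKER not in labels:
        supported.add(KEY_2G)
    return supported


def build_401(supported, naf_fqdn, nonce):
    """Mode one: the NAF's 401 Unauthorized response with the realm carrying the types.
    Nonce and the other Digest fields are constructed for the example."""
    return ('HTTP/1.1 401 Unauthorized\r\n'
            'WWW-Authenticate: Digest realm="%s", qop="auth", nonce="%s", algorithm=MD5\r\n'
            '\r\n' % (encode_supported(supported, naf_fqdn), nonce))


def realm_from_401(response):
    """Extract the realm value from the Digest challenge of a 401 response."""
    m = re.search(r'WWW-Authenticate:\s*Digest\s[^\r\n]*?realm="([^"]*)"', response)
    if m is None:
        raise ValueError("no Digest realm in response")
    return m.group(1)


def psk_identity_hint(supported, naf_fqdn):
    """Mode two: the same value, placed in psk_identity_hint of the PSK TLS ServerKeyExchange."""
    return encode_supported(supported, naf_fqdn)


def ue_should_bootstrap(ue_key_type, advertised):
    """Step 505: go on to the BSF only if the UE's own key type is among those advertised."""
    return ue_key_type in decode_supported(advertised)


if __name__ == "__main__":
    challenge = build_401({KEY_GBA_ME, KEY_GBA_U}, "naf.example.invalid", "dcd98b7102dd2f0e")
    print(challenge)
    realm = realm_from_401(challenge)
    for t in (KEY_GBA_U, KEY_GBA_ME, KEY_2G):
        print(t, "proceed" if ue_should_bootstrap(t, realm) else "stop")
```

The encoder and decoder round-trip every subset of the three types, including the empty set (a realm consisting only of the -3G marker), which is what lets the UE treat an unrecognised realm the same way as a NAF that advertises nothing it can use.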
Step 506: The UE and the BSF run the GAA authentication and key agreement procedure. When authentication succeeds, a shared key Ks is generated between the UE and the BSF.
As in step 306, when the UE and the BSF complete the authentication and key agreement procedure, a B-TID indicating the authentication key type selected by the UE is further generated.
Step 507: The UE sends an application request message carrying the B-TID to the NAF.
Further, this application request message may also carry the key type information selected by the UE. In that case, on receiving the application request message the NAF checks whether the key type selected by the UE meets its own requirements; if so, it sends a key request message carrying the B-TID to the BSF, otherwise it returns a connection refused message to the UE and the procedure ends.
Here the client on the UE can obtain the key type information selected by the UE in the same way as in step 307.
The UE can carry the selected key type information in the application request message in the same three ways as in step 307.
Step 508: On receiving the application request message, the NAF sends a key request message carrying the B-TID to the BSF.
Step 509: On receiving the key request message, the BSF looks up the Ks corresponding to the B-TID, derives the NAF-specific key (Ks_NAF) from Ks, and returns a key response message to the NAF carrying this NAF-specific key together with the GBA key type used by the UE.
Step 510: On receiving the key response message, the NAF checks whether the GBA key type used by the UE meets its own requirements. If so, it returns a connection established message to the UE; otherwise it returns a connection refused message to the UE.
Note that the embodiments of Figs. 3 to 5 respectively illustrate three ways of conveying the key type: the UE carries the GAA key type it uses in the connection request message it sends to the NAF asking whether GAA authentication is required; the UE carries the GAA key type it uses in the application request message it sends to the NAF after completing the GAA authentication procedure with the BSF; and the NAF carries the GAA key types it supports in the connection response message that tells the UE to authenticate using GAA. In practice, any two of these three ways, or all three, may be used together.
The above are only embodiments of the process and method of the invention and are not intended to limit it. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within its scope of protection.

Claims (21)

1. A connection set-up method, characterised in that the method comprises:
A. a user equipment (UE) sends to a network application entity (NAF) a request message carrying information on the authentication key type used by the UE;
B. on receiving the request message, the NAF judges whether the authentication key type used by the UE meets the NAF's requirements; if so, it carries out the subsequent connection set-up procedure with the UE; otherwise, it refuses the UE's connection request and the procedure ends.
2. The method of claim 1, characterised in that the authentication key type information used by the UE in step A is obtained as follows: the client on the UE sends to the UICC (Universal Integrated Circuit Card) or SIM (Subscriber Identity Module) a command for obtaining the files related to the UICC application, and then determines the authentication key type used by the UE from the command status indication and the content of the UICC-application-related files returned by the UICC or SIM.
3. The method of claim 1, characterised in that when the authentication key type used by the UE is the 2G GBA (Generic Bootstrapping Architecture) key, the authentication key type information used by the UE comprises: the location where the key used by the UE resides and the 2G key version used by the UE.
4. The method of claim 1, characterised in that the request message of step A is a connection request message, and that before step A the method further comprises: the UE judges whether it has stored information indicating that the NAF requires authentication using the Generic Authentication Architecture (GAA); if so, it carries out the subsequent connection set-up procedure with the NAF; otherwise, it performs step A.
5. The method of claim 4, characterised in that the UE and the NAF use the HTTP (Hypertext Transfer Protocol) Digest authentication mode, and the authentication key type information used by the UE is carried in the User-Agent header of the connection request message.
6. The method of claim 4, characterised in that the authentication key type information used by the UE is carried in a request header or an entity header of the connection request message.
7. The method of claim 1, characterised in that the request message of step A is an application request message, and that before step A the method further comprises: the UE and the bootstrapping server function (BSF) perform the authentication and key agreement procedure; after authentication succeeds and the key is obtained, step A is performed.
8. The method of claim 7, characterised in that the UE and the NAF use the HTTP Digest authentication mode, and the authentication key type information used by the UE is carried in the User-Agent header of the application request message,
or the authentication key type information used by the UE is carried in the realm parameter of the application request message,
or the authentication key type information used by the UE is carried in a request header or an entity header of the application request message.
9. The method of claim 7, characterised in that the UE and the NAF use the pre-shared key Transport Layer Security (PSK TLS) authentication mode, the application request message is a ClientKeyExchange message, and the authentication key type information used by the UE is carried in the pre-shared key identity hint (psk_identity_hint) parameter of the ClientKeyExchange message.
10. The method of claim 7, characterised in that after the UE and the BSF perform the authentication and key agreement procedure the method further comprises: generating a temporary identity (B-TID) indicating the authentication key type used by the UE,
and that the UE sending to the NAF a request message carrying the authentication key type information it uses in step A comprises: the UE carries the B-TID indicating the authentication key type it uses in the application request message sent to the NAF.
11. The method of claim 7, characterised in that after the UE and the BSF perform the authentication and key agreement procedure the method further comprises: generating a B-TID indicating the authentication key type used by the UE,
and that the authentication key type information used by the UE in step A is obtained as follows:
the client on the UE reads the value of the B-TID and determines the authentication key type used by the UE by detecting the identifier representing the authentication key type contained in the B-TID.
12. The method of claim 7, characterised in that before the UE and the BSF perform the authentication and key agreement procedure the method further comprises:
the UE judges whether it has stored information indicating that the NAF requires GAA authentication; if so, it performs the authentication and key agreement procedure with the BSF; otherwise, it sends to the NAF a connection request message carrying the authentication key type information it uses; on receiving the connection request message, the NAF judges whether the authentication key type used by the UE meets its requirements; if it does, the NAF notifies the UE to authenticate using GAA and the UE and the BSF then perform the authentication and key agreement procedure; if it does not, the NAF refuses the UE's connection request and the procedure ends.
13. The method of claim 7, characterised in that before the UE and the BSF perform the authentication and key agreement procedure the method further comprises:
the UE judges whether it has stored information indicating that the NAF requires GAA authentication; if so, it performs the authentication and key agreement procedure with the BSF; otherwise, it sends a connection request message to the NAF; on receiving the connection request message, the NAF returns to the UE a connection response message carrying indication information requiring GAA authentication together with the authentication key type information the NAF supports; on receiving the connection response message, the UE judges whether the authentication key type it uses is consistent with the authentication key types supported by the NAF; if consistent, it performs the authentication and key agreement procedure with the BSF; if not, the procedure ends.
14. The method of claim 1, 4 or 7, characterised in that the NAF judging in step B whether the authentication key type used by the UE meets its requirements is: the NAF judges whether the authentication key type used by the UE is not the 2G GBA key.
15. A connection set-up method, characterised in that the method comprises:
the NAF sends to the UE information on the authentication key types it supports; on receiving the authentication key type information supported by the NAF, the UE judges whether the authentication key type it uses is consistent with the authentication key types supported by the NAF; if so, it carries out the subsequent connection set-up procedure with the NAF; otherwise, the procedure ends.
16. The method of claim 15, characterised in that the UE and the NAF use the HTTP Digest authentication mode,
and that the NAF sending the authentication key type information it supports to the UE comprises: the NAF carries the authentication key type information it supports in the realm parameter of a 401 Unauthorized response message sent to the UE.
17. The method of claim 15, characterised in that the UE and the NAF use PSK TLS authentication,
and that the NAF sending the authentication key type information it supports to the UE comprises: the NAF carries the authentication key type information it supports in the psk_identity_hint parameter of a ServerKeyExchange message sent to the UE.
18. The method of claim 15, characterised in that the NAF sending the authentication key type information it supports to the UE comprises: after receiving the connection request message sent by the UE, the NAF carries the authentication key type information it supports in a response header or an entity header of the connection response message sent to the UE.
19. The method of claim 15, characterised in that the UE judging whether the authentication key type it uses is consistent with the authentication key types supported by the NAF is: the UE judges whether the NAF supports 2G GBA.
20. The method of claim 15, characterised in that before the UE judges whether the authentication key type it uses is consistent with the authentication key types supported by the NAF, the method further comprises:
the client on the UE reads the value of the B-TID and determines the authentication key type used by the UE by detecting the identifier representing the authentication key type contained in the B-TID.
21. The method of claim 15, characterised in that the UE carrying out the subsequent connection set-up procedure with the NAF comprises:
the UE and the BSF perform the authentication and key agreement procedure; when the procedure completes, a B-TID indicating the authentication key type selected by the UE is generated; the UE carries this B-TID in an application request message sent to the NAF; on receiving the application request message, the NAF judges whether the authentication key type selected by the UE meets its requirements; if so, it sends a key request message carrying the B-TID to the BSF; otherwise, it refuses the UE's connection request and the procedure ends.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CNB200610057098XA | 2006-01-18 | 2006-03-17 | Connection set-up method, system, network application entity and user terminal (granted as CN100479570C, Active)

Applications Claiming Priority (3)

Application Number | Priority Date | Filing Date | Title
CN200610001521.4 | 2006-01-18 | |
CN200610001521 | 2006-01-18 | |
CNB200610057098XA | 2006-01-18 | 2006-03-17 | Connection set-up method, system, network application entity and user terminal (granted as CN100479570C)

Publications (2)

Publication Number | Publication Date
CN101005701A | 2007-07-25
CN100479570C | 2009-04-15

Family

ID=38704499

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CNB200610057098XA (Active, granted as CN100479570C) | Connection set-up method, system, network application entity and user terminal | 2006-01-18 | 2006-03-17

Country Status (1)

Country | Link
CN (1) | CN100479570C (en)

Cited By (12)

* Cited by examiner, † Cited by third party

Publication number | Priority date | Publication date | Assignee | Title
CN103001940A * | 2007-10-05 | 2013-03-27 | InterDigital Technology Corporation | Techniques for setting up secure local password by means of WTRU (Wireless Transmit Receive Unit)
CN102917351A * | 2011-08-05 | 2013-02-06 | ***通信集团公司 (*** Communications Group Corp.) | Method and device for realizing application in user identification card and user identification card
CN102917351B * | 2011-08-05 | 2015-04-01 | ***通信集团公司 (*** Communications Group Corp.) | Method and device for realizing application in user identification card and user identification card
CN104735037A * | 2013-12-24 | 2015-06-24 | ***通信集团公司 (*** Communications Group Corp.) | Network authentication method, device and system
CN104735037B * | 2013-12-24 | 2018-11-23 | ***通信集团公司 (*** Communications Group Corp.) | Network authentication method, device and system
CN107852570A * | 2015-07-01 | 2018-03-27 | Samsung Electronics Co., Ltd. | Method for establishing connection between devices
US10602559B2 | 2015-07-01 | 2020-03-24 | Samsung Electronics Co., Ltd. | Method for establishing connection between devices
CN107852570B * | 2015-07-01 | 2021-01-12 | Samsung Electronics Co., Ltd. | Method for establishing connection between devices
CN107306251A * | 2016-04-20 | 2017-10-31 | ***通信有限公司研究院 (*** Communications Co., Ltd. Research Institute) | Information authentication method and gateway device
CN114143016A * | 2020-08-14 | 2022-03-04 | ZTE Corporation | Authentication method based on Generic Bootstrapping Architecture (GBA) and corresponding device
CN112311884A * | 2020-10-30 | 2021-02-02 | Qi An Xin Technology Group Inc. | Network communication security identification method and device, electronic equipment and storage medium
CN112311884B * | 2020-10-30 | 2024-05-28 | Qi An Xin Technology Group Inc. | Network communication security identification method and device, electronic equipment and storage medium

Also Published As

Publication number | Publication date
CN100479570C (en) | 2009-04-15

Legal Events

Date | Code | Title | Description
| C06 | Publication |
| PB01 | Publication |
| C10 | Entry into substantive examination |
| SE01 | Entry into force of request for substantive examination |
| C14 | Grant of patent or utility model |
| GR01 | Patent grant |