CN111050314B - Client registration method, device and system - Google Patents

Publication number: CN111050314B
Authority: CN (China)
Prior art keywords: user, authentication, identity, registration server, party application
Legal status: Active
Application number: CN201910774037.2A
Other languages: Chinese (zh)
Other versions: CN111050314A
Inventor: name withheld at the inventor's request
Current assignee: Individual
Original assignee: Individual
Priority claimed from PCT/CN2019/074724 (WO2020037957A1)
Application filed by Individual
Publication of CN111050314A; application granted; publication of CN111050314B

Classifications

    • H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W 60/00 Affiliation to network, e.g. registration; terminating affiliation with the network, e.g. de-registration
    • H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W 12/00 Security arrangements; authentication; protecting privacy or anonymity > H04W 12/06 Authentication
    • H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W 12/00 Security arrangements; authentication; protecting privacy or anonymity > H04W 12/60 Context-dependent security > H04W 12/69 Identity-dependent

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention discloses a client registration method, device and system. The method comprises the following steps: the user terminal performs authentication and key agreement with a registration server, based on a subscriber identity module (SIM) and the subscriber data system of the mobile network; if the authentication and key agreement succeed, the registration server determines a user identity from the mobile subscriber identity and generates a security token associated with that user identity; the user terminal obtains the security token transmitted by the registration server; the user terminal performs security authentication with the registration server based on the security token, and transmits the third party application identifier of a third party application client to the registration server; if the security authentication succeeds, the registration server provides the user terminal with registration information comprising a third party user identifier and/or a user token, so that the third party application client can perform operations such as identity authentication quickly and securely, greatly improving the user experience.

Description

Client registration method, device and system
[ Technical field ]
The present invention relates to the fields of communications technology and internet technology, and in particular to a client registration method, device and system.
[ Background art ]
The universal subscriber identity module (USIM) used in 3G and later networks and the IP multimedia services identity module (ISIM) used in IMS networks are integrated circuit (IC) devices that a communications carrier uses to authenticate the identity of its subscribers, conforming to the 3GPP standard specifications.
An eSIM is an embedded SIM: the subscriber data and key material that would be stored on a physical SIM card are moved to another hardware carrier inside the user terminal equipment. A soft SIM implements the SIM function purely in software, replacing the physical SIM card, with the subscriber data and key material stored securely.
Whatever the SIM card type, the SIM stores the subscriber's mobile subscriber identity and key information. For convenience, the module that stores the mobile network subscriber's identity and key information is referred to below as the "subscriber identity module SIM". Correspondingly, the home subscriber server (HSS) and the unified data management (UDM) function are the subscriber data systems of the mobile communication network, and they store the mobile subscriber identity and key information corresponding to those held in the subscriber identity module SIM.
With the widespread use of intelligent user terminals such as smartphones, a user may install a large number of third party application clients. When such a client is used, it usually has to obtain the end user's authentication information before it can authenticate to the third party application server and obtain the application service. That authentication information normally has to be entered manually or preconfigured by the end user, for example an account number with its password or a preconfigured shared secret key. These operations are relatively cumbersome and degrade the user experience.
[ Summary of the invention ]
The main aim of the invention is to provide a client registration method, device and system by which a third party application client running in a user terminal can securely and automatically obtain registration information, including a third party user identifier and a user token. This solves the technical problem that existing third party application clients are cumbersome to use when registering an account, obtaining a user token or authenticating the user's identity, which harms the user experience.
To achieve the above purpose, the invention provides the following technical solutions:
In a first aspect, a client registration method is provided, applied to a user terminal running a third party application client, and the method comprises:
performing authentication and key agreement with a registration server, based on the subscriber identity module SIM and the subscriber data system, and if the authentication and key agreement succeed, obtaining a security token transmitted by the registration server;
performing security authentication with the registration server based on the security token;
transmitting a third party application identifier to the registration server, the third party application identifier being the identifier of the third party application client;
and, after the security authentication succeeds, receiving the registration information and services provided by the registration server for the third party application client.
Preferably, the user terminal is connected to the registration server through a data network.
Preferably, the data network comprises the internet or the mobile internet.
Preferably, the user terminal accesses the mobile internet through a mobile data connection, a WiFi connection and/or a WLAN connection.
Preferably, the mobile data comprises 3G, 4G, 5G or 6G mobile data.
Preferably, the authentication and key agreement with the registration server, based on the subscriber identity module SIM and the subscriber data system, comprises:
obtaining the mobile subscriber identity of the subscriber identity module SIM;
sending an authentication and key agreement request to the registration server, the request comprising the mobile subscriber identity;
receiving an authentication and key agreement challenge message sent by the registration server, the challenge message comprising a random number RAND and an authentication token AUTN;
sending an authentication request to the subscriber identity module SIM, the authentication request comprising the random number RAND and the authentication token AUTN;
receiving the return value of the subscriber identity module SIM, the return value comprising an expected response value RES;
transmitting an authentication and key agreement challenge response message to the registration server, the challenge response message comprising a first expected response value generated from the expected response value RES;
receiving an authentication and key agreement success response message sent by the registration server, which the registration server sends after verifying that the first expected response value is valid;
and obtaining the security token transmitted by the registration server.
Preferably, the subscriber data system is a home subscriber server HSS, and:
the subscriber identity module SIM is a universal subscriber identity module USIM and the mobile subscriber identity is an international mobile subscriber identity IMSI, or the subscriber identity module SIM is an IP multimedia services identity module ISIM and the mobile subscriber identity is an IP multimedia private identity IMPI;
the first expected response value is the expected response value RES itself, or the hash value obtained by hashing the expected response value RES.
Preferably, the subscriber data system is a unified data management (UDM) function, and:
the subscriber identity module SIM is a universal subscriber identity module USIM and the mobile subscriber identity is a subscription permanent identifier SUPI;
the first expected response value is a response value derived from the expected response value RES, or the hash value obtained by hashing the expected response value RES.
Preferably, sending the authentication and key agreement request to the registration server further comprises:
encrypting the subscription permanent identifier SUPI to generate a subscription concealed identifier SUCI;
and using the subscription concealed identifier SUCI as the mobile subscriber identity in the authentication and key agreement request sent to the registration server.
Preferably, receiving the security token transmitted by the registration server comprises:
the authentication and key agreement success response message comprises the security token, and the security token is obtained from that message; or
after receiving the authentication and key agreement success response message, receiving the security token sent by the registration server.
Preferably, the security authentication with the registration server based on the security token comprises:
sending a security authentication request to the registration server, the request comprising the security token;
and if the registration server verifies that the security token is valid, determining that the security authentication has succeeded.
Preferably, transmitting the third party application identifier to the registration server comprises:
transmitting the third party application identifier to the registration server during the security authentication process; or
transmitting the third party application identifier to the registration server after the security authentication process and before the registration information and services provided by the registration server for the third party application client are received.
Preferably, receiving the registration information and services provided by the registration server for the third party application client comprises:
receiving a third party user identifier transmitted by the registration server, the third party user identifier being used to identify the user within the third party application client; and/or
receiving a user token sent by the registration server, the user token being used by the third party application client to authenticate when accessing the corresponding third party application server.
Preferably, after transmitting the third party application identifier to the registration server and after the security authentication succeeds, and before receiving the registration information and services provided by the registration server for the third party application client, the method further comprises:
sending authorization information confirmed by the end user to the registration server.
Preferably, sending the authorization information confirmed by the end user to the registration server comprises:
receiving an application authorization request message sent by the registration server;
displaying an application authorization verification interface;
receiving the authorization information entered by the end user in the application authorization verification interface;
and if the authorization information indicates that authorization is confirmed, sending an application authorization response message to the registration server, the response message being an application authorization confirmation message.
In a second aspect, a client registration method is provided, applied to a registration server, and the method comprises:
performing authentication and key agreement with a user terminal, based on the subscriber data system and the subscriber identity module SIM; if the authentication and key agreement succeed, determining a user identity from the mobile subscriber identity, generating a security token, establishing an association between the security token and the user identity, and transmitting the security token to the user terminal, the mobile subscriber identity being that of the subscriber identity module SIM;
performing security authentication with the user terminal based on the association, and obtaining the user identity;
obtaining a third party application identifier transmitted by the user terminal, the third party application identifier being the identifier of a third party application client running in the user terminal;
and after the security authentication succeeds, providing registration information and services to the user terminal according to the user identity and the third party application identifier, the registration information and services being provided for the third party application client.
Preferably, the registration server is connected to the user terminal through a data network.
Preferably, the data network comprises the internet or the mobile internet.
Preferably, the authentication and key agreement with the user terminal, based on the subscriber data system and the subscriber identity module SIM, comprises:
receiving an authentication and key agreement request sent by the user terminal, the request comprising the mobile subscriber identity;
sending an authentication request to the subscriber data system, the authentication request comprising the mobile subscriber identity;
receiving the authentication response returned by the subscriber data system, the authentication response comprising a random number RAND, an authentication token AUTN and a second expected response value;
sending an authentication and key agreement challenge message to the user terminal, the challenge message comprising the random number RAND and the authentication token AUTN;
receiving an authentication and key agreement challenge response message sent by the user terminal, the challenge response message comprising a first expected response value;
verifying the first expected response value against the second expected response value;
and if the first expected response value is verified to be valid, determining the user identity from the mobile subscriber identity, generating a security token, establishing an association between the security token and the user identity, transmitting the security token to the user terminal, and sending an authentication and key agreement success response message to the user terminal.
Preferably, verifying the first expected response value against the second expected response value comprises:
if the first expected response value is plaintext, comparing whether the second expected response value is identical to the first expected response value, and if so determining that the first expected response value is valid; or
if the first expected response value is a hash value, hashing the second expected response value in the same way, comparing whether the two hash values are identical, and if so determining that the first expected response value is valid.
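The authentication and key agreement exchange from the terminal-side steps in the first aspect and the server-side steps above, simulated end to end as an added Go example (not code from the patent). The SIM and subscriber data system functions are stand-ins (HMAC-SHA256 in place of MILENAGE/TUAK), the identities and keys are constructed, and the type and function names (userDataSystem, sim, runAKA) are assumptions; the registration server verifies the first expected response value in either the plaintext or the hashed mode the text describes.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// tag is a constructed stand-in for the SIM's f1/f2 functions (real SIMs run
// MILENAGE or TUAK): HMAC-SHA256 over a label and RAND under the long-term key K.
func tag(key, rnd []byte, label string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(label))
	m.Write(rnd)
	return m.Sum(nil)
}

// userDataSystem plays the HSS/UDM: it holds the long-term key per mobile subscriber identity.
type userDataSystem struct{ keys map[string][]byte }
// authenticate answers the registration server's authentication request with RAND, AUTN and XRES.
func (u *userDataSystem) authenticate(msid string) (rnd, autn, xres []byte, err error) {
	k, ok := u.keys[msid]
	if !ok {
		return nil, nil, nil, errors.New("unknown mobile subscriber identity")
	}
	rnd = make([]byte, 16)
	if _, err = rand.Read(rnd); err != nil {
		return nil, nil, nil, err
	}
	return rnd, tag(k, rnd, "AUTN"), tag(k, rnd, "RES"), nil
}

// sim holds the subscriber identity and key K; it authenticates the network through
// AUTN before it returns RES, so a challenge that did not come via the HSS/UDM gets no answer.
type sim struct {
	msid string
	key  []byte
}
func (s *sim) authenticate(rnd, autn []byte) ([]byte, error) {
	if !hmac.Equal(autn, tag(s.key, rnd, "AUTN")) {
		return nil, errors.New("AUTN invalid: network not authenticated")
	}
	return tag(s.key, rnd, "RES"), nil
}

// firstResponse builds the first expected response value: RES in plaintext, or its hash.
func firstResponse(res []byte, hashed bool) []byte {
	if hashed {
		h := sha256.Sum256(res)
		return h[:]
	}
	return res
}

// verifyFirstResponse is the registration server's check against XRES, hashing XRES the
// same way when the terminal sent a hash; hmac.Equal keeps the comparison constant-time.
func verifyFirstResponse(first, xres []byte, hashed bool) bool {
	if hashed {
		h := sha256.Sum256(xres)
		return hmac.Equal(first, h[:])
	}
	return hmac.Equal(first, xres)
}

// runAKA drives the exchange between terminal, registration server and subscriber data
// system; on success it returns the security token (here a random globally unique string).
func runAKA(uds *userDataSystem, s *sim, hashed bool) (string, error) {
	// terminal -> registration server: AKA request with the mobile subscriber identity;
	// registration server -> subscriber data system: authentication request
	rnd, autn, xres, err := uds.authenticate(s.msid)
	if err != nil {
		return "", err
	}
	// registration server -> terminal: challenge (RAND, AUTN); terminal -> SIM: same values
	res, err := s.authenticate(rnd, autn)
	if err != nil {
		return "", err
	}
	// terminal -> registration server: challenge response carrying the first expected response value
	if !verifyFirstResponse(firstResponse(res, hashed), xres, hashed) {
		return "", errors.New("first expected response value invalid")
	}
	// registration server -> terminal: success response carrying the security token
	tok := make([]byte, 16)
	if _, err := rand.Read(tok); err != nil {
		return "", err
	}
	return hex.EncodeToString(tok), nil
}

func main() {
	key := []byte("constructed-sample-key")                                   // constructed K
	uds := &userDataSystem{keys: map[string][]byte{"460001234567890": key}} // constructed IMSI
	tok, err := runAKA(uds, &sim{msid: "460001234567890", key: key}, true)
	fmt.Println("security token:", tok, "err:", err)
}
```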
Preferably, determining the user identity from the mobile subscriber identity comprises:
using the mobile subscriber identity as the user identity; or
obtaining the corresponding MSISDN from the mobile subscriber identity and using that MSISDN as the user identity; or
establishing in advance an association between mobile subscriber identities and user identities, and looking up the user identity in that association using the mobile subscriber identity.
Preferably, generating the security token and establishing the association between the security token and the user identity comprises:
using a randomly generated globally unique string as the security token and establishing an association between the security token and the user identity; or
encrypting information comprising the user identity with a symmetric encryption algorithm under a preset key, and using the resulting ciphertext as the security token.
Preferably, transmitting the security token to the user terminal comprises:
including the security token in the authentication and key agreement success response message so that the user terminal obtains it; or
sending the security token to the user terminal after the authentication and key agreement success response message has been sent.
Preferably, the subscriber data system is a home subscriber server HSS, and:
the mobile subscriber identity is an international mobile subscriber identity IMSI or an IP multimedia private identity IMPI;
the second expected response value is the expected response value XRES.
Preferably, the subscriber data system is a unified data management (UDM) function, and:
the mobile subscriber identity is a subscription permanent identifier SUPI;
the second expected response value is the expected response value XRES.
Preferably, the mobile subscriber identity is a subscription concealed identifier SUCI generated by encrypting the subscription permanent identifier SUPI; the SUCI is used as the mobile subscriber identity in the authentication request sent to the subscriber data system, the authentication response additionally comprises the SUPI obtained by the subscriber data system by decrypting the SUCI, and that decrypted SUPI is used as the mobile subscriber identity in the subsequent steps.
Preferably, performing security authentication with the user terminal based on the association comprises:
receiving a security authentication request sent by the user terminal, the request comprising the security token;
and if the security token is verified to be valid and the associated user identity is obtained, determining that the security authentication has succeeded.
Preferably, verifying that the security token is valid and obtaining the associated user identity comprises:
if a randomly generated globally unique string is used as the security token, searching for the security token among all stored associations between security tokens and user identities and obtaining the user identity associated with it; if a user identity is found, the security token is verified as valid and the associated user identity is the user identity; if not, the security token is verified as invalid; or
if the ciphertext produced by encrypting information comprising the user identity with a symmetric encryption algorithm under a preset key is used as the security token, decrypting the security token with the same symmetric encryption algorithm under the preset key and obtaining the user identity from the decrypted plaintext; if decryption succeeds and the user identity is obtained, the security token is verified as valid and the decrypted user identity is the user identity; if not, the security token is verified as invalid.
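Both security token variants, as generated in the second aspect above and as verified here, in an added Go example that is not code from the patent: a random globally unique string with a server-side association table, and a ciphertext of the user identity under a preset key. The patent names no cipher, so AES-GCM is assumed for the second variant: its authentication tag makes "decryption succeeds" a real check, so a forged or altered token is rejected instead of decrypting to garbage. The identities, the preset key and the names randomTokenStore and encryptedToken are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// randomTokenStore is the first variant: the token is a random globally unique
// string and the server keeps the association token -> user identity.
type randomTokenStore struct{ assoc map[string]string }

func newRandomTokenStore() *randomTokenStore {
	return &randomTokenStore{assoc: map[string]string{}}
}

// issue draws the token from a CSPRNG (128 bits, so it is unguessable and unique
// in practice) and records the association with the user identity.
func (s *randomTokenStore) issue(userID string) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(b)
	s.assoc[tok] = userID
	return tok, nil
}

// verify searches the stored associations; a miss means the token is invalid.
func (s *randomTokenStore) verify(tok string) (string, bool) {
	id, ok := s.assoc[tok]
	return id, ok
}

// encryptedToken is the second variant: the token is the ciphertext of information
// containing the user identity under a preset key. The patent only says "symmetric
// encryption algorithm"; AES-GCM is assumed here (an authenticated mode) so that
// a token forged or altered by anyone without the preset key fails to open.
type encryptedToken struct{ aead cipher.AEAD }

func newEncryptedToken(presetKey []byte) (*encryptedToken, error) {
	block, err := aes.NewCipher(presetKey) // 16, 24 or 32 byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &encryptedToken{aead: aead}, nil
}

// issue encrypts "uid=<identity>" under a fresh random nonce; the token is nonce.ciphertext.
func (e *encryptedToken) issue(userID string) (string, error) {
	nonce := make([]byte, e.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := e.aead.Seal(nil, nonce, []byte("uid="+userID), []byte("security-token"))
	return hex.EncodeToString(nonce) + "." + hex.EncodeToString(ct), nil
}

// verify decrypts under the same key; only an authentic ciphertext yields the identity.
func (e *encryptedToken) verify(tok string) (string, bool) {
	parts := strings.SplitN(tok, ".", 2)
	if len(parts) != 2 {
		return "", false
	}
	nonce, err1 := hex.DecodeString(parts[0])
	ct, err2 := hex.DecodeString(parts[1])
	if err1 != nil || err2 != nil || len(nonce) != e.aead.NonceSize() {
		return "", false
	}
	pt, err := e.aead.Open(nil, nonce, ct, []byte("security-token"))
	if err != nil || !strings.HasPrefix(string(pt), "uid=") {
		return "", false
	}
	return strings.TrimPrefix(string(pt), "uid="), true
}

func main() {
	rs := newRandomTokenStore()
	t1, _ := rs.issue("460001234567890") // constructed user identity (an IMSI)
	id, ok := rs.verify(t1)
	fmt.Println("random token:", t1, "->", id, ok)
	et, err := newEncryptedToken([]byte("0123456789abcdef")) // constructed preset key
	if err != nil {
		panic(err)
	}
	t2, _ := et.issue("460001234567890")
	id, ok = et.verify(t2)
	fmt.Println("encrypted token:", t2, "->", id, ok)
}
```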
Preferably, obtaining the third party application identifier transmitted by the user terminal comprises:
receiving the third party application identifier transmitted by the user terminal during the security authentication process; or
receiving the third party application identifier transmitted by the user terminal after the security authentication process and before the registration information and services are provided to the user terminal according to the user identity and the third party application identifier.
Preferably, providing registration information and services to the user terminal according to the user identity and the third party application identifier comprises:
obtaining the third party user identifier corresponding to the user identity and the third party application identifier, and transmitting it to the user terminal so that it is used to identify the user within the third party application client; and/or
generating a user token associated with the user identity and the third party application identifier, and transmitting it to the user terminal so that the third party application client uses it to authenticate when accessing the corresponding third party application server.
Preferably, obtaining the third party user identifier corresponding to the user identity and the third party application identifier comprises:
searching for the corresponding third party user identifier using the user identity and the third party application identifier;
if a corresponding third party user identifier is found, using the found identifier as the third party user identifier;
if no corresponding third party user identifier is found, creating a unique third party user identifier, using it as the third party user identifier, and establishing the correspondence between the user identity and third party application identifier on one side and the unique third party user identifier on the other, so that the unique third party user identifier can later be found from the user identity and the third party application identifier.
Preferably, generating the user token associated with the user identity and the third party application identifier comprises:
using a randomly generated globally unique string as the user token;
and establishing an association between the user token and the user identity and third party application identifier, so that the user identity and the third party application identifier can be obtained from the user token.
Preferably, after receiving the third party application identifier transmitted by the user terminal and after the security authentication succeeds, and before providing registration information and services to the user terminal according to the user identity and the third party application identifier, the method further comprises:
obtaining the authorization information confirmed by the end user and sent by the user terminal, and if that authorization information is obtained, executing the step of providing registration information and services to the user terminal according to the user identity and the third party application identifier.
Preferably, obtaining the authorization information confirmed by the end user and sent by the user terminal comprises:
sending an application authorization request message to the user terminal;
receiving the application authorization response message sent by the user terminal;
and if the application authorization response message is an application authorization confirmation message, executing the step of providing registration information and services to the user terminal according to the user identity and the third party application identifier.
Preferably, the application authorization request message comprises:
a third party application name, being the name corresponding to the third party application identifier; and/or
a mobile subscriber name, being the name corresponding to the user identity.
In a third aspect, a client registration apparatus is provided, applied to a user terminal running a third party application client, comprising: a memory and a processor for running a program stored in the memory, the program when run performing the method of any one of the first aspect as applied to a user terminal running a third party application client.
A client registration apparatus is provided, applied to a registration server, comprising: a memory and a processor for running a program stored in the memory, the program when run performing the method of any one of the second aspect as applied to a registration server.
A client registration system is provided, comprising a user terminal and a registration server; the user terminal comprises the client registration apparatus applied to a user terminal running a third party application client, and the registration server comprises the client registration apparatus applied to a registration server.
A storage medium is provided, storing a program for implementing the method of any one of the first aspect as applied to a user terminal running a third party application client.
A storage medium is provided, storing a program for implementing the method of any one of the second aspect as applied to a registration server.
By the invention, the user terminal automatically obtains registration information, including the third party user identifier and the user token, for the third party application client, based on the subscriber identity module SIM, the subscriber data system and the registration server. The beneficial effects include at least the following. First, the technical problem that existing third party application clients are cumbersome when registering an account, obtaining a user token or authenticating the user's identity is solved: the whole process requires the user to enter nothing, or only a small amount of information, which improves the user experience. Second, as long as the subscriber identity module SIM is the same, the same third party user identifier can be obtained automatically for the same third party application client even when the SIM is moved to another user terminal. Third, the SIM, a necessary component for a subscriber of the mobile communication network, is applied to identity authentication for application services on the internet and the mobile internet, which reduces the user's investment in identity authentication and improves the efficiency with which application service providers acquire users. Fourth, the registration server can act as a service platform that provides registration information securely and efficiently for the user terminal's identity authentication towards application services on the internet and the mobile internet, promoting service convergence between the communication network, the internet and the mobile internet.
[ Description of the drawings ]
To illustrate the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings required by the embodiments or by the description of the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the invention, and a person skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a schematic view of an implementation environment according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of a first embodiment of the client registration method provided by the present invention;
FIG. 3 is a schematic flow chart of a second embodiment of the client registration method provided by the present invention;
FIG. 4 is a flow chart of an embodiment of the client security authentication process provided by the present invention;
FIG. 5 is a flow chart of a first embodiment of the client registration information providing process according to the present invention;
FIG. 6 is a flow chart of a second embodiment of the client registration information providing process according to the present invention;
FIG. 7 is a flow chart of an embodiment of the authentication and key agreement process provided by the present invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings and the embodiments.
[ detailed description of the invention ]
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the embodiments of the present invention will be described in further detail with reference to the accompanying drawings. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
1. Related noun terminology
For ease of understanding, certain terms are referred to and described herein.
Mobile subscriber identity: an identity that uniquely identifies a subscriber identity module SIM. The mobile subscriber identity comprises: the international mobile subscriber identity (international mobile subscriber identification number, IMSI), or the IP multimedia private identity (IP multimedia private identity, IMPI), or the user permanent identity (5G subscription permanent identifier, SUPI), or the user hidden identity (subscription concealed identifier, SUCI) that results from encrypting the user permanent identity.
MSISDN: the mobile subscriber ISDN number (Mobile Subscriber ISDN Number), the number dialed to call a mobile subscriber and the receiving number used when sending a short message to a mobile subscriber, commonly known as the mobile telephone number.
User identity identification: the identification used for long-term identification of the user identity includes a mobile user identity, an MSISDN, or other identification that can be used for long-term identification of the user identity.
Third party application identification: the third party application identifier is used for uniquely identifying the third party application server and identifying a third party application client corresponding to the third party application server.
Signature encryption algorithm: an algorithm used to protect the authenticity of information. Only the sender of the information can generate the digital string, which cannot be forged by others, and the digital string is also a valid proof that the sender sent the authentic information. Examples include message authentication codes (such as the hash-based message authentication code HMAC, the cipher block chaining message authentication code CBC-MAC, the Galois message authentication code GMAC, and the like), keyed hash functions, RSA-based digital signature schemes (such as RSA-PSS), the Digital Signature Algorithm (DSA), the elliptic curve digital signature algorithm, and the like.
Symmetric encryption algorithm: an encryption algorithm that encrypts and decrypts with the same key, such as the triple data encryption standard (Triple DES, 3DES), the advanced encryption standard (Advanced Encryption Standard, AES), and the like.
Authentication and key agreement mechanism: abbreviated AKA (authentication and key agreement). Based on a challenge-response mechanism, it completes identity authentication between the end user and the mobile communication network and, on the basis of that authentication, negotiates the communication encryption keys. Currently the authentication and key agreement mechanism of 3G/4G mobile communication networks is generally referred to simply as AKA, while that of 5G mobile communication networks is referred to as 5G AKA. To distinguish them and avoid confusion, in the embodiments of the present invention the mechanism of 3G/4G mobile communication networks is referred to as 3G/4G AKA and the mechanism of 5G mobile communication networks as 5G AKA; unless otherwise specified, "authentication and key agreement mechanism" covers both 3G/4G AKA and 5G AKA.
User data system: a system for storing mobile subscriber identities, mobile subscriber keys (K), AKA related algorithms and authenticating an end user etc. in a mobile communication network, also called subscriber subscription server, comprises in particular a home subscriber server (home subscriber server, HSS) and a unified data management (unified data management, UDM).
Subscriber identity module, SIM: stores the end user's mobile subscriber identity, mobile subscriber key (K), home network, AKA related algorithms and the like; the end user performs identity authentication to the mobile communication network based on the subscriber identity module SIM. It specifically includes the universal subscriber identity module (universal subscriber identity module, USIM) and the IP multimedia services identity module (IP multimedia services identity module, ISIM).
Token: the credentials used to securely authenticate or access the protected resource are typically a string of characters. Based on the difference that tokens may be used for security authentication or access to protected resources, in embodiments of the present invention, tokens are distinguished as security tokens, user tokens, and the like.
2. Schematic diagram of implementation environment structure
Referring to fig. 1, a schematic structural diagram of an implementation environment related to a client registration method according to an embodiment of the present invention is shown. The implementation environment comprises a registration server, a user terminal and a third party application client.
The registration server: connected to the user terminal through a network, it performs authentication and key agreement with the user terminal, performs security authentication of the user terminal, and provides registration information and services to the user terminal; it is connected to the user data system via a network in order to send authentication requests to the user data system and acquire the results, where the user data system comprises a home subscriber server (home subscriber server, HSS) or/and a unified data management (unified data management, UDM). The registration server is typically provided by a communication carrier.
User terminal: the user terminal accesses the network and establishes a data connection with the registration server in a wired or wireless manner, through WLAN/WiFi, mobile data (including 3G/4G/5G/6G mobile data), LAN, fixed broadband and the like, where the network comprises data networks such as the Internet and the mobile Internet. The user terminal is an intelligent terminal device into which a subscriber identity module (SIM) can be inserted, embedded or externally connected, and which supports reading the SIM; it is usually a smart phone, but may also be a smart television, a set top box, a tablet computer, a portable computer, a desktop computer, a smart watch and the like.
Third party application client: an application running in the operating system of the user terminal is provided by a third party application service provider.
It will be appreciated that in an actual implementation environment, one, more or a large number of user terminals may be included, where each user terminal may run one or more third party application clients provided by different third party application servers, where each third party application client is respectively used to access a corresponding third party application server, so as to obtain service application data and services provided by the corresponding third party application server.
In an actual implementation environment there is also a third party application server. The third party application server is provided by a third party application service provider, is connected through a network with the corresponding third party application client, and provides the third party application client with the business application data and services required by the user, such as information, shopping, social contact and the like; it is also connected through a network to the registration server in order to obtain or verify the registration information of the third party application client, such as the third party user identifier and the user token, from the registration server.
Those skilled in the art will appreciate that the implementation environment configuration shown in fig. 1 is not limiting of the implementation environment and may include more or fewer components than shown, or certain components may be combined, or a different arrangement of components.
3. Embodiment one of client registration method
Referring to fig. 2, a flowchart of a first embodiment of a client registration method according to the present invention is shown, and the method may be used in the implementation environment shown in fig. 1. The method may include:
Step 201. The user terminal performs authentication and key negotiation with the registration server; if the authentication and key negotiation succeed, the registration server establishes an association relationship between a security token and the user identity, and the user terminal acquires the security token.
The SIM connected with the user terminal stores a mobile user identifier, a mobile user key (K) and an AKA related algorithm, and correspondingly, the mobile user identifier, the mobile user key (K) corresponding to the mobile user identifier and the AKA related algorithm are stored in the user data system connected with the registration server.
Therefore, the user terminal performs authentication and key negotiation based on the user data system through an authentication and key negotiation mechanism based on the user identification module SIM, wherein if the authentication and key negotiation is successful, the registration server determines the user identity according to the mobile user identity, generates a security token, establishes an association relation between the security token and the user identity, and transmits the security token to the user terminal, and the mobile user identity is the identity of the user identification module SIM. Correspondingly, the user terminal acquires the security token transmitted by the registration server.
In the implementation of establishing the association relationship between the security token and the user identity, the association relationship between the security token and the user identity can be established on the registration server, or the information comprising the user identity can be encrypted to generate the security token, so that the user identity can be obtained according to the security token.
Specifically, the authentication and key negotiation between the user terminal and the registration server may include various embodiments; the embodiment of the authentication and key negotiation process provides one embodiment for implementing the authentication and key negotiation between the user terminal and the registration server.
Step 202. The user terminal performs security authentication with the registration server based on the security token and the association relationship.
After the user terminal successfully performs authentication and key negotiation with the registration server, the user terminal performs security authentication on the registration server based on the obtained security token; the registration server verifies the security token and obtains the associated user identity from the association between the user identity and the security token according to the security token.
Specifically, the security authentication between the user terminal and the registration server may include various embodiments, and in the embodiment of the client security authentication process, an embodiment for implementing the security authentication between the user terminal and the registration server is provided.
Step 203, the user terminal transmits the third party application identifier of the third party application client to the registration server.
The third party application identifier is an identifier of a third party application client running in the user terminal and is also an identifier of a third party application server corresponding to the third party application client.
The user terminal obtains the third party application identifier. For example, the third party application identifier is built into the software installation package of the third party application client and stored in a configuration file after installation, and the user terminal acquires it from the configuration file; or the third party application client obtains it by sending a request to the corresponding third party application server, after which the user terminal either reads it from the third party application client or the third party application client sends it to the user terminal.
The user terminal transmits the acquired third party application identifier to the registration server, so that the registration server can provide registration information and services for the third party application client according to the third party application identifier.
Step 204, after the security authentication is successful, the registration server provides registration information and services provided for the third party application client to the user terminal.
After the security authentication is successful, the registration server provides registration information and services provided for a third party application client corresponding to the third party application identifier to the user terminal according to the third party application identifier transmitted by the user terminal and according to the acquired user identity identifier.
Accordingly, after determining that the security authentication is successful and transmitting the third party application identifier to the registration server, the user terminal receives registration information and services provided by the registration server for the third party application client, and transmits the received registration information and services to the third party application client.
It should be noted that, the step 203 of transmitting the third party application identifier to the registration server by the user terminal may be performed simultaneously in the process of performing security authentication between the user terminal and the registration server in step 202, or may be performed after the security authentication between the user terminal and the registration server is successful in step 204, that is, before the registration server provides the registration information and the service provided for the third party application client to the user terminal, for example, in the security authentication process, the security authentication request sent by the user terminal to the registration server further includes the third party application identifier; or after the security authentication is successful, a session state or an authentication token is maintained between the user terminal and the registration server, and the user terminal transmits a third party application identifier to the registration server according to the session state or the authentication token.
In particular, the provision of registration information and services by the registration server to the third party application client running in the user terminal may include a variety of implementations; the first and second embodiments of the client registration information providing process provide implementations for providing registration information to the third party application client running in the user terminal.
It can be seen from the foregoing that, in the method provided in this embodiment, through authentication and key negotiation between the user terminal and the registration server, the user terminal performs security authentication based on the obtained security token and the registration server, and the user terminal transmits the third party application identifier to the registration server, so that the registration server provides registration information and services for the third party application client running in the user terminal, and the whole process does not need the user to input registration information, thereby improving the use experience of the user.
4. Embodiment two of client registration method
Referring to fig. 3, a flowchart of a second embodiment of a client registration method provided by the present invention is shown, and the method may be used in the implementation environment shown in fig. 1. As a more preferred embodiment provided based on the first embodiment of the client registration method, the present embodiment further implements an authorization confirmation procedure of the end user.
This embodiment builds on the first embodiment of the client registration method: after the user terminal transmits the third party application identifier to the registration server and the registration server determines that the security authentication is successful, and before the registration server provides the registration information and services for the third party application client to the user terminal, the user terminal sends the authorization information confirmed by the end user to the registration server, and the registration server receives it. The method specifically comprises the following steps:
Step a. The registration server sends an application authorization request message to the user terminal.
When the user terminal performs security authentication with the registration server based on the security token and the association relationship, the registration server acquires the user identity associated with the security token. According to the user identity and according to the third party application identifier transmitted by the user terminal, the registration server may include in the application authorization request message:
a third party application name, or/and a mobile user name. The third party application name identifies the third party application client and the third party application server; the correspondence between third party application identifiers and third party application names is pre-stored on the registration server, and the registration server looks up the corresponding third party application name in that correspondence according to the third party application identifier.
The mobile user name identifies the mobile user; the correspondence between user identities and mobile user names is pre-stored on the registration server, and the registration server looks up the corresponding mobile user name in that correspondence according to the user identity.
Accordingly, the user terminal receives the application authorization request message sent by the registration server.
Step b. The user terminal displays an application authorization verification interface.
After receiving the application authorization request message sent by the registration server, the user terminal invokes and displays an application authorization verification interface to inquire whether the terminal user agrees to authorize the third party application.
On the displayed application authorization verification interface, a third party application name or/and a mobile user name included in the application authorization request message may be displayed, specifically:
third party application names, namely names of a third party application client and a third party application server to be authorized;
the mobile user name, i.e. the mobile user name to be authorized.
After displaying the application authorization verification interface, the end user may enter authorization information indicating confirmation of authorization or indicating cancellation of authorization.
Optionally, a security verification code input box may be included on the displayed application authorization verification interface to query the end user for the security verification code. The security verification code is used for further verifying the authorization of the terminal user, and correspondingly, the corresponding relation between the user identity and the security verification code is prestored on the registration server.
Step c. The user terminal receives the authorization information input by the end user in the application authorization verification interface.
According to the displayed application authorization verification interface, the end user inputs (including by triggering) authorization information in the interface indicating confirmation of authorization or cancellation of authorization. Accordingly, the user terminal receives the authorization information input by the end user in the application authorization verification interface.
Step d. The user terminal sends an application authorization response message to the registration server, where the application authorization response message is either an application authorization confirmation message or an application authorization cancellation message.
The user terminal executes corresponding operations according to the authorization information input by the terminal user, and the operations comprise:
if the authorization information is authorization information indicating confirmation of authorization, the application authorization response message transmitted from the user terminal to the registration server is an application authorization confirmation message.
Optionally, if the displayed application authorization verification interface further includes a security verification code input box, and the authorization message input by the end user and received by the user terminal includes a security verification code, the application authorization confirmation message sent by the user terminal to the registration server further includes the security verification code.
If the authorization information is authorization information indicating that the authorization is canceled, the application authorization reply message transmitted from the user terminal to the registration server is an application authorization cancellation message.
Step e. The registration server receives the application authorization response message sent by the user terminal and performs the corresponding operation.
The registration server receives an application authorization response message sent by the user terminal, wherein the application authorization response message is an application authorization confirmation message or an application authorization cancellation message.
The registration server executes corresponding operations according to the application authorization response message, including:
if the application authorization response message is an application authorization confirmation message, continuing to execute the subsequent steps, namely continuing to execute the process that the registration server provides registration information and services provided for the third party application client to the user terminal.
Optionally, a correspondence between the user identity and the security verification code is pre-stored on the registration server. If a security verification code is included in the application authorization confirmation message received by the registration server, the registration server looks up the corresponding security verification code in the correspondence according to the user identity and compares whether the two security verification codes are consistent: if they are consistent, the subsequent steps continue; if not, the flow ends and no subsequent steps are executed.
If the application authorization response message is an application authorization cancellation message, the process is ended, and no subsequent steps are executed.
The method provided by this embodiment adds, on the basis of the first embodiment of the client registration method, a process in which the end user confirms the authorization. With this process it can be better ensured that registration information and services are provided for the third party application client only with the end user's authorization, and the situation in which registration information and services are provided to an unwanted third party application client because of misoperation or the like is avoided.
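Example code added here (in Go, not the patent's own code) modelling steps a, d and e of this embodiment on the registration server side: the lookup of the third party application name and mobile user name for the application authorization request, and the handling of the confirmation or cancellation response, including the optional security verification code. The correspondence tables, the application identifier app-example-001 and the IMSI-style user identity are constructed sample values.

```go
package main

import (
	"crypto/subtle"
	"errors"
)

// Constructed sample correspondences pre-stored on the registration server.
var (
	appNames    = map[string]string{"app-example-001": "Example Shopping"} // third party application identifier -> name
	userNames   = map[string]string{"460001234567890": "User One"}         // user identity -> mobile user name
	verifyCodes = map[string]string{"460001234567890": "7391"}             // user identity -> security verification code
)

var ErrAppUnknown = errors.New("third party application identifier not found")

// AppAuthRequest is the step a message from the registration server to the user terminal.
type AppAuthRequest struct {
	AppName        string
	MobileUserName string
}

// AppAuthResponse is the step d message: Confirmed true is an application authorization
// confirmation message, false an application authorization cancellation message.
// VerificationCode is set only when the interface asked for one and the user entered it.
type AppAuthResponse struct {
	Confirmed        bool
	VerificationCode string
}

// BuildAppAuthRequest (step a) looks up the names associated with the user identity obtained
// from the security token and the application identifier sent by the user terminal.
func BuildAppAuthRequest(userID, appID string) (AppAuthRequest, error) {
	name, ok := appNames[appID]
	if !ok {
		return AppAuthRequest{}, ErrAppUnknown
	}
	return AppAuthRequest{AppName: name, MobileUserName: userNames[userID]}, nil
}

// HandleAppAuthResponse (step e) reports whether the registration server may continue and
// provide the registration information: a cancellation ends the flow, and a confirmation
// that carries a verification code must match the code pre-stored for the user identity.
func HandleAppAuthResponse(userID string, resp AppAuthResponse) bool {
	if !resp.Confirmed {
		return false
	}
	if resp.VerificationCode == "" {
		return true // no code included: the flow continues with the subsequent steps
	}
	stored, ok := verifyCodes[userID]
	if !ok {
		return false // nothing pre-stored to compare against
	}
	// constant-time comparison so the check does not leak how many characters matched
	return subtle.ConstantTimeCompare([]byte(stored), []byte(resp.VerificationCode)) == 1
}
```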
5. Client security authentication process embodiment
Referring to fig. 4, a flowchart of an embodiment of a client security authentication process provided by the present invention is shown, and the embodiment may be used in the implementation environment shown in fig. 1. The embodiment takes the user terminal and the registration server as an example after authentication and key negotiation are successful, and specifically includes:
Step 401. The user terminal sends a security authentication request to the registration server, the security authentication request comprising a security token.
In the authentication and key negotiation process of the user terminal and the registration server, if the authentication and key negotiation is successful, the registration server generates a security token for the user terminal, establishes an association relationship between the security token and the user identity, transmits the security token to the user terminal, and the user terminal acquires the security token.
The user terminal uses the security token as authentication information, sends a security authentication request to the registration server, and includes the security token in the security authentication request so that the registration server can verify the security token.
Accordingly, the registration server receives a security authentication request sent by the user terminal, and acquires a security token in the security authentication request.
Step 402, the registration server verifies whether the security token is valid and obtains the associated user identity.
The registration server verifies whether the security token is valid, obtains an associated user identity from an association of the security token with the user identity according to the security token, and uses the user identity to identify the user identity in providing registration information and services for the third party application client, wherein the association of the security token with the user identity is established when the security token is generated.
Corresponding to various embodiments which can be included in the process of generating the security token by the registration server in the authentication and key negotiation process, the corresponding embodiments for verifying the security token by the registration server comprise:
In a first embodiment, corresponding to an embodiment that the registration server uses a randomly generated globally unique character string as a security token, the registration server searches whether the security token exists in the association relationship between all the stored security tokens and the user identity, and searches whether the security token has the associated user identity; if yes, determining that the security token is effective, and acquiring a user identity associated with the security token; if not, determining that the security token is invalid.
In the second embodiment, corresponding to the embodiment in which the registration server uses a symmetric encryption algorithm and a preset key to encrypt information including the user identity and uses the resulting ciphertext as the security token, the registration server decrypts the security token with the same symmetric encryption algorithm and the same preset key and obtains the user identity from the decrypted plaintext. If the decryption succeeds and the user identity is obtained, the security token is determined to be valid and the user identity in the plaintext is acquired; if not, the security token is determined to be invalid.
For example, taking AES as the symmetric encryption algorithm used to generate the security token, the decryption may be expressed as m = aes_decrypt(s, k), where m is the decryption result, i.e. the decrypted plaintext, k is the decryption key, i.e. the preset key used when generating the security token, aes_decrypt is the decryption algorithm, and s is the ciphertext, i.e. the security token.
Step 403, the registration server determines whether the security authentication is successful according to the verification result of the security token.
The registration server determines whether the security authentication is successful according to the verification result of the security token, and executes corresponding operations, including:
if the security token is determined to be valid, the security authentication is determined to be successful.
If the security token is determined to be invalid, the security authentication is determined to fail.
After determining that the security authentication is successful, the registration server may provide registration information and services to the user terminal, may also maintain a session state with the user terminal to receive information transferred by the user terminal, or generate an authentication token for the user terminal, or the like. Accordingly, the user terminal receives registration information and services provided by the registration server, or passes information to the registration server through a session state maintained with the registration server or a received authentication token.
After determining that the security authentication fails, the registration server transmits a registration failure response message to the user terminal. Accordingly, the user terminal receives the registration failure response message sent by the registration server.
In summary, the method provided in this embodiment performs security authentication mainly on the basis of the security token generated in the authentication and key negotiation process between the user terminal and the registration server; after the security authentication is determined to be successful, the corresponding registration information and services can be provided for the user terminal and the third party application client running on it.
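Example code added here (in Go, not the patent's own code) implementing both security token embodiments of step 402 together with the step 401 request and the step 403 decision: a random globally unique token looked up in the server's association table, and a token that is the encryption of the user identity under a preset key. Assumptions: AES is used in the authenticated AES-GCM mode (the patent names AES only), the third party application identifier is carried in the security authentication request, and the user identity is a constructed IMSI-style sample value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// ErrInvalidToken: step 402 could not associate a user identity with the token.
var ErrInvalidToken = errors.New("security token invalid")

// TokenScheme issues a security token after a successful AKA (step 201) and verifies it in step 402.
type TokenScheme interface {
	Issue(userID string) (string, error)
	Verify(token string) (string, error)
}

// RandomTokenScheme is the first embodiment: a randomly generated globally unique
// string; a map stands in for the server's token/user-identity association store.
type RandomTokenScheme struct {
	assoc map[string]string
}

func NewRandomTokenScheme() *RandomTokenScheme {
	return &RandomTokenScheme{assoc: make(map[string]string)}
}

func (r *RandomTokenScheme) Issue(userID string) (string, error) {
	buf := make([]byte, 32) // 256 random bits: unguessable and unique in practice
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	tok := base64.RawURLEncoding.EncodeToString(buf)
	r.assoc[tok] = userID
	return tok, nil
}

func (r *RandomTokenScheme) Verify(token string) (string, error) {
	if uid, ok := r.assoc[token]; ok {
		return uid, nil
	}
	return "", ErrInvalidToken
}

// EncryptedTokenScheme is the second embodiment: the token is the ciphertext of the user
// identity under a preset key, so no server-side table is needed. AES-GCM is this example's
// assumption, so that an altered token fails to decrypt instead of yielding another identity.
type EncryptedTokenScheme struct {
	aead cipher.AEAD
}

func NewEncryptedTokenScheme(presetKey []byte) (*EncryptedTokenScheme, error) {
	block, err := aes.NewCipher(presetKey) // 16, 24 or 32 byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &EncryptedTokenScheme{aead: aead}, nil
}

func (e *EncryptedTokenScheme) Issue(userID string) (string, error) {
	nonce := make([]byte, e.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// token = nonce || AES-GCM(userID); the nonce must travel with the ciphertext
	return base64.RawURLEncoding.EncodeToString(e.aead.Seal(nonce, nonce, []byte(userID), nil)), nil
}

func (e *EncryptedTokenScheme) Verify(token string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	ns := e.aead.NonceSize()
	if err != nil || len(raw) <= ns {
		return "", ErrInvalidToken
	}
	// m = aes_decrypt(s, k): decryption and tag check fail for forged or altered tokens
	pt, err := e.aead.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil || len(pt) == 0 {
		return "", ErrInvalidToken
	}
	return string(pt), nil
}

// SecurityAuthenticate handles the step 401 request (security token plus the third party
// application identifier carried in the same request) and makes the step 403 decision:
// on success it returns the associated user identity and the application identifier;
// ok == false corresponds to the registration failure response.
func SecurityAuthenticate(scheme TokenScheme, token, appID string) (userID, outAppID string, ok bool) {
	uid, err := scheme.Verify(token)
	if err != nil {
		return "", "", false
	}
	return uid, appID, true
}
```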
6. Client registration information providing procedure embodiment one
Referring to fig. 5, a flowchart of a first embodiment of a client registration information providing process provided by the present invention is shown, and the method may be used in the implementation environment shown in fig. 1. The registration server of the embodiment provides registration information for a third party application client running in the user terminal, wherein the registration information comprises a third party user identifier.
In order for the registration server to provide corresponding registration information and services for the third party application client running in the user terminal, the user terminal needs to transmit the third party application identifier of the third party application client to the registration server.
In particular, the user terminal transferring the third party application identifier to the registration server may include various embodiments, for example, may include:
in a first embodiment, during the client security authentication process, the user terminal transmits the third party application identifier to the registration server, and the registration server receives the third party application identifier.
The user terminal may send the third party application identifier to the registration server in a separate request, or may combine it into another request sent to the registration server.
For example, taking the above embodiment of the client security authentication process as an example, the security authentication request in step 401 may be incorporated, that is, the security authentication request sent to the registration server further includes a third party application identifier, so that the registration server obtains the third party application identifier in the received security authentication request.
In a second embodiment, after the client security authentication is successful and before the registration server provides the registration information and services to the user terminal, the user terminal transmits the third party application identification to the registration server through a session state or authentication token maintained with the registration server.
For example, taking the above-mentioned embodiment of the client security authentication procedure as an example, after the user terminal and the registration server perform security authentication successfully, a session state or an authentication token is maintained between the user terminal and the registration server, and the user terminal transmits the third party application identifier to the registration server through the session state or the authentication token.
After the user terminal has transmitted the third party application identifier to the registration server and the registration server has determined that the security authentication is successful, the registration server may provide the third party application client running in the user terminal with registration information including the third party user identifier. The process by which the registration server determines that the security authentication is successful is as described in the client security authentication process embodiment. Particular embodiments of the registration server providing the third party user identifier may include:
Step 501, the registration server obtains a corresponding third party user identifier according to the user identifier and the third party application identifier.
Corresponding to the above embodiment of the client security authentication process, the user identity is a user identity obtained according to the security token.
The registration server obtains a corresponding third party user identifier according to the user identity identifier and the third party application identifier, and specifically may include:
Step 501a. The registration server searches for the corresponding third party user identifier according to the user identity and the third party application identifier.
The registration server stores an account correspondence between the user identity, the third party application identifier and the third party user identifier, so that the third party user identifier can be looked up in the account correspondence according to the user identity and the third party application identifier.
The registration server searches the account correspondence for the third party user identifier corresponding to the user identity and the third party application identifier.
If a corresponding third party user identifier is found, this indicates that the registration server has already created a third party user identifier for this user identity under this third party application identifier; the registration server obtains it and then performs step 502 or step 503 described below.
If no corresponding third party user identifier is found, this indicates that the registration server has not yet created a third party user identifier for this user identity under this third party application identifier, and the following step 501b is performed.
Step 501b. The registration server creates a unique third party user identity.
The registration server creates a new user identifier that is unique among all third party user identifiers on the registration server, or at least among all third party user identifiers corresponding to the same third party application identifier in the account correspondence described in step 501a, and uses this new identifier as the third party user identifier.
Step 501c, the registration server establishes and stores the correspondence between the user identity and the third party application identity and the third party user identity.
The registration server adds the correspondence between the user identity, the third party application identifier and the third party user identifier to the account correspondence described in step 501a, so that the third party user identifier can subsequently be found in the account correspondence according to the user identity and the third party application identifier.
In steps 501a, 501b and 501c, the registration server may pre-establish an application user relationship table for each third party application identifier, in which one-to-one correspondences between user identities and third party user identifiers are stored. The registration server searches this application user relationship table for the third party user identifier according to the user identity; if none is found, it creates a unique third party user identifier and adds the new one-to-one correspondence between the user identity and the third party user identifier to the table, and if one is found, it obtains that third party user identifier.
Alternatively, in steps 501a, 501b and 501c, the registration server may pre-establish a mobile user relationship table for each user identity, in which one-to-one correspondences between third party application identifiers and third party user identifiers are stored. The registration server searches this mobile user relationship table for the third party user identifier according to the third party application identifier; if none is found, it creates a unique third party user identifier and adds the new one-to-one correspondence between the third party application identifier and the third party user identifier to the table, and if one is found, it obtains that third party user identifier.
Step 502. The registration server communicates the third party user identity to the user terminal.
The registration server communicates the third party user identity to the user terminal, e.g. the third party user identity is included in a registration success response message sent by the registration server to the user terminal.
Step 503. The user terminal receives the third party user identification transferred by the registration server.
The user terminal receives the third party user identifier transmitted by the registration server, for example, receives a registration success response message sent by the registration server, and acquires the third party user identifier in the registration success response message.
For another example, steps 502 and 503 may also be that after the user terminal and the registration server perform security authentication successfully, the session state or the authentication token is maintained, and the user terminal sends a request for obtaining the third party user identifier to the registration server through the session state or the authentication token, and the registration server feeds back the third party user identifier, and the user terminal receives and obtains the third party user identifier.
After the user terminal receives the third party user identification, the user terminal transmits the third party user identification to a third party application client corresponding to the third party application identification. Thus, the third party application client can automatically acquire the third party user identification for accessing the third party application server.
In the above embodiment, a third party user identifier is obtained for the third party application client running in the user terminal. The effects obtained include at least the following. First, the third party user identifier is acquired automatically for the third party application client, so the input operations required of the terminal user are reduced and the user experience is improved. Second, as long as the same subscriber identity module SIM is used, the same third party user identifier is automatically obtained for the same third party application client even when the SIM is moved to another user terminal. Third, the third party application server corresponding to the third party application client can obtain only the third party user identifier related to that client and cannot obtain the mobile subscriber identity, so the user's privacy is effectively protected from disclosure.
7. Client registration information providing procedure embodiment two
Referring to fig. 6, a flowchart of a second embodiment of a client registration information providing process provided by the present invention is shown, and the method may be used in the implementation environment shown in fig. 1. The registration server of the embodiment provides registration information for a third party application client running in the user terminal, the registration information comprising a user token generated for the third party application client running in the user terminal.
In order for the registration server to provide corresponding registration information and services for the third party application client running in the user terminal, the user terminal needs to transmit the third party application identifier corresponding to the third party application client to the registration server. The specific implementation may refer to the first embodiment of the above-mentioned client registration information providing process, which is not described herein again.
After the user terminal has transmitted the third party application identifier to the registration server and the registration server has determined that the security authentication is successful, the registration server may provide the third party application client running in the user terminal with registration information including a user token. The process by which the registration server determines that the security authentication is successful is as described in the client security authentication process embodiment. Particular embodiments of the registration server providing a user token may include:
Step 601. The registration server generates a user token.
The registration server generates a user token that is unique and of sufficient length and randomness that it is difficult to guess or crack.
Step 602, the registration server associates the user token with the user identity and the third party application identity.
The registration server establishes an association between the user token and the user identity and the third party application identifier, so that the associated user identity and third party application identifier can be looked up according to the user token. The third party application identifier is used to determine whether the user token was issued for the third party application server corresponding to that identifier, and the user identity is used to determine which user the token belongs to, so that continuous service can be provided to the same user.
For example, after a third party application server receives an authentication request including a user token from a user terminal, it forwards the user token to the registration server. The registration server looks up the associated user identity and third party application identifier according to the user token in the authentication request. If the associated third party application identifier matches the third party application identifier of the requesting third party application server, the registration server feeds back information indicating that authentication succeeded, and determines the user's identity from the associated user identity, for example by determining the third party user identifier from the associated user identity and third party application identifier and providing it to the third party application server for binding the user identity and similar purposes.
It should be noted that a cleaning mechanism should also be provided so that the association of an invalidated user token is removed in time: for example, the association is deleted once the user token has been verified, or a validity period is set for the user token and the association of any token whose validity period has passed is deleted promptly. The specific cleaning mechanism is not described in detail here.
Step 603. The registration server passes the user token to the user terminal.
The registration server passes the user token to the user terminal, e.g. the user token is included in a registration success response message sent by the registration server to the user terminal.
Step 604. The user terminal receives the user token passed by the registration server.
The user terminal receives the user token transmitted by the registration server, for example, receives a registration success response message sent by the registration server, and acquires the user token in the registration success response message.
For another example, the steps 603 and 604 may also be that the user terminal and the registration server maintain a session state or an authentication token after the user terminal successfully performs security authentication, and the user terminal sends a request for obtaining the user token to the registration server through the session state or the authentication token, and the registration server feeds back the user token, and the user terminal receives and obtains the user token.
After the user terminal receives the user token, the user token is passed to a third party application client. The third party application client will be able to achieve authentication to the corresponding third party application server based on the user token.
The above embodiment generates a user token for the third party application client running in the user terminal. The effects obtained include the following. First, the user token is acquired automatically for the third party application client, so the input operations required of the terminal user are reduced and the user experience is improved. Second, the user token can be used by the third party application client to authenticate to the corresponding third party application server, which also improves the user experience. Third, when used for authentication and authorization, the user token is well suited to lightweight third party application clients (such as client programs based on HTML5 and JavaScript), because no operations such as cryptographic calculation are needed.
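The following is an added example, not code from the patent, of how a registration server could implement the account correspondence of steps 501a to 501c together with the user token issue, verification and cleaning of steps 601 and 602. The class and method names, the single-use token policy and the validity period are assumptions made here.

```python
"""Added example (not from the patent): a minimal registration-server model for the
account correspondence (user identity, third party application identifier) ->
third party user identifier of step 501, and for user tokens that are issued to a
third party application client and later verified on behalf of its third party
application server (step 602). All names and policies are assumptions."""
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class RegistrationServer:
    # Account correspondence of step 501a: (user identity, app id) -> third party user id.
    accounts: dict = field(default_factory=dict)
    # Association of step 602: user token -> (user identity, app id, expiry time).
    tokens: dict = field(default_factory=dict)
    token_ttl: float = 300.0  # assumed validity period of a user token, in seconds

    def get_or_create_third_party_user_id(self, user_identity: str, app_id: str) -> str:
        """Steps 501a-501c: look up the third party user id, creating one if absent."""
        key = (user_identity, app_id)
        if key in self.accounts:
            return self.accounts[key]
        # Step 501b: the new id must be unique among the ids already issued for this app.
        issued = {tpuid for (_, a), tpuid in self.accounts.items() if a == app_id}
        while True:
            tpuid = secrets.token_hex(16)
            if tpuid not in issued:
                break
        self.accounts[key] = tpuid  # step 501c: store the correspondence
        return tpuid

    def issue_user_token(self, user_identity: str, app_id: str, now=None) -> str:
        """Steps 601-602: a unique, long random token tied to user identity and app id."""
        now = time.time() if now is None else now
        self._clean(now)
        while True:
            token = secrets.token_urlsafe(32)  # 256 bits of randomness
            if token not in self.tokens:
                break
        self.tokens[token] = (user_identity, app_id, now + self.token_ttl)
        return token

    def verify_user_token(self, token: str, requesting_app_id: str, now=None):
        """Check a token forwarded by a third party application server.
        Returns the third party user id on success, None otherwise. The token is
        single-use: its association is deleted as soon as it has been checked once,
        whether or not the check passed (the cleaning mechanism of the text)."""
        now = time.time() if now is None else now
        self._clean(now)
        entry = self.tokens.pop(token, None)
        if entry is None:
            return None  # unknown, already used, or expired token
        user_identity, app_id, _expiry = entry
        if app_id != requesting_app_id:
            return None  # token was issued for a different third party application
        return self.get_or_create_third_party_user_id(user_identity, app_id)

    def _clean(self, now: float) -> None:
        """Delete associations whose validity period has passed."""
        expired = [t for t, (_, _, exp) in self.tokens.items() if exp <= now]
        for t in expired:
            del self.tokens[t]
```

Because the third party user identifier is keyed by both the user identity and the application identifier, two applications used by the same SIM receive different identifiers, which is the privacy effect described above.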
8. Authentication and Key agreement procedure embodiment
Referring to fig. 7, a flowchart of an embodiment of an authentication and key agreement procedure provided by the present invention is shown. The present embodiment may be used in the implementation environment shown in fig. 1, and specifically may include:
Step 801. The user terminal initiates an authentication and key agreement procedure.
After acquiring the operation instruction for authentication and key agreement, the user terminal starts an authentication and key agreement procedure.
Step 802. The user terminal obtains the mobile user identifier.
The mobile subscriber identity is an identity for uniquely identifying the subscriber identity module SIM, and the mobile subscriber identity is the same identity as the mobile subscriber identity obtained in the flow of the client security authentication process embodiment.
For example, if the user data system used is a home subscriber server HSS and the subscriber identity module SIM is a USIM, the mobile subscriber identity obtained from the USIM is the IMSI. The user terminal obtains the IMSI through an API of the operating system (for example, the getSubscriberId method on the Android system), or reads the EF_IMSI value of the USIM through an APDU command.
For another example, if the user data system used is a home subscriber server HSS and the subscriber identity module SIM is an ISIM, the mobile subscriber identity obtained from the ISIM is the IMPI, and the user terminal reads the EF_IMPI value of the ISIM through an APDU command.
For yet another example, if the user data system used is a unified data management UDM and the subscriber identity module SIM is a USIM, the mobile subscriber identity obtained through the USIM is the SUPI, which is composed of the IMSI, a network identifier and the like.
Step 803. The user terminal sends an authentication and key agreement request to the registration server, the authentication and key agreement request comprising the mobile user identity.
Further, following the example in step 802 above, if the mobile subscriber identity is a SUPI, the SUPI may also be encrypted to produce a SUCI, and the SUCI may be used as the mobile subscriber identity in the authentication and key agreement request; that is, the user terminal sends an authentication and key agreement request to the registration server in which the SUCI is included.
Accordingly, the registration server receives an authentication and key negotiation request sent by the user terminal.
Step 804. The registration server sends an authentication request to the user data system, the authentication request including the mobile user identification.
For example, if the user data system is a home subscriber server HSS and the mobile subscriber identity is the IMSI, a Multimedia-Auth-Request authentication request may be sent to the SWx interface of the home subscriber server HSS, the Multimedia-Auth-Request including the mobile subscriber identity (i.e. the IMSI).
For another example, if the user data system used is a home subscriber server HSS and the mobile subscriber identity is the IMSI, an Authentication-Information-Request authentication request may be sent to the S6a interface of the home subscriber server HSS, the authentication request including the mobile subscriber identity (i.e. the IMSI), the serving network identity and the network type; for example, the serving network identity is MCC (Mobile Country Code) + MNC (Mobile Network Code), and the network type is E-UTRAN.
For another example, if the user data system is a home subscriber server HSS and the mobile subscriber identity is the IMPI, a Multimedia-Auth-Request authentication request may be sent to the Cx or SWx interface of the home subscriber server HSS, the Multimedia-Auth-Request including the mobile subscriber identity (i.e. the IMPI).
For yet another example, if the user data system used is a unified data management UDM and the mobile subscriber identity is a SUPI or SUCI, the registration server sends a Nudm_Authentication_Get authentication request to the unified data management UDM, the authentication request including the mobile subscriber identity (i.e. the SUPI or SUCI) and a serving network name (SN name), which is the serving network name of the registration server.
It should be noted that if the registration server is connected to both a home subscriber server HSS and a unified data management UDM, the registration server must send the authentication request to whichever of the two the mobile subscriber identity belongs to; for example, it determines whether to send the authentication request to the home subscriber server HSS or to the unified data management UDM according to the type or the range of the mobile subscriber identity.
Step 805. The registration server receives an authentication reply fed back by the user data system, the authentication reply comprising the random number RAND, the authentication token AUTN and the second expected response value.
After the user data system receives the authentication request sent by the registration server, the user data system feeds back a corresponding authentication response according to the authentication request, wherein the authentication response comprises a random number RAND, an authentication token AUTN and a second expected response value.
Accordingly, the registration server acquires the random number RAND, the authentication token AUTN, and the second expected response value from the authentication reply.
For example, if the user data system used is a home subscriber server HSS and the mobile subscriber identity is the IMSI or the IMPI, after the registration server sends a Multimedia-Auth-Request authentication request to the home subscriber server HSS, the home subscriber server HSS returns a Multimedia-Auth-Answer authentication response to the registration server. The registration server parses the Multimedia-Auth-Answer and obtains from it the SIP-Auth-Data-Item attribute value pair (AVP), which contains the SIP-Authenticate and SIP-Authorization attribute value pairs; it obtains the random number RAND and the authentication token AUTN from the SIP-Authenticate attribute value pair, and the expected response value XRES from the SIP-Authorization attribute value pair. The second expected response value is the expected response value XRES.
For another example, if the user data system is a home subscriber server HSS and the mobile subscriber identity is the IMSI, after the home subscriber server HSS receives the Authentication-Information-Request authentication request sent by the registration server, it returns an Authentication-Information-Answer authentication response to the registration server, which includes the random number RAND, the authentication token AUTN and the expected response value XRES. The second expected response value is the expected response value XRES.
For yet another example, if the user data system is a unified data management UDM and the mobile subscriber identity is a SUPI or SUCI, after the unified data management UDM receives the Nudm_Authentication_Get authentication request sent by the registration server, it returns a Nudm_Authentication_Get authentication response to the registration server, which includes the random number RAND, the authentication token AUTN and the expected response value XRES*. The second expected response value is the expected response value XRES*. Further, if the mobile subscriber identity included in the Nudm_Authentication_Get authentication request sent by the registration server was a SUCI, the Nudm_Authentication_Get authentication response returned by the unified data management UDM also includes the SUPI obtained by decrypting the SUCI, and the registration server uses this decrypted SUPI as the mobile subscriber identity in the subsequent steps.
Step 806. The registration server sends an authentication and key agreement challenge message to the user terminal, the authentication and key agreement challenge message comprising the random number RAND and the authentication token AUTN.
The registration server retains the second expected response value and sends an authentication and key agreement challenge message to the user terminal, the authentication and key agreement challenge message comprising the random number RAND and the authentication token AUTN.
Accordingly, the user terminal receives the authentication and key agreement challenge message sent by the registration server, and obtains the random number RAND and the authentication token AUTN therefrom.
Step 807. The user terminal sends an authentication request to the subscriber identity module SIM, the authentication request comprising the random number RAND and the authentication token AUTN.
The user terminal sends an authentication request to the subscriber identity module SIM (for example, by sending the APDU command AUTHENTICATE), passing the random number RAND and the authentication token AUTN as parameters.
Step 808. The user terminal receives a return value of the subscriber identity module SIM, the return value comprising the expected response value RES.
After receiving the authentication request from the user terminal, the subscriber identity module SIM performs the authentication calculation and sends a return value to the user terminal; the return value includes the expected response value RES, and the user terminal receives it.
Step 809. The user terminal sends an authentication and key agreement challenge response message to the registration server, the authentication and key agreement challenge response message comprising a first expected response value, the first expected response value being generated based on the expected response value RES.
If the user data system used is a home subscriber server HSS, the expected response value RES that the user terminal obtains from the return value is itself the first expected response value, and it corresponds to the second expected response value XRES retained by the registration server.
If the user data system used is a unified data management UDM, the user terminal derives RES* from the expected response value RES in the manner of the "RES* and XRES* derivation function" in TS 33.501 Annex A.4, which is the same manner in which the unified data management UDM generates the expected response value XRES*; this RES* is the first expected response value, and it corresponds to the second expected response value XRES* retained by the registration server.
Further, to prevent the expected response value RES or RES* from being leaked in transit, a hash algorithm (for example, SHA-256) may be applied to RES or RES*, and the resulting hash value used as the first expected response value, so that RES or RES* is never sent in plaintext.
Accordingly, the registration server receives the first expected response value sent by the user terminal.
Step 810, the registration server verifies the first expected response value based on the second expected response value; if the first expected response value is verified to be valid, step 811 is performed.
The registration server obtains the first expected response value from the received authentication and key agreement challenge response message and verifies it against the locally retained second expected response value. If the first expected response value is verified to be valid, the following step 811 is performed; if it is invalid, an authentication and key agreement response message is sent to the user terminal, this response message being an authentication and key agreement failure response message, and the procedure proceeds to step 814 below.
If the first expected response value is the plaintext of the expected response value RES or RES*, the registration server compares whether the second expected response value is identical to the first expected response value; if they are identical, the first expected response value is determined to be valid, and if they differ, it is determined to be invalid. Alternatively,
if the first expected response value is a hash value obtained by hashing the expected response value RES or RES*, the registration server hashes the second expected response value in the same manner and compares whether the two hash values are identical; if they are identical, the first expected response value is determined to be valid, and if they differ, it is determined to be invalid.
Step 811, the registration server determines the user identity according to the mobile user identity.
The mobile subscriber identity itself may be used to uniquely identify the mobile subscriber, or a user identity determined from the mobile subscriber identity may be used for that purpose.
For example, the mobile subscriber identity is used as the subscriber identity.
For another example, the corresponding MSISDN is obtained according to the mobile subscriber identity, and the corresponding MSISDN is determined to be the subscriber identity. Specifically, in the user data system (for example, home subscriber server HSS or unified data management UDM), a mapping relation between the mobile subscriber identifier and the MSISDN is stored, and the corresponding MSISDN can be obtained from the mapping relation according to the mobile subscriber identifier. Therefore, the registration server sends an MSISDN query request including the mobile user identifier to the user data system, and the user data system feeds back the MSISDN corresponding to the mobile user identifier to the registration server, so that the registration server acquires the corresponding MSISDN.
For another example, an association relationship between the mobile user identifier and the user identifier is pre-established, and the user identifier is obtained from the association relationship according to the mobile user identifier. Specifically, a unique user identity is pre-established on the registration server, and then an association relationship between the mobile user identity and the user identity is pre-established, so that the user identity can be searched and obtained in the association relationship according to the mobile user identity.
Step 812, the registration server generates a security token and establishes an association between the security token and the user identity.
The registration server generates a security token and establishes an association relationship between the security token and the user identity, so that the user identity can be obtained according to the security token.
For example, the registration server generates a security token that is globally unique and of sufficient length and randomness that it is difficult to guess or crack. At the same time, it establishes an association between the security token and the user identity so that the associated user identity can be obtained from the association according to the security token.
For another example, the registration server encrypts information including the user identity with a symmetric encryption algorithm under a preset key and uses the resulting ciphertext as the security token, so that the registration server recovers the user identity by decrypting the security token. Taking AES as the symmetric encryption algorithm, the scheme may be expressed as s = aes_encryption(m, k), where m is the plaintext (the information including the user identity), k is the encryption key (the preset key), aes_encryption is the encryption algorithm, and s is the encryption result, i.e. the security token.
Step 813. The registration server transmits an authentication and key agreement response message to the user terminal, the authentication and key agreement response message being an authentication and key agreement success response message.
The registration server sends an authentication and key agreement response message to the user terminal, wherein the authentication and key agreement response message is an authentication and key agreement success response message, and the authentication and key agreement success response message also comprises the security token.
Step 814. The user terminal receives the authentication and key agreement response message sent by the registration server and performs the corresponding operation.
The user terminal receives an authentication and key negotiation response message sent by the registration server, wherein the authentication and key negotiation response message comprises an authentication and key negotiation success response message or an authentication and key negotiation failure response message.
The user terminal executes corresponding operation according to the authentication and key agreement response message, and the method comprises the following steps:
if the authentication and key agreement response message is an authentication and key agreement success response message, the user terminal acquires the security token included in the authentication and key agreement success response message, and ends the authentication and key agreement flow.
If the authentication and key negotiation response message is an authentication and key negotiation failure response message, ending the authentication and key negotiation flow.
In practical application, the unified user management UDM is mainly used as the user data system of the 5G network, and the home subscriber server HSS is mainly used as the user data system of the 3G/4G network. If the unified user management UDM remains forward compatible with the home subscriber server HSS, the steps of this embodiment, which take the home subscriber server HSS as an example, may also be applied to the unified user management UDM.
According to the method provided by this embodiment, the user terminal performs authentication and key negotiation with the registration server, the user terminal relying on the mobile user identifier, the mobile user key (K) and the related AKA algorithm stored in the subscriber identity module SIM, and the registration server relying on the mobile user identifier, the mobile user key (K) and the related AKA algorithm stored in the user data system. After the authentication and key negotiation succeed, the user terminal obtains the security token generated by the registration server, and the security token can then be used for subsequent security authentication between the user terminal and the registration server.
It should be noted that, in this document, the terms "comprises," "comprising," "includes," "including," "transmitting," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system.
The terms "first," "second," "third," and the like, if any, are used merely for distinguishing between similar objects and not for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments described herein may be implemented in other sequences than those illustrated or otherwise described herein.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
The methods, apparatus and systems of the present invention may be implemented in numerous ways. For example, the methods, apparatus and systems of the present invention may be implemented by software, hardware, firmware, or any combination of software, hardware, firmware. The above-described sequence of steps for the method is for illustration only, and the steps of the method of the present invention are not limited to the sequence specifically described above unless specifically stated otherwise. Furthermore, in some embodiments, the present invention may also be embodied as programs recorded in a recording medium, the programs including machine-readable instructions for implementing the methods according to the present invention. Thus, the present invention also covers a recording medium storing a program for executing the method according to the present invention.
The foregoing description is only of the preferred embodiments of the present invention, and is not intended to limit the scope of the invention, but rather is intended to cover any equivalents of the structures or equivalent processes disclosed herein or in the alternative, which may be employed directly or indirectly in other related arts.

Claims (39)

1. A client registration method, applied to a user terminal running a third party application client, comprising:
performing authentication and key negotiation with a registration server through an authentication and key negotiation mechanism, wherein the user terminal performs the authentication and key negotiation based on a mobile user identifier, a mobile user key and an AKA algorithm included in a Subscriber Identity Module (SIM), and the registration server performs the authentication and key negotiation based on a user data system;
if the authentication and key agreement is successful, a security token transmitted by the registration server is obtained;
performing security authentication with the registration server based on the security token;
transmitting a third party application identifier to the registration server, wherein the third party application identifier is an identifier of the third party application client;
and after the security authentication is successful, receiving registration information and services provided by the registration server for the third party application client, and transmitting the registration information and services to the third party application client.
2. The method according to claim 1, wherein the user terminal is connected to the registration server via a data network.
3. The method of claim 2, wherein the data network comprises the internet or a mobile internet.
4. A method according to claim 3, characterized in that the user terminal accesses the mobile internet via a mobile data connection or/and a WiFi connection or/and a WLAN connection.
5. The method of claim 4, wherein the mobile data comprises 3G mobile data or 4G mobile data or 5G mobile data or 6G mobile data.
6. The method of claim 1, wherein the authenticating and key negotiating with the registration server via an authentication and key negotiating mechanism comprises:
acquiring the mobile user identification of the Subscriber Identity Module (SIM);
sending an authentication and key agreement request to the registration server, wherein the authentication and key agreement request comprises the mobile user identifier;
receiving an authentication and key agreement challenge message sent by the registration server, wherein the authentication and key agreement challenge message comprises a random number (RAND) and an authentication token (AUTN);
sending an authentication request to the Subscriber Identity Module (SIM), wherein the authentication request comprises the random number (RAND) and the authentication token (AUTN);
receiving a return value of the Subscriber Identity Module (SIM), wherein the return value comprises an expected response value (RES);
transmitting an authentication and key agreement challenge response message to the registration server, the authentication and key agreement challenge response message including a first expected response value, the first expected response value being generated based on the expected response value RES;
receiving an authentication and key negotiation success response message sent by the registration server, wherein the authentication and key negotiation success response message is sent after the registration server verifies that the first expected response value is valid;
and acquiring the security token transmitted by the registration server.
7. The method according to claim 6, wherein the user data system is a home subscriber server, HSS, then:
the subscriber identity module SIM is a universal subscriber identity module USIM, and the mobile subscriber identity is an International Mobile Subscriber Identity (IMSI); or the subscriber identity module SIM is an IP multimedia service identity module ISIM, and the mobile subscriber identity is an IP multimedia private identity IMPI;
the first expected response value is the expected response value RES; or, the first expected response value is a hash value generated after hash calculation of the expected response value RES.
8. The method of claim 6, wherein the user data system is a unified user management UDM, then:
the subscriber identity module SIM is a universal subscriber identity module USIM, and the mobile subscriber identity is a subscriber permanent identity SUPI;
the first expected response value is an expected response value RES* generated based on the expected response value RES; or, the first expected response value is a hash value generated after hash calculation of the expected response value RES.
9. The method of claim 8, wherein the sending an authentication and key agreement request to the registration server further comprises:
encrypting the user permanent identification SUPI to generate a user hidden identification SUCI;
and in the authentication and key negotiation request sent to the registration server, the user hidden identifier SUCI is used as the mobile user identifier.
10. The method of claim 6, wherein the obtaining the security token passed by the registration server comprises:
the authentication and key negotiation success response message comprises the security token, and the security token is obtained from the authentication and key negotiation success response message; or alternatively,
and after receiving the authentication and key negotiation success response message, receiving and acquiring the security token sent by the registration server.
11. The method of claim 1, wherein the securely authenticating with the registration server based on the security token comprises:
sending a security authentication request to the registration server, the security authentication request including the security token;
and if the registration server verifies that the security token is valid, determining that the security authentication is successful.
12. The method of claim 1, wherein said communicating a third party application identification to the registration server comprises:
transmitting the third party application identifier to the registration server in the security authentication process; or alternatively,
the third party application identification is communicated to the registration server after the secure authentication process and before the registration information and services provided by the registration server for the third party application client are received.
13. The method of claim 1, wherein the receiving registration information and services provided by the registration server for the third party application client comprises:
the registration information and services comprise a third party user identifier; specifically, the third party user identifier transmitted by the registration server is received, and the third party user identifier is used for identifying the user identity in the third party application client; and/or,
the registration information and the service comprise user tokens, specifically, the user tokens sent by the registration server are received, and the user tokens are used for authentication and authorization of the third party application client to access the corresponding third party application server.
14. The method of claim 1, further comprising, after said communicating a third party application identification to said registration server and after said secure authentication is successful, and before said receiving registration information and services provided by said registration server for said third party application client:
authorization information confirmed by the end user is sent to the registration server.
15. The method of claim 14, wherein said sending authorization information to the registration server as confirmed by an end user comprises:
receiving an application authorization request message sent by the registration server;
displaying an application authorization verification interface;
receiving authorization information input by a terminal user in the application authorization verification interface;
and if the authorization information indicates confirmation authorization, sending an application authorization response message to the registration server, wherein the application authorization response message is an application authorization confirmation message.
16. A client registration method, applied to a registration server, comprising:
performing authentication and key negotiation with a user terminal through an authentication and key negotiation mechanism, wherein the user terminal performs the authentication and key negotiation based on a user identification module (SIM), and the registration server performs the authentication and key negotiation based on a mobile user identifier, a mobile user key and an AKA algorithm included in a user data system, wherein the mobile user identifier is a mobile user identifier of the user identification module (SIM), and the mobile user key is a mobile user key corresponding to the mobile user identifier;
if the authentication and key agreement is successful, determining a user identity according to a mobile user identity, generating a security token, establishing an association relationship between the security token and the user identity, and transmitting the security token to the user terminal;
based on the association relation, carrying out security authentication with the user terminal, and acquiring the user identity;
acquiring a third party application identifier transmitted by the user terminal, wherein the third party application identifier is an identifier of a third party application client operated in the user terminal;
and after the security authentication is successful, providing registration information and service for the user terminal according to the user identity and the third party application identity, wherein the registration information and service are provided for the third party application client.
17. The method according to claim 16, wherein the registration server is connected to the user terminal via a data network.
18. The method of claim 17, wherein the data network comprises the internet or a mobile internet.
19. The method of claim 16, wherein said authenticating and key negotiating with the user terminal via an authentication and key negotiating mechanism comprises:
receiving an authentication and key negotiation request sent by the user terminal, wherein the authentication and key negotiation request comprises the mobile user identifier;
sending an authentication request to the user data system, wherein the authentication request comprises the mobile user identification;
receiving an authentication response fed back by the user data system, wherein the authentication response comprises a random number (RAND), an authentication token (AUTN) and a second expected response value;
sending an authentication and key agreement challenge message to the user terminal, the authentication and key agreement challenge message comprising the random number RAND and the authentication token AUTN;
receiving an authentication and key negotiation challenge response message sent by the user terminal, wherein the authentication and key negotiation challenge response message comprises a first expected response value;
validating the first expected response value based on the second expected response value;
if the first expected response value is verified to be effective, determining a user identity according to the mobile user identity, generating a security token, establishing an association relation between the security token and the user identity, transmitting the security token to the user terminal, and sending a response message of successful authentication and key negotiation to the user terminal.
20. The method of claim 19, wherein the verifying the first expected response value based on the second expected response value comprises:
if the first expected response value is plaintext, comparing whether the second expected response value is consistent with the first expected response value, and if so, determining that the first expected response value is valid; or alternatively,
if the first expected response value is a hash value obtained by hash calculation, calculating a hash value of the second expected response value using the same hash calculation, comparing whether the two hash values are consistent, and if so, determining that the first expected response value is valid.
21. The method of claim 19, wherein said determining a user identity from said mobile user identity comprises:
determining the mobile user identity as the user identity; or alternatively,
acquiring the corresponding MSISDN according to the mobile user identification, and determining the corresponding MSISDN as the user identification; or alternatively,
establishing an association relation between a mobile user identifier and a user identity in advance, and acquiring the user identity from the association relation between the mobile user identifier and the user identity according to the mobile user identifier.
22. The method of claim 19, wherein the generating a security token and establishing an association of the security token with the user identity comprises:
using a randomly generated globally unique character string as the security token, and establishing an association relationship between the security token and the user identity; or alternatively,
and encrypting the information comprising the user identity mark based on a preset key by using a symmetric encryption algorithm, and taking the encrypted ciphertext as the security token.
23. The method of claim 19, wherein said communicating the security token to the user terminal comprises:
the authentication and key agreement success response message comprises the security token so that the user terminal obtains the security token; or alternatively,
and after the authentication and key agreement success response message is sent, the security token is sent to the user terminal.
24. The method according to claim 19, wherein the user data system is a home subscriber server, HSS, then:
the mobile user identifier is an international mobile user identifier IMSI or an IP multimedia private identifier IMPI;
the second expected response value is an expected response value XRES.
25. The method of claim 19, wherein the user data system is a unified user management UDM, then:
the mobile user identifier is a user permanent identifier SUPI;
the second expected response value is an expected response value XRES.
26. The method according to claim 25, wherein the mobile user identifier is a user hidden identifier SUCI generated by encrypting the user permanent identifier SUPI; the user hidden identifier SUCI is used as the mobile user identifier included in the authentication request sent to the user data system; the authentication response further includes the user permanent identifier SUPI obtained by the user data system decrypting the user hidden identifier SUCI; and the user permanent identifier SUPI obtained by decrypting the user hidden identifier SUCI is used as the mobile user identifier in the subsequent steps.
27. The method of claim 16, wherein the securely authenticating with the user terminal based on the association relationship comprises:
receiving a security authentication request sent by the user terminal, wherein the security authentication request comprises the security token;
and if the security token is verified to be valid and the user identity is obtained, determining that the security authentication is successful.
28. The method of claim 27, wherein the verifying that the security token is valid and obtaining the associated user identity comprises:
if a randomly generated globally unique character string is used as the security token, searching for the security token in the stored association relations between all security tokens and user identities, and acquiring the user identity associated with the security token; if the user identity is found, determining that the security token is verified to be valid, and determining that the associated user identity is the user identity; if not, determining that the security token is verified to be invalid; or alternatively,
if a ciphertext obtained by encrypting information comprising a user identity with a preset key using a symmetric encryption algorithm is used as the security token, decrypting the security token with the preset key using the same symmetric encryption algorithm, and obtaining the user identity from the decrypted plaintext; if the user identity can be successfully decrypted and obtained, determining that the security token is valid, and determining that the user identity obtained after successful decryption is the user identity; if not, determining that the security token is verified to be invalid.
29. The method of claim 16, wherein the obtaining the third party application identification communicated by the user terminal comprises:
receiving the third party application identifier transmitted by the user terminal in the security authentication process; or alternatively,
and receiving the third party application identifier transmitted by the user terminal after the security authentication process and before the registration information and services are provided to the user terminal according to the user identity identifier and the third party application identifier.
30. The method of claim 16, wherein said providing registration information and services to the user terminal based on the user identity and the third party application identity comprises:
the registration information and services comprise a third party user identifier; specifically, the third party user identifier corresponding to the user identity identifier and the third party application identifier is obtained as the third party user identifier, and the third party user identifier is transmitted to the user terminal, so that the third party user identifier is used for identifying the user identity in the third party application client; and/or,
the registration information and services comprise a user token; specifically, a user token associated with the user identity and the third party application identity is generated as the user token, and the user token is transmitted to the user terminal, so that the user token is used by the third party application client for authentication when accessing the corresponding third party application server.
31. The method of claim 30, wherein the obtaining the third party user identification corresponding to the user identification and the third party application identification comprises:
searching a corresponding third party user identifier according to the user identity identifier and the third party application identifier;
if the corresponding third party user identifier is found, determining the found corresponding third party user identifier as the third party user identifier;
if the corresponding third party user identification is not found, a unique third party user identification is created, the unique third party user identification is determined to be the third party user identification, and the corresponding relation between the user identification and the third party application identification as well as the unique third party user identification is established, so that the unique third party user identification can be found according to the user identification and the third party application identification.
32. The method of claim 31, wherein the generating a user token associated with the user identification and the third party application identification comprises:
using a randomly generated globally unique string as the user token;
and establishing an association relation between the user token and the user identity and the third-party application identity so that the user identity and the third-party application identity can be obtained according to the user token.
33. The method of claim 16, further comprising, after receiving a third party application identification communicated by the user terminal and after the security authentication is successful, and before the providing registration information and services to the user terminal based on the user identification and the third party application identification:
acquiring the authorization information which is sent by the user terminal and confirmed by the terminal user, and if the authorization information which is sent by the user terminal and confirmed by the terminal user is acquired, executing the registration information and the service which are provided for the user terminal according to the user identity and the third party application identity.
34. The method of claim 33, wherein the obtaining the end-user-confirmed authorization information sent by the user terminal comprises:
sending an application authorization request message to the user terminal;
receiving an application authorization response message sent by the user terminal;
and if the application authorization response message is an application authorization confirmation message, executing the step of providing registration information and services for the user terminal according to the user identity and the third party application identity.
35. The method of claim 34, wherein the application authorization request message comprises:
a third party application name, wherein the third party application name is the third party application name corresponding to the third party application identifier; and/or,
and the mobile user name is the mobile user name corresponding to the user identity.
36. A client registration apparatus for use in a user terminal having a third party application client running thereon, comprising: a memory, a processor for running a program stored by the memory, the program when run performing a method comprising any one of claims 1 to 15.
37. A client registration apparatus, the client registration apparatus being applied to a registration server, comprising: a memory, a processor for running a program stored by the memory, the program when run performing a method comprising any one of claims 16 to 35.
38. A client registration system, the client registration system comprising: a user terminal and a registration server;
the user terminal comprising a client registration device as claimed in claim 36 for use in a user terminal running a third party application client;
the registration server includes a client registration device applied to the registration server as recited in claim 37.
39. A computer readable storage medium, characterized in that the storage medium has stored therein a program for implementing a method comprising any one of claims 1 to 15 when executed by a processor; or/and, the program, when executed by a processor, is for implementing a method comprising any of claims 16 to 35.
CN201910774037.2A 2018-08-23 2019-08-22 Client registration method, device and system Active CN111050314B (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN2018109699274 2018-08-23
CN201810969927.4A CN109041205A (en) 2018-08-23 2018-08-23 Client registers method, apparatus and system
PCT/CN2019/074724 WO2020037957A1 (en) 2018-08-23 2019-02-04 Client registration method, apparatus and system
CNPCT/CN2019/074724 2019-02-04

Publications (2)

Publication Number Publication Date
CN111050314A CN111050314A (en) 2020-04-21
CN111050314B true CN111050314B (en) 2023-06-30

Family

ID=64627198

Family Applications (4)

Application Number Title Priority Date Filing Date
CN201810969927.4A Pending CN109041205A (en) 2018-08-23 2018-08-23 Client registers method, apparatus and system
CN201910777127.7A Pending CN110858969A (en) 2018-08-23 2019-08-22 Client registration method, device and system
CN201910774037.2A Active CN111050314B (en) 2018-08-23 2019-08-22 Client registration method, device and system
CN201910775079.8A Pending CN110858968A (en) 2018-08-23 2019-08-22 Client registration method, device and system


Country Status (1)

Country Link
CN (4) CN109041205A (en)

Families Citing this family (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020037957A1 (en) * 2018-08-23 2020-02-27 刘高峰 Client registration method, apparatus and system
CN111327582B (en) * 2019-08-22 2022-12-20 刘高峰 Authorization method, device and system based on OAuth protocol
CN111327583B (en) * 2019-08-22 2022-03-04 刘高峰 Identity authentication method, intelligent equipment and authentication server
CN110611719B (en) * 2019-10-16 2022-04-19 四川虹美智能科技有限公司 Message pushing method, server and system
CN111327416A (en) * 2019-12-13 2020-06-23 刘高峰 Internet of things equipment access method and device and Internet of things platform
CN112118243B (en) * 2020-09-09 2023-04-07 中国联合网络通信集团有限公司 Identity authentication method and system, and Internet application login method and system
CN114268953B (en) * 2020-09-14 2023-08-15 ***通信集团重庆有限公司 Base station authentication method, query node, system and equipment
CN112689283B (en) * 2020-12-15 2021-11-23 青海大学 Key protection and negotiation method, system and storage medium
WO2022133741A1 (en) * 2020-12-22 2022-06-30 Huawei Technologies Co., Ltd. Registration methods using one-time identifiers for user equipments and nodes implementing the registration methods
CN113806798B (en) * 2021-08-13 2023-07-14 苏州浪潮智能科技有限公司 User side verification method, system, equipment and medium
CN114338173B (en) * 2021-12-29 2023-01-24 渔翁信息技术股份有限公司 Account registration method, system, equipment and computer readable storage medium
CN114584971A (en) * 2022-02-15 2022-06-03 北京快乐茄信息技术有限公司 Account registration method and device, electronic equipment and storage medium
CN115001841A (en) * 2022-06-23 2022-09-02 北京瑞莱智慧科技有限公司 Identity authentication method, identity authentication device and storage medium
CN115225672A (en) * 2022-07-14 2022-10-21 蔚来汽车科技(安徽)有限公司 End-to-end data transmission method, device and medium
CN115208702B (en) * 2022-09-16 2022-12-30 国网江西省电力有限公司电力科学研究院 Internet of things equipment authentication and key agreement method
CN117556411B (en) * 2024-01-10 2024-05-10 鼎铉商用密码测评技术(深圳)有限公司 Password generation method, password generation device, and readable storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103259795A (en) * 2013-05-14 2013-08-21 百度在线网络技术(北京)有限公司 Method for executing automatic register and login, mobile terminal and server
CN104125565A (en) * 2013-04-23 2014-10-29 中兴通讯股份有限公司 Method for realizing terminal authentication based on OMA DM, terminal and server
CN106161032A (en) * 2015-04-24 2016-11-23 华为技术有限公司 A kind of identity authentication method and device

Family Cites Families (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100384120C (en) * 2004-09-30 2008-04-23 华为技术有限公司 Method for carrying out authentication for terminal user identification module in IP multimedia subsystem
CN100544249C (en) * 2004-10-29 2009-09-23 大唐移动通信设备有限公司 Mobile communication user certification and cryptographic key negotiation method
CN1859087A (en) * 2005-12-30 2006-11-08 华为技术有限公司 Key consulting method and its system for customer end and server
EP1858278B1 (en) * 2006-05-19 2013-05-15 Research In Motion Limited System and method for facilitating accelerated network selection in a radio network environment
CN101197673B (en) * 2006-12-05 2011-08-10 中兴通讯股份有限公司 Fixed network access into IMS bidirectional authentication and key distribution method
CN101488945B (en) * 2008-01-14 2012-09-19 北京大唐高鸿数据网络技术有限公司 Authentication method oriented to SIP
US20110191842A1 (en) * 2008-09-09 2011-08-04 Telefonaktiebolaget L M Ericsson (Publ) Authentication in a Communication Network
CN101635823B (en) * 2009-08-27 2011-09-21 中兴通讯股份有限公司 Method and system of terminal for encrypting videoconference data
CN102196436B (en) * 2010-03-11 2014-12-17 华为技术有限公司 Security authentication method, device and system
CN102196426B (en) * 2010-03-19 2014-11-05 ***通信集团公司 Method, device and system for accessing IMS (IP multimedia subsystem) network
CN102413464B (en) * 2011-11-24 2014-07-09 杭州东信北邮信息技术有限公司 GBA (General Bootstrapping Architecture)-based secret key negotiation system and method of telecommunication capability open platform
US20160219039A1 (en) * 2013-09-06 2016-07-28 Mario Houthooft Mobile Authentication Method and System for Providing Authenticated Access to Internet-Supported Services and Applications
CN106534050A (en) * 2015-09-11 2017-03-22 中移(杭州)信息技术有限公司 Method and device for realizing key agreement of virtual private network (VPN)
CN107454045B (en) * 2016-06-01 2020-09-11 宇龙计算机通信科技(深圳)有限公司 Method, device and system for user IMS registration authentication
WO2018053271A1 (en) * 2016-09-16 2018-03-22 Idac Holdings, Inc. Unified authentication framework
CN108401275A (en) * 2017-02-06 2018-08-14 财团法人工业技术研究院 user equipment registration method, network controller and network communication system

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104125565A (en) * 2013-04-23 2014-10-29 中兴通讯股份有限公司 Method for realizing terminal authentication based on OMA DM, terminal and server
CN103259795A (en) * 2013-05-14 2013-08-21 百度在线网络技术(北京)有限公司 Method for executing automatic register and login, mobile terminal and server
CN106161032A (en) * 2015-04-24 2016-11-23 华为技术有限公司 A kind of identity authentication method and device

Also Published As

Publication number Publication date
CN109041205A (en) 2018-12-18
CN110858969A (en) 2020-03-03
CN111050314A (en) 2020-04-21
CN110858968A (en) 2020-03-03

Similar Documents

Publication Publication Date Title
CN111050314B (en) Client registration method, device and system
CN111327582B (en) Authorization method, device and system based on OAuth protocol
US10284555B2 (en) User equipment credential system
US8122250B2 (en) Authentication in data communication
CN111327583B (en) Identity authentication method, intelligent equipment and authentication server
CN111050322B (en) GBA-based client registration and key sharing method, device and system
KR101508360B1 (en) Apparatus and method for transmitting data, and recording medium storing program for executing method of the same in computer
EP2852118B1 (en) Method for an enhanced authentication and/or an enhanced identification of a secure element located in a communication device, especially a user equipment
US10880291B2 (en) Mobile identity for single sign-on (SSO) in enterprise networks
CN111147421B (en) Authentication method based on general guide architecture GBA and related equipment
US9693226B2 (en) Method and apparatus for securing a connection in a communications network
KR20180095873A (en) Wireless network access method and apparatus, and storage medium
CN111327416A (en) Internet of things equipment access method and device and Internet of things platform
JP7404540B2 (en) Privacy information transmission methods, devices, computer equipment and computer readable media
CN111770496B (en) 5G-AKA authentication method, unified data management network element and user equipment
KR100330418B1 (en) Authentication Method in Mobile Communication Environment
WO2020037957A1 (en) Client registration method, apparatus and system
WO2020037958A1 (en) Gba-based client registration and key sharing method, device, and system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant