WO2010043134A1 - Method and system for realizing third party authentication of trans-system access in a communication system - Google Patents

Info

Publication number
WO2010043134A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
application server
user terminal
server
information
Application number
PCT/CN2009/073270
Other languages
French (fr)
Chinese (zh)
Inventor
崔振峰 (Cui Zhenfeng)
唐琦 (Tang Qi)
Original Assignee
中兴通讯股份有限公司 (ZTE Corporation)
Application filed by 中兴通讯股份有限公司 (ZTE Corporation)

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords

Definitions

  • The present invention relates to an authentication service method and system for cross-system access in a communication system, and more particularly to a simple, general and efficient third-party authentication method and system for cross-system access.
  • With the continuing expansion of Internet applications, the large-scale commercial deployment of 3G and the ongoing convergence of fixed-network and mobile services, more and more services and functions are available for users to use and access.
  • However, the user name and password exist only on the corresponding home server, the HSS (Home Subscriber Server), which stores the user's personal information. Therefore, when the user uses a service (such as logging in to an application server), the user must be authenticated at the home server HSS.
  • The object of the present invention is to provide a third-party authentication method and system for cross-system access in a communication system, so that third-party authentication has less impact on the performance of the application server system and the goals of simplicity, generality and efficiency are achieved.
  • A method of third-party authentication for cross-system access in a communication system comprises the following steps:
  • A. The user terminal sends an authentication request to the home server through the application server; the home server authorizes the authentication request and returns the authentication result to the application server; the application server processes the authentication result, generates a temporary password, and sends the authentication result and the temporary password to the user terminal;
  • B. The user terminal initiates a login request according to the temporary password and logs in to the application server.
  • Further, after step B the method includes: C. After the user terminal's login session ends, the user terminal is logged out, and the application server clears the temporary password that the user terminal used to log in.
  • Further, in step A, the step in which the user terminal sends an authentication request to the home server through the application server includes:
  • A1. The user terminal initiates the first request of the authentication request to the application server; the application server obtains the information of the home server to which the user belongs and replies to the user terminal;
  • A2. The user terminal generates authentication information according to the returned home server information and initiates the second request of the authentication request to the application server; the application server transmits the authentication information to the home server, and the home server authenticates the authentication information.
  • step B further includes:
  • Further, the home server information includes the category of the home server, a private key and a random code.
  • Further, the home server information also includes information on the encryption algorithm used to encrypt the password.
  • Further, the second request carries a response code and an authentication code, where the response code and the authentication code are calculated from the home server information;
  • the response code is the encrypted password information;
  • the authentication code is digest information calculated from the user account, the response code and the identifier information, and is used to detect modification of, or errors in, the user account, the response code and the identifier information during network transmission.
  • Further, step A2 includes:
  • A21. The application server transparently forwards the authentication information to the interface machine;
  • A22. The interface machine sends the authentication information to the corresponding home server according to the type of the home server to which the user belongs;
  • A23. The home server authenticates the authentication information;
  • A24. The interface machine receives the authentication result returned by the home server, translates the authentication result into a unified result and sends it to the application server.
  • The present invention also provides a third-party authentication system for cross-system access in a communication system. The system comprises a user terminal, an application server and at least one home server, which are connected through a network, wherein:
  • the home server is configured to store user information and provide an authentication service for the user;
  • the user terminal is configured to initiate an authentication request to the application server and to initiate a login request according to the authentication result and the temporary password provided by the application server;
  • the application server is configured to authenticate the user terminal through the home server and return the authentication result and the generated temporary password to the user terminal.
  • Further, the system includes an interface machine located between the application server and the home server; the interface machine is configured to receive authentication information from the application server, forward it to the home server, and return the authentication result to the application server.
  • An application server supporting third-party authentication for cross-system access in a communication system is configured to:
  • when a user terminal initiates an authentication request to the application server, authenticate the user terminal through the home server to which the user terminal belongs and which is connected to the application server through a network, and return the authentication result and a generated temporary password to the user terminal, so that the user terminal initiates a login request according to the authentication result and the temporary password provided by the application server.
  • Further, the application server is configured to:
  • after receiving the first request of the authentication request from the user terminal, obtain the information of the home server and reply to the user terminal; and
  • after the user terminal generates authentication information according to the home server information and initiates the second request of the authentication request to the application server, transmit the authentication information to the home server so that the home server authenticates the authentication information.
  • A user terminal supporting third-party authentication for cross-system access in a communication system is configured to initiate an authentication request to an application server connected to it through a network, so that the application server authenticates the user terminal through the home server to which the user terminal belongs and which is connected to the application server through a network, and returns the authentication result and a generated temporary password to the user terminal;
  • the user terminal is further configured to initiate a login request according to the authentication result and the temporary password provided by the application server.
  • Further, the user terminal is configured to generate authentication information according to the home server information returned by the application server and to initiate the second request of the authentication request to the application server, so that the application server transmits the authentication information to the home server and the home server authenticates the authentication information.
  • A home server supporting third-party authentication for cross-system access in a communication system is configured to:
  • when a user terminal initiates an authentication request to an application server connected to it through a network and the application server sends the authentication information to the home server, authenticate the user terminal, so that the application server returns the authentication result and a generated temporary password to the user terminal and the user terminal can initiate a login request to the application server according to them.
  • A system supporting third-party authentication for cross-system access in a communication system comprises the user terminal according to claim 12 and the home server according to claim 14.
  • Further, the system includes an interface machine located between the application server and the home server; the interface machine is configured to receive authentication information from the application server, forward it to the home server, and return the authentication result to the application server.
  • Compared with the prior art, the invention has the following advantages. In the third-party authentication method and system for cross-system access of the present invention, the user terminal sends an authentication request to the home server through the application server before login; once the authentication result is obtained, the application server generates a temporary password, and the user terminal initiates the login request with the temporary password. No further third-party authentication through the home server is needed, so the impact on the performance and real-time behaviour of the application server is small, and the stability and generality of the application server are enhanced.
  • FIG. 1 is a networking diagram of the cross-system authentication of the present invention;
  • FIG. 2 is a signaling flow chart of the cross-system authentication of the present invention.
  • The present invention provides a method of third-party authentication for cross-system access in a communication system, and is described in further detail below with reference to the accompanying drawings and embodiments.
  • The present invention provides a simple, general and efficient third-party authentication method for cross-system access in a communication system. The core idea of the method is: using the networking structure of a general third-party authentication system, before login the user terminal sends an authentication request to the home server through the application server; the home server authenticates the user and returns the authentication result to the application server; when authentication succeeds, the application server generates a temporary password and notifies the user terminal of the authentication result and the temporary password; the user terminal then initiates the login request with the temporary password, and the application server authenticates with the temporary password without performing third-party authentication through the home server. When the user terminal logs out, the application server clears the temporary password.
  • The above method improves the performance and real-time behaviour of the application server and simplifies the development of third-party authentication in the application server.
  • As shown in FIG. 1, the present invention uses the networking structure of a general third-party authentication system, which comprises a user terminal (UE) 10, that is, the client, an application server AS (Application Server) 30, an interface machine IMP (Interface Machine) 40 and the user's home server HSS 50, all connected through a network 20. The user terminal 10, the application server 30, the interface machine 40 and the home server 50 communicate with one another through the network 20, wherein:
  • the user terminal uses the services provided by the application server: it initiates an authentication request to the application server and, according to the authentication result and the temporary password returned by the application server, initiates a login request;
  • the application server is configured to authenticate the user terminal through the home server and return the authentication result and the generated temporary password to the user terminal;
  • the home server stores the user's detailed information, including the user account and password, and provides the authentication service for the user terminal;
  • the interface machine is located between the application server and the home server and shields the details of the signaling interaction between them: it receives the authentication information from the application server, builds the home server's authentication message body according to the authentication type and node, forwards the authentication information to the corresponding home server, and returns the authentication result to the application server.
  • The interface between the application server 30 and the interface machine 40 can be an internal interface, which ensures the generality and stability of the application server.
  • As shown in FIG. 2, the third-party authentication method of the present invention mainly comprises: in the first step, before the formal login, the client (user terminal UE) initiates a third-party authentication request to the application server, and the application server replies to inform the client of the home server on which the password information is located;
  • in the second step, the client generates the authentication information according to its own identity and sends it to the application server, and the application server transmits the authentication information to the home server that holds the user's password;
  • in the third step, the home server authenticates the user and notifies the application server of the authentication result; if authentication succeeds, the application server generates a temporary password, notifies the other authentication nodes in the application system of it, and then notifies the client of the authentication result and the temporary password;
  • in the fourth step, the client logs in and uses the services provided by the application server; the application server authenticates using its own temporary password, and no third-party authentication is needed;
  • when the client logs off, the application server clears the temporary password.
  • The flow of FIG. 2 describes the signaling between the user terminal UE and the application server AS, between the application server AS and the interface machine, and between the interface machine and the user's home server. For ease of presentation, the information transfer between the user terminal UE and the application server AS is described using the XCAP protocol (Extensible Markup Language Configuration Access Protocol), and the information transfer between the interface machine and the home server HSS is described using the SOAP protocol (Simple Object Access Protocol), as an example of the third-party authentication flow of this patent; the flow is not limited to these protocols, wherein:
  • Step 201: The user terminal UE, intending to use a service or service function provided by the application server AS, first initiates a third-party authentication request to the application server; the AUID (Application Unique ID) of the XCAP request is the identifier remote-auth;
  • Step 202: The application server AS obtains the category of the home server to which the user belongs, that is, the authentication type and node of the user terminal UE;
  • Step 203: The application server notifies the user terminal UE of the obtained information using an extended HTTP 401 message; the information includes the category of the home server, a private key, a random code and the encryption algorithm used to encrypt the password;
  • Step 204: The user terminal UE calculates a response code (Activity Code) and an authentication code (Authenticator) according to the home server category, private key and random code returned by the application server AS. The response code is computed from the user's password, account and random code and is the encrypted password. The authentication message sent by the application server AS to the home server HSS includes the account, the response code, the request ID (identifier) and so on; in order to detect malicious modification of, or errors in, this information during network transmission, a digest of this information is calculated and used as the authentication code. The authentication code can be computed by the client;
  • Step 205: The user terminal UE initiates the third-party authentication request to the application server AS again, this time carrying the response code and the authentication code;
  • Step 206: The application server AS transparently forwards the authentication information and the home server of the user terminal UE to the interface machine. If the user terminal UE is a user of this system itself, OK is returned directly, and the user terminal UE logs in with the user name and password entered by the user;
  • Step 207: The interface machine forms the corresponding third-party authentication SOAP (Simple Object Access Protocol) message, that is, the home server authentication message body, according to the user's home server category and the authentication interface specification;
  • Step 208: The interface machine sends the authentication message to the corresponding home server;
  • Step 209: The home server receives the authentication information and performs authentication and authorization of the user;
  • Step 210: The home server notifies the sender, that is, the interface machine, of the authentication result;
  • Step 211: The interface machine receives the user authentication result returned by the home server, translates it (the differing result codes of the different home servers are translated into a unified result by the interface machine) and notifies the application server of the authentication result. Because the application server AS may face many home servers HSS, and different home servers represent the authentication results differently, the interface machine translates results such as authentication passed, password error, user non-existent and authentication code error into a unified result, for example: 0: authentication passed; -3: password error; -5: account does not exist; -100: other errors;
  • Step 212: The application server receives the authentication result for the client and, if authentication succeeds, generates a temporary password;
  • Step 213: The application server returns the authentication result, the temporary password and the temporary account (a temporary account needs to be allocated if the account format differs between the application server and the home server) to the user terminal UE. For security the temporary password may be encrypted, using an algorithm such as Base64, DES or 3DES according to the security level; if the application server AS system contains multiple authentication nodes, the user account and password are notified to all authentication nodes in the system;
  • Step 214: The user terminal UE logs in to the application server with the temporary account and temporary password and starts to use the functions of the application server;
  • Step 215: The user terminal logs out;
  • Step 216: The application server and the other authentication nodes in the system clear the temporary password.
  • The standardization of the third-party authentication interface between the AS and the user terminal UE also simplifies the development of third-party authentication in the application server; at the same time, the interface machine added to the system shields the diversity of the authentication interfaces between the application server and the home servers, which enhances the stability and generality of the application server.
  • In the third-party authentication method and system for cross-system access in a communication system of the present invention, the user terminal sends an authentication request to the home server through the application server before login, the authentication result is obtained, and the application server generates a temporary password; the user terminal initiates the login request with the temporary password, and no further third-party authentication through the home server is needed. Therefore the performance and real-time behaviour of the application server are less affected, and the stability and generality of the application server are enhanced.
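The exchange of steps 201 to 216 above (and the summary steps A to C), modelled end to end as a runnable Python example. This is an added example, not code from the patent or from ZTE. The patent fixes which values each message carries but not the algorithms, so the following are assumptions: the response code is HMAC-SHA256 keyed with the password over the account, the per-challenge private key and the random code; the authentication code is a SHA-256 digest over account, response code and request ID; the temporary password is 16 random bytes; and the XCAP/HTTP 401 and SOAP transports are replaced by plain dictionaries passed between objects. The two HSS categories, their accounts, passwords and native result codes are constructed sample data. The names `response_code`, `authentication_code`, `answer_challenge`, `HomeServer`, `InterfaceMachine`, `ApplicationServer`, `build_system` and `run_flow` are this example's own.

```python
import hashlib, hmac, secrets

# Unified result codes from the patent's example in step 211; anything else maps to -100.
UNIFIED = {"OK": 0, "BAD_PASSWORD": -3, "NO_ACCOUNT": -5}
OTHER_ERROR = -100

def response_code(password, account, key, nonce):
    # Assumed "response code" (encrypted password): HMAC-SHA256 keyed with the password over account, key, random code.
    return hmac.new(password.encode(), f"{account}|{key}|{nonce}".encode(), hashlib.sha256).hexdigest()

def authentication_code(account, response, request_id):
    # Assumed "authentication code": digest over account, response code and request ID, detecting in-transit changes.
    return hashlib.sha256(f"{account}|{response}|{request_id}".encode()).hexdigest()

def answer_challenge(account, password, ch):  # step 204, performed by the user terminal UE
    response = response_code(password, account, ch["key"], ch["nonce"])
    return {"request_id": ch["request_id"], "account": account, "response": response,
            "authenticator": authentication_code(account, response, ch["request_id"])}

class HomeServer:  # one HSS category: account -> password store with its own native result codes
    def __init__(self, category, users, native_codes):
        self.category, self.users, self.native_codes = category, users, native_codes

    def authenticate(self, msg):  # steps 208-210
        expected = authentication_code(msg["account"], msg["response"], msg["request_id"])
        if not hmac.compare_digest(expected, msg["authenticator"]):
            return self.native_codes["BAD_AUTHENTICATOR"]
        password = self.users.get(msg["account"])
        if password is None:
            return self.native_codes["NO_ACCOUNT"]
        good = response_code(password, msg["account"], msg["key"], msg["nonce"])
        if not hmac.compare_digest(good, msg["response"]):
            return self.native_codes["BAD_PASSWORD"]
        return self.native_codes["OK"]

class InterfaceMachine:  # steps 206-211: route by HSS category, translate native codes to unified ones
    def __init__(self, servers):
        self.servers = {s.category: s for s in servers}

    def forward(self, category, msg):
        hss = self.servers[category]
        native = hss.authenticate(msg)
        names = [n for n, c in hss.native_codes.items() if c == native]
        return UNIFIED.get(names[0], OTHER_ERROR) if names else OTHER_ERROR

class ApplicationServer:
    def __init__(self, imp, categories):
        self.imp, self.categories = imp, categories  # categories: account -> HSS category
        self.pending = {}         # request_id -> (account, challenge); each consumed exactly once
        self.temp_passwords = {}  # account -> temporary password (shared with other auth nodes)

    def challenge(self, account):  # steps 201-203 (carried in an extended HTTP 401 in the patent)
        ch = {"request_id": secrets.token_hex(8), "category": self.categories[account],
              "key": secrets.token_hex(8), "nonce": secrets.token_hex(16)}
        self.pending[ch["request_id"]] = (account, ch)
        return ch

    def authenticate(self, answer):  # steps 205-213
        pending = self.pending.pop(answer["request_id"], None)
        if pending is None or pending[0] != answer["account"]:
            return {"result": OTHER_ERROR}  # unknown, replayed or re-targeted request
        ch = pending[1]
        result = self.imp.forward(ch["category"], dict(answer, key=ch["key"], nonce=ch["nonce"]))
        if result != 0:
            return {"result": result}
        temp = secrets.token_urlsafe(16)  # assumed: 16 random bytes per successful authentication
        self.temp_passwords[answer["account"]] = temp
        return {"result": 0, "temp_password": temp}

    def login(self, account, temp_password):  # step 214: local check only, no HSS round trip
        stored = self.temp_passwords.get(account)
        return stored is not None and hmac.compare_digest(stored, temp_password)

    def logout(self, account):  # steps 215-216
        self.temp_passwords.pop(account, None)

def build_system():
    # Constructed sample deployment: two HSS categories that report results differently.
    hss_a = HomeServer("hss-a", {"alice": "pw-alice"},
                       {"OK": 0, "BAD_PASSWORD": 1, "NO_ACCOUNT": 2, "BAD_AUTHENTICATOR": 3})
    hss_b = HomeServer("hss-b", {"bob": "pw-bob"}, {"OK": "SUCCESS", "BAD_PASSWORD": "E_PWD",
                                                    "NO_ACCOUNT": "E_USER", "BAD_AUTHENTICATOR": "E_MAC"})
    return ApplicationServer(InterfaceMachine([hss_a, hss_b]), {"alice": "hss-a", "bob": "hss-b", "ghost": "hss-b"})

def run_flow(app, account, password, tamper=False):
    # Steps 201-213 end to end; tamper=True alters the response code on the wire.
    answer = answer_challenge(account, password, app.challenge(account))
    if tamper:
        answer["response"] = ("1" if answer["response"][0] == "0" else "0") + answer["response"][1:]
    return app.authenticate(answer)

if __name__ == "__main__":
    app = build_system()
    ok = run_flow(app, "alice", "pw-alice")
    print("alice:", ok["result"], "login:", app.login("alice", ok["temp_password"]))
    print("wrong password:", run_flow(app, "alice", "nope")["result"], "unknown:", run_flow(app, "ghost", "x")["result"])
    print("tampered response:", run_flow(app, "bob", "pw-bob", tamper=True)["result"])
```

Running the file prints the unified result for a correct password (0), a wrong password (-3), an unknown account (-5) and a response code altered in transit (-100, caught by the authentication code check in the home server), and shows the local login with the temporary password; `logout` removes the password so a later `login` with the same value fails. Two points the patent leaves to the implementer are handled explicitly here: the application server consumes each challenge once, so a captured second request replayed against it is rejected, and the temporary password should additionally carry an expiry, because step 216 only clears it at logout. Note also that Base64, listed in step 213 beside DES and 3DES, is an encoding and not encryption, and DES is no longer an acceptable cipher; in practice the temporary password would be protected by TLS on the UE to AS link rather than by an application-level cipher.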

Abstract

A method and a system for realizing third-party authentication of cross-system (trans-system) access in a communication system are provided. In the method, a user terminal sends an authentication request to a home server through an application server; the application server processes the obtained authentication result to generate a temporary password and sends the authentication result and the temporary password to the user terminal; the user terminal initiates a login request according to the temporary password and logs in to the application server. Third-party authentication through the home server is then unnecessary, and the application server removes the temporary password when the user terminal logs out. The invention enhances the performance and real-time behaviour of the application server, simplifies development of third-party authentication in the application server, and increases the stability and generality of the application server.

Description

Third-party authentication method and system for cross-system access in a communication system
Technical field
The present invention relates to an authentication service method and system for cross-system access in a communication system, and more particularly to a simple, general and efficient third-party authentication method and system for cross-system access.
Background art
In the prior art, with the continuing expansion of Internet applications, the large-scale commercial deployment of 3G and the ongoing convergence of fixed-network and mobile services, more and more services and functions are available for users to use and access.
However, the user name and password exist only on the corresponding home server, the HSS (Home Subscriber Server), which stores the user's personal information. Therefore, when the user uses a service (such as logging in to an application server), the user must be authenticated at the home server HSS.
For non-session services a single authentication may suffice, but for non-session services with frequent interaction, and for services that have both session and non-session parts, cross-system authentication has to be performed frequently. This not only affects the performance and real-time behaviour of the application server but also gives a poor user experience.
Therefore, the prior art needs improvement.
Summary of the invention
The object of the present invention is to provide, in view of the above defects of the prior art, a third-party authentication method and system for cross-system access in a communication system, so that third-party authentication has less impact on the performance of the application server system and the goals of simplicity, generality and efficiency are achieved.
The technical solution of the present invention is as follows:
A method of third-party authentication for cross-system access in a communication system, the method comprising the following steps:
A. The user terminal sends an authentication request to the home server through the application server; the home server authorizes the authentication request and returns the authentication result to the application server; the application server processes the authentication result, generates a temporary password, and sends the authentication result and the temporary password to the user terminal;
B. The user terminal initiates a login request according to the temporary password and logs in to the application server.
Further, after step B the method includes: C. After the user terminal's login session ends, the user terminal is logged out, and the application server clears the temporary password that the user terminal used to log in.
Further, in the method, the step in step A in which the user terminal sends an authentication request to the home server through the application server includes:
A1. The user terminal initiates the first request of the authentication request to the application server; the application server obtains the information of the home server to which the user belongs and replies to the user terminal;
A2. The user terminal generates authentication information according to the returned home server information and initiates the second request of the authentication request to the application server; the application server transmits the authentication information to the home server, and the home server authenticates the authentication information.
Further, in the method, step B further includes:
Further, in the method, the home server information includes the category of the home server, a private key and a random code.
Further, in the method, the home server information also includes information on the encryption algorithm used to encrypt the password.
Further, in the method, the second request carries a response code and an authentication code, where the response code and the authentication code are calculated from the home server information;
the response code is the encrypted password information;
the authentication code is digest information calculated from the user account, the response code and the identifier information, and is used to detect modification of, or errors in, the user account, the response code and the identifier information during network transmission.
Further, in the method, step A2 includes:
A21. The application server transparently forwards the authentication information to the interface machine;
A22. The interface machine sends the authentication information to the corresponding home server according to the type of the home server to which the user belongs;
A23. The home server authenticates the authentication information;
A24. The interface machine receives the authentication result returned by the home server, translates the authentication result into a unified result and sends it to the application server.
The present invention also provides a third-party authentication system for cross-system access in a communication system. The system comprises a user terminal, an application server and at least one home server, which are connected through a network, wherein:
the home server is configured to store user information and provide an authentication service for the user;
the user terminal is configured to initiate an authentication request to the application server and to initiate a login request according to the authentication result and the temporary password provided by the application server;
the application server is configured to authenticate the user terminal through the home server and return the authentication result and the generated temporary password to the user terminal.
Further, the system includes an interface machine located between the application server and the home server; the interface machine is configured to receive authentication information from the application server, forward it to the home server, and return the authentication result to the application server.
An application server supporting third-party authentication for cross-system access in a communication system, the application server being configured to:
when a user terminal initiates an authentication request to the application server, authenticate the user terminal through the home server to which the user terminal belongs and which is connected to the application server through a network, and return the authentication result and a generated temporary password to the user terminal, so that the user terminal initiates a login request according to the authentication result and temporary password provided by the application server.
Further, the application server is also configured to:
after receiving the first request of the authentication request from the user terminal, obtain the information of the home server and reply it to the user terminal; and
after the user terminal has generated authentication information according to the home server information and sent the second request of the authentication request to the application server, transmit the authentication information to the home server so that the home server authenticates it.
A user terminal supporting third-party authentication for cross-system access in a communication system, the user terminal being configured to initiate an authentication request to an application server connected to it through a network, so that the application server authenticates the user terminal through the home server to which the user terminal belongs and which is connected to the application server through the network, and returns the authentication result and a generated temporary password to the user terminal;
the user terminal is further configured to initiate a login request according to the authentication result and temporary password provided by the application server.
Further, the user terminal is also configured to:
send the first request of the authentication request to the application server;
receive the home server information obtained and returned by the application server;
generate authentication information according to the home server information; and
send the second request of the authentication request to the application server, so that the application server transmits the authentication information to the home server and the home server authenticates it.
A home server supporting third-party authentication for cross-system access in a communication system, the home server being configured to:
store the user information of a user terminal; and
when the user terminal initiates an authentication request to an application server connected to it through a network and the application server has sent authentication information to the home server, authenticate the user terminal, so that the application server can return the authentication result and a generated temporary password to the user terminal, and the user terminal can initiate a login request to the application server according to that authentication result and temporary password.
A system supporting third-party authentication for cross-system access in a communication system, the system comprising the user terminal according to claim 12 and the home server according to claim 14.
Further, the system also includes an interface machine located between the application server and the home server. The interface machine is configured to receive authentication information from the application server, forward it to the home server, and return the authentication result to the application server.
Beneficial effects of the invention: with the third-party authentication method and system for cross-system access in a communication system of the present invention, the user terminal sends an authentication request to the home server through the application server before logging in and obtains a pass result; the application server generates a temporary password, and the user terminal initiates its login request with that temporary password, so no further third-party authentication through the home server is needed. The impact on the performance and real-time behaviour of the application server is therefore small, and the stability and generality of the application server are enhanced.
Brief Description of the Drawings
Figure 1 is a networking diagram of the cross-system authentication of the present invention;
Figure 2 is a signalling flow chart of the cross-system authentication of the present invention.
Preferred Embodiments of the Invention
The present invention provides a third-party authentication method for cross-system access in a communication system. To make the objectives, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings and embodiments.
To solve the problems that, in cross-system access to a third-party authentication service, factors exist that affect the performance and real-time behaviour of the application server, and that the user experience is poor, the present invention provides a simple, general and efficient third-party authentication method for cross-system access in a communication system. The core idea of the method is: a general third-party authentication system networking structure is adopted; before logging in, the user terminal sends an authentication request to the home server through the application server; the home server authenticates and authorizes the user and sends the resulting authentication reply to the application server; if authentication passes, a temporary password is generated, and the application server notifies the user terminal of the authentication result and the temporary password; the user terminal initiates a login request with the temporary password, and the application server authenticates it with the temporary password, without going through the home server for another third-party authentication; when the user terminal logs out, the application server clears the temporary password. This method enhances the performance and real-time behaviour of the application server and simplifies the development of third-party authentication on the application server.
According to the above method, the present invention adopts the networking structure of the general third-party authentication system shown in Figure 1. The system includes a user terminal (UE) 10, i.e. the client, an application server AS (Application Server) 30, an interface machine IMP (Interface Machine) 40 and the user's home server HSS 50, all connected through a network 20; the user terminal 10, application server 30, interface machine 40 and home server 50 each communicate over the network 20. The user terminal uses the services provided by the application server; it initiates an authentication request to the application server and, according to the authentication result information and temporary password provided by the application server, initiates a login request. The application server authenticates the user terminal through the home server and returns the authentication result and the generated temporary password to the user terminal. The home server stores the user's detailed information, including user account, password and so on, and provides the authentication service for the user terminal. The interface machine sits between the application server and the home server and thereby hides the details of the signalling exchange between them; it receives authentication information from the application server, assembles the home server authentication message body according to the authentication type and node, forwards the authentication information to the corresponding home server, and returns the authentication result to the application server. The interface between the application server 30 and the interface machine 40 may be an internal interface, which guarantees the generality and stability of the application server.
Using this system, the present invention adopts the third-party authentication method shown in Figure 2, which mainly comprises: Step one, before formally logging in, the client (user terminal (UE)) initiates a third-party authentication request to the application server, and the application server replies to tell the client which home server holds its password information; Step two, the client generates authentication information according to its own home and sends it to the application server, and the application server passes the authentication information on to the home server where the user's password is held; Step three, the home server authenticates and authorizes the user and notifies the application server of the authentication result; if authentication succeeds, the application server generates a temporary password, notifies the other authentication nodes within the application system of it, and then notifies the client of the authentication result and the temporary password; Step four, the client logs in or uses the services provided by the application, and authentication at the application server now uses the application server's temporary password, with no third-party authentication needed; Step five, when the client logs out, the application server clears the temporary password.
The specific steps of the method of the present invention are described in detail below according to the signalling flow chart of the present invention. The flow covers the signalling between the user terminal UE and the application server AS, the exchange between the application server AS and the interface machine, and the signalling between the interface machine and the user's home server. For ease of description, the third-party authentication flow of this patent is described with the XCAP protocol (Extensible Markup Language Configuration Access Protocol) as an example for message transfer between the user terminal UE and the application server AS, and with the SOAP protocol (Simple Object Access Protocol) as an example for message transfer between the interface machine and the home server HSS, though it is not limited to these. The steps are:
Step 201: the user terminal UE, about to use some service or business function provided by the application server AS, first initiates a third-party authentication request to the application server; the AUID (Application Unique ID) of the XCAP request is the identifier remote-auth;
Step 202: the application server AS obtains the category of home server to which the user belongs, i.e. obtains the authentication type and node of the user terminal UE;
Step 203: according to the obtained information, the application server notifies the user terminal UE using an extended HTTP 401 message; the information conveyed includes the category of the home server, a private key, a random code (Random), and which encryption algorithm will be used to encrypt the password;
Step 204: the user terminal UE computes a response code (Response Code) and an authentication code (Authenticator) from the home server category, private key, random code and other information returned by the application server AS. The response code is authentication information computed from the user's password, account, random code and other data; the home server HSS uses the same algorithm to compute authentication information from the user password, account and random code stored in it (the random code being the one contained in the AS request message), and if the two pieces of authentication information are identical the user passes authentication; the response code is thus the encrypted password;
Authentication code: the authentication message sent by the application server AS to the home server HSS contains the account, response code, request ID (identifier) and other information. To prevent this information from being maliciously modified or corrupted in network transmission, a digest computed over it is used as the authentication code.
Computing the response code and authentication code from the home server category, private key, random code and other information is a technique well known to those skilled in the art and is not described further here;
To reduce the load on the application server, the authentication code can be computed by the client;
Step 205: the user terminal UE initiates the third-party authentication request to the application server AS again; this request is a third-party authentication request carrying the response code and the authentication code;
Step 206: the application server AS transparently passes the authentication information, together with the user terminal UE's home server and other information, to the interface machine; if the user terminal UE is a user of this system, the application server directly replies OK and the user terminal UE logs in with the user name and password entered by the user;
Step 207: the interface machine assembles the corresponding third-party authentication SOAP (Simple Object Access Protocol) message according to the user's home server category and the authentication interface specification, i.e. it assembles the home server authentication message body;
Step 208: the authentication message is sent to the corresponding home server;
Step 209: the home server receives the authentication information and authenticates and authorizes the user;
Step 210: the home server notifies the sender, i.e. the interface machine, of the authentication result;
Step 211: the interface machine receives the user authentication result returned by the home server and translates it (different home servers use different authentication result codes, which the interface machine translates into a unified result), and at the same time passes the translated authentication result to the application server. Since the application server AS may face many home servers HSS, whose ways of expressing the authentication result differ, the interface machine translates results such as authentication passed, wrong password, user does not exist and wrong authentication code into unified results, for example: 0: authentication passed; -3: wrong password; -5: account does not exist; -100: other error;
Step 212: the application server receives the client's authentication result and, if authentication passed, generates a temporary password;
Step 213: the application server returns the authentication result, the temporary password, a temporary account (if the account formats of the application server and the home server differ, a temporary account needs to be allocated) and other information to the user terminal UE; for security, the temporary password may be encrypted, using Base64, DES, 3DES or other algorithms according to the required security level; if the application server AS system contains several authentication nodes, the user's account and password are notified to all authentication nodes in the system;
Step 214: the user terminal UE logs in to the application server with the temporary account and temporary password and starts using the application server's functions;
Step 215: the user terminal logs out;
Step 216: the application server and the other authentication nodes in the system clear the temporary password.
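The exchange of steps 201 to 216, as an added single-process simulation that is not part of the patent: a user terminal, an application server, an interface machine and two home servers with different native result codes are modelled in Python. The digest algorithms (SHA-256 for the response code, HMAC-SHA256 for the authentication code), the handling of the step 203 "private key" as one key known to all three parties, the account names and the home servers' native code vocabularies are all constructed assumptions, since the patent leaves them unspecified. The simulation shows the two-request challenge, the translation to the unified codes 0, -3, -5 and -100, the temporary password that lets the login of step 214 avoid a second home-server round trip, and its removal at logout.

```python
import hashlib
import hmac
import secrets

# Constructed home servers (HSS). Each answers in its own native result
# vocabulary, which is exactly why step 211 has the interface machine translate.
HOME_SERVERS = {
    "hss-a": {"users": {"alice": "alice-pw"},
              "native": {"pass": "OK", "bad_pw": "ERR_PASSWORD", "no_user": "ERR_NO_USER"}},
    "hss-b": {"users": {"bob": "bob-pw"},
              "native": {"pass": 200, "bad_pw": 401, "no_user": 404}},
}
# Step 202: which HSS holds each account. "mallory" is mapped but not provisioned,
# so that attempt exercises the "account does not exist" path.
USER_HOME = {"alice": "hss-a", "bob": "hss-b", "mallory": "hss-a"}
# Step 211: the unified codes returned to the application server.
UNIFIED = {"pass": 0, "bad_pw": -3, "no_user": -5, "other": -100}
# The "private key" of step 203, modelled (assumption) as one key known to UE, AS and HSS.
PRIVATE_KEY = b"constructed-private-key"


def response_code(account, password, random_code):
    """Step 204: digest over account, password and the AS random code (SHA-256 assumed)."""
    return hashlib.sha256(f"{account}:{password}:{random_code}".encode()).hexdigest()


def authenticator(account, response, request_id):
    """Step 204: keyed digest over account, response code and request id (HMAC assumed)."""
    msg = f"{account}:{response}:{request_id}".encode()
    return hmac.new(PRIVATE_KEY, msg, hashlib.sha256).hexdigest()


class HomeServer:
    """Step 209: recompute the response from the stored password and compare."""
    def __init__(self, name):
        self.users = HOME_SERVERS[name]["users"]
        self.native = HOME_SERVERS[name]["native"]

    def authenticate(self, account, response, auth_code, request_id, random_code):
        # Integrity check first (the step 204 authentication code); a tampered message
        # is reported like a failed password rather than revealing which field changed.
        if not hmac.compare_digest(auth_code, authenticator(account, response, request_id)):
            return self.native["bad_pw"]
        if account not in self.users:
            return self.native["no_user"]
        expected = response_code(account, self.users[account], random_code)
        return self.native["pass"] if hmac.compare_digest(expected, response) else self.native["bad_pw"]


class InterfaceMachine:
    """Steps 207-211: route to the right HSS and map its native code to a unified one."""
    def forward(self, home, account, response, auth_code, request_id, random_code):
        if home not in HOME_SERVERS:
            return UNIFIED["other"]
        hss = HomeServer(home)
        native = hss.authenticate(account, response, auth_code, request_id, random_code)
        for meaning, value in hss.native.items():
            if value == native:
                return UNIFIED[meaning]
        return UNIFIED["other"]


class ApplicationServer:
    def __init__(self):
        self.imp = InterfaceMachine()
        self.challenges = {}      # request_id -> (account, home, random_code)
        self.temp_passwords = {}  # account -> temporary password (step 212)

    def first_request(self, account):
        """Steps 201-203: answer the first remote-auth request with a 401-style challenge."""
        request_id = secrets.token_hex(8)
        random_code = secrets.token_hex(16)
        self.challenges[request_id] = (account, USER_HOME.get(account, "unknown"), random_code)
        return {"status": 401, "request_id": request_id, "random": random_code}

    def second_request(self, request_id, response, auth_code):
        """Steps 205-213: pass the credentials through the IMP; issue a temporary password on 0."""
        account, home, random_code = self.challenges.pop(request_id)  # one use per challenge
        code = self.imp.forward(home, account, response, auth_code, request_id, random_code)
        temp = secrets.token_urlsafe(16) if code == UNIFIED["pass"] else None
        if temp is not None:
            self.temp_passwords[account] = temp
        return code, temp

    def login(self, account, temp_password):
        """Step 214: checked locally against the temporary password, no HSS round trip."""
        stored = self.temp_passwords.get(account)
        return stored is not None and hmac.compare_digest(stored, temp_password)

    def logout(self, account):
        """Steps 215-216: the temporary password is cleared."""
        self.temp_passwords.pop(account, None)


def run_flow(account, password):
    """Drive one UE through the exchange; returns (unified code, login ok, login ok after logout)."""
    aserver = ApplicationServer()
    chal = aserver.first_request(account)
    resp = response_code(account, password, chal["random"])
    auth = authenticator(account, resp, chal["request_id"])
    code, temp = aserver.second_request(chal["request_id"], resp, auth)
    logged_in = temp is not None and aserver.login(account, temp)
    aserver.logout(account)
    return code, logged_in, aserver.login(account, temp or "")
```

run_flow returns the unified code, whether login with the temporary password succeeded, and whether it still succeeds after logout; the last value should always be False, which is the property step 216 exists to guarantee. The challenge is consumed on its second request and all comparisons use hmac.compare_digest; both are practitioner's additions that the patent does not discuss.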
When the user terminal of the present invention is developed, it does not need to know which home server HSS the user's login account, password and other information actually belong to; it only needs to know all the possible home servers and authentication algorithms, which increases the uniformity of client versions. Standardizing the third-party authentication interface between the application server AS and the user terminal UE also simplifies the development of third-party authentication on the application server. At the same time, the system adds an interface machine to the interface, hiding the varied authentication interfaces between the application server and the home servers and enhancing the stability and generality of the application server.
It should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the technical solution of the present invention may be modified or replaced with equivalents without departing from the spirit and scope of the technical solution of the present invention, all of which are intended to fall within the scope of the claims of the present invention.
Industrial Applicability
With the third-party authentication method and system for cross-system access in a communication system of the present invention, the user terminal sends an authentication request to the home server through the application server before logging in and obtains a pass result; the application server generates a temporary password, and the user terminal initiates its login request with that temporary password, so no further third-party authentication through the home server is needed. The impact on the performance and real-time behaviour of the application server is therefore small, and the stability and generality of the application server are enhanced.

Claims

1. A third-party authentication method for cross-system access in a communication system, the method comprising the following steps:
A. a user terminal sends an authentication request to a home server through an application server; after authorizing the authentication request, the home server returns an authentication result to the application server; the application server processes the authentication result, generates a temporary password, and sends the authentication result and the temporary password to the user terminal;
B. the user terminal initiates a login request according to the temporary password and logs in to the application server.
2. The method according to claim 1, wherein the method further comprises, after step B:
C. after the user terminal's login session ends, the user terminal is logged out and the application server clears the temporary password used for the user terminal's login.
3. The method according to claim 1, wherein, in step A, the step of the user terminal sending an authentication request to the home server through the application server comprises:
A1. the user terminal sends the first request of the authentication request to the application server, and the application server obtains the information of the home server to which the user terminal belongs and replies it to the user terminal;
A2. the user terminal generates authentication information according to the home server information and sends the second request of the authentication request to the application server; the application server transmits the authentication information to the home server, and the home server authenticates the authentication information.
4. The method according to claim 3, wherein the home server information comprises the category of the home server, a private key and a random code.
5. The method according to claim 4, wherein the home server information further comprises information on the encryption algorithm used to encrypt the password.
6. The method according to claim 3, wherein the second request of the authentication request carries a response code and an authentication code, wherein the response code and the authentication code are computed from the home server information; the response code is encrypted password information;
the authentication code is digest information computed from the user account, the response code and identifier information, and is used to prevent the user account, response code and identifier information from being modified or corrupted in network transmission.
7. The method according to claim 3, wherein step A2 further comprises:
A21. the application server transparently passes the authentication information to an interface machine;
A22. the interface machine sends the authentication information to the home server to which the user terminal belongs;
A23. the home server authenticates the authentication information;
A24. the interface machine receives the authentication result returned by the home server, translates the authentication result, and sends the translated unified result to the application server.
8. A third-party authentication system for cross-system access in a communication system, the system comprising a user terminal, an application server and at least one home server, which are connected through a network, wherein:
the home server is configured to store user information and provide an authentication service for the user;
the user terminal is configured to initiate an authentication request to the application server and, according to the authentication result and temporary password provided by the application server, to initiate a login request;
the application server is configured to authenticate the user terminal through the home server and to return the authentication result and the generated temporary password to the user terminal.
9. The system according to claim 8, wherein the system further comprises an interface machine located between the application server and the home server, the interface machine being configured to receive authentication information from the application server, forward the authentication information to the home server, and return the authentication result to the application server.
10. An application server supporting third-party authentication for cross-system access in a communication system, the application server being configured to:
when a user terminal initiates an authentication request to the application server, authenticate the user terminal through the home server to which the user terminal belongs and which is connected to the application server through a network, and return the authentication result and a generated temporary password to the user terminal, so that the user terminal initiates a login request according to the authentication result and temporary password provided by the application server.
11. The application server according to claim 10, wherein the application server is further configured to:
after receiving the first request of the authentication request from the user terminal, obtain the information of the home server and reply it to the user terminal; and
after the user terminal has generated authentication information according to the home server information and sent the second request of the authentication request to the application server, transmit the authentication information to the home server so that the home server authenticates it.
12. A user terminal supporting third-party authentication for cross-system access in a communication system, the user terminal being configured to initiate an authentication request to an application server connected to it through a network, so that the application server authenticates the user terminal through the home server to which the user terminal belongs and which is connected to the application server through the network, and returns the authentication result and a generated temporary password to the user terminal;
the user terminal is further configured to initiate a login request according to the authentication result and temporary password provided by the application server.
13. The user terminal according to claim 12, wherein the user terminal is further configured to: send the first request of the authentication request to the application server;
receive the home server information obtained and returned by the application server;
generate authentication information according to the home server information; and
send the second request of the authentication request to the application server, so that the application server transmits the authentication information to the home server and the home server authenticates it.
14、 一种支持实现通信***中跨***访问的第三方认证的归属服务器, 所述归属服务器设置成:  14. A home server supporting third-party authentication for implementing cross-system access in a communication system, the home server being configured to:
保存用户终端的用户信息; 以及  Saving user information of the user terminal;
在所述用户终端向通过网络与其连接的应用服务器发起认证请求且所述 应用服务器向所述归属服务器发送了认证信息时,对所述用户终端进行认证, 以使所述应用服务器能够向所述用户终端返回认证结果及生成的临时密码, 从而所述用户终端能够根据所述应用服务器提供的认证结果及临时密码向所 述应用服务器发起登录请求。 Initiating an authentication request at the user terminal to an application server connected thereto through a network and the When the application server sends the authentication information to the home server, the user terminal is authenticated, so that the application server can return the authentication result and the generated temporary password to the user terminal, so that the user terminal can The authentication result and the temporary password provided by the application server initiate a login request to the application server.
15、 一种支持通信***中跨***访问的第三方认证的***, 所属***包 括根据权利要求 12所述的用户终端以及根据权利要求 14所述的归属服务器。  A system for supporting third-party authentication of cross-system access in a communication system, the system comprising the user terminal according to claim 12 and the home server according to claim 14.
16、 根据权利要求 15所述的***, 其中, 所述***还包括一个接口机, 所述接口机位于应用服务器和归属服务器之间, 所述接口机设置成接收来自 于所述应用服务器的认证信息, 将所述认证信息转发给所述归属服务器, 并 回复认证结果至所述应用服务器。  16. The system according to claim 15, wherein the system further comprises an interface machine, the interface machine is located between the application server and the home server, and the interface machine is configured to receive the authentication from the application server. The information is forwarded to the home server, and the authentication result is returned to the application server.
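The three-party exchange described in claims 12 to 16 (first request, home-server information, authentication information, home-server verification via an interface machine, temporary password, login request), simulated end to end as an added example. This is illustration code written for this page, not the patent's own implementation. Everything the claims leave open is an assumption here: the home-server information is taken to be a server identifier plus a fresh nonce, the authentication information is an HMAC-SHA256 over that information keyed with the user's secret held only by the home server, the home server for a user is taken from the realm after "@" in the user identifier, and the temporary password is single-use and expires after 60 seconds. The sample user and secret are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the patent): one subscriber known to the home server.
HOME_SERVER_USERS = {"alice@home.example": b"shared-secret-for-alice"}


class FakeClock:
    """Deterministic clock so temporary-password expiry can be exercised offline."""
    def __init__(self, now=0.0):
        self.now = now
    def __call__(self):
        return self.now


def compute_auth_info(secret, server_id, nonce):
    """Terminal side: derive authentication information from the home-server info (assumed HMAC)."""
    msg = f"{server_id}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class HomeServer:
    """Stores user credentials and is the only party that verifies them (claim 14)."""
    def __init__(self, server_id, users):
        self.server_id = server_id
        self.users = dict(users)
        self.issued_challenges = {}

    def challenge(self, user_id):
        # A fresh nonce per request; issued even for unknown users so the reply does not
        # reveal whether an identifier exists. The MAC over it cannot be replayed later.
        nonce = secrets.token_hex(16)
        self.issued_challenges[user_id] = nonce
        return {"server_id": self.server_id, "nonce": nonce}

    def verify(self, user_id, auth_info):
        nonce = self.issued_challenges.pop(user_id, None)  # single use
        secret = self.users.get(user_id)
        if nonce is None or secret is None:
            return False
        expected = compute_auth_info(secret, self.server_id, nonce)
        return hmac.compare_digest(expected, auth_info)


class InterfaceMachine:
    """Relay between application server and home servers (claim 16)."""
    def __init__(self, home_servers):
        self.home_servers = home_servers
    def forward(self, home_id, user_id, auth_info):
        return self.home_servers[home_id].verify(user_id, auth_info)


class ApplicationServer:
    """Holds no user credentials; only brokers the check and issues a temporary password."""
    def __init__(self, relay, home_servers, clock, ttl=60):
        self.relay = relay
        self.home_servers = home_servers
        self.clock = clock
        self.ttl = ttl
        self.temp_passwords = {}

    def home_for(self, user_id):
        return user_id.split("@", 1)[1]  # realm names the home server (assumption)

    def first_request(self, user_id):
        return self.home_servers[self.home_for(user_id)].challenge(user_id)

    def second_request(self, user_id, auth_info):
        if not self.relay.forward(self.home_for(user_id), user_id, auth_info):
            return {"result": "fail", "temp_password": None}
        tp = secrets.token_urlsafe(16)
        self.temp_passwords[user_id] = (tp, self.clock() + self.ttl)
        return {"result": "ok", "temp_password": tp}

    def login(self, user_id, temp_password):
        entry = self.temp_passwords.pop(user_id, None)  # one-shot: consumed on first use
        if entry is None:
            return False
        tp, expires = entry
        return hmac.compare_digest(tp, temp_password) and self.clock() <= expires


def run_flow(user_id, terminal_secret, clock=None, advance_before_login=0.0):
    """Run the full exchange; returns the outcome of each step for inspection."""
    clock = clock or FakeClock()
    hs = HomeServer("home.example", HOME_SERVER_USERS)
    servers = {hs.server_id: hs}
    app = ApplicationServer(InterfaceMachine(servers), servers, clock)
    info = app.first_request(user_id)                                   # claim 13, step 1-2
    auth_info = compute_auth_info(terminal_secret, info["server_id"], info["nonce"])
    resp = app.second_request(user_id, auth_info)                      # claim 13, step 3-4
    if resp["result"] != "ok":
        return {"auth": "fail", "login": False, "replay": False}
    clock.now += advance_before_login
    first = app.login(user_id, resp["temp_password"])                  # claim 12 login request
    replay = app.login(user_id, resp["temp_password"])                 # reuse must be rejected
    return {"auth": "ok", "login": first, "replay": replay}


if __name__ == "__main__":
    print(run_flow("alice@home.example", b"shared-secret-for-alice"))
    print(run_flow("alice@home.example", b"wrong-secret"))
    print(run_flow("alice@home.example", b"shared-secret-for-alice", advance_before_login=120))
```

The design point to take from the simulation is where the credential lives: the application server never sees the user's secret, only a nonce-bound MAC that it forwards and a yes/no answer that comes back, and the temporary password it then issues is worthless after one use or after its time window, so neither value is worth capturing in transit.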
PCT/CN2009/073270 2008-10-16 2009-08-14 Method and system for realizing third party authentication of trans-system access in a communication system WO2010043134A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200810216759.8A CN101388777B (en) 2008-10-16 2008-10-16 Third party authentication method and system for cross-system access in communication system
CN200810216759.8 2008-10-16

Publications (1)

Publication Number Publication Date
WO2010043134A1 true WO2010043134A1 (en) 2010-04-22

Family

ID=40477973

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/073270 WO2010043134A1 (en) 2008-10-16 2009-08-14 Method and system for realizing third party authentication of trans-system access in a communication system

Country Status (2)

Country Link
CN (1) CN101388777B (en)
WO (1) WO2010043134A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140053242A1 (en) * 2012-08-15 2014-02-20 Verizon Patent And Licensing, Inc. Management of private information

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101388777B (en) * 2008-10-16 2013-01-16 中兴通讯股份有限公司 Third party authentication method and system for cross-system access in communication system
CN102055754B (en) * 2009-10-30 2013-11-06 ***通信集团公司 Method, system and device for initializing card-free hard terminal
JP5521736B2 (en) * 2010-04-23 2014-06-18 富士ゼロックス株式会社 COMMUNICATION CONTROL DEVICE, COMMUNICATION CONTROL PROGRAM, AND COMMUNICATION CONTROL SYSTEM
CN103780584A (en) * 2012-10-22 2014-05-07 上海俊悦智能科技有限公司 Cloud computing-based identity authentication fusion method
CN104518876B (en) 2013-09-29 2019-01-04 腾讯科技(深圳)有限公司 Service login method and device
CN105099683A (en) * 2014-05-08 2015-11-25 中兴通讯股份有限公司 Account distribution method and device
CN105227320B (en) * 2015-10-28 2020-01-10 腾讯科技(深圳)有限公司 Authorization method, server, terminal and system
CN112751800B (en) * 2019-10-29 2023-11-24 杭州海康威视***技术有限公司 Authentication method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1588850A (en) * 2004-06-30 2005-03-02 大唐微电子技术有限公司 Network identifying method and system
CN101150407A (en) * 2007-10-25 2008-03-26 王松 Network identity validation method based on fingerprint
CN101388777A (en) * 2008-10-16 2009-03-18 中兴通讯股份有限公司 Third party authentication method and system for cross-system access in communication system

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1588850A (en) * 2004-06-30 2005-03-02 大唐微电子技术有限公司 Network identifying method and system
CN101150407A (en) * 2007-10-25 2008-03-26 王松 Network identity validation method based on fingerprint
CN101388777A (en) * 2008-10-16 2009-03-18 中兴通讯股份有限公司 Third party authentication method and system for cross-system access in communication system

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140053242A1 (en) * 2012-08-15 2014-02-20 Verizon Patent And Licensing, Inc. Management of private information
US9202016B2 (en) * 2012-08-15 2015-12-01 Verizon Patent And Licensing Inc. Management of private information

Also Published As

Publication number Publication date
CN101388777A (en) 2009-03-18
CN101388777B (en) 2013-01-16

Similar Documents

Publication Publication Date Title
WO2010043134A1 (en) Method and system for realizing third party authentication of trans-system access in a communication system
CN106233704B (en) Method and apparatus by Relay mode network address translation hole punching voucher are provided
JP5490874B2 (en) Identity management services provided by network operators
WO2015062398A1 (en) Access authentication method and device for information system
US8559633B2 (en) Method and device for generating local interface key
WO2013087039A1 (en) Secure data transmission method, device and system
US10158608B2 (en) Key establishment for constrained resource devices
WO2012024910A1 (en) Authentication method, apparatus and system
WO2006032214A1 (en) Method for realizng transmission of syncml synchronous data
WO2016134657A1 (en) Operating method for push authentication system and device
CN112261022A (en) Security authentication method based on API gateway
JP2010086529A (en) Sip signaling without requiring constant re-authentication
WO2013075661A1 (en) Login and open platform identifying method, open platform and system
US9882897B2 (en) Method and system for transmitting and receiving data, method and device for processing message
US11622276B1 (en) Systems and method for authentication and authorization in networks using service based architecture
WO2011144081A2 (en) Method, system and server for user service authentication
Huang et al. A token-based user authentication mechanism for data exchange in RESTful API
US9270771B2 (en) System and method for performing a delegation operation
WO2008025272A1 (en) A session initiated protocol system, a means for establishing a security channel and the method thereof
CN102694779B (en) Combination attestation system and authentication method
JP5614465B2 (en) Encryption communication device, proxy server, encryption communication device program, and proxy server program
CN101232379B (en) Method for implementing system login, information technology system and communication system
WO2012000313A1 (en) Method and system for home gateway certification
CN116233832A (en) Verification information sending method and device
WO2008001988A1 (en) System and method for managing network/service access for linkage between network access and application service

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09820210

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09820210

Country of ref document: EP

Kind code of ref document: A1