[go: up one dir, main page]

CN1698308B - Method and apparatus enabling reauthentication in a cellular communication system - Google Patents

Method and apparatus enabling reauthentication in a cellular communication system Download PDF

Info

Publication number
CN1698308B
CN1698308B CN03823734.2A CN03823734A CN1698308B CN 1698308 B CN1698308 B CN 1698308B CN 03823734 A CN03823734 A CN 03823734A CN 1698308 B CN1698308 B CN 1698308B
Authority
CN
China
Prior art keywords
authentication
terminal
server
identity
domain name
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
CN03823734.2A
Other languages
Chinese (zh)
Other versions
CN1698308A (en
Inventor
H·哈韦里宁
K·阿马瓦拉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nokia Technologies Oy
Original Assignee
Nokia Oyj
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US10/659,774 external-priority patent/US8972582B2/en
Application filed by Nokia Oyj filed Critical Nokia Oyj
Publication of CN1698308A publication Critical patent/CN1698308A/en
Application granted granted Critical
Publication of CN1698308B publication Critical patent/CN1698308B/en
Anticipated expiration legal-status Critical
Expired - Lifetime legal-status Critical Current

Links

Images

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

A method (and corresponding equipment) for us in reauthentication--after a first, full authentication by a first authentication server (23a)--of a communication session involving the exchange of information between a terminal (21) and a server (24), the method including: a step (11) in which the first authentication server (23a) and other authentication servers (23b) are each assigned a respective unique realm name; and a step (13) in which during authentication between the terminal and the first authentication server (23a), the first authentication server (23a) transmits to the terminal (21) a reauthentication identity including the unique realm name assigned to the first authentication server. Then, later, during reauthentication, to make possible that the reauthentication is performed by the same authentication server (23a) as performed the full authentication--i.e. by the first authentication server (23a)--the reauthentication identity is included in a request for reauthentication.

Description

允许在蜂窝通信系统中重新认证的方法和装置Method and apparatus allowing re-authentication in a cellular communication system

相关申请的交叉引用Cross References to Related Applications

本申请要求于2002年10月3日提交的、题为“EAPAKA和SIM认证”的美国临时申请序列号No.60/416481的优先权。 This application claims priority to US Provisional Application Serial No. 60/416,481, filed October 3, 2002, entitled "EAPAKA and SIM Authentication." the

技术领域technical field

本发明涉及通信系统中用于认证和会话密钥分发的可扩展认证协议(EAP)机制,如用于通用移动通信系统(UMTS)的认证和(会话)密钥(分发)协议(AKA)的EAP机制,又如在全球移动通信系统(GSM)所用用户识别模块(SIM)中实现的用于AKA的EAP机制。更具体地来说,本发明涉及将EAP机制用于GSMSIM或UMTSAKA认证的通信系统中的重新认证。The present invention relates to Extensible Authentication Protocol (EAP) mechanisms for authentication and session key distribution in communication systems such as Authentication and (Session) Key (Distribution) Protocol (AKA) for Universal Mobile Telecommunications System (UMTS) The EAP mechanism is another example of the EAP mechanism for AKA implemented in the Subscriber Identity Module (SIM) used in the Global System for Mobile Communications (GSM). More specifically, the present invention relates to the use of EAP mechanisms for re-authentication in GSMSIM or UMTSAKA authenticated communication systems.

背景技术Background technique

AKA基于查询-响应机制和对称密码术,在UMTS中,它可参见3GPP(第三代伙伴关系计划)组织于2000年11月发布的3GPPTS(技术规范)33.102 V3.6.0:“技术规范组服务和系统方面;3G安全性;安全性体系结构(1999版)”。AKA通常在UMTS用户识别模块(USIM)(类智能卡设备)中运行。但是AKA的应用并不局限于含智能卡的客户设备;例如AKA还可以用主机软件实现。AKA还提供对GSM认证机制的后向兼容,GSM认证机制是在欧洲电信标准协会于1997年8月发布的GSM03.20(ETS 300 534):“数字蜂窝电信系统(第2阶段);安全性相关的网络功能”中提出的。与GSM机制比较,AKA提供长得多的密钥长度并且提供对服务器端(以及客户端)的认证。AKA is based on query-response mechanism and symmetric cryptography. In UMTS, it can refer to 3GPPTS (Technical Specification) 33.102 V3.6.0 issued by 3GPP (Third Generation Partnership Project) in November 2000: "Technical Specification Group Service and system aspects; 3G security; security architecture (1999 edition)". AKA typically runs in a UMTS Subscriber Identity Module (USIM), a smart card-like device. However, the application of AKA is not limited to client devices containing smart cards; for example, AKA can also be implemented with host software. AKA also provides backward compatibility with the GSM authentication mechanism, which was published by the European Telecommunications Standards Institute in August 1997 in GSM03.20 (ETS 300 534): "Digital Cellular Telecommunications Systems (Phase 2); Security Related Network Capabilities". Compared to the GSM mechanism, AKA provides a much longer key length and provides authentication of the server side (as well as the client side).

为了使客户设备如无线终端(更具体的例如移动台)使用服务器(如运营商提供和管理的通信系统中的服务器)提供的服务(或包括如因特网的任何类型网络的服务器的服务),用户终端在某些情况下(对于某些网络和那些网络的某些服务)必须向服务器认证自己,反之亦然。(至少在一些网络,尤其是UMTS中服务器必须向客户机认证自己),即各方必须向另一方证明其宣称的身份。在拨号网络、无线LAN、有线LAN网络和各种数字用户线(xDSL)网络上,网络的运营商通常采用所谓的AAA(认证、授权和记帐)服务器来认证客户,并认证该客户的服务请求所发往的运营商网络的服务器(或认证运营商网络而无论任何特定的服务器)。AAA服务器可以负责存储共享的秘密和认证用户(具有特定于特定用户并因此识别用户的组件的终端)所需的其他保密信息,或者AAA服务器也可以使用单独的用户数据库服务器,用于存储这些保密信息。可扩展认证协定(EAP)通常在采用AAA服务器来执行AAA服务器和终端之间的认证的网络上使用。如果网络的运营商是UMTS或GSM网络的蜂窝运营商,则EAP方法可以如在EAP SIM中封装增强的GSM认证和密钥协定,或者如在EAP AKA中封装增强的UMTS认证和密钥协定。终端与本地网络上的值班设备交换认证分组。值班设备随网络类型不同而不同,但它可以是例如无线LAN接入点、以太网交换机和拨号网络接入服务器(NAS)。值班设备通常作为所谓的AAA客户机运行,AAA客户机和AAA服务器使用所谓的AAA协议来执行认证。In order for a client device such as a wireless terminal (more specifically, a mobile station) to use services provided by a server (such as a server in a communication system provided and managed by an operator) (or services including a server of any type of network such as the Internet), the user A terminal must under certain circumstances (for certain networks and certain services of those networks) authenticate itself to a server and vice versa. (At least in some networks, notably UMTS, the server must authenticate itself to the client), ie each party must prove to the other party who it claims to be. On dial-up networks, wireless LANs, wired LAN networks and various Digital Subscriber Line (xDSL) networks, the operator of the network usually employs a so-called AAA (Authentication, Authorization and Accounting) server to authenticate the client and to authenticate the client's service The server of the carrier's network (or authenticating carrier's network regardless of any particular server) the request is sent to. The AAA server may be responsible for storing shared secrets and other secrets needed to authenticate users (terminals with components specific to a particular user and thus identifying the user), or the AAA server may use a separate user database server for storing these secrets information. Extensible Authentication Protocol (EAP) is generally used on a network employing an AAA server to perform authentication between the AAA server and a terminal. If the operator of the network is a cellular operator of a UMTS or GSM network, the EAP method may encapsulate enhanced GSM authentication and key agreement as in EAP SIM, or enhanced UMTS authentication and key agreement as in EAP AKA. The terminal exchanges authentication packets with the watch device on the local network. The on-duty device varies with the type of network, but it can be, for example, a wireless LAN access point, an Ethernet switch, and a dial-up network access server (NAS). The watch device usually operates as a so-called AAA client, and the AAA client and the AAA server perform authentication using the so-called AAA protocol.

在与EAP SIM或EAP AKA建立的通信会话开始时,终端和AAA服务器执行本文所谓的完整认证,即认证从终端或AAA服务器彼此均不作为认证对方的任何基础的状态开始。At the beginning of a communication session established with EAP SIM or EAP AKA, the terminal and the AAA server perform so-called full authentication in this paper, that is, the authentication starts from a state where neither the terminal nor the AAA server serves as any basis for authenticating the other party.

在建立完整认证之后,可能在一段预定时间或某个其他条件得到满足的情况下,需要重新认证来降低如下可能性:“坏蛋”利用某个其他设备(服务器设备或客户设备)开始冒充最初通过认证的 实体,或者甚至以某种方式获得了最初通过认证的设备的物理控制权(例如用户离开时忘记关闭通过认证的终端并走开)并开始发送请求。为了确认终端仍在使用网络资源,也可能需要根据本地网络发送的记帐消息的要求重新进行认证。同样,在密钥有效期有限的情况下,出于安全性原因也可能使用重新认证来协商新的安全密钥。重新认证在EAP SIM(对应于GSM)和EAP AKA(对应于UMTS)中是完全相同的。After full authentication has been established, possibly at a predetermined time or some other condition is met, re-authentication is required to reduce the likelihood that a "bad guy" will use some other device (either a server device or a client device) to start impersonating the originally authenticated The authenticated entity, or even somehow gains physical control of the initially authenticated device (e.g. the user forgets to close the authenticated terminal and walks away) and starts sending requests. In order to confirm that the terminal is still using network resources, it may also need to re-authenticate as required by accounting messages sent by the local network. Likewise, re-authentication may also be used to negotiate new secure keys for security reasons where the keys have a limited lifetime. Reauthentication is exactly the same in EAP SIM (corresponding to GSM) and EAP AKA (corresponding to UMTS).

现有技术的EAP SIM和EAP AKA协议利用分别从AAA服务器传递给正在被重新认证的终端的重新认证用户身份提供重新认证。重新认证基于会话密钥和完整认证过程中建立的其他上下文信息。The prior art EAP SIM and EAP AKA protocols provide re-authentication using the re-authentication user identity respectively passed from the AAA server to the terminal being re-authenticated. Reauthentication is based on the session key and other contextual information established during the full authentication process.

营运商可能基于均衡负载和其他原因在网络中部署多个AAA服务器。因为可以随机选择或通过某种预定机制如轮询机制选择AAA服务器来对终端进行认证,所以终端(用户)可能不总是向同一个AAA服务器进行认证。在这种网络中,如果上下文信息只存储在执行过完整认证的AAA服务器中,则重新认证就成了问题。因为重新认证假定完整认证过程中提供的一些信息的有效性,所以如果终端的重新认证AAA请求被转发到不同于执行过完整认证的AAA服务器的另一个AAA服务器,则重新认证无法进行(即无法执行)。Operators may deploy multiple AAA servers in the network for load balancing and other reasons. Since an AAA server may be selected randomly or through some predetermined mechanism such as a polling mechanism to authenticate the terminal, the terminal (user) may not always authenticate to the same AAA server. In such networks, reauthentication becomes problematic if the context information is only stored in AAA servers that have performed full authentication. Because reauthentication assumes the validity of some information provided during the full authentication process, if the terminal's reauthentication AAA request is forwarded to another AAA server than the one that performed the full authentication, reauthentication cannot be performed (i.e., cannot implement).

因此,需要有一种方法,使重新认证可以在重新认证请求可能转发到不同于执行过完整认证的AAA服务器的另一个AAA服务器的网络中执行。Therefore, there is a need for a method by which reauthentication can be performed in networks where reauthentication requests may be forwarded to another AAA server than the one that performed full authentication.

发明的公开disclosure of invention

因此,在本发明的第一方面中,提供一种用于对涉及通过认证网络在一个终端和一个服务器之间交换信息的通信会话重新进行认证的方法,所述通信会话已经由终端和认证网络的第一认证服务器认证过,所述方法的特征在于:对第一认证服务器和其他认证服务 器分别分配相应的唯一域名的步骤;以及在终端和第一认证服务器之间进行认证期间,第一认证服务器向终端发送重新认证身份的步骤,所述重新认证身份含有分配给第一认证服务器的唯一域名。Accordingly, in a first aspect of the invention there is provided a method for re-authenticating a communication session involving the exchange of information between a terminal and a server over an authentication network, said communication session having been authenticated by the terminal and the authentication network has been authenticated by the first authentication server, the method is characterized in that: the step of assigning corresponding unique domain names to the first authentication server and other authentication servers; and during the authentication between the terminal and the first authentication server, the first The authentication server sends a re-authentication identity to the terminal, the re-authentication identity contains the unique domain name assigned to the first authentication server.

根据本发明的第一方面,所述方法的特征还在于:为执行重新认证,终端发送使用含唯一域名的重新认证身份的重新认证请求的步骤;以及,收到重新认证请求的认证网元根据所述请求中包含的重新认证身份确定指示执行过完整认证的认证服务器的唯一域名的步骤。所述方法的特征还在于:认证网元将所述请求转发到作为所述重新认证身份的一部分包含的唯一域名所指示的认证服务器的步骤;以及终端和第一认证服务器执行重新认证的步骤。According to the first aspect of the present invention, the method is further characterized by: in order to perform re-authentication, the terminal sends a re-authentication request using a re-authentication identity with a unique domain name; and the authentication network element receiving the re-authentication request according to The re-authentication identity determination included in the request indicates the steps to perform the unique domain name of the fully authenticated authentication server. The method is further characterized by the step of the authentication network element forwarding the request to the authentication server indicated by the unique domain name included as part of the re-authentication identity; and the step of the terminal and the first authentication server performing the re-authentication.

在本发明的第二方面中,提供了蜂窝通信系统中的一种认证服务器,它包括用于重新认证终端和内容服务器之间的通信会话的装置,所述认证服务器的特征在于:用于接收分配的唯一域名的装置;以及用于向终端发送包含唯一域名的重新认证身份的装置。In a second aspect of the present invention there is provided an authentication server in a cellular communication system comprising means for re-authenticating a communication session between a terminal and a content server, said authentication server being characterized in that it receives means for assigning a unique domain name; and means for sending a re-authentication identity including the unique domain name to the terminal.

根据本发明的第一方面,所述认证服务器的特征还在于:接收使用重新认证身份的重新认证请求,以及根据重新认证身份确定唯一域名的装置。所述认证服务器的特征还在于:将所述请求转发到作为重新认证身份的一部分包含的唯一域名所指示的认证服务器的装置。According to the first aspect of the present invention, the authentication server is further characterized by means for receiving a re-authentication request using a re-authentication identity, and determining a unique domain name based on the re-authentication identity. The authentication server is further characterized by means for forwarding the request to the authentication server indicated by the unique domain name included as part of the re-authentication identity.

在本发明的第三方面中,提供了一种计算机程序产品,它包括:其上含由认证服务器中的计算机处理器执行的计算机程序代码的计算机可读存储结构,其中所述计算机程序代码的特征在于它包括用于启用根据本发明的第二方面的设备的装置的指令。In a third aspect of the present invention there is provided a computer program product comprising: a computer readable storage structure having computer program code embodied thereon for execution by a computer processor in an authentication server, wherein the computer program code's It is characterized in that it comprises instructions for enabling means for the apparatus according to the second aspect of the invention.

在本发明的第四方面中,提供了一种系统,它包括:多个终端、多个认证服务器和至少一个内容服务器;所述终端可操作以在通过一个或另一个所述认证服务器的认证和偶尔重新认证之后向所述内容服务器请求内容,所述系统的特征在于:至少两个所述认证服务器均为如本发明第二方面所述的设备。In a fourth aspect of the present invention there is provided a system comprising: a plurality of terminals, a plurality of authentication servers and at least one content server; said terminal being operable to be authenticated by one or another of said authentication servers and requesting content from the content server after occasional re-authentication, the system is characterized in that at least two of the authentication servers are devices according to the second aspect of the present invention.

附图简介Brief introduction to the drawings

参考如下结合附图的详细说明,可清楚本发明的上述和其他目的、特征和优点,附图中:The above and other objects, features and advantages of the present invention can be made clear with reference to the following detailed description in conjunction with the accompanying drawings, in which:

图1是根据本发明,用于(向充当认证代理的认证服务器)重新认证终端的方法的流程图;Figure 1 is a flowchart of a method for re-authentication (to an authentication server acting as an authentication proxy) of a terminal according to the present invention;

图2是根据本发明,终端认证以及之后向认证服务器重新认证的框图/流程图。Figure 2 is a block diagram/flow diagram of terminal authentication and subsequent re-authentication to an authentication server according to the present invention.

发明的最佳实施方式BEST MODE FOR CARRYING OUT THE INVENTION

针对如何确保可以在重新认证请求可能转发到不同于执行过完整认证的AAA服务器的另一个AAA服务器的网络中进行有效的重新认证的问题,本发明提供了一种解决方案。为解决此问题,本发明使得可以选择执行过完整认证的AAA服务器作为重新认证时的AAA服务器。The present invention provides a solution to the problem of how to ensure efficient re-authentication in a network where re-authentication requests may be forwarded to another AAA server than the one that performed full authentication. To solve this problem, the present invention makes it possible to select an AAA server that has performed complete authentication as the AAA server for re-authentication.

下面结合用于通用移动电信系统(UMTS)认证和密钥协定(AKA)中的认证和会话密钥分发的可扩展认证协议(EAP)机制来描述本发明,上述协议可参见3GPP组织于2000年11月发布的3GPPTS33.102 V3.6.0:“技术规范组服务和系统方面;3G安全性;安全性体系结构(1999版)”;以及J.Arkko和H.Haverinen于2002年6月提交的IETF(因特网工程任务组)草案文档:“EAPAKA认证”(draft-arkko-pppext-eap-aka-04.txt)。UMTS是全球第三代移动网络标准。本发明显然还可以结合用于采用全球移动通信系统(GSM)用户识别模块(SIM)的认证和会话密钥分发的EAP机制,此机制可参见欧洲电信标准协会于1997年8月发布的GSM技术规范GSM03.20(ETS 300 534):“数字蜂窝电信系统(第2阶段);安全性相关的网络功能”以及H.Haverinen于2002年7月2日提交的IETF草案文档:“EAPSIM认证”(draft-haverinen-pppext-eap-sim-05.txt)。 虽然对本发明的描述具体参照与可扩展认证协议的结合使用及其UMTS和GSM方法来进行,但应理解,本发明并不限用于可扩展认证协议或符合UMST或GSM标准的蜂窝通信系统;本发明实际上可以可扩展认证协议与AAA协议结合使用的类似或可比的方式用于提供认证的任何通信系统中。在所述实施例的情况中,本发明利用所谓的EAP(可扩展认证协议),此EAP可参见IETF网络工作组发布的标题为“PPP可扩展认证协议(EAP)”的RFC2284中。(PPP)EAP是一种通用的认证协议;它支持多种认证机制。The present invention is described below in conjunction with the Extensible Authentication Protocol (EAP) mechanism for authentication and session key distribution in the Universal Mobile Telecommunications System (UMTS) Authentication and Key Agreement (AKA), which can be found in 2000 by the 3GPP organization 3GPPTS33.102 V3.6.0 published in November: "Technical Specification Group Services and System Aspects; 3G Security; Security Architecture (Version 1999)"; and IETF submitted by J.Arkko and H.Haverinen in June 2002 (Internet Engineering Task Force) draft document: "EAPAKA Authentication" (draft-arkko-pppext-eap-aka-04.txt). UMTS is the third generation mobile network standard worldwide. Obviously, the present invention can also be used in combination with the EAP mechanism for authentication and session key distribution using the Global System for Mobile Communications (GSM) Subscriber Identity Module (SIM). Specification GSM03.20 (ETS 300 534): "Digital Cellular Telecommunications System (Stage 2); Security-Related Network Functions" and IETF draft document submitted by H. Haverinen on July 2, 2002: "EAPSIM Authentication" ( draft-haverinen-ppppext-eap-sim-05.txt). Although the present invention has been described with specific reference to its use in conjunction with the Extensible Authentication Protocol and its UMTS and GSM methods, it should be understood that the present invention is not limited to use in the Extensible Authentication Protocol or cellular communication systems conforming to the UMST or GSM standards; The present invention can be used in virtually any communication system that provides authentication in a similar or comparable manner to the use of the Extensible Authentication Protocol in conjunction with the AAA protocol. In the case of the described embodiment, the invention makes use of the so-called EAP (Extensible Authentication Protocol), which can be found in RFC 2284 entitled "PPP Extensible Authentication Protocol (EAP)" published by the IETF Network Working Group. (PPP)EAP is a generic authentication protocol; it supports multiple authentication mechanisms.

现在参考图1和图2,为确保重新认证始终可行,本发明提出一种包括第一步骤11的方法,在该步骤中,为每个AAA服务器23a和23b(位于相同或不同的营运商网络中)分配一个唯一的域名,在UMTS或GSM和IP服务认证的情况中,它是可用于网络接入标识符(NAI)的类型的名称(作为NAI的一部分,例如以user@realm的形式,其中“realm”是唯一的域名),NAI是AAA协议结合用于网络接入认证时使用的(终端)标识符。在制定的EAP和AAA协议中,认证请求包含用户的网络接入标识符。在完整认证的情况中,EAP SIM和EAP AKA指定终端将用于请求完整认证的身份格式。根据指定的规范,NAI的用户名部分包含国际移动用户标识符(IMSI)或EAP SIM和EAP AKA规范中称为假名的临时标识符。NAI中所用的域名通常是归属营运商的公用标识符。可以采用若干AAA服务器来服务传送到该域名的请求。因此,根据现有技术,通常NAI中的域名可由几个AAA服务器共享。例如:MyOperator的用户可以使用域名myoperator.com,而AAA消息会路由到myoperator.com的这些AAA服务器之一。在EAP SIM和EAP AKA完整认证中,域名可能指示一组AAA服务器。但是,根据本发明,将会为每个AAA服务器分配一个唯一的域名,例如,serverX.myoperator.com,它是将用于重新认证身份中的唯一域名。这里,第三级名称serverX使域名serverX.myoperator.com为唯一的域名。该域名的结构化格式可以允许某些AAA网元将所有以myoperator.com结尾的域路由到正确的下一跳,而无需考虑使域名唯一而必须添加的第三级名称;例如,值班设备21a可能不需要关心完整的域名,而是可以采用简单的规则:“将*.myoperator.com路由到MyOperator的AAA代理”(其中*用作通配符,即,它表示名称中允许的任何字符集)。Referring now to Figures 1 and 2, in order to ensure that reauthentication is always possible, the present invention proposes a method comprising a first step 11 in which a middle) to assign a unique domain name which, in the case of UMTS or GSM and IP service authentication, is the name of the type that can be used for a Network Access Identifier (NAI) (as part of the NAI, e.g. in the form user@realm, Where "realm" is a unique domain name), NAI is a (terminal) identifier used in conjunction with the AAA protocol for network access authentication. In the established EAP and AAA protocols, the authentication request contains the user's network access identifier. In case of full authentication, EAP SIM and EAP AKA specify the identity format that the terminal will use to request full authentication. Depending on the specification specified, the username part of the NAI contains the International Mobile Subscriber Identifier (IMSI) or a temporary identifier called a pseudonym in the EAP SIM and EAP AKA specifications. Domain names used in NAI are usually public identifiers attributed to operators. Several AAA servers may be employed to service requests directed to the domain name. Therefore, according to the prior art, usually the domain names in the NAI can be shared by several AAA servers. For example: a user of MyOperator may use the domain name myoperator.com, and AAA messages are routed to one of these AAA servers for myoperator.com. In EAP SIM and EAP AKA full authentication, the domain name may indicate a set of AAA servers. However, according to the present invention, each AAA server will be assigned a unique domain name, eg, serverX.myoperator.com, which is the unique domain name that will be used in the re-authentication identity. Here, the third-level name serverX makes the domain name serverX.myoperator.com the only domain name. The structured format of this domain name may allow certain AAA network elements to route all domains ending in myoperator.com to the correct next hop, regardless of the third-level name that must be added to make the domain name unique; e.g., on-duty device 21a It may not be necessary to care about the full domain name, but a simple rule: "route *.myoperator.com to MyOperator's AAA proxy" (where * is used as a wildcard, i.e., it denotes any set of characters allowed in the name).

在下一步骤12中,AAA服务器23a和23b中的第一服务器23a通过代理AAA服务器22从值班设备21a(即一个AAA客户机,具体为例如一个服务接入点)收到有关终端21的(完整)认证请求,因此值班设备21a可以同意终端21接入网络24(例如因特网)。图2中(为清楚起见)未显示一个或多个营运商网络的使终端21与AAA服务器23a和23b之间的无线通信成为可能的各种网元(具体指每个营运商网络的无线电接入网)以及将通信信息路由到AAA服务器23a和23b之一或另一方的其他网元。In the next step 12, the first server 23a in the AAA servers 23a and 23b receives the (complete ) authentication request, so the on-duty equipment 21a can agree to the terminal 21 accessing the network 24 (such as the Internet). The various network elements of one or more operator networks that enable wireless communication between the terminal 21 and the AAA servers 23a and 23b (specifically the radio interface of each operator network) are not shown in FIG. 2 (for clarity). network access) and other network elements that route communications to one or the other of the AAA servers 23a and 23b.

在下一步骤13中,第一AAA服务器23a(通过代理服务器22和值班设备221a)向终端21发送重新认证身份(以供终端在稍后的重新认证操作中使用),并且在所述重新认证身份包含唯一域名,它还包括用户名部分。重新认证身份不同于完整认证时所用的基于IMSI的身份和假名身份。步骤13作为完整认证程序的一部分执行,完整认证程序还包括为简明起见已在图1中省略的其他步骤。重新认证身份的用户名部分是服务器选择的一次性用户名。它可以是随机选择的数字或标识符。因此重新认证身份例如可以为:In the next step 13, the first AAA server 23a (via the proxy server 22 and the duty device 221a) sends a re-authentication identity to the terminal 21 (for use by the terminal in a later re-authentication operation), and upon said re-authentication identity Contains the unique domain name, which also includes the username portion. The re-authentication identity is different from the IMSI-based and pseudonymous identities used for full authentication. Step 13 is performed as part of a complete authentication procedure which also includes other steps which have been omitted from Figure 1 for the sake of brevity. The username portion of the re-authentication identity is a one-time username chosen by the server. It can be a randomly chosen number or an identifier. So the re-authentication identity could be, for example:

1209834387@server15.myoperator.com。1209834387@server15.myoperator.com.

在下一步骤14中,为了进行重新认证(通常基于某些已得到满足的条件),终端21发送使用含唯一域名的重新认证身份的重新认证请求。一般来说,可以几种方式启动重新认证。一种方式是,可由值班设备21a启动重新认证。在此情况中,在无线LAN上(其中根据唯一域名转发的“重新认证请求”包含EAP身份响应分组), 值班设备21a向终端21发送EAP身份请求分组,该终端以含有重新认证身份的EAP身份响应来响应。然后通过AAA协议将该分组转发到正确的AAA服务器。或者,终端21本身可以启动重新认证。在无线LAN上,终端21将EAPOL-Start(基于LAN的EAP启动)分组发送到值班设备21a。在收到EAPOL-Start时,值班设备21a向该终端发送EAP身份请求分组,然后重新认证交换如下所述继续。In a next step 14, for re-authentication (usually based on some fulfilled conditions), the terminal 21 sends a re-authentication request using a re-authentication identity with a unique domain name. In general, reauthentication can be initiated in several ways. In one way, re-authentication can be initiated by the watch device 21a. In this case, on the wireless LAN (where the "re-authentication request" forwarded according to the unique domain name contains the EAP identity response packet), the duty device 21a sends an EAP identity request packet to the terminal 21, which takes the EAP identity containing the re-authentication identity Respond to respond. The packet is then forwarded to the correct AAA server via the AAA protocol. Alternatively, the terminal 21 itself can initiate re-authentication. On the wireless LAN, the terminal 21 transmits an EAPOL-Start (EAP over LAN start) packet to the duty device 21a. On receipt of EAPOL-Start, watch device 21a sends an EAP Identity Request packet to the terminal, and the re-authentication exchange then continues as described below.

在下一步骤15中,收到该请求的任何AAA网元(值班设备21a、代理22以及AAA服务器23a和23b)检查该请求中所含的重新认证身份,以确定要将该请求路由到哪里(根据通过域名指示第一AAA服务器23a的重新认证身份)。这种路由选择基于路由表或适当的其他常用AAA路由方法。通常,代理服务器22检查域名并直接将请求路由到第一AAA服务器23a。因此,执行过完整认证的AAA服务器(即第一AAA服务器23a)或早或晚都会收到该请求。In the next step 15, any AAA network element (attendment device 21a, proxy 22, and AAA servers 23a and 23b) receiving the request checks the re-authentication identity contained in the request to determine where to route the request ( According to the re-authentication identity of the first AAA server 23a indicated by the domain name). This routing is based on routing tables or other common AAA routing methods as appropriate. Typically, the proxy server 22 checks the domain name and routes the request directly to the first AAA server 23a. Therefore, sooner or later, the AAA server that has performed the full authentication (ie the first AAA server 23a) will receive the request.

在下一步骤16中,第一AAA服务器23a根据制定的重新认证协议响应该重新认证请求。在下一步骤17中,根据制定的AAA协议,终端21与第一AAA服务器23a之间的后续通信通过值班设备21a在终端21和第一AAA服务器23a之间进行。后续通信可以直接在值班设备21a和第一AAA服务器23a之间路由或通过中间AAA网元路由。制定的AAA协议通常包括用于确保执行认证的AAA服务器23a不在认证交换期间改变的装置。In the next step 16, the first AAA server 23a responds to the re-authentication request according to the established re-authentication protocol. In the next step 17, according to the established AAA protocol, subsequent communication between the terminal 21 and the first AAA server 23a is performed between the terminal 21 and the first AAA server 23a through the duty device 21a. Subsequent communications may be routed directly between the watch device 21a and the first AAA server 23a or through intermediate AAA network elements. A formulated AAA protocol typically includes means for ensuring that the AAA server 23a performing the authentication does not change during an authentication exchange.

在一些实例中,终端21可以同时通过几个不同的会话进行通信,对每个会话使用完整认证程序。这些会话可以由同一AAA服务器或由不同AAA服务器来认证,并且可以利用相同或不同的无线电技术和相同或不同的用于执行认证的应用程序。根据本发明,为了适应这种可变性,终端21维护每个此类会话各自的状态信息,于是终端21随后可以分别对每个此类会话执行重新认证,如结合图1所述的那样。对应地,用于对一个或多个同时会话进行认证的每个AAA服务器23a和23b维护每个此类会话各自的状态信息。In some instances, terminal 21 may communicate through several different sessions simultaneously, using the full authentication procedure for each session. These sessions may be authenticated by the same AAA server or by different AAA servers, and may utilize the same or different radio technologies and the same or different applications for performing the authentication. According to the present invention, to accommodate this variability, terminal 21 maintains individual state information for each such session, and terminal 21 can then perform re-authentication for each such session separately, as described in connection with FIG. 1 . Correspondingly, each AAA server 23a and 23b for authenticating one or more simultaneous sessions maintains respective state information for each such session.

注意,虽然本发明涉及无线LAN认证,但它与xDSL、拨号网络、以太网和其他认证上下文相关。用于UMTS和GSM认证的可扩展认证协议方法将是希望管理WLAN或其他辅助接入网的移动营运商的目标;本发明也可能从不会应用于实际的UMTS或GSM网络中。Note that while the present invention relates to wireless LAN authentication, it is relevant to xDSL, dial-up networking, Ethernet and other authentication contexts. Extensible Authentication Protocol methods for UMTS and GSM authentication will be targeted by mobile operators wishing to manage WLANs or other supplementary access networks; it is also possible that the invention will never be applied in actual UMTS or GSM networks.

要理解,上述安排仅是对本发明原理应用的说明。在不背离本发明范围的前提下,本领域技术人员可以设计出各种修改和替代安排,所附权利要求书旨在涵盖这类修改和安排。It is to be understood that the above arrangement is merely illustrative of the application of the principles of the invention. Various modifications and alternative arrangements can be devised by those skilled in the art without departing from the scope of the invention, and the appended claims are intended to cover such modifications and arrangements.

Claims (7)

1.一种用于对涉及通过认证网络在终端和服务器之间交换信息的通信会话进行重新认证的方法,所述方法在所述认证网络的第一认证服务器中实现,所述通信会话已经由所述终端和所述第一认证服务器认证过,所述方法包括:1. A method for re-authentication of a communication session involving an exchange of information between a terminal and a server over an authentication network, said method being implemented in a first authentication server of said authentication network, said communication session having been authenticated by The terminal has been authenticated by the first authentication server, and the method includes: 接收终端的完整认证请求;Receive the terminal's complete authentication request; 向所述终端发送重新认证身份,所述重新认证身份含有唯一标识所述第一认证服务器的唯一域名;以及sending a re-authentication identity to the terminal, the re-authentication identity including a unique domain name uniquely identifying the first authentication server; and 从认证网元接收来自所述终端的重新认证请求,其中所述重新认证请求包括含有唯一标识所述第一认证服务器的所述唯一域名的所述重新认证身份,以及所述重新认证请求是所述认证网元根据包括在所述重新认证请求中的所述唯一域名路由至所述第一认证服务器的。receiving a re-authentication request from the terminal from an authentication network element, wherein the re-authentication request includes the re-authentication identity including the unique domain name that uniquely identifies the first authentication server, and the re-authentication request is the The authentication network element is routed to the first authentication server according to the unique domain name included in the re-authentication request. 2.如权利要求1所述的方法,其中唯一标识执行所述终端的完整认证的所述第一认证服务器的所述唯一域名是根据所述重新认证请求中包含的所述重新认证身份确定的。2. The method of claim 1, wherein the unique domain name uniquely identifying the first authentication server performing a complete authentication of the terminal is determined from the re-authentication identity contained in the re-authentication request . 3.如权利要求2所述的方法,还包括:3. The method of claim 2, further comprising: 响应于所述重新认证请求,执行所述终端的重新认证。Re-authentication of the terminal is performed in response to the re-authentication request. 4.一种用于对涉及通过认证网络在终端和服务器之间交换信息的通信会话进行重新认证的设备,所述设备在所述认证网络的第一认证服务器中实现,所述通信会话已经由所述终端和所述第一认证服务器认证过,所述设备包括:4. A device for re-authentication of a communication session involving an exchange of information between a terminal and a server over an authentication network, said device being implemented in a first authentication server of said authentication network, said communication session having been performed by The terminal has been authenticated by the first authentication server, and the device includes: 用于接收终端的完整认证请求的装置;means for receiving a complete authentication request from a terminal; 用于向所述终端发送重新认证身份的装置,所述重新认证身份含有唯一标识所述第一认证服务器的唯一域名;以及means for sending a re-authentication identity to the terminal, the re-authentication identity including a unique domain name uniquely identifying the first authentication server; and 用于从认证网元接收来自所述终端的重新认证请求的装置,其中所述重新认证请求包括含有唯一标识所述第一认证服务器的所述唯一域名的所述重新认证身份,以及所述重新认证请求是所述认证网元根据包括在所述重新认证请求中的所述唯一域名路由至所述第一认证服务器的。means for receiving a re-authentication request from the terminal from an authentication network element, wherein the re-authentication request includes the re-authentication identity including the unique domain name that uniquely identifies the first authentication server, and the re-authentication The authentication request is routed by the authentication network element to the first authentication server according to the unique domain name included in the re-authentication request. 5.一种系统,包括:5. A system comprising: 第一认证服务器,其被配置用于接收终端的完整认证请求,并被配置用于向所述终端发送包含唯一域名的重新认证身份,所述唯一域名唯一标识所述第一认证服务器;以及a first authentication server configured to receive a complete authentication request from a terminal and configured to send to the terminal a re-authentication identity comprising a unique domain name uniquely identifying the first authentication server; and 认证网元,其被配置用于从所述终端接收重新认证请求,所述重新认证请求包括含有唯一标识所述第一认证服务器的所述唯一域名的所述重新认证身份,并被配置用于根据标识所述第一认证服务器的所述唯一域名,将所述重新认证请求路由至所述第一认证服务器。an authentication network element configured to receive a re-authentication request from the terminal, the re-authentication request including the re-authentication identity including the unique domain name uniquely identifying the first authentication server, and configured to Routing the re-authentication request to the first authentication server based on the unique domain name identifying the first authentication server. 6.一种用于对涉及通过认证网络在终端和服务器之间交换信息的通信会话进行重新认证的设备,所述设备在所述终端中实现,所述通信会话已经由所述终端和第一认证服务器认证过,所述设备包括:6. A device for re-authentication of a communication session involving an exchange of information between a terminal and a server over an authentication network, said device being implemented in said terminal, said communication session having been performed by said terminal and a first The authentication server has been authenticated, and the device includes: 用于向所述第一认证服务器发送完整认证请求的装置;means for sending a complete authentication request to said first authentication server; 用于从所述第一认证服务器接收包含唯一标识所述第一认证服务器的唯一域名的重新认证身份的装置;以及means for receiving from said first authentication server a re-authentication identity comprising a unique domain name that uniquely identifies said first authentication server; and 用于向认证网元发送使用包含所述唯一域名的所述重新认证身份的重新认证请求的装置。means for sending a re-authentication request using said re-authentication identity including said unique domain name to an authenticating network element. 7.如权利要求6所述的设备,其特征在于:用于向所述认证网元发送的装置包括用于在可扩展认证协议身份响应中包含所述重新认证身份的装置。7. The apparatus of claim 6, wherein the means for sending to the authenticating network element comprises means for including the re-authentication identity in an Extensible Authentication Protocol identity response.
CN03823734.2A 2002-10-03 2003-09-30 Method and apparatus enabling reauthentication in a cellular communication system Expired - Lifetime CN1698308B (en)

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
US41648102P 2002-10-03 2002-10-03
US60/416,481 2002-10-03
US10/659,774 US8972582B2 (en) 2002-10-03 2003-09-10 Method and apparatus enabling reauthentication in a cellular communication system
US10/659,774 2003-09-10
PCT/IB2003/004298 WO2004032415A1 (en) 2002-10-03 2003-09-30 Method and apparatus enabling reauthentication in a cellular communication system

Publications (2)

Publication Number Publication Date
CN1698308A CN1698308A (en) 2005-11-16
CN1698308B true CN1698308B (en) 2011-07-20

Family

ID=35266144

Family Applications (1)

Application Number Title Priority Date Filing Date
CN03823734.2A Expired - Lifetime CN1698308B (en) 2002-10-03 2003-09-30 Method and apparatus enabling reauthentication in a cellular communication system

Country Status (4)

Country Link
CN (1) CN1698308B (en)
MY (1) MY153211A (en)
NO (1) NO336812B1 (en)
TW (1) TWI246300B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101183939B (en) * 2006-11-14 2010-06-09 中兴通讯股份有限公司 Re-authorization method based on multi-factor authentication
US12519789B2 (en) * 2021-12-17 2026-01-06 Ruckus Ip Holdings Llc Virtual authentication realm specified by wildcard elements

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5544322A (en) * 1994-05-09 1996-08-06 International Business Machines Corporation System and method for policy-based inter-realm authentication within a distributed processing system
US5740361A (en) * 1996-06-03 1998-04-14 Compuserve Incorporated System for remote pass-phrase authentication

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5544322A (en) * 1994-05-09 1996-08-06 International Business Machines Corporation System and method for policy-based inter-realm authentication within a distributed processing system
US5740361A (en) * 1996-06-03 1998-04-14 Compuserve Incorporated System for remote pass-phrase authentication

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
G.Schafer, A.Festag, H.Karl.Current Approaches to Authentication in Wireless andMobileCommunications Networks.TKN Technical Reports Series.2001,36-44. *
WO01/57626A! 2001.08.09

Also Published As

Publication number Publication date
NO20051254L (en) 2005-05-03
TWI246300B (en) 2005-12-21
CN1698308A (en) 2005-11-16
TW200423674A (en) 2004-11-01
NO336812B1 (en) 2015-11-02
MY153211A (en) 2015-01-29

Similar Documents

Publication Publication Date Title
US8972582B2 (en) Method and apparatus enabling reauthentication in a cellular communication system
JP4832756B2 (en) Method and system for performing GSM authentication during WLAN roaming
JP4394682B2 (en) Apparatus and method for single sign-on authentication via untrusted access network
JP5199405B2 (en) Authentication in communication systems
CN1765082B (en) Fast re-authentication with dynamic credentials
US9113332B2 (en) Method and device for managing authentication of a user
US20050114680A1 (en) Method and system for providing SIM-based roaming over existing WLAN public access infrastructure
US20080026724A1 (en) Method for wireless local area network user set-up session connection and authentication, authorization and accounting server
CN107070846A (en) The method and system of the specific key of access is provided
KR20070032805A (en) System and method for managing user authentication and authorization to realize single-sign-on for accessing multiple networks
US20060046693A1 (en) Wireless local area network (WLAN) authentication method, WLAN client and WLAN service node (WSN)
CN1795656B (en) Method for safely initializing user and confidential data
EP1624639B1 (en) Sim-based authentication
WO2007097101A1 (en) Radio access system and radio access method
WO2006013150A1 (en) Sim-based authentication
CN1698308B (en) Method and apparatus enabling reauthentication in a cellular communication system
JP4984020B2 (en) Communication system, node, authentication server, communication method and program thereof
KR100732655B1 (en) Method and system for SMS authentication during LAN roaming
CN101341779A (en) Prioritized network access for radio access networks
Kostopoulos et al. Security in wireless networks: the FlexiNET approach
ZA200501089B (en) Method system for GSM authentication during WLAN Roaming

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20160118

Address after: Espoo, Finland

Patentee after: NOKIA TECHNOLOGIES OY

Address before: Espoo, Finland

Patentee before: NOKIA Corp.

CX01 Expiry of patent term
CX01 Expiry of patent term

Granted publication date: 20110720