1246300

IX. Description of the Invention:

[Technical Field of the Invention]

The present invention relates to an Extensible Authentication Protocol (EAP) mechanism used in a communication system for authentication and session key distribution, for example the EAP mechanism for Authentication and Key Agreement (AKA) of the Universal Mobile Telecommunications System (UMTS), and also, for example, the EAP mechanism for AKA implemented with the Subscriber Identity Module (SIM) used in the Global System for Mobile Communications (GSM).

[Prior Art]

AKA is based on challenge-response mechanisms and symmetric cryptography and on UMTS, and is described in 3GPP (Third Generation Partnership Project) TS (Technical Specification) 33.102 V3.6.0 (1999), "Technical Specification Group Services and System Aspects; 3G Security; Security Architecture". AKA is typically run in the UMTS Subscriber Identity Module (USIM), a smart card-like device. However, AKA is not limited to client devices equipped with a smart card; the AKA mechanism may, for example, also be implemented in host software. AKA also provides backward compatibility with the GSM authentication mechanism, described in GSM 03.20 (ETS 300 534) "Digital cellular telecommunication system (Phase 2); Security related network functions" (European Telecommunications Standards Institute, August 1997). AKA specifies longer key lengths and authentication of both the server side (the service provider) and the client side.

In order for a subscriber (for example a wireless terminal, more specifically a mobile station) to use a service provided by a server, for example a server in a communication system provided and managed by an operator, or a server on any kind of network including the Internet, the terminal or subscriber (client) must in some cases (for some networks and some services of those networks) authenticate itself to the server, and vice versa (in the latter case at least in some networks, in particular in UMTS); that is, in each case one party must prove to the other who it is. In dial-up networks, wireless LANs, wired LANs and the various Digital Subscriber Line (xDSL) networks, the network operator usually uses a so-called AAA (Authentication, Authorization and Accounting) server to authenticate subscribers and to authenticate the server of the operator network from which the subscriber requests service (or to authenticate the operator network independently of any particular server). The AAA server (service provider) is responsible for storing the shared secrets and other credential information used to authenticate subscribers. The AAA server may also store the credential information in a separate subscriber database server. EAP is commonly used on networks where an AAA server is used to authenticate the AAA server and the terminal to each other. If the network operator is a mobile operator running a UMTS or GSM network, the EAP method may encapsulate enhanced GSM authentication and key agreement (KA) (for example EAP SIM) or enhanced UMTS authentication and KA (for example EAP AKA). The terminal exchanges authentication packets with an attendant device on the local network. The attendant device differs according to the type of network; it may be, for example, a wireless LAN access point, an Ethernet switch, or a dial-up Network Access Server (NAS). The attendant device usually operates as a so-called AAA client, and the AAA client and the AAA server carry out the authentication using a so-called AAA protocol.

At the start of a communication session using EAP SIM or EAP AKA, the terminal and the AAA server perform what is here called full authentication, that is, authentication that starts from a state in which neither the terminal nor the AAA server has any basis for authenticating the other.

After full authentication, when a predetermined time has elapsed or certain other conditions are met, reauthentication is needed to reduce the opportunity for a "bad guy" to use some other device (a server or a client device) to impersonate an entity that has already been authenticated, or to gain physical control of an already-authenticated device by illegitimate means (for example, the subscriber leaves an authenticated terminal and walks away), and so start issuing requests. Reauthentication is also needed to authenticate the accounting messages sent over the local network while the terminal is still requesting network resources. Further, where keys have a limited lifetime, reauthentication may be used to negotiate new security keys. Reauthentication is the same for EAP SIM (for GSM) and EAP AKA (for UMTS).

The prior-art EAP SIM and EAP AKA protocols specify reauthentication using separate reauthentication user identities delivered by the AAA server to the terminal being reauthenticated. Reauthentication is based on the session keys and other context information established during full authentication.

For load balancing and other reasons, an operator may deploy several AAA servers in the network. Because an AAA server may be selected at random, or by some predetermined mechanism such as round-robin, to authenticate a terminal (subscriber), the terminal need not always be authenticated by the same server. In such a network reauthentication becomes a problem, because the context information is stored only in the AAA server that performed the full authentication. Since reauthentication assumes the availability of some of the information provided during full authentication, if the terminal's AAA request for reauthentication is sent to an AAA server other than the one that performed the full authentication, reauthentication is not carried out (it does not work).

Therefore, a method is needed that enables reauthentication in the network in the above situation, that is, when a reauthentication request may be sent to a server other than the AAA server that performed the full authentication.

[Summary of the Invention]

In view of the above, a first aspect of the present invention provides a reauthentication method for a communication session in which information is exchanged between a terminal (subscriber) and a server via an authentication network, the session having already been authenticated by the terminal (subscriber) and a first authentication server of the authentication network, the method being characterized by the steps of:

assigning a unique realm name to each of the first authentication server and the other authentication servers; and

during authentication between the terminal and the first authentication server, having the first authentication server send the terminal a reauthentication identity that includes the realm name assigned to the first authentication server.

In accordance with the first aspect of the invention, the method may further include the steps of:

the terminal performing reauthentication by sending a reauthentication request using the reauthentication identity containing the unique realm name; and

an authentication network element that receives the reauthentication request checking, from the reauthentication identity contained in the request, the unique realm name indicating the authentication server that performed the full authentication.

The method may further include the steps of:

the authentication network element forwarding the request to the authentication server indicated by the unique realm name contained as part of the reauthentication identity; and

the terminal and the first authentication server performing reauthentication.

A second aspect of the invention provides an authentication server in a cellular communication system, including means for performing reauthentication of a communication session between a terminal and a content server; the authentication server is provided with means for accepting a unique realm name assigned to it, and means for sending a reauthentication identity containing the unique realm name to the terminal (subscriber).

Further, in accordance with the first aspect of the invention, the authentication server may be provided with means for receiving a reauthentication request that uses the reauthentication identity and for checking the unique realm name from that reauthentication identity. The authentication server may further be provided with means for forwarding the reauthentication request to the authentication server indicated by the unique realm name contained as part of the reauthentication identity.

A third aspect of the invention provides a computer program, comprising a computer-readable storage medium holding computer program code for execution by a computer processor in an authentication server, wherein the computer program code contains instructions for operating the means of the second aspect of the invention.

A fourth aspect of the invention provides a communication system containing a plurality of terminals, a plurality of authentication servers and at least one content server, in which a terminal (subscriber), after being authenticated by one or more authentication servers, or sometimes after being reauthenticated, operates to request content from the content server, and at least two authentication servers of the system are each constructed in accordance with the second aspect of the invention.

[Detailed Description]

The above and other objects, features and advantages of the present invention will become clearer from the following detailed description taken with the accompanying drawings.

The invention provides a way of ensuring that reauthentication works in a network where a reauthentication request may be sent not to the AAA server that performed the full authentication but to another AAA server. To solve this problem, the invention provides a method and apparatus by which, at reauthentication, the AAA server that performed the full authentication can be selected.

The invention will be described in connection with the EAP mechanism for authentication and session key distribution for UMTS and AKA described in 3GPP TS 33.102 V3.6.0: "Technical Specification Group Services and System Aspects; 3G Security; Security Architecture" (1999) and in the IETF (Internet Engineering Task Force) draft "EAP AKA Authentication", draft-arkko-pppext-eap-aka-04.txt, J. Arkko and H. Haverinen, eds., June 2002. UMTS is a global third-generation mobile network standard.

The invention may also be used in connection with the EAP mechanism for authentication and session key distribution using the GSM SIM, described for example in the GSM technical specification GSM 03.20 (ETS 300 534): "Digital cellular telecommunication system (Phase 2); Security related network functions", European Telecommunications Standards Institute, August 1997, and in the IETF draft "EAP SIM Authentication", H. Haverinen, draft-haverinen-pppext-eap-sim-05.txt, 2 July 2002.

Although the invention will be described for EAP and for its use with UMTS and GSM, it is by no means limited to EAP or to cellular communication systems according to the UMTS or GSM standards; the invention can in fact be used with any communication system that provides the same or equivalent use of EAP in connection with an AAA protocol. The embodiment described uses so-called EAP, as described in "PPP Extensible Authentication Protocol (EAP)" (IETF Network Working Group). (PPP) EAP is a general protocol for authentication that supports multiple authentication mechanisms.

Referring now to Figures 1 and 2, to enable reauthentication to be carried out regularly, the invention provides a method comprising the following steps:

Step 1 (11): each AAA server 23a, 23b (in the same or different operator networks) is assigned a unique realm. For UMTS or GSM and Internet Protocol (IP) services, the realm may be used as a type name in the Network Access Identifier (NAI), for example the "realm" part of user@realm serves as the unique realm name; the NAI is a terminal identifier used together with authentication in AAA protocols for network access. In the existing EAP and AAA protocols, an authentication request contains the subscriber's network access identifier. For full authentication, EAP SIM and EAP AKA specify the identity format the subscriber uses to request full authentication. Under the existing specifications, the NAI contains the International Mobile Subscriber Identity (IMSI) or a temporary identifier called a pseudonym in the EAP SIM and EAP AKA specifications. The realm name used in the NAI is a common identifier of the home operator. Several AAA servers may be used to handle requests sent to that realm name. Therefore, in the prior art, the realm in the NAI is usually shared by several AAA servers. For example, a MyOperator subscriber may use the realm name myoperator.com, and AAA messages can be routed to any of myoperator.com's AAA servers. For EAP SIM and EAP AKA full authentication, that realm may represent a group of AAA servers. According to the invention, however, each AAA server is given a unique realm name, for example serverX.myoperator.com, and this realm name is used in the reauthentication identity. Here the third-level name serverX makes the realm name serverX.myoperator.com unique. The structured format of the realm name allows some AAA elements to forward all realm names ending in myoperator.com to the correct next hop regardless of the third-level name added to make the realm name unique; for example, the attendant device 21a can ignore the full realm name and use the simple rule "Route *.myoperator.com to the MyOperator AAA proxy" (where * is a wildcard, meaning any string allowed within a name).

In the next step, Step 2 (12), the first 23a of the AAA servers 23a, 23b receives from the attendant device 21a (the AAA client, for example an access point) via the proxy AAA server 22 a full authentication request concerning the terminal 21, so that the attendant device 21a can allow the terminal to access a network 24. For clarity, Figure 2 omits the various elements of one or more operator networks that enable wireless communication between the terminal 21 and the AAA servers 23a, 23b, and the other elements (in particular the radio access network of each operator) connecting to one or the other of the AAA servers 23a, 23b.

In Step 3 (13), the first AAA server 23a sends to the terminal 21 (via the proxy server 22 and the attendant device 21a) a reauthentication identity (for use by the terminal in subsequent reauthentication) that contains the specific realm name and also a username part. This reauthentication identity is different from the IMSI-based identity and from the pseudonym identity used for full authentication. Step 3 (13) operates as part of the full authentication procedure, which contains several other steps not shown in Figure 1. The username part of the reauthentication identity is a temporary username chosen by the server, which may be an arbitrarily chosen number or identifier. The reauthentication identity may therefore be, for example: 1209834387@server15.myoperator.com.

Step 4 (14) performs reauthentication, mainly when certain conditions are met, by the terminal 21 issuing a reauthentication request using the reauthentication identity containing the specific (unique) realm name. In general, reauthentication may be initiated in several ways. One is for the attendant device 21a to initiate it. In this case the attendant device 21a sends an EAP Identity Request packet over the wireless LAN to the terminal 21 (here the "reauthentication request" issued on the basis of the unique realm name consists of the EAP Identity Response packet with which the terminal answers the EAP request; this response contains the reauthentication identity). The packet is then sent over the AAA protocol network to the correct AAA server. Alternatively, the terminal 21 itself may initiate reauthentication: the terminal 21 sends an EAPOL-Start (EAP over LAN start) packet over the wireless LAN to the attendant device 21a. When the attendant device 21a receives the EAPOL-Start, it sends an EAP request to the terminal, and the reauthentication exchange described below follows.

In Step 5 (15), any AAA network element receiving the request (the attendant device 21a, the proxy server 22 and the AAA servers 23a, 23b) checks the reauthentication identity contained in the request to decide where the request should be forwarded. The destination may be determined, for example, from a routing table or other usual AAA routing means. Typically the proxy server 22 checks the realm name and forwards the request directly to the first AAA server 23a. Thus the request is sooner or later received by the AAA server that performed the full authentication, namely the first AAA server 23a.

In Step 6 (16), the first AAA server 23a responds to the reauthentication request according to the established reauthentication protocol. In Step 7 (17), communication between the terminal 21 and the first AAA server 23a proceeds via the attendant device 21a according to the AAA protocol established between the terminal 21 and the first AAA server 23a. This communication may pass directly between the attendant device 21a and the first AAA server 23a, or via intermediate AAA elements (devices). The established AAA protocol generally includes means to ensure that the AAA server 23a performing the authentication does not change during an authentication exchange.

In some cases the terminal 21 may communicate in several different sessions at the same time, using full authentication for each session. The sessions may be authenticated by the same AAA server or by different servers, and may use the same or different radio technologies and the same or different authentication methods. To provide this flexibility, the invention has the terminal 21 keep separate state information for each session, and the terminal 21 then reauthenticates each session separately as described in connection with Figure 1. Likewise, each AAA server 23a, 23b used to authenticate one or more simultaneous sessions keeps separate state information for each session.

The above concerns wireless LAN authentication, but the same authentication applies equally to Digital Subscriber Line (xDSL), dial-up, Ethernet and other authentication contexts. The EAP methods used for UMTS and GSM authentication are designed for mobile operators who want to manage WLANs or other complementary access networks, but the invention is not necessarily applied in actual UMTS or GSM networks.

The above is merely a description of applications of the principles of the invention; those skilled in the art can make various modifications and alternative arrangements without departing from the scope of the invention, and the claims are intended to cover such modifications and arrangements.

[Brief Description of the Drawings]

Figure 1 is a flow chart of the reauthentication method of the invention for a terminal, in which an authentication server acting as an authentication proxy is provided.

Figure 2 is a block flow diagram of terminal authentication and of reauthentication using the authentication servers according to the invention.

[Reference Numerals]

11 to 17: Step 1 to Step 7
21: terminal
21a: attendant device
22: proxy server
23a, 23b: AAA servers (23a is the first authentication server; 23b is the second authentication server)
24: network
25: realm name issuing authority
28: authentication network
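The following is an added, runnable model of Steps 1 to 7 above; it is example code written for this page, not code from the patent or from any EAP or AAA implementation. It models two AAA servers behind an operator proxy, an attendant device that applies the wildcard rule "Route *.myoperator.com to the MyOperator AAA proxy", and a terminal that performs full authentication and later reauthenticates. The operator name, server realms, subscriber identity and the stand-in for the EAP SIM/AKA key material are all constructed for the example. Running the scenario once with unique per-server realms and once with the prior-art shared realm shows why the shared realm breaks reauthentication under round-robin selection.

```python
import fnmatch
import itertools
import secrets
from dataclasses import dataclass, field


def split_nai(nai: str):
    """Split a Network Access Identifier 'user@realm' into (username, realm)."""
    username, sep, realm = nai.rpartition("@")
    if not sep:
        raise ValueError(f"not an NAI: {nai!r}")
    return username, realm


@dataclass
class AAAServer:
    """One AAA server. `realm` is the unique realm assigned to it (Step 1)."""
    realm: str
    shared_realm: str            # operator-wide realm used for full authentication
    unique_realms: bool = True   # False models the prior art (shared realm in reauth identity)
    contexts: dict = field(default_factory=dict)  # temporary username -> session context

    def full_authentication(self, permanent_nai: str) -> str:
        # Constructed stand-in for EAP SIM / EAP AKA full authentication: the
        # session key and other context are stored only on this server.
        username = str(secrets.randbelow(10**10))
        self.contexts[username] = {"nai": permanent_nai,
                                   "session_key": secrets.token_hex(16)}
        # Step 3: the reauthentication identity carries this server's unique realm
        # so that later requests can be routed back to the context holder.
        realm = self.realm if self.unique_realms else self.shared_realm
        return f"{username}@{realm}"

    def reauthenticate(self, reauth_identity: str) -> bool:
        # Step 6: reauthentication succeeds only where the full-auth context exists.
        username, _ = split_nai(reauth_identity)
        return username in self.contexts


class AAAProxy:
    """Proxy AAA server 22: forwards on the realm part of the NAI (Step 5)."""
    def __init__(self, shared_realm: str, servers):
        self.shared_realm = shared_realm
        self.by_realm = {s.realm: s for s in servers}
        self.round_robin = itertools.cycle(servers)  # load balancing for the shared realm

    def route(self, nai: str) -> AAAServer:
        _, realm = split_nai(nai)
        if realm in self.by_realm:        # unique realm: exactly one server can answer
            return self.by_realm[realm]
        if realm == self.shared_realm:    # operator realm: any server may do full auth
            return next(self.round_robin)
        raise LookupError(f"unknown realm {realm!r}")


class AttendantDevice:
    """Attendant device 21a (AAA client). Its rules are (glob pattern, proxy) pairs;
    one wildcard entry covers every third-level label under myoperator.com."""
    def __init__(self, rules):
        self.rules = rules

    def forward(self, nai: str) -> AAAServer:
        _, realm = split_nai(nai)
        for pattern, proxy in self.rules:
            if fnmatch.fnmatchcase(realm, pattern):
                return proxy.route(nai)
        raise LookupError(f"no route for realm {realm!r}")


def run_scenario(unique_realms: bool) -> bool:
    """Full authentication at one server, then a reauthentication request that the
    network must route. Returns True if reauthentication succeeded."""
    shared = "myoperator.com"                          # constructed operator realm
    servers = [AAAServer("server15.myoperator.com", shared, unique_realms),
               AAAServer("server16.myoperator.com", shared, unique_realms)]
    proxy = AAAProxy(shared, servers)
    attendant = AttendantDevice([("*.myoperator.com", proxy), ("myoperator.com", proxy)])

    # Step 2: the full-authentication identity uses the shared realm, so the proxy
    # picks a server by round-robin (here the first one).
    full_auth_nai = "0123456789012345@myoperator.com"  # constructed IMSI-style NAI
    first_server = attendant.forward(full_auth_nai)
    reauth_identity = first_server.full_authentication(full_auth_nai)

    # Steps 4 and 5: the terminal reauthenticates with the identity it was given;
    # every hop decides the next hop from that identity's realm.
    target = attendant.forward(reauth_identity)
    return target.reauthenticate(reauth_identity)


if __name__ == "__main__":
    print("unique realms:", run_scenario(True))    # True
    print("shared realm :", run_scenario(False))   # False: round-robin hits the other server
```

The attendant device never needs to know individual servers: `fnmatchcase` applies the page's wildcard rule, and only the proxy resolves the third-level label to a specific server. With the shared realm in the reauthentication identity, the second round-robin pick lands on a server with no context, which is exactly the failure the patent sets out to remove.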