[go: up one dir, main page]

WO2011017851A1 - Method for accessing message storage server securely by client and related devices - Google Patents

Method for accessing message storage server securely by client and related devices Download PDF

Info

Publication number
WO2011017851A1
WO2011017851A1 PCT/CN2009/073267 CN2009073267W WO2011017851A1 WO 2011017851 A1 WO2011017851 A1 WO 2011017851A1 CN 2009073267 W CN2009073267 W CN 2009073267W WO 2011017851 A1 WO2011017851 A1 WO 2011017851A1
Authority
WO
WIPO (PCT)
Prior art keywords
storage server
message storage
client
secure channel
tls
Prior art date
Application number
PCT/CN2009/073267
Other languages
French (fr)
Chinese (zh)
Inventor
胡志远
万永根
骆志刚
Original Assignee
上海贝尔股份有限公司
阿尔卡特朗讯公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 上海贝尔股份有限公司, 阿尔卡特朗讯公司 filed Critical 上海贝尔股份有限公司
Priority to PCT/CN2009/073267 priority Critical patent/WO2011017851A1/en
Priority to CN200980160925XA priority patent/CN102474503A/en
Publication of WO2011017851A1 publication Critical patent/WO2011017851A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • the present invention relates to access by a client to a message storage server in a communication network, and more particularly to how secure access to a message storage server is achieved without a client having a certificate. Background technique
  • Converged IP Communications provides a convergence of multimedia communication services while efficiently using standardized service functions in existing communication engines such as instant messaging. Storing a message in the message store and forwarding the message to the user later is one of the primary services provided by the CPM.
  • IMAP4 version 4 of the Internet Information Access Protocol
  • This protocol is a standard protocol for accessing e-mail from a remote server. It is a client/server model protocol.
  • Two security mechanisms for IMAP4 are currently defined in RFC2060. The first is SASL (Simple Authentication and Security Layer) as defined by RFC2222, and the second is Username/Password in plain text form. These two security mechanisms only provide authentication from the client to the message storage server. In addition, username/password and message communication can easily be tampered with and eavesdropped.
  • TLS Transport Layer Security
  • the user's certificate is required (of course, the user may not use the certificate, but the user cannot be authenticated at this time, and it is difficult to ensure that the TLS connection is secure).
  • only users with certificates can securely access the message store server.
  • Most of the former mobile phone users do not have a certificate. Therefore, for users who do not have a certificate, especially for a general mobile phone user, secure access to the message storage server becomes a problem.
  • PSK-TLS Transport Layer Security Pre-Shared Key Agreement
  • AKA Authentication and Key Agreement Protocol
  • the pre-shared key PSK is a symmetric key that is pre-shared between communication participants.
  • PSK-TLS has made some modifications to the existing TLS so that both parties can establish a TLS connection using a pre-shared symmetric key or certificate. That is, in this case, one of the communicating parties can use the pre-shared symmetric key and the other party can use the digital certificate or both of the communicating parties use the pre-shared symmetric key to establish the TLS connection.
  • the AKA protocol is a protocol for authentication and key agreement in a mobile communication network. The concept and principle can be applied to a UMTS network, called UMTS AKA. The same concept/principle can be reused for the IP multimedia core network subsystem. , known as IMS AKA.
  • the present invention provides a method for a client to access a message storage server in a communication network, the method comprising:
  • the message storage server replies with a response to the security layer of the transport layer security pre-shared key PSK-TLS or authentication and key agreement AKA;
  • the client and the message storage server negotiate to establish a PSK-TLS or AKA security Full channel;
  • a PSK-TLS or AKA security channel is established between the message storage server and the client, and the confidentiality and integrity of the associated authentication communication between the client and the message storage server is protected via the secure channel.
  • the establishing, by the client, the PSK-TLS or the AKA secure channel by the message storage server includes: the client sending a request for establishing a PSK-TLS or AKA secure channel to the message storage server, and The message storage server replies to the client with a response to begin establishing a PSK-TLS or AKA secure channel.
  • the service GPRS support node SGSN or the serving call session control function included in the client and the communication network according to an embodiment of the present invention is included.
  • the S-CSCF performs two-way authentication and shares security parameters related to the user. Further, the service GPRS support node SGSN or service call session control function
  • the S-CSCF authenticates the message storage server and sends the user-related security parameters to the message storage server.
  • the user-related security parameters can be used to protect authentication process information and user data trust between the client and the message storage server,
  • an embodiment according to the present invention includes a digital certificate of a client authentication message storage server, the message storage server obtaining user-related authentication information from a network-side functional entity and the message storage server from the client The user's authentication information is directly obtained and the above two types of authentication information are compared and verified.
  • the present invention also provides a client in a communication network and a message storage server.
  • FIG. 1 shows a schematic diagram of a client secure access message storage server in accordance with the mechanism of the present invention
  • FIG. 2 is a flow chart of establishing an AKA secure channel between a client and a message storage server in accordance with an embodiment of the present invention
  • FIG. 3 is a flow diagram of establishing a PSK-TLS secure channel between a client and a message storage server in accordance with another embodiment of the present invention. detailed description
  • FIG. 1 shows a schematic diagram of a client secure access to a message storage server in accordance with the mechanism of the present invention.
  • it is considered to add two types of secure channels, namely PSK-TLS secure channel and AKA secure channel, based on the original only providing TLS secure channel.
  • step 101 the client pre-accesses the message store server, and the message store server notifies the client that the relevant service is ready.
  • step 102 the client queries the message storage server for security capabilities.
  • the message storage server replies to the client with a response of STARTPSKTLS/STARTAKA, LOGINDISABLED, that is, needs to establish a PSK-TLS or AKA secure channel, and prohibits the login using the plaintext username/password at this time.
  • step 104 the client can send a request to the message storage server to establish a PSK-TLS or AKA secure channel.
  • step 105 the message storage server replies to the client with an immediate response to establish a PSK-TLS or AKA secure channel.
  • step 106 the client and the message storage server begin to establish a PSK-TLS or AKA secure channel.
  • the specific process of how to establish a secure channel according to the mechanism of the present invention will be described in detail below according to the flow of FIG. 3 and FIG. 4 below.
  • the PSK-TLS or AKA secure channel is established, the confidentiality protection and integrity protection of the associated authentication communication between the client and the message storage server is provided by the PSK-TLS or AKA channel.
  • this secure channel is mainly used to enhance the client.
  • the user's subsequent communication data may not be protected by confidentiality.
  • the PSK-TLS/AKA secure channel of the solution can be reused to protect the confidentiality of the user communication data.
  • step 107 the client queries the message storage server for its security capabilities.
  • step 108 the message storage server replies to the client with a response whose authentication capability is authenticated using plaintext authentication.
  • the client sends the plaintext username/password to the message storage server, step 109.
  • an OK response is sent to the client, indicating that the verification is successful, and the state of the user is changed from the unauthenticated state to the authenticated state, that is, step 110.
  • the client accesses the service of the message storage server, and of course the access of the client needs to be controlled by the set authority of the message storage server.
  • the PSK-TLS or AKA security channel of the solution can be reused to protect the confidentiality of the user communication data.
  • FIG. 2 is a flow diagram of establishing an AKA secure channel between a client and a message storage server in accordance with an embodiment of the present invention.
  • the AKA procedure mentioned in the present invention may be IMS AKA, UMTS AKA, CDMA2000 AKA, and the corresponding standards can be found in 3GPP TS 33.102, 3GPP TS 33.203, 3GPP2 S.R0032.
  • step 201 the client sends a request to the message storage server to establish an AKA secure channel.
  • step 201 the message storage server replies to the client to establish an AKA secure channel.
  • the client performs the UMTS AKA or IMS AKA procedure with the Serving GPRS Support Node (SGSN) / Serving Call Session Control Function (S-CSCF) and the Home Subscriber Server (HSS).
  • SGSN Serving GPRS Support Node
  • S-CSCF Serving Call Session Control Function
  • HSS Home Subscriber Server
  • the SGSN/S-CSCF authenticates the message storage server. If the IMS AKA process is used, the S-CSCF sends the user's security parameters (such as CryptoKey, IntegrityKey) to the message storage server through the standard interface ISC according to the relevant policy.
  • security parameters such as CryptoKey, IntegrityKey
  • UMTS AKA there is currently no standard interface for the SGSN to send relevant security parameters to the message storage server, but in theory it is possible to reuse the Gp/Gn interface to send relevant security parameters to the message storage server.
  • the client and the message storage server protect the IMAPv4 authentication information and user data information between the client and the message storage server according to the shared security parameters (such as CryptoKey, IntegrityKey).
  • shared security parameters such as CryptoKey, IntegrityKey
  • the flowchart of Figure 3 shows a flow chart for establishing a PSK-TLS security channel between the client and the message storage server.
  • GBA General Bootstrapping Architecture
  • the client sends a request to the message storage server to establish a PSK-TLS secure channel.
  • the message storage server replies to the client to establish a PSK-TLS secure channel, and the message storage server also sends its digital certificate to the client.
  • the client verifies the digital certificate of the message store server.
  • a shared key K_MessageStorage can be generated between the client and the BSF (Boot Service Function).
  • the client sends a message to the message storage server, the message containing the address or identifier of the BSF, the identity information of the user, and the authentication information (eg, the authentication credential generated by the shared key K_MessageStorage) Wait.
  • the message storage server obtains user-related authentication information, such as K_MessageStorage, from the BSF according to the address or identifier of the BSF.
  • the message storage server then performs a comparison verification based on the user authentication information obtained from the BSF and the user authentication information obtained from the client.
  • the interface Zn between the message storage server and the BSF has a standard definition.
  • step 307 after the message storage server successfully verifies, an OK message is sent back to the client, indicating that the PSK-TLS secure channel is established. Thereafter, IMAPv4 authentication information and user data information between the client and the message storage server can be secured by confidentiality based on the key derived from K_MessageStorage.
  • both the client and the message storage server use the negotiated key or the client uses the key and the message storage server uses the digital certificate.
  • the client does not have the certificate, the same can be used. Securely access the message store server.
  • the present invention also provides a client in a communication network and a message storage server.
  • the client includes an inquiry device for inquiring about a security capability related to the message storage server, and the client further includes:
  • a secure channel negotiation device configured to receive, when receiving, from the message storage server, a security capability of the message storage server, a transport layer secure pre-shared key PSK-TLS or an authentication and key agreement AKA response, and the message storage
  • the server negotiates to establish a PSK-TLS or AKA secure channel
  • a secure channel establishing means for establishing a PSK-TLS or AKA secure channel with the message storage server to protect the confidentiality and integrity of the associated authentication communication between the client and the message storage server via the secure channel.
  • the secure channel negotiation means is configured to send a request to establish a PSK-TLS or AKA secure channel to the message storage server and to receive a response from the message storage server to initiate establishment of a PSK-TLS or AKA secure channel .
  • the secure channel when the AKA protocol is applied, the secure channel is built
  • the device is configured to perform two-way authentication with the serving GPRS support node SGSN or the serving call session control function S-CSCF in the communication network, and share security parameters related to the user.
  • the security parameter is sent to the message storage server after authenticating the service GPRS support node SGSN or the serving call session control function S-CSCF to the message storage server. In this way, the security process can be used to protect authentication process information and user data information between the client and the message storage server.
  • the secure channel establishing means is configured to verify a digital certificate of the message storage server, generate a shared key with the boot service function BSF, and The message storage server sends the authentication information, so that the message storage server obtains the user-related authentication information from the boot service function BSF and the message storage server obtains the user's relevant authentication information from the client and compares and verifies the above two types of authentication information. .
  • the message storage server comprises:
  • a security capability replying device configured to: when the client queries the security capability related to the message storage server, replies to the client with the security capability of the transport layer security pre-shared key PSK-TLS or authentication and key agreement AKA Answer
  • a secure channel negotiation device configured to negotiate with the client to establish a PSK-TLS or AKA secure channel
  • a secure channel establishing means for establishing a PSK-TLS or AKA security channel with the client to protect the confidentiality and integrity of the associated authentication communication between the client and the message storage server via the secure channel.
  • the secure channel negotiation device is configured to: receive a request to establish a PSK-TLS or AKA secure channel from the client and reply to the client to start establishing a PSK-TLS or AKA secure channel Answer.
  • the secure channel establishing means when the AKA protocol is used, is configured to: verify, by the message storage server, the QoS support node SGSN or the serving call session control function S-CSCF, and from the Service GPRS support node The SGSN or Serving Call Session Control Function S-CSCF receives user-related security parameters.
  • the secure channel establishing means when the PSK-TLS protocol is used, is configured to: obtain user-related authentication information from the client, and obtain a user from a boot service function B SF of the communication network Relevant authentication information and comparison verification of the above two types of authentication information.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method for accessing message storage server by a client in the communication network is provided in the invention. The method includes: when the client inquires of the message storage server about the related security ability, the message storage server responds to the client with the response that its security ability is the transport layer security pre-shared key (PSK-TLS) or the authentication and key agreement (AKA); the client and the message storage server negotiate the establishment of the PSK-TLS or the AKA security channel; the PSK-TLS or the AKA security channel is established between the message storage server and the client, and the confidentiality and the integrality of the related authentication communication between the client and the message storage server and the confidentiality and the integrality of the user data are protected through the security channel.

Description

客户端安全访问消息存储服务器的方法和相关设备 技术领域  Method and related device for client secure access to message storage server

本发明涉及通信网络中客户端对消息存储服务器的访问, 特别涉 及在客户端无证书的情况下如何实现对消息存储服务器的安全访问。 背景技术  The present invention relates to access by a client to a message storage server in a communication network, and more particularly to how secure access to a message storage server is achieved without a client having a certificate. Background technique

融合式 IP通讯( CPM )提供了多媒体通信服务的融合, 同时在诸 如即时通讯的现有通信引擎中高效地使用标准化服务功能。 在消息存 储服务器中存储消息并且稍后将该消息转发给用户是 CPM提供的主 要服务之一。  Converged IP Communications (CPM) provides a convergence of multimedia communication services while efficiently using standardized service functions in existing communication engines such as instant messaging. Storing a message in the message store and forwarding the message to the user later is one of the primary services provided by the CPM.

以 IMAP4 ( Internet信息访问协议的第 4版本) 为例, 该协议是 用于从远程服务器上访问电子邮件的标准协议, 它是一种客户端 /服务 器模型协议。 目前在 RFC2060中定义了用于 IMAP4的两种安全机制。 第一种是 RFC2222定义的 SASL (简单认证和安全层), 第二种是纯文 字形式的用户名 /口令。 这两种安全机制只能提供客户端到消息存储服 务器的认证。 另外, 用户名 /口令和消息通信很容易被篡改和窃听。  Take IMAP4 (version 4 of the Internet Information Access Protocol) as an example. This protocol is a standard protocol for accessing e-mail from a remote server. It is a client/server model protocol. Two security mechanisms for IMAP4 are currently defined in RFC2060. The first is SASL (Simple Authentication and Security Layer) as defined by RFC2222, and the second is Username/Password in plain text form. These two security mechanisms only provide authentication from the client to the message storage server. In addition, username/password and message communication can easily be tampered with and eavesdropped.

IETF RFC2595和 RFC3501中已经定义了保护用户访问媒体存储 服务器的安全解决方案。 但是只有传输层安全协议(TLS ) 用于这些 解决方案。如 RFC2595和 RFC3501所定义的, TLS是对简单认证 (只 有 SASL机制或者已配置的明文的用户名 /口令认证机制) 的补充。 这 样, 可以保护 IMAP4在进行认证时尤其是使用明文的用户名 /口令方 式进行认证时免于窃听和欺诈攻击。  A security solution to protect users' access to the media storage server has been defined in IETF RFC2595 and RFC3501. However, only Transport Layer Security (TLS) is used for these solutions. As defined in RFC 2595 and RFC 3501, TLS is a supplement to simple authentication (only the SASL mechanism or the configured plaintext username/password authentication mechanism). In this way, IMAP4 can be protected from eavesdropping and fraudulent attacks when authenticating, especially when using plaintext username/password authentication.

为了建立 TLS连接, 用户的证书是必需的 (当然用户也可以不使 用证书, 但此时不能认证用户, 很难保证 TLS连接是安全的)。 换句 话说, 只有具有证书的用户可以安全地访问消息存储服务器。 但是目 前大部分移动电话用户都不具有证书。 因此, 对于不具有证书的用户, 特别是一般的移动电话用户来说, 安全地访问消息存储服务器成为一 个问题。 In order to establish a TLS connection, the user's certificate is required (of course, the user may not use the certificate, but the user cannot be authenticated at this time, and it is difficult to ensure that the TLS connection is secure). In other words, only users with certificates can securely access the message store server. But the purpose Most of the former mobile phone users do not have a certificate. Therefore, for users who do not have a certificate, especially for a general mobile phone user, secure access to the message storage server becomes a problem.

因此, 存在这样的需求, 即, 为没有证书的用户, 特别是移动电 话用户, 提供访问消息存储服务器的安全解决方案。 发明内容  Therefore, there is a need to provide a secure solution for accessing a message storage server for users without certificates, particularly mobile phone users. Summary of the invention

本发明的目的在于提供可选的安全解决方案, 使得移动电话用户 能安全地访问消息存储服务器。 同时, 将重利用和集成用于底层无线 网络的现有安全机制。  It is an object of the present invention to provide an optional security solution that enables mobile phone users to securely access a message storage server. At the same time, existing security mechanisms for the underlying wireless network will be reused and integrated.

为了使得没有证书的用户能以安全的方式访问消息存储服务器, 对于 IMAP4,申请人建议使用 PSK-TLS (传输层安全预共享密钥协议) 或 AKA (认证和密钥协商协议)协商。  In order to enable users without certificates to access the message storage server in a secure manner, for IMAP4, the applicant recommends using PSK-TLS (Transport Layer Security Pre-Shared Key Agreement) or AKA (Authentication and Key Agreement Protocol) negotiation.

预共享的密钥 PSK是在通信参与方之间预先共享的对称密钥。 PSK-TLS对现有的 TLS做了一些修改,使得双方可以使用预共享的对 称密钥或证书都能建立 TLS连接。 即在此情况下, 通信双方中的一方 可以使用预共享的对称密钥而另一方可以使用数字证书或者通信双方 都使用预共享的对称密钥来建立 TLS连接。 AKA协议是一种为移动通 信网络中认证和密钥协商的协议,该概念和原理可以用于 UMTS网络, 即称为 UMTS AKA, 相同的概念 /原理也可以重新用于 IP多媒体核心 网子系统, 被称为 IMS AKA。  The pre-shared key PSK is a symmetric key that is pre-shared between communication participants. PSK-TLS has made some modifications to the existing TLS so that both parties can establish a TLS connection using a pre-shared symmetric key or certificate. That is, in this case, one of the communicating parties can use the pre-shared symmetric key and the other party can use the digital certificate or both of the communicating parties use the pre-shared symmetric key to establish the TLS connection. The AKA protocol is a protocol for authentication and key agreement in a mobile communication network. The concept and principle can be applied to a UMTS network, called UMTS AKA. The same concept/principle can be reused for the IP multimedia core network subsystem. , known as IMS AKA.

一方面, 本发明提供了一种在通信网络中客户端访问消息存储服 务器的方法, 该方法包括:  In one aspect, the present invention provides a method for a client to access a message storage server in a communication network, the method comprising:

当客户端询问消息存储服务器相关的安全能力时, 所述消息存储 服务器回复其安全能力为传输层安全预共享密钥 PSK-TLS或者认证和 密钥协商 AKA的应答;  When the client queries the security capability associated with the message storage server, the message storage server replies with a response to the security layer of the transport layer security pre-shared key PSK-TLS or authentication and key agreement AKA;

所述客户端和所述消息存储服务器协商建立 PSK-TLS或 AKA安 全通道; 以及 The client and the message storage server negotiate to establish a PSK-TLS or AKA security Full channel;

在所述消息存储服务器和所述客户端之间建立 PSK-TLS或 AKA安 全通道, 并且经由所述安全通道保护客户端和消息存储服务器之间相 关认证通信的机密性和完整性。  A PSK-TLS or AKA security channel is established between the message storage server and the client, and the confidentiality and integrity of the associated authentication communication between the client and the message storage server is protected via the secure channel.

根据本发明的实施例, 所述客户端和所述消息存储服务器协商建 立 PSK-TLS或 AKA安全通道包括: 所述客户端向所述消息存储服务 器发送建立 PSK-TLS或 AKA安全通道的请求以及所述消息存储服务 器向所述客户端回复开始建立 PSK-TLS或 AKA安全通道的应答。  According to an embodiment of the present invention, the establishing, by the client, the PSK-TLS or the AKA secure channel by the message storage server includes: the client sending a request for establishing a PSK-TLS or AKA secure channel to the message storage server, and The message storage server replies to the client with a response to begin establishing a PSK-TLS or AKA secure channel.

当采用 AKA协议时,才艮据本发明的实施例包括在所述客户端和所 述通信网络中的服务 GPRS支持节点 SGSN或服务呼叫会话控制功能 When the AKA protocol is employed, the service GPRS support node SGSN or the serving call session control function included in the client and the communication network according to an embodiment of the present invention is included.

S-CSCF之间进行双向验证, 并共享地得到与用户相关的安全参数。 进 一步地, 所述服务 GPRS 支持节点 SGSN或服务呼叫会话控制功能The S-CSCF performs two-way authentication and shares security parameters related to the user. Further, the service GPRS support node SGSN or service call session control function

S-CSCF对消息存储服务器进行认证,并且将所述用户相关的安全参数 发送给所述消息存储服务器。 于是, 可以使用所述用户相关的安全参 数保护客户端和消息存储服务器之间的认证过程信息和用户数据信 自、 The S-CSCF authenticates the message storage server and sends the user-related security parameters to the message storage server. Thus, the user-related security parameters can be used to protect authentication process information and user data trust between the client and the message storage server,

当采用 PSK-TLS协议时,根据本发明的实施例包括客户端验证消 息存储服务器的数字证书, 所述消息存储服务器从网络侧功能实体获 得用户相关的认证信息以及所述消息存储服务器从客户端直接得到用 户的认证信息并将以上两种认证信息进行比较验证。  When the PSK-TLS protocol is employed, an embodiment according to the present invention includes a digital certificate of a client authentication message storage server, the message storage server obtaining user-related authentication information from a network-side functional entity and the message storage server from the client The user's authentication information is directly obtained and the above two types of authentication information are compared and verified.

另一方面, 本发明还提供了一种通信网络中的客户端以及一种消 息存储服务器。  In another aspect, the present invention also provides a client in a communication network and a message storage server.

由于重新使用和集成了底层 /承载层无线网络的现有安全机制, 本 发明的解决方案的实现和部署非常容易。 附图说明  The implementation and deployment of the solution of the present invention is very easy due to the reuse and integration of existing security mechanisms for the underlying/carrier layer wireless network. DRAWINGS

通过参考以下结合附图的说明, 本发明的其他目的及优点将变得 更加清楚和易于理解, 在附图中: Other objects and advantages of the present invention will become apparent by reference to the following description taken in conjunction with the drawings. More clear and easy to understand, in the drawing:

图 1示出了根据本发明的机制, 客户端安全访问消息存储服务器 的示意图;  1 shows a schematic diagram of a client secure access message storage server in accordance with the mechanism of the present invention;

图 2 是根据本发明的实施例客户端和消息存储服务器之间建立 AKA安全通道的流程图;  2 is a flow chart of establishing an AKA secure channel between a client and a message storage server in accordance with an embodiment of the present invention;

图 3是根据本发明的另一个实施例客户端和消息存储服务器之间 建立 PSK-TLS安全通道的流程图。 具体实施方式  3 is a flow diagram of establishing a PSK-TLS secure channel between a client and a message storage server in accordance with another embodiment of the present invention. detailed description

图 1 的流程图示出根据本发明的机制, 客户端安全访问消息存储 服务器的示意图。 在根据本发明的解决方案中, 考虑在原来只提供建 立 TLS安全通道的基础上再增加两种安全通道的方式即 PSK-TLS安全 通道和 AKA安全通道。  The flowchart of Figure 1 shows a schematic diagram of a client secure access to a message storage server in accordance with the mechanism of the present invention. In the solution according to the present invention, it is considered to add two types of secure channels, namely PSK-TLS secure channel and AKA secure channel, based on the original only providing TLS secure channel.

在步骤 101 中, 客户端预访问消息存储服务器, 消息存储服务器 通知客户端相关服务已准备就绪。 接着在步骤 102中, 客户端询问消 息存储服务器相关的安全能力。 如步骤 103所述, 消息存储服务器向 客 户 端 回 复 其 安 全 能 力 为 STARTPSKTLS/STARTAKA, LOGINDISABLED的应答, 即需要建立 PSK-TLS或 AKA安全通道, 同时禁止此时使用明文的用户名 /口令进行登录。 于是在步骤 104中, 客户端可以向消息存储服务器发送建立 PSK-TLS或 AKA安全通道的 请求。 在步骤 105 中, 消息存储服务器向客户端回复立即开始建立 PSK-TLS或 AKA安全通道的应答。 在步骤 106中, 客户端和消息存 储服务器开始建立 PSK-TLS或 AKA安全通道, 如何根据本发明的机 制建立安全通道的具体过程将在下文中根据以下图 3和图 4的流程进 行详细描述。 在 PSK-TLS或 AKA安全通道建立之后, 客户端和消息 存储服务器之间相关认证通信的机密性保护和完整性保护由 PSK-TLS 或 AKA通道提供。 根据 RFC3501 , 该安全通道主要用来增强客户端 与消息存储服务器之间认证过程的安全, 认证过程结束后, 用户后续 的通信数据并不一定能得到机密性保护。 根据本方案, 如果用户有需 求且消息服务器端也支持的话, 可以重用本方案的 PSK-TLS/AKA安 全通道来对用户通信数据进行机密性保护。 In step 101, the client pre-accesses the message store server, and the message store server notifies the client that the relevant service is ready. Next in step 102, the client queries the message storage server for security capabilities. As described in step 103, the message storage server replies to the client with a response of STARTPSKTLS/STARTAKA, LOGINDISABLED, that is, needs to establish a PSK-TLS or AKA secure channel, and prohibits the login using the plaintext username/password at this time. Then in step 104, the client can send a request to the message storage server to establish a PSK-TLS or AKA secure channel. In step 105, the message storage server replies to the client with an immediate response to establish a PSK-TLS or AKA secure channel. In step 106, the client and the message storage server begin to establish a PSK-TLS or AKA secure channel. The specific process of how to establish a secure channel according to the mechanism of the present invention will be described in detail below according to the flow of FIG. 3 and FIG. 4 below. After the PSK-TLS or AKA secure channel is established, the confidentiality protection and integrity protection of the associated authentication communication between the client and the message storage server is provided by the PSK-TLS or AKA channel. According to RFC3501, this secure channel is mainly used to enhance the client. The security of the authentication process with the message storage server. After the authentication process ends, the user's subsequent communication data may not be protected by confidentiality. According to the solution, if the user has the requirement and the message server side also supports, the PSK-TLS/AKA secure channel of the solution can be reused to protect the confidentiality of the user communication data.

更具体地说, 在步骤 107中, 客户端询问消息存储服务器其安全 能力。 在步骤 108中, 消息存储服务器向客户端回复其安全能力为可 以使用明文的认证方式进行认证的应答。 接着, 客户端发送明文的用 户名 /口令给消息存储服务器, 即步骤 109。 消息存储服务器验证成功 后, 向客户端发送 OK应答, 表示验证成功, 此时用户的状态由未认 证状态转变为认证状态, 即步骤 110。 于是, 在接下来的步骤 111中, 客户端访问消息存储服务器的业务, 当然客户端的访问需要受到消息 存储服务器的所设定的权限控制。 根据本方案, 如果用户有需求且消 息服务器端也支持的话, 可以重用本方案的 PSK-TLS或 AKA安全通 道来对用户通信数据进行机密性保护。  More specifically, in step 107, the client queries the message storage server for its security capabilities. In step 108, the message storage server replies to the client with a response whose authentication capability is authenticated using plaintext authentication. Next, the client sends the plaintext username/password to the message storage server, step 109. After the message storage server is successfully authenticated, an OK response is sent to the client, indicating that the verification is successful, and the state of the user is changed from the unauthenticated state to the authenticated state, that is, step 110. Thus, in the next step 111, the client accesses the service of the message storage server, and of course the access of the client needs to be controlled by the set authority of the message storage server. According to the solution, if the user has a request and the server server also supports, the PSK-TLS or AKA security channel of the solution can be reused to protect the confidentiality of the user communication data.

图 2 是根据本发明的实施例客户端和消息存储服务器之间建立 AKA安全通道的流程图。本发明中提到的 AKA过程可以是 IMS AKA, UMTS AKA, CDMA2000 AKA, 相应标准在 3GPP TS33.102, 3GPP TS33.203, 3GPP2 S.R0032中可以找到。  2 is a flow diagram of establishing an AKA secure channel between a client and a message storage server in accordance with an embodiment of the present invention. The AKA procedure mentioned in the present invention may be IMS AKA, UMTS AKA, CDMA2000 AKA, and the corresponding standards can be found in 3GPP TS 33.102, 3GPP TS 33.203, 3GPP2 S.R0032.

在步骤 201中,客户端向消息存储服务器发送建立 AKA安全通道 的请求。 在步骤 201中, 消息存储服务器向客户端回复可以建立 AKA 安全通道。  In step 201, the client sends a request to the message storage server to establish an AKA secure channel. In step 201, the message storage server replies to the client to establish an AKA secure channel.

才艮据规范 3GPP TS33.102 或 3GPP TS33.203 , 客户端会和服务 GPRS 支持节点 (SGSN ) /服务呼叫会话控制功能 (S-CSCF )及归属 用户服务器 (HSS )进行 UMTS AKA或 IMS AKA过程, 该过程的结 果是在客户端和 SGSN/S-CSCF之间进行双向认证,同时会在客户端和 SGSN/S-CSCF之间共享得到与用户相关的安全参数, 如至少包含有一 对用于机密性保护和完整保护的密钥(CryptoKey, IntegrityKey ), 步骤 203示出了这一过程。 According to the specification 3GPP TS33.102 or 3GPP TS33.203, the client performs the UMTS AKA or IMS AKA procedure with the Serving GPRS Support Node (SGSN) / Serving Call Session Control Function (S-CSCF) and the Home Subscriber Server (HSS). The result of this process is that the client and the SGSN/S-CSCF perform mutual authentication, and the user-related security parameters are shared between the client and the SGSN/S-CSCF, for example, at least one pair is used for Confidentiality protection and full protection key (CryptoKey, IntegrityKey), steps 203 shows this process.

在步骤 204中, SGSN/S-CSCF对消息存储服务器进行认证。 如果 是使用 IMS AKA过程, S-CSCF会通过标准的接口 ISC根据相关的策 略将用户的安全参数(如 CryptoKey, IntegrityKey )发送给消息存储月良 务器。 如果是 UMTS AKA, 目前还没有标准接口让 SGSN将相关安全 参数发送给消息存储服务器, 不过理论上可以重用 Gp/Gn接口将相关 安全参数发送给消息存储服务器。 此时, 客户端和消息存储服务器之 间有了共享的安全参数(如 CryptoKey, IntegrityKey ), 而客户端和消 息存储服务器是间接的双向认证,因为客户端和 SGSN/S-CSCF是双向 认证而 SGSN/S-CSCF会认证消息存储服务器。  In step 204, the SGSN/S-CSCF authenticates the message storage server. If the IMS AKA process is used, the S-CSCF sends the user's security parameters (such as CryptoKey, IntegrityKey) to the message storage server through the standard interface ISC according to the relevant policy. In the case of UMTS AKA, there is currently no standard interface for the SGSN to send relevant security parameters to the message storage server, but in theory it is possible to reuse the Gp/Gn interface to send relevant security parameters to the message storage server. At this point, there is a shared security parameter (such as CryptoKey, IntegrityKey) between the client and the message storage server, and the client and the message storage server are indirect two-way authentication because the client and the SGSN/S-CSCF are both-way authenticated. The SGSN/S-CSCF will authenticate the message storage server.

在接下来的步骤 205中, 客户端和消息存储服务器根据共享的安 全参数(如 CryptoKey, IntegrityKey ) 来保护此后客户端和消息存储服 务器之间的 IMAPv4认证信息和用户数据信息。  In the next step 205, the client and the message storage server protect the IMAPv4 authentication information and user data information between the client and the message storage server according to the shared security parameters (such as CryptoKey, IntegrityKey).

图 3的流程图示出客户端和消息存储服务器之间建立 PSK-TLS安 全通道的流程图。 对于 PSK-TLS 安全通道的建立, 预共享密钥 PSK 的协商有很多方式, 其中一种可能的方式是使用通用认证机制 GBA ( General Bootstrapping Architecture ), GBA是 3GPP定义的一种基于 移动通信网络、 轻量级的安全基础设施, 可以为应用层业务提供统一 的密钥协商服务, 具体过程参见 3GPP TS33.220.  The flowchart of Figure 3 shows a flow chart for establishing a PSK-TLS security channel between the client and the message storage server. For the establishment of the PSK-TLS secure channel, there are many ways to negotiate the pre-shared key PSK. One possible way is to use the General Bootstrapping Architecture (GBA), which is a mobile communication network defined by 3GPP. A lightweight security infrastructure that provides unified key agreement services for application layer services. For details, see 3GPP TS33.220.

如步骤 301所示,客户端向消息存储服务器发送建立 PSK-TLS安 全通道的请求。 在步骤 302中, 消息存储服务器向客户端回复可以建 立 PSK-TLS安全通道, 同时消息存储服务器还向客户端发送其数字证 书。 在步骤 303 中, 客户端验证消息存储服务器的数字证书。 在步骤 304中, 根据规范 3GPP TS33.220, 客户端与 BSF (引导服务功能)之 间能产生共享密钥 K_MessageStorage。 在步骤 305中, 客户端向消息 存储服务器发送消息, 该消息包含 BSF的地址或标识, 用户的身份信 息以及认证信息(例如由共享密钥 K_MessageStorage产生的认证凭证 ) 等。 在步骤 306中, 消息存储服务器才艮据 BSF的地址或标识, 用户的 身份信息向 BSF获取用户相关的认证信息, 如 K_MessageStorage。 消 息存储服务器然后根据从 BSF获得的用户认证信息和从客户端获得的 用户认证信息进行比较验证。 消息存储服务器和 BSF之间的接口 Zn 已有标准定义。 最后, 在步骤 307中, 消息存储服务器验证成功后, 向客户端回复 OK消息, 表示 PSK-TLS安全通道建立完毕。 此后客户 端和消息存储服务器之间的 IMAPv4认证信息和用户数据信息就可以 使用根据从 K_MessageStorage派生出来的密钥进行机密性保护。 As shown in step 301, the client sends a request to the message storage server to establish a PSK-TLS secure channel. In step 302, the message storage server replies to the client to establish a PSK-TLS secure channel, and the message storage server also sends its digital certificate to the client. In step 303, the client verifies the digital certificate of the message store server. In step 304, according to the specification 3GPP TS 33.220, a shared key K_MessageStorage can be generated between the client and the BSF (Boot Service Function). In step 305, the client sends a message to the message storage server, the message containing the address or identifier of the BSF, the identity information of the user, and the authentication information (eg, the authentication credential generated by the shared key K_MessageStorage) Wait. In step 306, the message storage server obtains user-related authentication information, such as K_MessageStorage, from the BSF according to the address or identifier of the BSF. The message storage server then performs a comparison verification based on the user authentication information obtained from the BSF and the user authentication information obtained from the client. The interface Zn between the message storage server and the BSF has a standard definition. Finally, in step 307, after the message storage server successfully verifies, an OK message is sent back to the client, indicating that the PSK-TLS secure channel is established. Thereafter, IMAPv4 authentication information and user data information between the client and the message storage server can be secured by confidentiality based on the key derived from K_MessageStorage.

这样, 根据本发明的不同实施例, 采用客户端和消息存储服务器 均使用协商出来的密钥或者客户端使用密钥而消息存储服务器使用数 字证书的方式, 当客户端不具有证书时, 同样可以安全地访问消息存 储服务器。  Thus, according to different embodiments of the present invention, both the client and the message storage server use the negotiated key or the client uses the key and the message storage server uses the digital certificate. When the client does not have the certificate, the same can be used. Securely access the message store server.

与本发明描述的交互方法相对应, 本发明还提供了一种通信网络 中的客户端以及一种消息存储服务器。  Corresponding to the interaction method described in the present invention, the present invention also provides a client in a communication network and a message storage server.

根据本发明的实施例, 所述客户端包括用于询问消息存储服务器 相关的安全能力的询问装置, 所述客户端还包括:  According to an embodiment of the present invention, the client includes an inquiry device for inquiring about a security capability related to the message storage server, and the client further includes:

安全通道协商装置, 用于在从所述消息存储服务器接收所述消息 存储服务器的安全能力为传输层安全预共享密钥 PSK-TLS或者认证和 密钥协商 AKA的应答时, 和所述消息存储服务器协商建立 PSK-TLS 或 AKA安全通道; 以及  a secure channel negotiation device, configured to receive, when receiving, from the message storage server, a security capability of the message storage server, a transport layer secure pre-shared key PSK-TLS or an authentication and key agreement AKA response, and the message storage The server negotiates to establish a PSK-TLS or AKA secure channel;

安全通道建立装置, 用于和所述消息存储服务器建立 PSK-TLS或 AKA安全通道, 以便经由所述安全通道保护客户端和消息存储服务器 之间相关认证通信的机密性和完整性。  A secure channel establishing means for establishing a PSK-TLS or AKA secure channel with the message storage server to protect the confidentiality and integrity of the associated authentication communication between the client and the message storage server via the secure channel.

根据本发明的实施例, 安全通道协商装置被配置为向所述消息存 储服务器发送建立 PSK-TLS或 AKA安全通道的请求以及从所述消息 存储服务器接收开始建立 PSK-TLS或 AKA安全通道的应答。  According to an embodiment of the invention, the secure channel negotiation means is configured to send a request to establish a PSK-TLS or AKA secure channel to the message storage server and to receive a response from the message storage server to initiate establishment of a PSK-TLS or AKA secure channel .

才艮据本发明的实施例, 当应用 AKA协议时, 所述安全通道建立装 置被配置为, 和通信网络中的服务 GPRS支持节点 SGSN或服务呼叫 会话控制功能 S-CSCF之间进行双向验证, 并共享地得到与用户相关 的安全参数。 所述安全参数在对所述服务 GPRS支持节点 SGSN或服 务呼叫会话控制功能 S-CSCF对消息存储服务器进行认证后被发送给 所述消息存储服务器。 这样, 可以使用所述安全参数保护所述客户端 和所述消息存储服务器之间的认证过程信息和用户数据信息。 According to an embodiment of the present invention, when the AKA protocol is applied, the secure channel is built The device is configured to perform two-way authentication with the serving GPRS support node SGSN or the serving call session control function S-CSCF in the communication network, and share security parameters related to the user. The security parameter is sent to the message storage server after authenticating the service GPRS support node SGSN or the serving call session control function S-CSCF to the message storage server. In this way, the security process can be used to protect authentication process information and user data information between the client and the message storage server.

才艮据本发明的实施例, 当应用 PSK-TLS协议时, 所述安全通道建 立装置被配置为, 验证消息存储服务器的数字证书, 与引导服务功能 BSF之间产生共享密钥, 以及向所述消息存储服务器发送认证信息, 以便所述消息存储服务器从所述引导服务功能 BSF获得用户相关的认 证信息和消息存储服务器从客户端得到用户的相关认证信息并且对以 上两种认证信息进行比较验证。  According to an embodiment of the present invention, when the PSK-TLS protocol is applied, the secure channel establishing means is configured to verify a digital certificate of the message storage server, generate a shared key with the boot service function BSF, and The message storage server sends the authentication information, so that the message storage server obtains the user-related authentication information from the boot service function BSF and the message storage server obtains the user's relevant authentication information from the client and compares and verifies the above two types of authentication information. .

在本发明的实施例中, 消息存储服务器包括:  In an embodiment of the invention, the message storage server comprises:

安全能力回复装置, 用于在所述客户端询问消息存储服务器相关 的安全能力时, 向所述客户端回复其安全能力为传输层安全预共享密 钥 PSK-TLS或者认证和密钥协商 AKA的应答;  a security capability replying device, configured to: when the client queries the security capability related to the message storage server, replies to the client with the security capability of the transport layer security pre-shared key PSK-TLS or authentication and key agreement AKA Answer

安全通道协商装置,用于和所述客户端协商建立 PSK-TLS或 AKA 安全通道; 以及  a secure channel negotiation device, configured to negotiate with the client to establish a PSK-TLS or AKA secure channel;

安全通道建立装置, 用于和所述客户端建立 PSK-TLS或 AKA安 全通道, 以便经由所述安全通道保护客户端和消息存储服务器之间相 关认证通信的机密性和完整性。  A secure channel establishing means for establishing a PSK-TLS or AKA security channel with the client to protect the confidentiality and integrity of the associated authentication communication between the client and the message storage server via the secure channel.

根据本发明的实施例, 所述安全通道协商装置被配置为: 从所述 客户端接收建立 PSK-TLS或 AKA安全通道的请求以及向所述客户端 回复开始建立 PSK-TLS或 AKA安全通道的应答。  According to an embodiment of the invention, the secure channel negotiation device is configured to: receive a request to establish a PSK-TLS or AKA secure channel from the client and reply to the client to start establishing a PSK-TLS or AKA secure channel Answer.

根据本发明的实施例, 当使用 AKA协议时, 所述安全通道建立装 置被配置为: 所述消息存储服务器 ¾良务 GPRS支持节点 SGSN或服 务呼叫会话控制功能 S-CSCF验证, 并从所述服务 GPRS 支持节点 SGSN或服务呼叫会话控制功能 S-CSCF接收用户相关的安全参数。 根据本发明的实施例, 当使用 PSK-TLS协议时, 所述安全通道建 立装置被配置为: 从所述客户端获得用户相关的认证信息, 从所述通 信网络的引导服务功能 B SF获得用户相关的认证信息以及将以上两种 认证信息进行比较验证。 According to an embodiment of the present invention, when the AKA protocol is used, the secure channel establishing means is configured to: verify, by the message storage server, the QoS support node SGSN or the serving call session control function S-CSCF, and from the Service GPRS support node The SGSN or Serving Call Session Control Function S-CSCF receives user-related security parameters. According to an embodiment of the present invention, when the PSK-TLS protocol is used, the secure channel establishing means is configured to: obtain user-related authentication information from the client, and obtain a user from a boot service function B SF of the communication network Relevant authentication information and comparison verification of the above two types of authentication information.

值得注意的是, 在本发明的实施例中, 并不涉及硬件结构体系的 修改, 因此, 以上提到的客户端和消息存储服务器的实现对于本领域 技术人员而言并不存在特别的困难, 因此, 对它们的说明也是模块化 的。  It should be noted that in the embodiment of the present invention, the modification of the hardware architecture is not involved. Therefore, the implementation of the above-mentioned client and message storage server does not have any particular difficulty for those skilled in the art. Therefore, the description of them is also modular.

尽管结合了实施例来描述本发明, 但是本发明并不局限于任何实 施例。 本发明的范围由权利要求书限定, 并且包括各种可选方式、 修 改和等效替换。 因此, 本发明的保护范围应当由所附的权利要求书的 内容确定。  Although the invention has been described in connection with the embodiments, the invention is not limited to any embodiments. The scope of the invention is defined by the claims, and includes various alternatives, modifications and equivalents. Therefore, the scope of the invention should be determined by the scope of the appended claims.

Claims

权利要求 Rights request 1. 一种在通信网络中客户端访问消息存储服务器的方法, 该方法 包括:  A method for a client to access a message storage server in a communication network, the method comprising: 在所述客户端询问所述消息存储服务器相关的安全能力时, 所述 消息存储服务器回复其安全能力为传输层安全预共享密钥 PSK-TLS或 者认证和密钥协商 AKA的应答;  And when the client queries the security capability related to the message storage server, the message storage server replies with a response of the security layer to the transport layer security pre-shared key PSK-TLS or the authentication and key agreement AKA; 所述客户端和所述消息存储服务器协商建立 PSK-TLS或 AKA安 全通道; 以及  The client negotiates with the message storage server to establish a PSK-TLS or AKA security channel; 在所述消息存储服务器和所述客户端之间建立 PSK-TLS或 AKA安 全通道, 并且经由所述安全通道保护客户端和消息存储服务器之间相 关认证通信的机密性和完整性及用户数据的机密性和完整性。  Establishing a PSK-TLS or AKA secure channel between the message storage server and the client, and protecting confidentiality and integrity of the associated authentication communication between the client and the message storage server and user data via the secure channel Confidentiality and integrity. 2. 根据权利要求 1所述的方法, 其中在所述消息存储服务器和所 述客户端之间建立 AKA安全通道包括在所述客户端和所述通信网络 的服务 GPRS支持节点 SGSN或服务呼叫会话控制功能 S-CSCF之间 进行双向验证, 并共享地得到与用户相关的安全参数。  2. The method of claim 1, wherein establishing an AKA secure channel between the message storage server and the client comprises serving a GPRS support node SGSN or a serving call session at the client and the communication network The control function S-CSCF performs two-way authentication and shares the security parameters related to the user. 3. 根据权利要求 2所述的方法, 进一步包括所述服务 GPRS支持 节点 SGSN或服务呼叫会话控制功能 S-CSCF对消息存储服务器进行 认证, 并且将所述用户相关的安全参数发送给所述消息存储服务器。  3. The method according to claim 2, further comprising the serving GPRS support node SGSN or the Serving Call Session Control Function S-CSCF authenticating the message storage server and transmitting the user related security parameters to the message Storage server. 4. 根据权利要求 2或 3所述的方法, 进一步包括使用所述用户相 关的安全参数保护所述客户端和所述消息存储服务器之间的认证过程 信息和用户数据信息。  4. The method of claim 2 or 3, further comprising protecting authentication process information and user data information between the client and the message storage server using the user related security parameters. 5. 根据权利要求 1或 2所述的方法, 其中在所述消息存储服务器 和所述客户端之间建立 PSK-TLS安全通道包括: 所述客户端验证消息 存储服务器的数字证书, 所述消息存储服务器从所述客户端获得用户 相关的认证信息, 从所述通信网络的引导服务功能 BSF获得用户相关 的认证信息以及将以上两种认证信息进行比较验证。  The method according to claim 1 or 2, wherein establishing a PSK-TLS secure channel between the message storage server and the client comprises: the client verifying a digital certificate of a message storage server, the message The storage server obtains user-related authentication information from the client, obtains user-related authentication information from the guiding service function BSF of the communication network, and compares and verifies the above two types of authentication information. 6. —种在通信网络中访问消息存储服务器的客户端, 所述客户端 包括用于询问消息存储服务器相关的安全能力的询问装置, 所述客户 端还包括: 6. A client accessing a message storage server in a communication network, the client The query device includes a security capability for inquiring about a message storage server, and the client further includes: 安全通道协商装置, 用于在从所述消息存储服务器接收所述消息 存储服务器的安全能力为传输层安全预共享密钥 PSK-TLS或者认证和 密钥协商 AKA的应答时, 和所述消息存储服务器协商建立 PSK-TLS 或 AKA安全通道; 以及  a secure channel negotiation device, configured to receive, when receiving, from the message storage server, a security capability of the message storage server, a transport layer secure pre-shared key PSK-TLS or an authentication and key agreement AKA response, and the message storage The server negotiates to establish a PSK-TLS or AKA secure channel; 安全通道建立装置, 用于和所述消息存储服务器建立 PSK-TLS或 AKA安全通道, 以便经由所述安全通道保护客户端和消息存储服务器 之间相关认证通信的机密性和完整性及用户数据的机密性和完整性。  a secure channel establishing device, configured to establish a PSK-TLS or AKA secure channel with the message storage server, so as to protect confidentiality and integrity of the related authentication communication and user data between the client and the message storage server via the secure channel Confidentiality and integrity. 7. 根据权利要求 6所述的客户端, 其中, 所述安全通道建立装置 被配置为, 和所述通信网络中的服务 GPRS支持节点 SGSN或服务呼 叫会话控制功能 S-CSCF之间进行双向验证, 并共享地得到与用户相 关的安全参数, 所述安全参数在对所述服务 GPRS支持节点 SGSN或 服务呼叫会话控制功能 S-CSCF对所述消息存储服务器进行认证后被 发送给所述消息存储服务器。  7. The client according to claim 6, wherein the secure channel establishing means is configured to perform mutual authentication between a serving GPRS support node SGSN or a serving call session control function S-CSCF in the communication network. And sharing security parameters related to the user, the security parameters being sent to the message storage after authenticating the message storage server by the serving GPRS support node SGSN or the serving call session control function S-CSCF server. 8. 根据权利要求 6或 7所述的客户端, 其中, 所述安全通道建立 装置被配置为: 验证消息存储服务器的数字证书以及向所述消息存储 服务器发送认证信息, 以便所述消息存储服务器从所述通信网络中的 引导服务功能 BSF获得用户相关的认证信息和消息存储服务器从客户 端得到用户的相关认证信息并且对以上两种认证信息进行比较验证。  The client according to claim 6 or 7, wherein the secure channel establishing means is configured to: verify a digital certificate of the message storage server and send authentication information to the message storage server, so that the message storage server The user-related authentication information is obtained from the boot service function BSF in the communication network, and the message storage server obtains the user's relevant authentication information from the client and compares and verifies the above two types of authentication information. 9. 一种在通信网络中被客户端访问的消息存储服务器, 所述消息 存储服务器包括:  9. A message storage server accessed by a client in a communication network, the message storage server comprising: 安全能力回复装置, 用于在所述客户端询问消息存储服务器相关 的安全能力时, 向所述客户端回复其安全能力为传输层安全预共享密 钥 PSK-TLS或者认证和密钥协商 AKA的应答;  a security capability replying device, configured to: when the client queries the security capability related to the message storage server, replies to the client with the security capability of the transport layer security pre-shared key PSK-TLS or authentication and key agreement AKA Answer 安全通道协商装置,用于和所述客户端协商建立 PSK-TLS或 AKA 安全通道; 以及 安全通道建立装置, 用于和所述客户端建立 PSK-TLS或 AKA安 全通道, 以便经由所述安全通道保护客户端和消息存储服务器之间相 关认证通信的机密性和完整性及用户数据的机密性和完整性。 a secure channel negotiation device, configured to negotiate with the client to establish a PSK-TLS or AKA secure channel; a secure channel establishing device, configured to establish a PSK-TLS or AKA secure channel with the client, so as to protect confidentiality and integrity of related authentication communication between the client and the message storage server and confidentiality of user data via the secure channel Sex and integrity. 10. 根据权利要求 9所述的消息存储服务器, 其中所述安全通道 建立装置被配置为:所述消息存储服务器被服务 GPRS支持节点 SGSN 或服务呼叫会话控制功能 S-CSCF验证, 并从所述服务 GPRS支持节 点 SGSN或服务呼叫会话控制功能 S-CSCF接收用户相关的安全参数, 其中所述安全参数在所述客户端和所述通信网络中的服务 GPRS支持 节点 SGSN或服务呼叫会话控制功能 S-CSCF之间进行双向验证时共 享地得到。  10. The message storage server according to claim 9, wherein the secure channel establishing means is configured to: the message storage server is authenticated by a serving GPRS support node SGSN or a serving call session control function S-CSCF, and from the The serving GPRS support node SGSN or the serving call session control function S-CSCF receives user-related security parameters, wherein the security parameters are in the client and the serving GPRS support node SGSN or the serving call session control function S in the communication network - Two-way verification between CSCFs is obtained in a shared manner. 11. 根据权利要求 10所述的消息存储服务器, 其中所述安全通道 建立装置被配置为: 从所述客户端获得用户相关的认证信息, 从所述 通信网络的 ^ I导服务功能 BSF获得用户相关的认证信息以及将以上两 种认证信息进行比较验证。  11. The message storage server according to claim 10, wherein the secure channel establishing means is configured to: obtain user-related authentication information from the client, and obtain a user from the communication service function BSF of the communication network Relevant authentication information and comparison verification of the above two types of authentication information.
PCT/CN2009/073267 2009-08-14 2009-08-14 Method for accessing message storage server securely by client and related devices WO2011017851A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2009/073267 WO2011017851A1 (en) 2009-08-14 2009-08-14 Method for accessing message storage server securely by client and related devices
CN200980160925XA CN102474503A (en) 2009-08-14 2009-08-14 Method and related equipment for securely accessing message storage server by client

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2009/073267 WO2011017851A1 (en) 2009-08-14 2009-08-14 Method for accessing message storage server securely by client and related devices

Publications (1)

Publication Number Publication Date
WO2011017851A1 true WO2011017851A1 (en) 2011-02-17

Family

ID=43585858

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/073267 WO2011017851A1 (en) 2009-08-14 2009-08-14 Method for accessing message storage server securely by client and related devices

Country Status (2)

Country Link
CN (1) CN102474503A (en)
WO (1) WO2011017851A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11153285B2 (en) * 2018-11-07 2021-10-19 Citrix Systems, Inc. Systems and methods for application pre-launch
CN118633266A (en) * 2023-01-09 2024-09-10 北京小米移动软件有限公司 Authentication method, device and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008010003A1 (en) * 2006-07-14 2008-01-24 Abb Research Ltd. Secure password-based authentication and key distribution protocol with robust availability properties
CN101267301A (en) * 2007-03-15 2008-09-17 上海贝尔阿尔卡特股份有限公司 Identity authentication and secret key negotiation method and device in communication network
CN101304310A (en) * 2008-07-04 2008-11-12 成都卫士通信息产业股份有限公司 Method for reinforcing network SSL service
CN101370007A (en) * 2007-08-13 2009-02-18 北京三星通信技术研究有限公司 Method for Enhancing Security and Protecting Privacy Right of Positioning Service in Wimax Network

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008010003A1 (en) * 2006-07-14 2008-01-24 Abb Research Ltd. Secure password-based authentication and key distribution protocol with robust availability properties
CN101267301A (en) * 2007-03-15 2008-09-17 上海贝尔阿尔卡特股份有限公司 Identity authentication and secret key negotiation method and device in communication network
CN101370007A (en) * 2007-08-13 2009-02-18 北京三星通信技术研究有限公司 Method for Enhancing Security and Protecting Privacy Right of Positioning Service in Wimax Network
CN101304310A (en) * 2008-07-04 2008-11-12 成都卫士通信息产业股份有限公司 Method for reinforcing network SSL service

Also Published As

Publication number Publication date
CN102474503A (en) 2012-05-23

Similar Documents

Publication Publication Date Title
EP3752941B1 (en) Security management for service authorization in communication systems with service-based architecture
JP5651313B2 (en) SIP signaling that does not require continuous re-authentication
US8468353B2 (en) Method, system and authentication centre for authenticating in end-to-end communications based on a mobile network
CN101156352B (en) Authentication method, system and authentication center based on mobile network end-to-end communication
JP6189953B2 (en) Method and system for authenticating a user of a wireless unit
CN1977514B (en) Authenticating users
WO2019158819A1 (en) Security management for roaming service authorization in communication systems with service-based architecture
US20090063851A1 (en) Establishing communications
US20060059344A1 (en) Service authentication
US20080222714A1 (en) System and method for authentication upon network attachment
CN101371550A (en) Method and system for automatically and securely provisioning a user of a mobile communication terminal with service access credentials for an online service
CN103098414B (en) Method for certificate-based authentication
US8875236B2 (en) Security in communication networks
US20080137859A1 (en) Public key passing
WO2011022999A1 (en) Method and system for encrypting video conference data by terminal
WO2013056619A1 (en) Method, idp, sp and system for identity federation
WO2006000144A1 (en) The session initial protocol identification method
EP1639782B1 (en) Method for distributing passwords
WO2016115694A1 (en) Enhanced establishment of ims session with secure media
CN100544247C (en) Security Capability Negotiation Method
WO2013023475A1 (en) Method for sharing user data in network and identity providing server
WO2012126299A1 (en) Combined authentication system and authentication method
WO2011017851A1 (en) Method for accessing message storage server securely by client and related devices
CN110933673B (en) Access authentication method of IMS network
CN120675819A (en) QUIC protocol-based distributed node unified identity authentication method and system

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 200980160925.X

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09848181

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09848181

Country of ref document: EP

Kind code of ref document: A1