WO2007104245A1 - An identity web service framework system and authentication method thereof - Google Patents

Info

Publication number
WO2007104245A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
service
entity
user terminal
point
Prior art date
Application number
PCT/CN2007/000762
Other languages
French (fr)
Chinese (zh)
Inventor
Chengdong He
Original Assignee
Huawei Technologies Co., Ltd.
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2007104245A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/043 Key management, e.g. using generic bootstrapping architecture [GBA], using a trusted network node as an anchor
    • H04W 12/0431 Key distribution or pre-distribution; Key agreement
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L 63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication

Definitions

  • the present invention relates to the field of Internet technology, Next Generation Networks (NGN) technology and the Third Generation Partnership Project (3GPP), and specifically to an identity identification webpage service network system (ID-WSF, Identity Web Service Framework) and its authentication method.
  • NGN Next Generation Networks
  • 3GPP Third Generation Partnership Project
  • 3GPP defines a Generic Bootstrapping Architecture (GBA), which is generally used to bootstrap authentication between the IP Multimedia Subsystem and User Equipment (UE).
  • BSF Bootstrapping Service Function entity (also referred to below as the guiding or boot service function entity)
  • HSS Home Subscriber Server
  • SLF Subscriber Locator Function
  • NAF Network Application Function
  • the UE and the BSF are connected through the Ub interface
  • the UE and the NAF are connected through the Ua interface
  • the BSF and the HSS are connected through the Zh interface
  • the BSF and the NAF are connected through the Zn interface
  • the BSF and the SLF are connected through the Dz interface.
  • the BSF is used to perform mutual authentication with the UE when performing bootstrapping, and generates a shared key Ks of the BSF and the user;
  • the HSS stores a subscription file for describing user information, and the HSS also generates authentication information.
  • the SLF is used to assist the BSF in finding the corresponding HSS when there are multiple HSSs;
  • NAF is used to provide network services for the UE.
  • Step 1: When the UE needs to use a service and knows that the service requires mutual authentication with the BSF, it sends an authentication request directly to the BSF. Otherwise, the UE first contacts the NAF corresponding to the service; if that NAF uses the GBA generic authentication architecture and the UE has not yet completed mutual authentication with the BSF, the NAF notifies the UE to perform mutual authentication to verify its identity, and the UE then sends an authentication request to the BSF.
  • Step 2: After receiving the UE's authentication request, the BSF first obtains the UE's authentication vector quintuple (AUTN, RAND, IK, CK, XRES) from the HSS;
  • AUTN, RAND, IK, CK, XRES authentication vector quintuple
  • Steps 3 to 6: The BSF uses the HTTP Digest AKA protocol to perform mutual authentication and key agreement with the UE, completing mutual authentication between the UE and the BSF.
  • Step 7: The BSF generates a shared root key Ks and also defines an expiration date for Ks so that Ks is updated periodically;
  • Step 8: The BSF allocates a bootstrapping transaction identifier (B-TID) to identify the current authentication transaction between the BSF and the UE.
  • B-TID bootstrapping transaction identifier
  • the BSF associates the B-TID with the root key Ks and the UE's private user identifier (IMPI, IMS Private Identity).
  • IMPI IMS Private Identity
  • Step 9 The UE also generates the same shared key Ks as the BSF side.
  • once the root key Ks is shared between the UE and the BSF, the UE can derive a NAF-specific key from it with a key derivation function (KDF) whose inputs are Ks, the string "gba-me" or "gba-u", RAND, IMPI and the NAF identifier, which is the NAF host name concatenated with the protocol identifier (UaID) of the Ua interface, where:
  • RAND is a random number
  • IMPI is the private user identifier of the UE
  • "gba-me" and "gba-u" are constant strings
  • KDF is the abbreviation of key derivation function
  • the result on the UE side is the derived shared key Ks_(Ext/Int)_NAF.
  • the remaining task is how the NAF obtains the derived shared key Ks_(Ext/Int)_NAF; only when both the NAF and the UE hold Ks_(Ext/Int)_NAF can they establish a secure channel for mutual communication.
  • the flow by which the NAF obtains Ks_(Ext/Int)_NAF is shown in Figure 3.
  • the UE first derives the shared key Ks_(Ext/Int)_NAF according to the above formula, and then performs the following steps:
  • Step 1: The UE sends a connection request to the NAF over TLS, using the B-TID as the username and Ks_(Ext/Int)_NAF as the password.
  • TLS Transport Layer Security
  • Step 2: After receiving the connection request from the UE, the NAF sends an authentication request message to the BSF, which carries the bootstrapping transaction identifier B-TID and the NAF host name, that is, the NAF_ID.
  • Step 3: The BSF retains the B-TID, IMPI, Ks, key validity period, start time of the mutual authentication between the BSF and the UE, and the application-related GBA User Security Settings (GUSS). If the BSF can find the corresponding Ks by the B-TID, it completes authentication of the corresponding user, calculates the derived shared key Ks_(Ext/Int)_NAF using the same formula as the user side, and then sends an authentication response message to the NAF carrying Ks_(Ext/Int)_NAF, the expiration date of Ks_(Ext/Int)_NAF, the start time of the mutual authentication between the BSF and the UE, and the application-related User Security Setting (USS) information; a GUSS may contain multiple USSs.
  • Step 4: After receiving the response, the NAF saves the information.
  • Step 5: The NAF returns an application response to the UE.
  • the NAF and the UE now share the Ks-derived key Ks_(Ext/Int)_NAF, so that the two can communicate securely in subsequent communications.
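The key derivation and the Figure 3 exchange above, as an added Python model that is not from the patent: the UE and the BSF each derive Ks_(Ext/Int)_NAF, the NAF fetches it over Zn by B-TID, and the NAF checks the UE's proof of the password before accepting. The KDF layout (HMAC-SHA-256 over FC and length-prefixed parameters, as in 3GPP TS 33.220 Annex B), the HMAC-over-nonce proof standing in for HTTP Digest, the lifetime check, and all host names and identifiers are assumptions.

```python
import hashlib
import hmac
import secrets


def gba_kdf(ks: bytes, params: list, fc: int = 0x01) -> bytes:
    """KDF shape from 3GPP TS 33.220 Annex B (assumed here, not stated on the page):
    HMAC-SHA-256 keyed with Ks over FC || P0 || L0 || P1 || L1 || ..., each Li being
    the two-octet big-endian length of Pi. FC = 0x01 is the GBA allocation."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(ks, s, hashlib.sha256).digest()


def derive_ks_naf(ks: bytes, rand: bytes, impi: str, naf_id: bytes,
                  variant: bytes = b"gba-me") -> bytes:
    """Ks_(Ext/Int)_NAF from the inputs the page lists: Ks, "gba-me"/"gba-u",
    RAND, IMPI and NAF_Id (NAF host name || Ua protocol identifier)."""
    return gba_kdf(ks, [variant, rand, impi.encode(), naf_id])


def make_naf_id(naf_fqdn: str, ua_id: bytes) -> bytes:
    return naf_fqdn.encode() + ua_id


class BSF:
    def __init__(self):
        self.sessions = {}  # B-TID -> state kept after bootstrapping (page step 8)

    def bootstrap(self, impi: str, now: int, lifetime: int = 3600):
        # The AKA run (page steps 2 to 6) is not modelled: Ks and RAND are simply
        # generated here and handed back as the UE would learn them in step 9.
        ks, rand = secrets.token_bytes(32), secrets.token_bytes(16)
        b_tid = secrets.token_hex(8) + "@bsf.example.test"  # constructed BSF name
        self.sessions[b_tid] = {"ks": ks, "impi": impi, "rand": rand,
                                "start": now, "expiry": now + lifetime}
        return b_tid, ks, rand, now + lifetime

    def zn_request(self, b_tid: str, naf_id: bytes, now: int):
        # Figure 3, step 3: look Ks up by B-TID and derive the key for this NAF only.
        sess = self.sessions.get(b_tid)
        if sess is None or now >= sess["expiry"]:
            return None  # unknown B-TID or expired Ks: the NAF must refuse
        ks_naf = derive_ks_naf(sess["ks"], sess["rand"], sess["impi"], naf_id)
        return {"ks_naf": ks_naf, "expiry": sess["expiry"],
                "boot_time": sess["start"], "uss": []}


class NAF:
    def __init__(self, fqdn: str, ua_id: bytes, bsf: BSF):
        self.naf_id = make_naf_id(fqdn, ua_id)
        self.bsf = bsf
        self.cache = {}  # Figure 3, step 4: Ks_NAF and lifetime saved per B-TID

    def ua_request(self, b_tid: str, nonce: bytes, proof: bytes, now: int) -> bool:
        """Figure 3 from the NAF side. Proof of possession of the password
        Ks_NAF is modelled as HMAC(Ks_NAF, nonce) instead of HTTP Digest."""
        info = self.cache.get(b_tid)
        if info is None:
            info = self.bsf.zn_request(b_tid, self.naf_id, now)  # Zn interface
            if info is None:
                return False
            self.cache[b_tid] = info
        if now >= info["expiry"]:
            return False  # cached key past its validity period
        expected = hmac.new(info["ks_naf"], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)


class UE:
    def __init__(self, impi: str):
        self.impi = impi

    def bootstrap(self, bsf: BSF, now: int):
        self.b_tid, self.ks, self.rand, self.expiry = bsf.bootstrap(self.impi, now)

    def prove(self, naf_id: bytes, nonce: bytes) -> bytes:
        ks_naf = derive_ks_naf(self.ks, self.rand, self.impi, naf_id)
        return hmac.new(ks_naf, nonce, hashlib.sha256).digest()


UA_ID_HTTPS = b"\x01\x00\x01\x00\x02"  # constructed 5-octet Ua protocol identifier


def run_flow(clock_skip: int = 0, target_naf: str = None) -> bool:
    """Bootstrap once, then authenticate to naf1. With target_naf set, the proof
    computed for naf1 is presented to that other NAF (must fail: key separation)."""
    now = 1000
    bsf = BSF()
    naf1 = NAF("naf1.example.test", UA_ID_HTTPS, bsf)
    ue = UE("user@ims.example.test")  # constructed IMPI
    ue.bootstrap(bsf, now)
    nonce = secrets.token_bytes(16)
    proof = ue.prove(naf1.naf_id, nonce)
    naf = NAF(target_naf, UA_ID_HTTPS, bsf) if target_naf else naf1
    return naf.ua_request(ue.b_tid, nonce, proof, now + clock_skip)
```

Because NAF_Id is a KDF input, a key derived for one NAF is useless at another even though the B-TID is the same, which is what keeps a compromised NAF from impersonating the UE elsewhere.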
  • LAP Liberty Alliance Project
  • ID-FF Identity-based Alliance Network Architecture
  • ID-WSF Identity-based Web Service Network Architecture
  • ID-SIS Identity Services Interface Specifications
  • ID-FF mainly includes the Identity Federation function and the single sign-on function (SSO, Single Sign On).
  • ID-WSF mainly defines some identity-based Web service architectures based on ID-FF to provide some simple, user-customizable Web services.
  • ID-SIS defines some interface specifications related to Web services.
  • the architecture of ID-FF is shown in Figure 4. It mainly consists of three entities: UE, Identity Provider (IdP, Identity Provider), Service Provider (SP).
  • IdP Identity Provider
  • SP Service Provider
  • the UE has its own identity on the IdP and on the SP, namely the user identity.
  • these identities can form a federation (alliance).
  • SSO refers to the identity federation function described above: as long as the UE passes authentication on the IdP, it is treated as simultaneously authenticated on all SPs that form the federation.
  • the ID-FF and GBA interworking architecture is shown in Figure 5.
  • the UE has two authentication modes. In the first, after the UE passes authentication on the IdP, the IdP returns an Assertion directly to the UE; the UE sends the Assertion to the SP; and the SP authenticates the UE by parsing the Assertion. In the second, after the UE passes authentication on the IdP, the IdP returns an Artifact for the UE to the UE; the UE sends the Artifact to the SP; the SP sends the Artifact to the IdP over the SOAP protocol; the IdP looks up the corresponding Assertion by the Artifact and returns it to the SP; finally, the SP authenticates the UE by parsing the Assertion.
  • the ID-WSF architecture is shown in Figure 6. It mainly consists of the following entities: UE, IdP, SP, Web Service Consumer (WSC), Web Service Provider (WSP) and Discovery Service entity (DS).
  • WSP Web Service Provider
  • DS Discovery Service Entity
  • the WSP registers the type of Web service it can provide on the DS; when the UE accesses the WSC, the WSC queries the DS for an accessible WSP; the DS matches the relevant WSP address and provides it to the WSC; the WSC can then access the relevant WSP on behalf of the UE.
  • WSC and WSP are relative roles: a WSC can act as a Web service consumer and also as a Web service provider (WSP or SP), and a WSP or SP can also act as another Web service consumer (WSC) while serving as a Web service provider.
  • a further simplified form of the above architecture is shown in Figure 7, where the functionality of the WSC is implemented on the UE, and a WSP can provide the functionality of an Authentication Service entity (AS).
  • AS Authentication Service Entity
  • the AS function in the ID-WSF is equivalent to the IdP function in the ID-FF, and is used to complete the identity authentication Web service network authentication function. Since Figure 7 mainly deals with the authentication of ID-WSF, DS is omitted.
  • Figure 8 shows the network architecture of the ID-WSF of the Single-Sign-On Service (SSOS).
  • the main workflow is as follows: first, the UE and the AS interact through the SASL protocol to complete AS authentication. After authentication passes, the AS returns to the UE the SSOS address and the credentials required to access the SSOS (Credentials); the UE accesses the SSOS using the Credentials obtained from the AS to perform SSOS authentication, and the SSOS returns the corresponding Assertion to the UE after successfully authenticating it; the UE then uses the Assertion to access the related SP.
  • after the UE interacts with the BSF to obtain the root key Ks and the B-TID in the universal authentication architecture, it must authenticate to each NAF it accesses, using the B-TID as the username and Ks_(Ext/Int)_NAF as the password. This frequent authentication enhances security but increases the complexity and inconvenience of terminal operation.
  • the identity identification webpage service network architecture establishes an identity security association between each SP and the SSOS through the single sign-on function and forms a security trust circle: as long as authentication passes on the SSOS, it is treated as having passed on all SPs within the security trust circle.
  • the prior art provides a network architecture in which GBA and ID-WSF interwork when the AS and the SSOS are different entities, but does not provide any corresponding authentication method. Therefore, although an interworking network architecture exists in the prior art, there is no way to implement interworking between the two network architectures, so the interworking architecture cannot be applied in practice.
  • the security of ID-WSF communication is not high enough, and the user terminal of the universal authentication architecture is not easy to operate; the application scenarios of the user terminal therefore need to be extended so that it can conveniently use the various existing WEB services.
  • an object of the present invention is to provide an identity identification webpage service network system and an authentication method thereof.
  • an identity identification webpage service network system includes a universal authentication architecture, a guidance service function entity, a service provider entity, a user terminal, a user home network server, and a service
  • the guidance service function entity and the user home network server communicate through the Zh interface, and the guidance service function entity and the user terminal communicate through the Ub interface; the system is characterized by a network service application function/authentication service/single-point authentication service entity, including a network service application function module, an authentication service module and a single-point authentication service module, where the network service application function module provides the network service application function entity function, the authentication service module provides the authentication service entity function, the single-point authentication service module provides the single-point authentication service entity function, the network service application function module and the guidance service function entity communicate through the Zn interface, and the network service application function module communicates with the user terminal through the Ua interface.
  • the identity identification webpage service network system wherein: the single-point authentication service module and the user terminal communicate using the single sign-on and identity federation protocol described by the Security Assertion Markup Language, with the communication messages encapsulated by the Simple Object Access Protocol or the Hypertext Transfer Protocol; the authentication service module and the user terminal communicate using the Simple Authentication and Security Layer protocol, with the communication messages encapsulated by the Simple Object Access Protocol or the Hypertext Transfer Protocol; when the single-point authentication service module communicates with the service provider entity, the communication messages are encapsulated by the Simple Object Access Protocol; and when the user terminal communicates with the service provider entity, the communication messages are encapsulated by the Simple Object Access Protocol or the Hypertext Transfer Protocol.
  • an authentication method for an identity identification webpage service network system includes the following steps:
  • the communication process between the user terminal and the service provider entity of the identity identification webpage service network system includes two authentication processes, namely a universal authentication architecture authentication process and an identity identification webpage service network architecture authentication process. In the universal authentication architecture authentication process, the guidance service function entity generates a boot transaction identifier and a root key validity period and sends them to the user terminal, and the guidance service function entity and the user terminal generate root keys.
  • in the identity identification webpage service network architecture authentication process, the authentication service entity or the authentication service module generates the credential required for the user terminal to access the single-point authentication service entity or the single-point authentication service module; the single-point authentication service entity or module then either generates an authentication assertion (Assertion) and sends it to the user terminal, or generates an authentication assertion and a corresponding authentication assertion link, saves the correspondence table of the authentication assertion and the authentication assertion link, and sends the authentication assertion link to the user terminal.
  • the method for authenticating the identity identification webpage service network system includes the following steps: the user terminal sends an identity identification webpage service network architecture authentication request message to the corresponding authentication service entity or authentication service module; the authentication service entity or module sends a challenge response message to the user terminal requesting it to perform universal authentication framework authentication; the guidance service function entity performs universal authentication architecture authentication on the user terminal and, after authentication succeeds, sends a universal authentication architecture authentication success response message to the user terminal, which includes a boot transaction identifier and a key validity period; the user terminal sends an application request message to the authentication service entity or module; and the authentication service entity or module authenticates the user terminal according to the application request message and, after authentication passes, sends a response message to the user terminal that includes the address and credential of the single-point authentication service entity or single-point authentication service module.
  • the method for authenticating the identity identification webpage service network system includes the steps of: the single-point authentication service entity or the single-point authentication service module performs identity identification webpage service network architecture authentication on the user terminal and, after authentication succeeds, sends an identity identification webpage service network architecture authentication success response message to the user terminal, which includes an authentication assertion.
  • the authentication method for the identity identification webpage service network system includes the following steps: the single-point authentication service entity or the single-point authentication service module performs identity identification webpage service network architecture authentication on the user terminal, generates an authentication assertion and a corresponding authentication assertion link, saves the correspondence table of the authentication assertion and the authentication assertion link, and includes the authentication assertion link in the identity identification webpage service network architecture authentication success response message subsequently sent to the user terminal.
  • the identity identification webpage service network system authentication method includes the following steps:
  • the user terminal sends an application request message to the service provider entity;
  • after receiving the application request message, the service provider entity first obtains the address of the authentication service entity or the authentication service module, and then sends a response message to the user terminal carrying an authentication request header field;
  • the user terminal sends an application request message to the authentication service entity or the authentication service module, which includes a Simple Authentication and Security Layer protocol request header field containing an authentication mechanism header field, which in turn lists the authentication methods supported by the user terminal;
  • the authentication service entity or the authentication service module sends a challenge response message to the user terminal, which includes a Simple Authentication and Security Layer protocol response header field containing a server authentication mechanism header field and a challenge header field, where the server authentication mechanism header field records the authentication mechanisms supported by the authentication service entity or the authentication service module;
  • the user terminal interacts with the guidance service function entity to perform universal authentication architecture authentication;
  • the user terminal sends an application request message to the authentication service entity or the authentication service module, which includes a Simple Authentication and Security Layer protocol request header field;
  • the Simple Authentication and Security Layer protocol request header field contains a challenge response header field;
  • the challenge response header field contains a boot transaction identifier and an authentication response header;
  • the authentication service entity or the authentication service module obtains information such as the shared key, the user security setting, the key validity period and the boot time through the Zn interface, authenticates the user terminal according to the received Simple Authentication and Security Layer protocol request header field, and after authentication passes sends a response message to the user terminal, which includes a Simple Authentication and Security Layer protocol response header field carrying the address and credentials of the single-point authentication service entity or the single-point authentication service module.
  • the identity identification webpage service network system authentication method wherein: a universal authentication architecture identifier is set in the application request message sent to the authentication service entity or the authentication service module by a user terminal that supports both universal authentication architecture authentication and identity identification webpage service network architecture authentication. If the authentication service entity or the authentication service module finds the universal authentication architecture identifier, it notifies the user terminal to start the universal authentication architecture authentication process first and then the identity identification webpage service network architecture authentication process; otherwise, it notifies the user terminal that only the identity identification webpage service network architecture authentication process is started.
  • the authentication method for the identity identification webpage service network system wherein: the step of universal authentication architecture authentication includes the following steps:
  • the user terminal sends a universal authentication framework authentication request message to the guidance service function entity, which includes the private user identifier;
  • after receiving the universal authentication framework authentication request message, the guidance service function entity acquires an authentication vector of the user terminal from the user home network server;
  • the guidance service function entity sends a challenge message to the user terminal carrying the authentication sequence number parameter and the random parameter;
  • the user terminal checks the validity of the authentication sequence number parameter and generates the expected result;
  • the user terminal sends a message to the guidance service function entity carrying the private user identifier and the expected result;
  • the guidance service function entity checks the validity of the expected result and generates a root key;
  • the guidance service function entity sends a universal authentication architecture success response message to the user terminal carrying the boot transaction identifier and the root key validity period;
  • the identity identification webpage service network system authentication method includes the following steps:
  • the user terminal sends an application request message to the single-point authentication service entity or the single-point authentication service module according to the address of that entity or module;
  • the single-point authentication service entity or the single-point authentication service module performs authentication processing according to the content of the received application request message and, after authentication succeeds, sends a success response message to the user terminal that includes an authentication assertion carrying the digital signature of the single-point authentication service entity or the single-point authentication service module;
  • the user terminal sends an application request message to the service provider entity, which includes the authentication assertion;
  • the service provider entity processes the authentication assertion, verifies the digital signature of the single-point authentication service entity or the single-point authentication service module, and after completing authentication of the user terminal sends a response message to the user terminal.
  • the identity identification webpage service network system authentication method includes the following steps:
  • the user terminal sends an application request message to the single-point authentication service entity or the single-point authentication service module according to the address of that entity or module;
  • the single-point authentication service entity or the single-point authentication service module performs authentication processing according to the content of the received application request message, generates an authentication assertion and a corresponding authentication assertion link, saves the correspondence table of the authentication assertion and the authentication assertion link, and after authentication succeeds sends a success response message to the user terminal that includes the authentication assertion link;
  • the user terminal sends an application request message to the service provider entity, which includes the authentication assertion link;
  • the service provider entity sends an application request message to the single-point authentication service entity or the single-point authentication service module, which includes the authentication assertion link;
  • the single-point authentication service entity or the single-point authentication service module finds the corresponding authentication assertion according to the authentication assertion link and sends a response message to the service provider entity that includes the authentication assertion carrying the digital signature of the single-point authentication service entity or the single-point authentication service module;
  • the service provider entity processes the authentication assertion, verifies the digital signature of the single-point authentication service entity or the single-point authentication service module, and after completing authentication of the user terminal sends a response message to the user terminal.
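The two SSOS procedures above (assertion returned directly, and assertion link resolved by the SP), as an added Python model that is not the patent's code: the SSOS keeps the assertion/link correspondence table, and the SP accepts either form only after checking the issuer's signature, the audience and the lifetime. The SSOS digital signature is stood in for by a MAC under a per-SP key of the SP/SSOS security association, and the entity names, credential and lifetime are constructed.

```python
import hashlib
import hmac
import json
import secrets


def _canonical(assertion: dict) -> bytes:
    # Deterministic encoding so signer and verifier MAC the same bytes
    return json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()


class SSOS:
    """Single-point authentication service entity: issues authentication assertions
    directly or via an assertion link kept in a correspondence table."""

    def __init__(self, sp_keys: dict):
        self.sp_keys = sp_keys   # SP name -> key of the SP/SSOS security association
        self.table = {}          # assertion link -> signed assertion
        self.credentials = {}    # credential issued by the AS -> user identity

    def register_credential(self, credential: str, user: str):
        self.credentials[credential] = user

    def _sign(self, assertion: dict) -> dict:
        # Stand-in for the SSOS digital signature: a MAC under the key shared with
        # the audience SP, so only that SP can verify it and the audience is bound.
        key = self.sp_keys[assertion["audience"]]
        tag = hmac.new(key, _canonical(assertion), hashlib.sha256).hexdigest()
        return {"assertion": assertion, "sig": tag}

    def authenticate(self, credential: str, sp: str, now: int, mode: str = "assertion"):
        user = self.credentials.get(credential)
        if user is None or sp not in self.sp_keys:
            return None  # unknown credential or SP outside the trust circle
        signed = self._sign({"subject": user, "audience": sp,
                             "issued": now, "expires": now + 300})
        if mode == "assertion":
            return {"assertion": signed}   # success response carries the assertion
        link = secrets.token_urlsafe(16)
        self.table[link] = signed          # correspondence table entry
        return {"artifact": link}          # success response carries only the link

    def resolve(self, link: str):
        # Looked up on the SP's request; removed on first use so a replayed link fails.
        return self.table.pop(link, None)


class SP:
    def __init__(self, name: str, key: bytes, ssos: SSOS):
        self.name, self.key, self.ssos = name, key, ssos

    def verify(self, signed: dict, now: int) -> bool:
        a = signed["assertion"]
        expected = hmac.new(self.key, _canonical(a), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signed["sig"]):
            return False  # tampered, or signed for a different SP
        return a["audience"] == self.name and now < a["expires"]

    def handle(self, request: dict, now: int) -> bool:
        if "artifact" in request:
            signed = self.ssos.resolve(request["artifact"])  # SP -> SSOS query
            if signed is None:
                return False
        else:
            signed = request["assertion"]
        return self.verify(signed, now)


def demo(mode: str = "assertion", replay: bool = False, cross_sp: bool = False) -> bool:
    """UE holds a credential from the AS, authenticates to the SSOS, then accesses sp1.
    replay=True presents the same response twice; cross_sp=True presents sp1's
    response to sp2 instead."""
    now = 5000
    keys = {"sp1": secrets.token_bytes(32), "sp2": secrets.token_bytes(32)}
    ssos = SSOS(keys)
    sp1, sp2 = SP("sp1", keys["sp1"], ssos), SP("sp2", keys["sp2"], ssos)
    ssos.register_credential("cred-from-AS", "user@ims.example.test")  # constructed
    response = ssos.authenticate("cred-from-AS", "sp1", now, mode)
    if response is None:
        return False
    target = sp2 if cross_sp else sp1
    ok = target.handle(response, now)
    if replay:
        return ok and target.handle(response, now)
    return ok
```

The link variant keeps the signed assertion off the user terminal's path and makes each link single-use, whereas a directly returned assertion stays valid for its whole lifetime wherever it is presented.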
  • the identity identification webpage service network system authentication method wherein: simple authentication and security encapsulation.
  • the authentication method of the identity identification webpage service network system wherein: the service provider entity, the single-point authentication service entity or the single-point authentication service module receives the exit link request message sent by the user terminal.
  • the service provider entity requests the user terminal to re-authenticate in the subsequent communication process with the user terminal.
  • the identity identification webpage service network system authentication method wherein the following local security policy is configured on the authentication service entity or the authentication service module: when re-authenticating the user terminal, if the shared key of the two parties has not expired, the user terminal is only authenticated.
  • the identity identification webpage service network system authentication method wherein the following local security policy is configured on the authentication service entity or the authentication service module: when re-authenticating the user terminal, if the shared key of the two parties has not expired, the user terminal performs the universal authentication architecture authentication and the identity identification webpage service network architecture authentication.
  • the technical solution of the present invention improves the ID-WSF of the prior art and provides a new interworking architecture: the functions of the original authentication service entity, single-point authentication service entity and network service application function entity are implemented respectively by different modules in the network service application function/authentication service/single-point authentication service entity, that is, by the authentication service module, the single-point authentication service module and the network service application function module, thereby realizing interworking of ID-WSF and GBA.
  • the present invention also provides a method for realizing authentication of the identity identification webpage service system, so that interworking of GBA and ID-WSF is realized. This addresses the problems that the security of ID-WSF communication is not high enough and that the user terminal of the universal authentication architecture is not easy to operate: the application scenarios of the user terminal are extended, and the limitation on the various existing WEB services that the user terminal can use is avoided.
  • the invention includes the following figures:
  • FIG. 1 is a schematic diagram of the prior art GBA common authentication architecture;
  • FIG. 2 is a flow chart of a UE performing a bootstrapping process in the prior art universal authentication architecture;
  • FIG. 3 is a flow chart of the prior art NAF acquiring a shared key Ks_(Ext/Int)_NAF;
  • FIG. 4 is a schematic diagram of a prior art identity alliance network architecture (ID-FF);
  • FIG. 5 is a schematic diagram of a prior art ID-FF and GBA interworking architecture;
  • FIG. 6 is a schematic diagram of a prior art identity identification webpage service network architecture (ID-WSF);
  • FIG. 7 is a simplified schematic diagram of a prior art ID-WSF;
  • FIG. 8 is a schematic diagram of a prior art ID-WSF including a single point authentication service entity (SSOS);
  • FIG. 9 is a schematic diagram of a prior art GBA and ID-WSF interworking network architecture;
  • FIG. 10 is a schematic diagram of a network service application function/authentication service/single point authentication service entity according to an embodiment of the present invention;
  • FIG. 11 is a schematic diagram of an identity identification webpage service network system according to an embodiment of the present invention;
  • FIG. 12 is a flowchart of an authentication method that returns an Assertion to the UE when the NAF/AS and the SSOS are different entities, according to an embodiment of the invention;
  • FIG. 13 is a flowchart of an authentication method that returns an Artifact to the UE when the NAF/AS and the SSOS are different entities, according to an embodiment of the present invention;
  • FIG. 14 is a flowchart of an authentication method that uses a network service application function/authentication service/single point authentication service entity and returns an Assertion to the UE, according to an embodiment of the present invention;
  • FIG. 15 is a flow chart of an authentication method that uses a network service application function/authentication service/single point authentication service entity and returns an Artifact to the UE, according to an embodiment of the present invention.
  • The present invention provides a network service application function/authentication service/single-point authentication service entity, which includes a network service application function module, an authentication service module and a single-point authentication service module, wherein:
  • the network service application function module is used to provide the functions of a network service application function entity;
  • the authentication service module is used to provide the functions of an authentication service entity;
  • the single-point authentication service module is used to provide the functions of a single-point authentication service entity.
  • The present invention provides an identity web service framework system, which includes a user home network server and a bootstrapping service function entity of the generic authentication architecture, a network service application function/authentication service/single-point authentication service entity, a service provider entity and a user terminal. The user home network server and the bootstrapping service function entity communicate through the Zh interface; the bootstrapping service function entity communicates with the user terminal through the Ub interface; the network service application function module communicates with the bootstrapping service function entity through the Zn interface; and the network service application function module communicates with the user terminal through the Ua interface.
  • The single-point authentication service module and the user terminal communicate with each other using the Security Assertion Markup Language (SAML) protocol, which describes single sign-on and identity federation, and the communication messages may be encapsulated with the Simple Object Access Protocol (SOAP) or the Hypertext Transfer Protocol (HTTP); the user terminal and the authentication service module communicate with each other using the Simple Authentication and Security Layer (SASL) protocol, and the communication messages may likewise be encapsulated with SOAP or HTTP; the single-point authentication service module and the service provider entity, and the user terminal and the service provider entity, communicate using messages encapsulated with SOAP or HTTP.
  • the present invention not only provides a network architecture different from the existing GBA and ID-WSF interworking, but also provides a method for implementing authentication based on the two architectures.
  • The method for authenticating the UE when NAF/AS and SSOS are different entities is shown in FIG. 12 and FIG. 13. The two figures are the same in that NAF/AS and SSOS are different entities; the difference is that FIG. 12 is Embodiment 1, returning an Assertion to the UE, and FIG. 13 is Embodiment 2, returning an Artifact to the UE.
  • The method for authenticating the UE using the network service application function/authentication service/single-point authentication service entity provided by the present invention is shown in FIG. 14 and FIG. 15. The two figures are the same in that NAF/AS and SSOS are the same entity; the difference is that FIG. 14 is Embodiment 3, returning an Assertion to the UE, and FIG. 15 is Embodiment 4, returning an Artifact to the UE.
  • The steps of the authentication methods shown in FIG. 12 and FIG. 13 and in FIG. 14 and FIG. 15 are basically the same. The difference is that in FIG. 12 and FIG. 13 the single-point authentication service entity and the authentication service entity including the network service application function are two separate logical entities, whereas in FIG. 14 and FIG. 15 the functions of these two entities are implemented by three modules of one network service application function/authentication service/single-point authentication service entity, namely the network service application function module, the single-point authentication service module and the authentication service module.
  • Since Embodiments 1 and 3, and Embodiments 2 and 4, are substantially the same, the implementation of the authentication method of the present invention is described below through Embodiment 1 and Embodiment 2.
  • The main point of the authentication method of the present invention is that, in order to realize the interworking between the GBA and the ID-WSF and to improve the security and convenience of ID-WSF network communication, the communication process between the user terminal of the identity web service framework system and the service provider entity includes two authentication processes: the GBA authentication process and the ID-WSF authentication process.
  • In the GBA authentication process, the bootstrapping service function entity generates a bootstrapping transaction identifier and a root key validity period and sends them to the user terminal, and both the bootstrapping service function entity and the user terminal generate the root key;
  • in the ID-WSF authentication process, the authentication service entity or the authentication service module generates the credentials required by the user terminal to access the single-point authentication service entity or the single-point authentication service module;
  • the single-point authentication service entity or the single-point authentication service module generates an authentication assertion and sends it to the user terminal, or generates an authentication assertion and its corresponding Artifact, saves the correspondence between the authentication assertion and the Artifact, and sends the Artifact of the authentication assertion to the user terminal.
  • The UE and the AS negotiate through the SASL protocol and adopt the HTTP DIGEST authentication mode. If another authentication method is adopted, the digest-challenge header field (challenge header field) and the digest-response header field (challenge response header field) are replaced by the challenge header field and the challenge response header field of the corresponding authentication mode.
  • The following is a description of Embodiment 1:
  • Step 1 The UE sends an HTTP Request message (application request message) to the SP.
  • a TLS security tunnel can be established in advance between the UE and the SP.
  • Step 2 After receiving the HTTP Request message, the SP first obtains the address of the AS, and then sends an HTTP Response message to the UE, where the AuthnRequest header field (authentication request header field) is carried.
  • Step 3 Since the UE integrates the WSC entity function, after receiving the response message including the AuthnRequest header field returned by the SP, the UE knows through the WSC on it that it should authenticate to the AS through the SASL (Simple Authentication and Security Layer) protocol, instead of authenticating to the IdP through the HTTP DIGEST protocol.
  • The UE sends an HTTP Request message to the AS, which carries a SASLRequest header field (Simple Authentication and Security Layer protocol request header field) encapsulated by the Simple Object Access Protocol (SOAP), where the mechanism header field (authentication mechanism header field) of the SASLRequest header field contains the list of authentication modes supported by the UE, for example mechanism="CRAM-MD5 DIGEST-MD5", where DIGEST-MD5 indicates the HTTP DIGEST authentication mode;
  • Step 4 The AS returns an HTTP Response message to the UE, which carries the SASLResponse header field (Simple Authentication and Security Layer protocol response header field) encapsulated by the SOAP protocol; the serverMechanism header field (server authentication mechanism header field) of the SASLResponse header field records the authentication mode selected by the AS from the list of authentication modes supported by the UE (for example, serverMechanism="DIGEST-MD5" indicates that the AS selected HTTP DIGEST), together with the challenge header field digest-challenge;
  • Step 5 The UE sends a GBA authentication request message to the BSF, which includes the IMS Private User Identity (IMPI), and requests mutual authentication with the BSF.
  • Step 6 After receiving the GBA authentication request message of the UE, the BSF first obtains the authentication vector information of the UE, that is, the authentication vector (authentication sequence number parameter AUTN, random parameter RAND, integrity key IK, confidentiality key CK, expected result XRES);
  • Step 7 The BSF saves the XRES, IK and CK, and sends a message to the UE, which carries the AUTN and the RAND;
  • Step 8 The UE runs the AKA algorithm, checks the validity of the AUTN to authenticate the BSF, and generates the expected result RES, and generates the integrity key IK and the confidentiality key CK by using the RAND;
  • Step 9 The UE sends a message to the BSF, where the IMPI and the expected result RES are carried;
  • Step 10 The BSF compares the RES with the saved XRES, and if the two are consistent, the UE is authenticated, and the saved IK and CK are used to generate the root key Ks;
  • Step 11 The BSF sends a GBA success response message to the UE, which carries the bootstrapping transaction identifier (B-TID) and the validity period of the root key Ks;
  • Step 12 The UE saves the validity period of the B-TID and the root key Ks, and generates the root key Ks by using IK and CK, and then generates and saves the shared key Ks_(Ext/Int)_NAF;
  • Step 13 The UE sends an HTTP Request message to the AS again, which carries the SASLRequest header field encapsulated by the SOAP protocol. The mechanism header field of the SASLRequest header field is filled with the authentication mode selected by the AS in step 4 (here HTTP DIGEST), and the digest-response header field (challenge response header field) of the SASLRequest header field contains the username header field, with the B-TID filled in the username header field, and the authentication response digest calculated with the key Ks_(Ext/Int)_NAF;
  • Step 14 The AS and the NAF are on one entity. If the AS does not hold the Ks_(Ext/Int)_NAF key and the related information, it can obtain the Ks_(Ext/Int)_NAF, the USS, the key validity period, the bootstrapping time and other information from the BSF through the Zn interface, where the USS may contain some identity-federation-related information;
  • Step 15 Using the obtained Ks_(Ext/Int)_NAF key information, the AS processes the digest-response in the SASLRequest header field, and after the AS authentication passes, sends an HTTP Response message to the UE, which carries the SASLResponse header field encapsulated by the SOAP protocol. The SASLResponse header field contains the SSOS address and the ServiceType field; the ServiceType field is set to urn:liberty:ssos:2004-04, and other SSO-related information, such as the Credentials required to access the SSOS, is included as well.
  • Step 16 According to the SSOS address obtained in step 15, the UE sends an HTTP Request message to the SSOS to request the Assertion required to access the SP, which carries the samlp2:AuthnRequest header field, the sb:Correlation header field and the wsse:security header field encapsulated by the SOAP protocol. The AuthnRequest header field may be the one returned by the SP in step 2, or may be generated by the UE itself; it includes some authentication operations required by the AuthnRequest receiver, and its ProtocolBinding header field is set to urn:liberty:iff:profiles:id-wsf to indicate the SAML protocol binding to be used. The wsse:security header field contains the credentials for accessing the SSOS obtained in the previous step, and the sb:Correlation header field is mainly used to associate the response message returned by the SSOS with the corresponding request message;
  • Step 17 The SSOS performs authentication processing according to the content of the received HTTP Request message. After the authentication succeeds, the SSOS may tell the UE which identities are to be federated for the UE; the UE agrees and completes the identity federation with the SP. The SSOS then returns an HTTP Response message carrying the samlp2:Response header field encapsulated by the SOAP protocol, where the Response header field contains the saml:Assertion header field required to access the SP (which contains the digital signature of the SSOS);
  • Step 18 The UE sends an HTTP Request message to the SP again, which carries, encapsulated by the SOAP protocol, the saml:Assertion header field returned in the previous step;
  • Step 19 The SP processes the saml:Assertion header field, verifies the digital signature of the SSOS, authenticates the UE according to the identity information from the SSOS, and returns an HTTP Response message after success.
  • In addition, the AS may require the UE to perform steps 5 to 12 each time and then perform step 13, so that the user identifier B-TID and the key Ks_(Ext/Int)_NAF are regenerated every time. Alternatively, steps 3 to 12 are not performed and step 13 is executed directly, that is, the digest-response header field in the SASLRequest header field of the HTTP Request message sent by the UE to the AS contains the username header field, the username header field is filled with the B-TID, and the authentication response digest information is calculated with the shared key Ks_(Ext/Int)_NAF.
  • If no security association has been established between the UE and the AS, steps 3 to 12 need to be performed to obtain the B-TID and the key Ks_(Ext/Int)_NAF through the normal GBA bootstrapping process, and then step 13 is performed.
  • If step 3 already carries the existing B-TID and the authentication response digest information calculated with the key Ks_(Ext/Int)_NAF, then the AS challenges the UE through step 4, and the UE performs steps 5 to 12, that is, the normal GBA authentication process, to obtain the updated B-TID and shared key Ks_(Ext/Int)_NAF, and then proceeds to step 13.
  • When the UE sends the HTTP request to the AS in step 3, the UE needs to carry an identifier indicating that the GBA mechanism is supported: for an application based on the ME (Mobile Equipment), the User-Agent header field is set to "3gpp-gba"; for an application based on the UICC (Universal Integrated Circuit Card), the User-Agent header field is set to "3gpp-gba-uicc".
  • The challenge in step 4 also carries an identifier indicating that the UE needs to perform the GBA mechanism. If the UE finds this identifier, it performs the GBA process of steps 5 to 12 and then step 13; otherwise, step 13 is executed directly, and the username and password are obtained and processed through the existing SSO mechanism, for example by popping up a dialog box in which the user directly enters the username and password.
  • When the UE sends the HTTP request to the AS again in step 13, as in step 3, it also needs to carry the identifier indicating that the GBA mechanism is supported. If the AS finds the identifier, it knows that step 14 needs to be performed first and then step 15; otherwise, it goes directly to step 15.
  • The following is a description of Embodiment 2. Steps 1 to 16 are exactly the same as steps 1 to 16 in Embodiment 1, and are specifically:
  • Step 1 The UE sends an HTTP Request message to the SP.
  • Step 2 After receiving the HTTP Request message, the SP first obtains the address of the AS, and then sends an HTTP Response message to the UE, where the AuthnRequest header field is carried.
  • Step 3 Since the UE integrates the WSC entity function, after receiving the response message including the AuthnRequest header field returned by the SP, the UE knows through the WSC on it that it should authenticate to the AS through the SASL protocol, instead of authenticating to the IdP through the HTTP DIGEST protocol.
  • The UE sends an HTTP Request message to the AS, which carries the SASLRequest header field encapsulated by the SOAP protocol. The mechanism header field of the SASLRequest header field contains the list of authentication modes supported by the UE, for example mechanism="CRAM-MD5 DIGEST-MD5", where DIGEST-MD5 indicates the HTTP DIGEST authentication mode;
  • Step 4 The AS returns an HTTP Response message to the UE, which carries the SASLResponse header field encapsulated by the SOAP protocol; the serverMechanism header field (server authentication mechanism header field) of the SASLResponse header field records the authentication mode selected by the AS from the list of authentication modes supported by the UE (for example, serverMechanism="DIGEST-MD5" indicates that the AS selected HTTP DIGEST), together with the challenge header field digest-challenge;
  • Step 5 The UE sends a GBA authentication request message to the BSF, which includes the IMS Private User Identity (IMPI), and requests mutual authentication with the BSF.
  • Step 6 After receiving the GBA authentication request message of the UE, the BSF first obtains the authentication vector information of the UE, that is, the authentication vector (authentication sequence number parameter AUTN, random parameter RAND, integrity key IK, confidentiality key CK, expected result XRES);
  • Step 7 The BSF saves XRES, IK, CK, and sends a message to the UE, which carries AUTN and RAND;
  • Step 8 The UE runs the AKA algorithm, checks the validity of the AUTN to authenticate the BSF, and generates the expected result RES, and generates the integrity key IK and the confidentiality key CK by using the RAND;
  • Step 9 The UE sends a message to the BSF, where the IMPI and the expected result RES are carried;
  • Step 10 The BSF compares the RES with the saved XRES, and if the two are consistent, the UE is authenticated, and the saved IK and CK are used to generate the root key Ks;
  • Step 11 The BSF sends a GBA success response message to the UE, which carries the bootstrapping transaction identifier (B-TID) and the validity period of the root key Ks;
  • Step 12 The UE saves the validity period of the B-TID and the root key Ks, and generates the root key Ks by using IK and CK, and then generates and saves the shared key Ks_(Ext/Int)_NAF;
  • Step 13 The UE sends an HTTP Request message to the AS again, which carries the SASLRequest header field encapsulated by the SOAP protocol, where the mechanism header field in the SASLRequest header field is filled with the authentication mode selected by the AS in step 4 (in this embodiment HTTP DIGEST), and the digest-response (challenge response header field) contains the username header field, with the B-TID in the username header field, and the authentication response digest information calculated with the key Ks_(Ext/Int)_NAF;
  • Step 14 The AS and the NAF are on one entity. If the AS does not hold the Ks_(Ext/Int)_NAF key and the related information, it can obtain the Ks_(Ext/Int)_NAF, the USS, the key validity period, the bootstrapping time and other information from the BSF through the Zn interface, where the USS may contain some information about the identity federation;
  • Step 15 The AS processes the SASLRequest header field, and after the AS authentication succeeds, sends an HTTP Response message to the UE, which carries the SASLResponse header field encapsulated by SOAP; the ID-WSF EPR (EndpointReference header field) in the SASLResponse header field contains the SSOS address, the ServiceType field in the SASLResponse header field is set to urn:liberty:ssos:2004-04, and the credentials required to access the SSOS are included;
  • Step 16 The UE sends an HTTP Request message to the SSOS obtained in the previous step to request the Assertion required to access the SP, which carries the samlp2:AuthnRequest header field, the sb:Correlation header field and the wsse:security header field encapsulated by the SOAP protocol. The AuthnRequest header field may be the one returned by the SP in step 2, or may be generated by the UE itself; it includes some authentication operations required by the AuthnRequest receiver, and its ProtocolBinding header field is set to urn:liberty:iff:profiles:id-wsf to indicate the SAML protocol binding to be used. The wsse:security header field contains the credentials (Credentials header field) required to access the SSOS, returned in the previous step. The sb:Correlation header field is mainly used to associate the response message returned by the SSOS with the corresponding request message;
  • Step 17 The SSOS processes the received HTTP Request message, generates the corresponding Artifact and Assertion, saves the correspondence between the two, and then returns an HTTP Response success message, which carries the samlp2:Response header field encapsulated by the SOAP protocol; the Response header field contains the Artifact header field corresponding to the saml:Assertion required to access the SP.
  • The response returned to the UE in this step includes the "Artifact", whereas the response returned to the UE in step 17 of FIG. 12 (Embodiment 1) contains the "Assertion", which makes the subsequent processing different.
  • Step 18 The UE sends an HTTP Request message to the SP again, which carries, encapsulated by the SOAP protocol, the Artifact header field returned in step 17;
  • Step 19 The SP sends an HTTP Request message to the SSOS, which carries, encapsulated by the SOAP protocol, the Artifact header field obtained in the previous step, to request the Assertion for the UE authentication process.
  • Step 20 The SSOS finds the corresponding Assertion according to the Artifact, and then returns an HTTP Response message, which carries the saml:Assertion encapsulated by the SOAP protocol (which contains the digital signature of the SSOS);
  • Step 21 The SP processes the saml:Assertion header field, verifies its digital signature, authenticates the UE according to the identity information from the SSOS, and returns an HTTP Response message after success.
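The Artifact handling of steps 17 to 21 of Embodiment 2, as an added example that is not part of the patent: the SSOS issues an Assertion and an Artifact and saves their correspondence, the SP later exchanges the Artifact for the Assertion and checks its signature. The signing key, the HMAC used in place of the SSOS digital signature, the JSON encoding, the audience check and the one-time resolution of Artifacts are assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed key (not from the page). The patent says the Assertion carries the
# digital signature of the SSOS; an HMAC key shared with the SP stands in for it.
SSOS_SIGNING_KEY = b"constructed-ssos-signing-key"


def sign_payload(key: bytes, payload: dict) -> str:
    """Deterministic signature over the canonical JSON form of the payload."""
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class Ssos:
    """Single-point authentication service entity: steps 17 and 20 of Embodiment 2."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._assertion_by_artifact = {}   # Artifact -> Assertion correspondence

    def issue_artifact(self, subject: str, audience: str) -> str:
        """Step 17: build and sign the Assertion the SP needs, generate the
        Artifact, save the Artifact -> Assertion correspondence and return
        only the Artifact (the Assertion itself is not sent to the UE)."""
        payload = {"issuer": "ssos", "subject": subject, "audience": audience}
        assertion = {"payload": payload, "signature": sign_payload(self._key, payload)}
        artifact = secrets.token_urlsafe(20)
        self._assertion_by_artifact[artifact] = assertion
        return artifact

    def resolve_artifact(self, artifact: str):
        """Step 20: look up the Assertion for an Artifact. The mapping is
        removed on first use (an assumption of this example) so that an
        Artifact observed in transit cannot be resolved a second time."""
        return self._assertion_by_artifact.pop(artifact, None)


class Sp:
    """Service provider entity: steps 19 and 21 of Embodiment 2."""

    def __init__(self, name: str, ssos_key: bytes):
        self.name = name
        self._ssos_key = ssos_key

    def verify_assertion(self, assertion: dict) -> bool:
        """Step 21: check the SSOS signature and that the Assertion was issued
        for this SP (the audience check is an assumption of this example)."""
        payload = assertion.get("payload", {})
        expected = sign_payload(self._ssos_key, payload)
        if not hmac.compare_digest(expected, assertion.get("signature", "")):
            return False
        return payload.get("issuer") == "ssos" and payload.get("audience") == self.name

    def authenticate_with_artifact(self, artifact: str, ssos: Ssos):
        """Steps 19 to 21: exchange the Artifact presented by the UE for the
        Assertion and authenticate the UE. Returns the subject, or None."""
        assertion = ssos.resolve_artifact(artifact)
        if assertion is None or not self.verify_assertion(assertion):
            return None
        return assertion["payload"]["subject"]


def run_embodiment_2(subject: str = "user@operator.example"):
    """Whole exchange for one UE: the SSOS issues the Artifact (step 17), the
    UE forwards it to the SP (step 18), the SP resolves and verifies it; a
    second presentation of the same Artifact must fail."""
    ssos = Ssos(SSOS_SIGNING_KEY)
    sp = Sp("sp.example", SSOS_SIGNING_KEY)
    artifact = ssos.issue_artifact(subject, sp.name)
    first = sp.authenticate_with_artifact(artifact, ssos)
    replay = sp.authenticate_with_artifact(artifact, ssos)
    return first, replay
```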
  • After the authentication process of Embodiment 1 or Embodiment 2 is completed, the UE and the SP can continue to communicate, and the UE must be re-authenticated when the following conditions occur:
  • the SP needs to send a new HTTP Response message carrying the AuthnRequest to the UE in its next interaction with the UE, indicating that re-authentication is required, after which the process starting from step 3 of Embodiment 1 or Embodiment 2 is performed.
  • According to the local security policy configured on the AS, the new GBA authentication process can be omitted, or a new GBA authentication process can be performed. If the new GBA authentication process is not performed, steps 3 to 12 and step 14 may be omitted, and the message contents of steps 13, 15 and 16 are the same as those of the last corresponding messages.
  • The SSOS needs to generate a new Assertion (and, in Embodiment 2, also a new Artifact), and the remaining steps are unchanged.
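The AS-side decision for re-authentication described above (step 13 presented with an existing B-TID, the local security policy on the AS, and the fallback to a fresh GBA run through step 4), as an added example that is not part of the patent. The record format, the policy names, the HMAC stand-in for the HTTP DIGEST response and the Zn lookup callback are assumptions of this example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Decisions the AS can take on a SASLRequest that carries a B-TID (step 13).
CHALLENGE_GBA = "challenge_gba"   # answer with step 4: the UE must run steps 5 to 12
ACCEPT = "accept"                 # existing key reused, steps 3 to 12 omitted, go to step 15
REJECT = "reject"                 # digest does not verify under the key held for this B-TID
LEGACY_SSO = "legacy_sso"         # no GBA identifier: username/password via the existing SSO


@dataclass
class NafKey:
    """What the AS holds per B-TID after step 14: Ks_(Ext/Int)_NAF, its
    validity period and the bootstrapping time obtained from the BSF over Zn."""
    ks_naf: bytes
    expires_at: int
    bootstrapped_at: int


@dataclass
class AsState:
    # "reuse_until_expiry": omit the new GBA run while the key is still valid.
    # "rebootstrap_always": require steps 5 to 12 on every authentication.
    policy: str
    keys: dict = field(default_factory=dict)   # B-TID -> NafKey


def digest_response(ks_naf: bytes, b_tid: str, nonce: str) -> str:
    """Stand-in for the HTTP DIGEST response computed with Ks_(Ext/Int)_NAF
    (an assumption of this example; the real computation is RFC 2617 Digest)."""
    return hmac.new(ks_naf, f"{b_tid}:{nonce}".encode(), hashlib.sha256).hexdigest()


def as_handle_reauth(state: AsState, req: dict, now: int, zn_lookup) -> str:
    """Decide how the AS answers a re-authentication SASLRequest.

    req carries: gba_supported (User-Agent "3gpp-gba"/"3gpp-gba-uicc" seen),
    username (the B-TID), nonce (from the last digest-challenge) and response.
    zn_lookup(b_tid) models step 14 and returns a NafKey or None."""
    if not req.get("gba_supported"):
        return LEGACY_SSO
    if state.policy == "rebootstrap_always":
        return CHALLENGE_GBA
    b_tid = req["username"]
    rec = state.keys.get(b_tid)
    if rec is None:
        rec = zn_lookup(b_tid)             # step 14: ask the BSF over Zn
        if rec is None:
            return CHALLENGE_GBA           # BSF does not know this B-TID
        state.keys[b_tid] = rec
    if rec.expires_at <= now:
        state.keys.pop(b_tid, None)        # an expired key is never reused
        return CHALLENGE_GBA
    expected = digest_response(rec.ks_naf, b_tid, req["nonce"])
    if hmac.compare_digest(expected, req.get("response", "")):
        return ACCEPT
    return REJECT


# Constructed sample data (not from the page).
KEY_A = NafKey(ks_naf=b"\x11" * 32, expires_at=2000, bootstrapped_at=1000)
KEY_B = NafKey(ks_naf=b"\x22" * 32, expires_at=1500, bootstrapped_at=500)
BSF_TABLE = {"btid-a@bsf.example": KEY_A, "btid-b@bsf.example": KEY_B}


def sample_request(b_tid: str, key: NafKey, nonce: str = "n1", gba: bool = True) -> dict:
    """Request the UE would send in step 13, computed with its copy of Ks_NAF."""
    return {"gba_supported": gba, "username": b_tid, "nonce": nonce,
            "response": digest_response(key.ks_naf, b_tid, nonce)}
```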
  • The embodiment shown in FIG. 14 is substantially the same as the embodiment shown in FIG. 12, and the embodiment shown in FIG. 15 is basically the same as the embodiment shown in FIG. 13, except that in FIG. 12 and FIG. 13 NAF/AS is one logical entity and SSOS is another logical entity, whereas in FIG. 14 and FIG. 15 NAF/AS/SSOS is one logical entity.

Abstract

An identity Web Service Framework (ID-WSF) system includes HSS, BSF, Network Application Function/Authentication Service/Single-Sign-On Service Entity, SP and UE. An authentication method includes steps: the communication process between UE and SP includes the GBA authentication process and the ID-WSF authentication process; during the GBA authentication process, Bootstrapping Service Function Entity generates a bootstrapping transaction identifier and the period of validity of root key, sends it to UE, and both Bootstrapping Service Function and UE generate the root key; during the ID-WSF authentication process, AS Entity or AS Module generates credentials which the user equipment needs to access SSOS Entity or SSOS Module; Single-Sign-On Service Entity or Single-Sign-On Service Module generates authentication assertion and sends it to UE, or Single-Sign-On Service Entity or Single-Sign-On Service Module generates authentication assertion and the corresponding Artifact of it, saves the corresponding relation table of authentication assertion and its Artifact, and sends the Artifact of authentication assertion to UE.

Description

An identity web service framework system and authentication method thereof. This application claims priority to Chinese Patent Application No. 200610034493.6, filed with the Chinese Patent Office on March 16, 2006 and entitled "An identity web service framework system and authentication method thereof", the entire contents of which are incorporated herein by reference. Technical Field: The present invention relates to the fields of Internet technology, Next Generation Networks (NGN) and the Third Generation Partnership Project (3GPP), and in particular to an Identity Web Service Framework (ID-WSF) system and an authentication method thereof.
Background Art
如图 1 所示, 3GPP 定义了一种通用鉴权架构(GBA , Generic Bootstrapping Architecture), 其通常由 IP 多媒体业务子系统( IMS , IP Multimedia Core Network Subsystem)用户终端 (UE, User Equipment)、 引 导服务功能实体 (BSF , Bootstrapping Server Function)、 用户归属网絡服务 器 (HSS , Home Subscribe Server) ^ 用户定位功能实体 (SLF, Subscriber Locator Function)和网络业务应用功能实体 (NAF , Network Application Function)组成。 UE与 BSF通过 Ub接口连接, UE与 NAF通过 Ua接口 连接, BSF与 HSS通过 Zh接口连接, BSF与 NAF通过 Zn接口连接, BSF与 SLF通过 Dz接口连接。 BSF用于与 UE执行引导过程 (bootstrapping) 时进行互验证身份, 同时生成 BSF与用户的共享密钥 Ks; HSS中存储用 于描述用户信息的签约文件, 同时 HSS还兼有产生鉴权信息的功能; SLF 用于当存在多个 HSS时, 协助 BSF查找相应的 HSS; NAF用于为 UE提 供网络业务。  As shown in Figure 1, 3GPP defines a Generic Bootstrapping Architecture (GBA), which is usually guided by the IP Multimedia Core Subsystem (UE, User Equipment). The Service Function Entity (BSF), the Home Subscriber Server (HSS), the Subscriber Locator Function (SLF), and the Network Application Function (NAF). The UE and the BSF are connected through the Ub interface, the UE and the NAF are connected through the Ua interface, the BSF and the HSS are connected through the Zh interface, the BSF and the NAF are connected through the Zn interface, and the BSF and the SLF are connected through the Dz interface. The BSF is used to perform mutual authentication with the UE when performing bootstrapping, and generates a shared key Ks of the BSF and the user; the HSS stores a subscription file for describing user information, and the HSS also generates authentication information. Function; SLF is used to assist the BSF to find the corresponding HSS when there are multiple HSSs; NAF is used to provide network services for the UE.
在 Ub接口中, UE执行引导过程 (bootstrapping)的流程如图 2所示, 说明如下:  In the Ub interface, the process of the UE performing the bootstrapping process is as shown in FIG. 2, and the description is as follows:
步骤 1: UE需要使用某种业务时, 如果知道该业务需要到 BSF进行 相互鉴权过程, 则直接发送鉴权请求到 BSF进行相互鉴权。 否则, UE会 首先和该业务对应的 NAF联系, 如果该 NAF使用 GBA通用鉴权架构, 并且发现该 UE还未到 BSF进行互认证过程, NAF则通知该 UE到 BSF 进行互鉴权以验证身份, 然后 UE再发送鉴权请求到 BSF进行相互鉴权; 步骤 2: BSF接到 UE的鉴权请求后, 首先到 HSS获取该 UE的鉴权 矢量五元组 (AUTN, RAND, IK, CK, XRES); Step 1: When the UE needs to use a certain service, if it knows that the service needs to go to the BSF for mutual authentication, it directly sends an authentication request to the BSF to perform mutual authentication. Otherwise, the UE first contacts the NAF corresponding to the service, if the NAF uses the GBA universal authentication architecture, And the UE is not yet to the BSF to perform the mutual authentication process, and the NAF notifies the UE to perform mutual authentication to verify the identity, and then the UE sends an authentication request to the BSF for mutual authentication. Step 2: The BSF receives the UE. After the authentication request, first obtain an authentication vector quintuple (AUTN, RAND, IK, CK, XRES) of the UE to the HSS;
步骤 3〜步驟 6: BSF釆用 HTTP digest AKA协议与 UE进行双向认证 以及密钥协商, 完成 UE和 BSF之间身份的互相认证;  Step 3 to Step 6: The BSF uses the HTTP digest AKA protocol to perform mutual authentication and key agreement with the UE to complete mutual authentication between the UE and the BSF.
步骤 7: BSF生成共享根密钥 Ks, BSF还为共享密钥 Ks定义了一个 有效期限, 以便对 Ks进行定期更新;  Step 7: The BSF generates a shared root key Ks, which also defines an expiration date for the shared key Ks to periodically update the Ks;
步骤 8: BSF分配一个引导事务标识 (B-TID, bootstrapping transaction identifier),用于标识 BSF和 UE之间的本次鉴权交互事务; BSF将该 B-TID 与根密钥 Ks、 UE的私有用户标识 (IMPI, IMS Private identity)相关联, 以 便以后 BSF可以才艮据该 B-TID查找出相应的 Ks, 然后 BSF将引导事务 标识和 Ks的有效期限一起明文发送给 UE;  Step 8: The BSF allocates a bootstrapping transaction identifier (B-TID) to identify the current authentication interaction transaction between the BSF and the UE. The BSF uses the B-TID with the root key Ks and the private UE. The user identifier (IMPI, IMS Private Identity) is associated, so that the BSF can find the corresponding Ks according to the B-TID, and then the BSF sends the boot transaction identifier and the validity period of the Ks together to the UE in plaintext;
步骤 9: UE也生成和 BSF侧相同的共享才艮密钥 Ks。  Step 9: The UE also generates the same shared key Ks as the BSF side.
完成上述步骤后, UE和 BSF之间就共享了一个根密钥 Ks, 并且 UE 可以利用公式:  After the above steps are completed, a root key Ks is shared between the UE and the BSF, and the UE can use the formula:
Ks_NAF = KDF (Ks, "gba-me", RAND, IMPI, NAP— Id)或者 Ks_Ext_NAF = KDF (Ks, "gba-me", RAND, IMPI, NAF— Id)、 Ks— Int— NAF - KDF (Ks, "gba-u", RAND, IMPI, NAF— Id), 推导出与想要访问的 NAF之间的衍生的共享密钥 Ks_(Ext/Int)_ NAF , 其中 NAF— Id是由要访问的 NAF以及 Ua接口上的协议标识 (UalD)连接而 成, RAND是一个随机数, IMPI是 UE 的私有用户标识, "gba-me"和 "gba-u"代表字符串, KDF是密钥导出函数的缩写, 这样 UE侧就获取了 该衍生的共享密钥 Ks— (Ext/Int)— NAF。 剩下的任务就是 NAF如何获取该 衍生的共享密钥 Ks—(Ext Int)—NAF。 只有 NAF 和 UE 都获取了 Ks— (Ext/Int)— NAF, 才能建立双方通讯的安全通道。  Ks_NAF = KDF (Ks, "gba-me", RAND, IMPI, NAP- Id) or Ks_Ext_NAF = KDF (Ks, "gba-me", RAND, IMPI, NAF- Id), Ks-Int-NAF-KDF ( Ks, "gba-u", RAND, IMPI, NAF- Id), derive the derived shared key Ks_(Ext/Int)_NAF between NAF and the NAF that you want to access, where NAF-Id is to be accessed The NAF and the protocol identifier (UalD) on the Ua interface are connected. RAND is a random number, IMPI is the private user identifier of the UE, "gba-me" and "gba-u" represent strings, and KDF is a key export. Abbreviation of function, such that the UE side obtains the derived shared key Ks - (Ext / Int) - NAF. The remaining task is how NAF obtains the derived shared key Ks—(Ext Int)—NAF. Only NAF and UE acquire Ks—(Ext/Int)—NAF to establish a secure channel for mutual communication.
The procedure by which the NAF obtains Ks_(Ext/Int)_NAF is shown in Figure 3. The UE first derives Ks_(Ext/Int)_NAF using the formula above, and then the following steps are performed:
Step 1: The UE sends a connection request to the NAF using the B-TID as username and Ks_(Ext/Int)_NAF as password. A Transport Layer Security (TLS) connection may be established beforehand to protect communication on the Ua interface;
Step 2: After receiving the UE's connection request, the NAF sends an authentication request message to the BSF carrying the bootstrapping transaction identifier B-TID and the NAF hostname, i.e. the NAF_ID;
Step 3: The BSF retains the B-TID, IMPI, Ks, key lifetime, the start time of the mutual authentication between the BSF and the UE, the application-specific GBA User Security Settings (GUSS) and related information. If the BSF can find the corresponding Ks from the B-TID, authentication of the corresponding user is complete. The BSF then computes the derived shared key Ks_(Ext/Int)_NAF with the same formula as the user side and returns to the NAF, in the authentication response message, Ks_(Ext/Int)_NAF, its lifetime, the start time of the mutual authentication between the BSF and the UE, and the User Security Setting (USS) information relevant to the application; a GUSS may contain several USSs.
Step 4: The NAF saves this information on receipt.
Step 5: The NAF returns an application response to the UE.
The NAF and the UE now share the key Ks_(Ext/Int)_NAF derived from Ks, so the two can communicate securely from then on.
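The derivation formula and the five-step Zn lookup above, as an added example that is not part of the patent: the UE derives Ks_(Ext/Int)_NAF, the NAF presents the B-TID to the BSF, and the BSF returns the matching key only for a known, unexpired B-TID. The KDF encoding (HMAC-SHA-256 over FC and length-prefixed parameters, modelled on TS 33.220 Annex B), the B-TID format, the UaID bytes and all identities are this example's own assumptions.

```python
import hashlib
import hmac
import secrets


def kdf(ks: bytes, label: str, rand: bytes, impi: str, naf_id: bytes) -> bytes:
    """Ks_(Ext/Int)_NAF = KDF(Ks, label, RAND, IMPI, NAF_Id).

    HMAC-SHA-256 over FC || P0 || L0 || ... || P3 || L3; the encoding is an
    assumption of this example (after TS 33.220 Annex B), not from the page.
    """
    s = b"\x01"                                   # FC for GBA (assumption)
    for p in (label.encode(), rand, impi.encode(), naf_id):
        s += p + len(p).to_bytes(2, "big")        # Pi || Li
    return hmac.new(ks, s, hashlib.sha256).digest()


def make_naf_id(naf_fqdn: str, ua_protocol_id: bytes) -> bytes:
    """NAF_Id = NAF identity || Ua protocol identifier (UaID)."""
    return naf_fqdn.encode() + ua_protocol_id


class BSF:
    """Step 8 / step 3: keeps B-TID -> (Ks, IMPI, RAND, Ks expiry)."""

    def __init__(self):
        self._records = {}

    def bootstrap(self, impi: str, ks: bytes, rand: bytes, lifetime_s: int, now: float):
        btid = secrets.token_hex(8) + "@bsf.example"   # constructed B-TID format
        self._records[btid] = (ks, impi, rand, now + lifetime_s)
        return btid, lifetime_s                         # sent to the UE in step 8

    def zn_authentication_request(self, btid: str, naf_id: bytes, label: str, now: float):
        """Step 3: (Ks_NAF, expiry) for a known, unexpired B-TID, else None."""
        rec = self._records.get(btid)
        if rec is None:
            return None
        ks, impi, rand, expires_at = rec
        if now >= expires_at:
            return None
        return kdf(ks, label, rand, impi, naf_id), expires_at


class NAF:
    """Steps 2-5: validates the UE's (B-TID, Ks_NAF) credential via the BSF."""

    def __init__(self, fqdn: str, ua_protocol_id: bytes, bsf: BSF):
        self.naf_id = make_naf_id(fqdn, ua_protocol_id)
        self.bsf = bsf
        self.sessions = {}

    def connection_request(self, btid: str, password: bytes, label: str, now: float) -> bool:
        result = self.bsf.zn_authentication_request(btid, self.naf_id, label, now)
        if result is None:
            return False
        ks_naf, expires_at = result
        if not hmac.compare_digest(ks_naf, password):  # constant-time comparison
            return False
        self.sessions[btid] = (ks_naf, expires_at)      # step 4: NAF stores the key
        return True                                     # step 5: application response


def run_scenario():
    """Constructed end-to-end run; returns the observations for checking."""
    now = 1_700_000_000.0
    bsf = BSF()
    impi = "user@ims.example"                           # constructed IMPI
    ks = secrets.token_bytes(32)                        # constructed root key Ks
    rand = secrets.token_bytes(16)                      # constructed RAND
    btid, _ = bsf.bootstrap(impi, ks, rand, lifetime_s=3600, now=now)

    ua_id = b"\x01\x00\x01\x00\x01"                     # constructed UaID bytes
    naf = NAF("naf.example", ua_id, bsf)
    # Step 9 + formula: the UE derives Ks_NAF with "gba-me" and the same NAF_Id.
    ue_ks_naf = kdf(ks, "gba-me", rand, impi, naf.naf_id)

    accepted = naf.connection_request(btid, ue_ks_naf, "gba-me", now)
    # A key derived for a different NAF_Id must not open a session at this NAF.
    other = kdf(ks, "gba-me", rand, impi, make_naf_id("other.example", ua_id))
    rejected_other_naf = naf.connection_request(btid, other, "gba-me", now)
    rejected_unknown = naf.connection_request("bogus@bsf.example", ue_ks_naf, "gba-me", now)
    rejected_expired = naf.connection_request(btid, ue_ks_naf, "gba-me", now + 7200)
    int_differs = kdf(ks, "gba-u", rand, impi, naf.naf_id) != ue_ks_naf
    return {
        "accepted": accepted,
        "rejected_other_naf": rejected_other_naf,
        "rejected_unknown_btid": rejected_unknown,
        "rejected_expired": rejected_expired,
        "int_key_differs_from_ext": int_differs,
    }


if __name__ == "__main__":
    print(run_scenario())
```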
In addition, the Liberty Alliance Project (LAP) has defined network architectures and specifications for accessing Web services, consisting mainly of three sub-architectures:
the Identity Federation Framework (ID-FF), the Identity Web Service Framework (ID-WSF), and the Identity Services Interface Specifications (ID-SIS).
ID-FF mainly provides identity federation and single sign-on (SSO). ID-WSF builds on ID-FF to define identity-based Web service architectures that offer simple, user-customizable Web services. ID-SIS defines interface specifications for Web services. The ID-FF architecture, shown in Figure 4, consists mainly of three entities: the UE, the Identity Provider (IdP) and the Service Provider (SP). Identity federation means that the UE has its own identity (user identifier) at both the IdP and the SP, and that these identities can be federated. SSO means that, on the basis of identity federation, once the UE has been authenticated at the IdP it is regarded as authenticated at all federated SPs at the same time.
The ID-FF and GBA interworking architecture is shown in Figure 5. In this architecture the UE can be authenticated in two ways. In the first, after the UE is authenticated at the IdP, the IdP returns the UE's authentication Assertion directly to the UE; the UE forwards the Assertion to the SP, and the SP authenticates the UE by examining the Assertion. In the second, after the UE is authenticated at the IdP, the IdP returns an authentication assertion link (Artifact) to the UE; the UE sends the Artifact to the SP; the SP forwards the Artifact to the IdP over SOAP; the IdP looks up the Assertion corresponding to the Artifact and returns it to the SP; finally the SP authenticates the UE by examining the Assertion.
The ID-WSF architecture is shown in Figure 6 and consists mainly of the following entities: the UE, the IdP, the SP, the Web Service Consumer (WSC) that uses Web services, the Web Service Provider (WSP) that provides Web services, and the Discovery Service (DS).
These entities cooperate as follows: first the WSP registers with the DS the types of Web service it can provide; when the UE accesses the WSC, the WSC queries the DS for accessible WSPs; the DS matches the relevant WSP addresses and returns them to the WSC; the WSC can then access the relevant WSP on behalf of the UE. The roles of WSC and WSP (or SP) are relative: a WSC that consumes one Web service may at the same time act as the provider (WSP or SP) of another, and a WSP or SP that provides one Web service may at the same time act as the consumer (WSC) of another.
A further simplified form of this architecture is shown in Figure 7, in which the WSC function is implemented on the UE and a WSP may provide the function of an Authentication Service (AS) entity. The AS function in ID-WSF corresponds to the IdP function in ID-FF and performs authentication for the identity Web service network. Since Figure 7 concerns only ID-WSF authentication, the DS is omitted.
Figure 8 shows the ID-WSF network architecture with an added Single Sign-On Service (SSOS) entity. Its main workflow is as follows: first the UE and the AS interact via the SASL protocol to complete AS authentication; after authentication succeeds, the AS returns to the UE the address of the SSOS and the Credentials needed to access it; the UE accesses the SSOS with the Credentials obtained from the AS and is authenticated by the SSOS, which returns the corresponding Assertion to the UE once authentication succeeds; the UE then uses the Assertion to access the relevant SP.
From the above it can be seen that, on the one hand, in the generic bootstrapping architecture, even after the UE has interacted with the BSF to obtain the root key Ks and the B-TID, it must still authenticate separately at each NAF, using the B-TID as username and Ks_(Ext/Int)_NAF as password, in order to access that NAF. Such frequent authentication improves security but makes terminal operation more complex and inconvenient.
On the other hand, in the identity Web service framework, single sign-on establishes identity security federations between each SP and the SSOS, forming a circle of trust; once authentication at the SSOS has succeeded, the UE is regarded as authenticated at every SP within the SSOS's circle of trust.
As shown in Figure 9, the prior art gives a network architecture for GBA and ID-WSF interworking for the case where the AS and the SSOS are different entities, but gives no corresponding authentication method. Thus, although an interworking architecture exists in the prior art, no method for interworking between the two architectures has been realized, so the interworking architecture cannot be put to practical use. Moreover, the security of ID-WSF communication is not high enough and user terminal operation in the generic bootstrapping architecture is not simple enough, which places many limits on extending the application scenarios of user terminals and on letting user terminals conveniently use the wide variety of existing Web services.
Summary of the Invention
The technical problem addressed by the present invention is enabling interworking between GBA and ID-WSF; accordingly, one object of the present invention is to provide an identity Web service network system and an authentication method for it.
The present invention adopts the following technical solution:

An identity Web service network system comprises a user home network server and a bootstrapping service function (BSF) entity of the generic bootstrapping architecture, a service provider entity, and a user terminal; the user home network server and the BSF communicate over the Zh interface, and the BSF and the user terminal communicate over the Ub interface. It is characterised in that it comprises a network application function/authentication service/single sign-on service entity (NAF/AS/SSOS), which comprises a network application function module, an authentication service module and a single sign-on service module; the network application function module provides the functions of a NAF entity, the authentication service module provides the functions of an AS entity, and the single sign-on service module provides the functions of an SSOS entity; the network application function module communicates with the BSF over the Zn interface and with the user terminal over the Ua interface.

The identity Web service network system as described, wherein: the single sign-on service module and the user terminal communicate using the single sign-on and identity federation protocols described in the Security Assertion Markup Language, with messages encapsulated in the Simple Object Access Protocol or the Hypertext Transfer Protocol; the authentication service module and the user terminal communicate using the Simple Authentication and Security Layer protocol, with messages encapsulated in the Simple Object Access Protocol or the Hypertext Transfer Protocol; communication between the single sign-on service module and the service provider entity is encapsulated in the Simple Object Access Protocol; and communication between the user terminal and the service provider entity is encapsulated in the Simple Object Access Protocol or the Hypertext Transfer Protocol.

An authentication method for the identity Web service network system comprises the steps of: the communication between the user terminal and the service provider entity of the identity Web service network system includes two authentication processes, namely a generic bootstrapping architecture (GBA) authentication process and an identity Web service framework (ID-WSF) authentication process. In the GBA authentication process, the BSF generates a bootstrapping transaction identifier and a root key lifetime and sends them to the user terminal, and both the BSF and the user terminal generate the root key. In the ID-WSF authentication process, the authentication service entity or authentication service module generates the credentials the user terminal needs to access the single sign-on service entity or single sign-on service module; the single sign-on service entity or module then either generates an authentication assertion and sends it to the user terminal, or generates an authentication assertion and a corresponding authentication assertion link (artifact), stores a table of the correspondence between assertions and artifacts, and sends the artifact to the user terminal.
The authentication method as described, comprising the steps of: the user terminal sends an ID-WSF authentication request message to the corresponding authentication service entity or module; the authentication service entity or module sends the user terminal a challenge response message requiring it to perform GBA authentication; the BSF performs GBA authentication of the user terminal and, after success, sends the user terminal a GBA authentication success response message containing the bootstrapping transaction identifier and the root key lifetime; the user terminal sends an application request message to the authentication service entity or module, which authenticates the user terminal on the basis of that message and, after success, sends the user terminal a response message containing the address of, and the credentials for, the single sign-on service entity or module.

The authentication method as described, comprising the steps of: the single sign-on service entity or module performs ID-WSF authentication of the user terminal and, after success, sends the user terminal an ID-WSF authentication success response message containing an authentication assertion.

The authentication method as described, comprising the steps of: the single sign-on service entity or module performs ID-WSF authentication of the user terminal, generates an authentication assertion and a corresponding artifact, stores the table of correspondence between assertions and artifacts, and includes the artifact in the ID-WSF authentication success response message subsequently sent to the user terminal.

The authentication method as described, comprising the steps of:
A1. The user terminal sends an application request message to the service provider entity;
A2. On receiving the application request message, the service provider entity first obtains the address of the authentication service entity or module and then sends a response message to the user terminal carrying an authentication request header field;
A3. The user terminal sends an application request message to the authentication service entity or module containing a Simple Authentication and Security Layer (SASL) request header field, which contains an authentication mechanism header field listing the authentication methods the user terminal supports;
A4. The authentication service entity or module sends the user terminal a challenge response message containing a SASL response header field, which contains a server authentication mechanism header field and a challenge header field; the server authentication mechanism header field records the authentication method selected by the authentication service entity or module.
A5. The user terminal interacts with the BSF to perform GBA authentication;
A6. The user terminal sends an application request message to the authentication service entity or module containing a SASL request header field; the SASL request header field contains a challenge response header field, which carries the bootstrapping transaction identifier and the authentication response digest;
A7. The authentication service entity or module obtains the shared key, user security settings, key lifetime, bootstrapping time and related information from the BSF over the Zn interface, authenticates the user terminal on the basis of the received SASL request header field and, after success, sends the user terminal a response message containing a SASL response header field, which carries the address of, and the credentials for, the single sign-on service entity or module.

The authentication method as described, wherein: a user terminal that supports both GBA authentication and ID-WSF authentication sets a GBA indicator in the application request message it sends to the authentication service entity or module; if the authentication service entity or module finds this GBA indicator, it instructs the user terminal to run the GBA authentication process first and then the ID-WSF authentication process; otherwise it instructs the user terminal to run only the ID-WSF authentication process.

The authentication method as described, wherein step A5 comprises the steps of:
B1. The user terminal sends a GBA authentication request message containing the private user identity to the BSF;
B2. On receiving the GBA authentication request message, the BSF obtains the user terminal's authentication vector from the user home network server;
B3. The BSF sends the user terminal a challenge message carrying the authentication sequence number parameter and the random parameter;
B4. The user terminal checks the validity of the authentication sequence number parameter and generates the expected result;
B5. The user terminal sends the BSF a message carrying the private user identity and the expected result;
B6. The BSF checks the validity of the expected result and generates the root key;
B7. The BSF sends the user terminal a GBA success response message carrying the bootstrapping transaction identifier and the root key lifetime;
B8. The user terminal stores the bootstrapping transaction identifier and the root key lifetime, and generates and stores the root key and the shared key.

The authentication method as described, comprising the steps of:
C1. The user terminal sends an application request message to the single sign-on service entity or module at its address;
C2. The single sign-on service entity or module performs authentication on the basis of the content of the received application request message and, after success, sends the user terminal a success response message containing an authentication assertion, which bears the digital signature of the single sign-on service entity or module;
C3. The user terminal sends the service provider entity an application request message containing the authentication assertion;
C4. The service provider entity processes the authentication assertion, verifies the digital signature of the single sign-on service entity or module, completes authentication of the user terminal, and sends the user terminal a response message.

The authentication method as described, comprising the steps of:
D1. The user terminal sends an application request message to the single sign-on service entity or module at its address;
D2. The single sign-on service entity or module performs authentication on the basis of the content of the received application request message, generates an authentication assertion and a corresponding artifact, stores the assertion together with the correspondence between the assertion and the artifact and, after success, sends the user terminal a success response message containing the artifact.
D3. The user terminal sends the service provider entity an application request message containing the artifact;
D4. The service provider entity sends the single sign-on service entity or module an application request message containing the artifact;
D5. The single sign-on service entity or module finds the authentication assertion corresponding to the artifact and sends the service provider entity a response message containing the assertion, which bears the digital signature of the single sign-on service entity or module;
D6. The service provider entity processes the authentication assertion, verifies the digital signature of the single sign-on service entity or module, completes authentication of the user terminal, and sends the user terminal a response message.

The authentication method as described, wherein: Simple Authentication and Security Layer ... encapsulation.

The authentication method as described, wherein: when the service provider entity receives a logout request message from the user terminal or from the single sign-on service entity or module, or when the session between the service provider entity and the user terminal terminates normally, or when the time in the re-authentication deadline header field of an authentication assertion received by the service provider entity has passed, or when the time in the validity deadline header field of an authentication assertion received by the service provider entity has passed, the service provider entity requires the user terminal to re-authenticate in its subsequent communication with the user terminal.

The authentication method as described, wherein the following local security policy is configured on the authentication service entity or module: when re-authenticating the user terminal, if the shared key of the two parties has not expired, only ID-WSF authentication of the user terminal is performed.

The authentication method as described, wherein the following local security policy is configured on the authentication service entity or module: when re-authenticating the user terminal, if the shared key of the two parties has not expired, both GBA authentication and ID-WSF authentication of the user terminal are performed.
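The artifact flow D1 to D6 together with the re-authentication conditions above, as an added example that is not taken from the patent: the SSOS issues a signed assertion and stores it under an artifact, the SP resolves the artifact, verifies the signature and afterwards enforces the re-authentication and validity deadlines and the logout case. An HMAC tag under a key assumed to be shared between the SSOS and the SP stands in for the SSOS's digital signature, artifacts are treated as single-use (an added check the claims do not state), and the field names, identities and times are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed key shared between SSOS and SP; a deployment would sign the
# assertion with the SSOS's private key instead of a MAC (see lead-in).
SSOS_SP_SHARED_KEY = b"constructed-ssos-sp-key"


def canonical(assertion: dict) -> bytes:
    """Stable byte encoding of the assertion fields that are covered by the tag."""
    return json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()


class SSOS:
    """Single sign-on service: issues assertions and resolves artifacts (D2, D5)."""

    def __init__(self, key: bytes):
        self.key = key
        self.artifacts = {}                      # artifact -> assertion (D2 table)

    def sign(self, assertion: dict) -> dict:
        tag = hmac.new(self.key, canonical(assertion), hashlib.sha256).hexdigest()
        return {**assertion, "signature": tag}

    def issue_artifact(self, subject: str, now: int, lifetime: int, reauth_after: int) -> str:
        # D2: generate and sign the assertion, store assertion <-> artifact, return artifact.
        assertion = self.sign({
            "issuer": "ssos.example",            # constructed issuer identity
            "subject": subject,
            "issue_instant": now,
            "not_on_or_after": now + lifetime,            # validity deadline field
            "reauthenticate_on_or_after": now + reauth_after,  # re-auth deadline field
        })
        artifact = secrets.token_urlsafe(20)
        self.artifacts[artifact] = assertion
        return artifact

    def resolve(self, artifact: str):
        # D5: look up the assertion for the artifact. Single-use here (added check):
        # a second resolution of the same artifact returns None.
        return self.artifacts.pop(artifact, None)


class SP:
    """Service provider: D3, D4, D6 plus the re-authentication conditions."""

    def __init__(self, key: bytes, ssos: SSOS):
        self.key = key
        self.ssos = ssos
        self.sessions = {}                       # subject -> verified assertion

    def verify_signature(self, assertion: dict) -> bool:
        body = {k: v for k, v in assertion.items() if k != "signature"}
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, assertion.get("signature", ""))

    def login_with_artifact(self, artifact: str, now: int) -> bool:
        # D4: forward the artifact to the SSOS; D6: verify the signature, then accept.
        assertion = self.ssos.resolve(artifact)
        if assertion is None or not self.verify_signature(assertion):
            return False
        if now >= assertion["not_on_or_after"]:  # already past the validity deadline
            return False
        self.sessions[assertion["subject"]] = assertion
        return True

    def needs_reauthentication(self, subject: str, now: int) -> bool:
        # Re-authentication is required when there is no session, or when either
        # the re-authentication deadline or the validity deadline has passed.
        a = self.sessions.get(subject)
        if a is None:
            return True
        return now >= a["reauthenticate_on_or_after"] or now >= a["not_on_or_after"]

    def logout(self, subject: str) -> None:
        # Logout request or normal session termination: drop the session so the
        # next request from this subject triggers re-authentication.
        self.sessions.pop(subject, None)


def run_scenario():
    """Constructed run of the flow; returns the observations for checking."""
    now = 1_700_000_000
    ssos = SSOS(SSOS_SP_SHARED_KEY)
    sp = SP(SSOS_SP_SHARED_KEY, ssos)
    alice = "alice@ims.example"                  # constructed user identity
    art = ssos.issue_artifact(alice, now, lifetime=600, reauth_after=300)
    first = sp.login_with_artifact(art, now)     # D3-D6 succeed
    replay = sp.login_with_artifact(art, now)    # artifact already consumed
    fresh = sp.needs_reauthentication(alice, now + 60)
    after_window = sp.needs_reauthentication(alice, now + 300)
    # Assertion altered after signing: the signature no longer verifies (D6).
    art2 = ssos.issue_artifact("bob@ims.example", now, 600, 300)
    ssos.artifacts[art2]["subject"] = "mallory@ims.example"
    tampered = sp.login_with_artifact(art2, now)
    sp.logout(alice)
    after_logout = sp.needs_reauthentication(alice, now + 61)
    return {"first": first, "replay": replay, "fresh": fresh,
            "after_reauth_window": after_window, "tampered": tampered,
            "after_logout": after_logout}


if __name__ == "__main__":
    print(run_scenario())
```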
The technical solution of the present invention improves on the prior-art ID-WSF and provides an entirely new interworking architecture, in which the functions of the original authentication service entity and single sign-on service entity and the network application function are implemented by different modules of a single NAF/AS/SSOS entity, namely the authentication service module, the single sign-on service module and the network application function module, thereby achieving interworking between ID-WSF and GBA. For both the existing interworking architecture and the interworking architecture provided by the invention, the invention also provides a method for authentication in the identity Web service system, so that interworking between GBA and ID-WSF is realized. This solves the problems that ID-WSF communication is not secure enough and that user terminal operation in the generic bootstrapping architecture is not simple enough, extends the application scenarios of user terminals, and removes many of the limits on user terminals using the wide variety of existing Web services.
DRAWINGS
The invention includes the following figures:
FIG. 1 is a schematic diagram of the prior art generic authentication architecture (GBA);
FIG. 2 is a flowchart of the UE performing the bootstrapping procedure in the prior art generic authentication architecture;
FIG. 3 is a flowchart of the prior art NAF obtaining the shared key Ks_(Ext/Int)_NAF;
FIG. 4 is a schematic diagram of the prior art identity federation framework (ID-FF);
FIG. 5 is a schematic diagram of the prior art ID-FF and GBA interworking architecture;
FIG. 6 is a schematic diagram of the prior art identity web services framework (ID-WSF);
FIG. 7 is a schematic diagram of a simplified form of the prior art ID-WSF;
FIG. 8 is a schematic diagram of the prior art ID-WSF including a single sign-on service entity (SSOS);
FIG. 9 is a schematic diagram of the prior art network architecture for GBA and ID-WSF interworking;
FIG. 10 is a schematic diagram of a network application function/authentication service/single sign-on service entity according to an embodiment of the present invention;
FIG. 11 is a schematic diagram of an identity web service system according to an embodiment of the present invention;
FIG. 12 is a flowchart of an authentication method that returns an Assertion to the UE when the NAF/AS and the SSOS are different entities, according to an embodiment of the present invention;
FIG. 13 is a flowchart of an authentication method that returns an Artifact to the UE when the NAF/AS and the SSOS are different entities, according to an embodiment of the present invention;
FIG. 14 is a flowchart of an authentication method that uses the network application function/authentication service/single sign-on service entity and returns an Assertion to the UE, according to an embodiment of the present invention;
FIG. 15 is a flowchart of an authentication method that uses the network application function/authentication service/single sign-on service entity and returns an Artifact to the UE, according to an embodiment of the present invention.
DETAILED DESCRIPTION
The present invention is described in further detail below with reference to the drawings and embodiments. To improve the security of prior art ID-WSF network communication and to realize interworking between ID-WSF and GBA, the present invention provides, as shown in FIG. 10, a network application function/authentication service/single sign-on service entity comprising a network application function module, an authentication service module and a single sign-on service module. The network application function module provides the functions of a network application function entity, the authentication service module provides the functions of an authentication service entity, and the single sign-on service module provides the functions of a single sign-on service entity. As shown in FIG. 11, the present invention provides an identity web service system comprising the user home network server (HSS) and the bootstrapping service function entity (BSF) of the generic authentication architecture, the network application function/authentication service/single sign-on service entity, a service provider entity and a user terminal. The user home network server and the bootstrapping service function entity communicate over the Zh interface; the bootstrapping service function entity and the user terminal communicate over the Ub interface; the network application function module and the bootstrapping service function entity communicate over the Zn interface; and the network application function module and the user terminal communicate over the Ua interface. The single sign-on service module and the user terminal communicate using the single sign-on and identity federation protocols described in the Security Assertion Markup Language, and the messages may be encapsulated in the Simple Object Access Protocol or the Hypertext Transfer Protocol. The user terminal and the authentication service module communicate using the Simple Authentication and Security Layer protocol, and the messages may likewise be encapsulated in the Simple Object Access Protocol or the Hypertext Transfer Protocol. Communication between the single sign-on service module and the service provider entity, and between the user terminal and the service provider entity, is encapsulated in the Simple Object Access Protocol or the Hypertext Transfer Protocol.
The present invention not only provides a network architecture for GBA and ID-WSF interworking that differs from the existing one, but also provides methods for implementing authentication on both architectures.
The method provided by the present invention for authenticating the UE when the NAF/AS and the SSOS are different entities is shown in FIG. 12 and FIG. 13. FIG. 12 and FIG. 13 have in common that the NAF/AS and the SSOS are different entities; the difference is that FIG. 12 is Embodiment 1, which returns an Assertion to the UE, and FIG. 13 is Embodiment 2, which returns an Artifact to the UE. The method provided by the present invention for authenticating the UE using the network application function/authentication service/single sign-on service entity is shown in FIG. 14 and FIG. 15. FIG. 14 and FIG. 15 have in common that the NAF/AS and the SSOS are the same entity; the difference is that FIG. 14 is Embodiment 3, which returns an Assertion to the UE, and FIG. 15 is Embodiment 4, which returns an Artifact to the UE.
It should be emphasized that the authentication methods shown in FIG. 12 and FIG. 13 are implemented in essentially the same steps as those shown in FIG. 14 and FIG. 15. The difference is that in FIG. 12 and FIG. 13 the single sign-on service entity and the authentication service entity that includes the network application function are two separately existing logical entities, whereas in FIG. 14 and FIG. 15 the functions of these two entities are performed by the three modules of one network application function/authentication service/single sign-on service entity, namely the network application function module, the single sign-on service module and the authentication service module.
Since the implementation of Embodiments 1 and 3, and of Embodiments 2 and 4, is essentially the same, the implementation of the authentication method of the present invention is set out below through a detailed description of Embodiment 1 and Embodiment 2. The main point of the authentication method of the present invention is that, to realize interworking between GBA and ID-WSF and to improve the security and convenience of ID-WSF network communication, the communication between the user terminal and the service provider entity of the identity web service system includes two authentication processes, namely the generic authentication architecture authentication process and the identity web service network architecture authentication process. In the generic authentication architecture authentication process, the bootstrapping service function entity generates the bootstrapping transaction identifier and the root key lifetime and sends them to the user terminal, and both the bootstrapping service function entity and the user terminal generate the root key. In the identity web service network architecture authentication process, the authentication service entity or authentication service module generates the credentials the user terminal needs to access the single sign-on service entity or single sign-on service module; the single sign-on service entity or single sign-on service module then either generates an authentication assertion and sends it to the user terminal, or generates an authentication assertion together with a corresponding authentication assertion link (artifact), stores the assertion and the correspondence between the assertion and its link, and sends the link to the user terminal.
In Embodiment 1 and Embodiment 2, the UE and the AS negotiate over the SASL protocol and use the HTTP DIGEST authentication method. If another authentication method is used, the digest-challenge header field (challenge header field) and the digest-response header field (challenge response header field) are replaced by the challenge header field and challenge response header field of the corresponding authentication method.
The following is a description of Embodiment 1:
Step 1: The UE sends an HTTP Request message (application request message) to the SP. For security, a TLS tunnel may be established between the UE and the SP beforehand.
Step 2: After receiving the HTTP Request message, the SP first obtains the address of the AS and then sends an HTTP Response message to the UE carrying an AuthnRequest header field (authentication request header field).
Step 3: Since the UE integrates the WSC (web service consumer) entity function, after receiving the response message containing the AuthnRequest header field from the SP, the UE knows through its WSC that it should authenticate to the AS over the SASL (Simple Authentication and Security Layer) protocol rather than to the IdP over the HTTP DIGEST protocol. The UE sends an HTTP Request message to the AS carrying a SOAP (Simple Object Access Protocol) encapsulated SASLRequest header field (SASL request header field), whose mechanism header field (authentication mechanism header field) contains the list of authentication methods supported by the UE, for example mechanism="CRAM-MD5 DIGEST-MD5", where DIGEST-MD5 denotes the HTTP DIGEST authentication method.
Step 4: The AS returns an HTTP Response message to the UE carrying a SOAP-encapsulated SASLResponse header field (SASL response header field). The serverMechanism header field of the SASLResponse records the authentication method the AS selected from the list supported by the UE (for example serverMechanism="DIGEST-MD5" indicates that the AS selected HTTP DIGEST), and the message also carries a digest-challenge header field (challenge header field).
Step 5: The UE sends a GBA authentication request message to the BSF containing its private user identity (IMPI), requesting mutual authentication with the BSF.
Step 6: After receiving the GBA authentication request message from the UE, the BSF first obtains the authentication vector information of this UE from the HSS, i.e. the authentication vector (authentication sequence number parameter AUTN, random parameter RAND, integrity key IK, confidentiality key CK, expected result XRES).
Step 7: The BSF stores XRES, IK and CK, and sends the UE a message carrying AUTN and RAND.
Step 8: The UE runs the AKA algorithm, checks the validity of AUTN to authenticate the BSF, generates the result RES, and derives the integrity key IK and the confidentiality key CK from RAND.
Step 9: The UE sends the BSF a message carrying the IMPI and the result RES.
Step 10: The BSF compares RES with the stored XRES; if the two match, authentication of the UE is complete, and the BSF generates the root key Ks from the stored IK and CK.
Step 11: The BSF sends a GBA success response message to the UE carrying the bootstrapping transaction identifier (B-TID) and the lifetime of the root key Ks.
Step 12: The UE stores the B-TID and the lifetime of the root key Ks, generates the root key Ks from IK and CK, and then generates and stores the shared key Ks_(Ext/Int)_NAF.
Step 13: The UE again sends an HTTP Request message to the AS carrying a SOAP-encapsulated SASLRequest header field. The mechanism header field of the SASLRequest is set to the authentication method the AS selected in step 4 (here HTTP DIGEST), and the digest-response header field (challenge response header field) of the SASLRequest contains a username header field in which the B-TID is filled in, together with the authentication response digest computed with the key Ks_(Ext/Int)_NAF.
Step 14: The AS and the NAF are on one entity. If the AS does not hold the relevant Ks_(Ext/Int)_NAF key and related information, it can obtain Ks_(Ext/Int)_NAF, the USS, the key lifetime, the bootstrapping time and other information from the BSF over the Zn interface, where the USS may contain identity federation related information.
Step 15: Using the obtained Ks_(Ext/Int)_NAF key information, the AS processes the digest-response in the SASLRequest header field above. Once AS authentication succeeds, it sends an HTTP Response message to the UE carrying a SOAP-encapsulated SASLResponse header field that contains the SSOS address and a ServiceType field; the ServiceType field contains urn:liberty:ssos:2004-04, and the response also carries other SSO-related information such as the credentials required to access the SSOS.
Step 16: Using the SSOS address obtained in step 15, the UE sends an HTTP Request message to the SSOS to request the Assertion it needs to access the SP, carrying SOAP-encapsulated samlp2:AuthnRequest, sb:Correlation and wsse:Security header fields. Depending on the specific application and network model, the AuthnRequest header field may be the one returned by the SP in step 2 or may be generated by the UE itself; it contains the authentication operations the recipient of the AuthnRequest is required to perform, and its ProtocolBinding header field is set to urn:liberty:iff:profiles:id-wsf to indicate that the SAML protocol binding is to be used. The wsse:Security header field contains the credentials for accessing the SSOS that were returned in the previous step, and the sb:Correlation header field is used mainly to associate the response message returned by the SSOS with the corresponding request message.
Step 17: The SSOS performs authentication according to the content of the received HTTP Request message. After successful authentication the SSOS may tell the UE which SPs it can federate its identity with; the UE agrees to and completes identity federation with the SP. The SSOS then returns an HTTP Response message carrying a SOAP-encapsulated samlp2:Response header field, in which the Response header field contains the saml:Assertion header field needed to access the SP (including the digital signature of the SSOS).
Step 18: The UE again sends an HTTP Request message to the SP carrying the SOAP-encapsulated saml:Assertion header field returned in the previous step.
Step 19: The SP processes the saml:Assertion header field, verifies the digital signature of the SSOS, and completes authentication of the UE according to the identity federation information shared with the SSOS; on success it returns an HTTP Response message.
Additional notes:
Depending on the identity policy in the AuthnRequest, the AS may require the UE to perform steps 5 to 12 before step 13 every time, so that the user identifier B-TID and the key Ks_(Ext/Int)_NAF are freshly generated each time. Alternatively:
If a security association has already been established between the UE and the AS and the Ks_(Ext/Int)_NAF key has not expired, steps 3 to 12 are skipped and step 13 is performed directly, i.e. the digest-response header field in the SASLRequest header field of the HTTP Request that the UE sends to the AS contains a username header field holding the B-TID, together with the authentication response digest computed with the shared key Ks_(Ext/Int)_NAF.
If no security association has been established between the UE and the AS, steps 3 to 12 must be performed first, i.e. the normal GBA bootstrapping procedure is run to obtain the B-TID and the key information Ks_(Ext/Int)_NAF, and step 13 is performed afterwards.
If a security association has been established between the UE and the AS but the Ks_(Ext/Int)_NAF key has expired or is about to expire, step 3 also carries the existing B-TID and the authentication response digest computed with the key Ks_(Ext/Int)_NAF; the AS then challenges the UE in step 4, the UE performs steps 5 to 12 (the normal GBA authentication procedure) to obtain an updated B-TID and shared key Ks_(Ext/Int)_NAF, and then performs step 13.
In addition, for a UE that supports both the GBA and the SSO mechanisms of the present invention: when the UE sends the HTTP request to the AS in step 3, it needs to carry an indicator that it supports the GBA mechanism. For example, for an ME (Mobile Equipment) based application the User-Agent header field is set to "3gpp-gba", and for a UICC (Universal Integrated Circuit Card) based application the User-Agent header field is set to "3gpp-gba-uicc". When the AS finds that the UE supports GBA, the challenge it sends in step 4 also carries an indicator that the UE is required to perform the GBA mechanism: for an ME-based application the realm parameter of the digest-challenge header field is set to "3gpp-gba@<NAF domain name>", and for a UICC-based application the realm parameter of the digest-challenge header field is set to "3gpp-gba-uicc@<NAF domain name>".
If the UE finds this indicator in the challenge, it knows that it must first perform the GBA procedure (steps 3 to 12) and then step 13; otherwise it performs step 13 directly, obtaining the username and password through the existing SSO mechanism, for example by presenting a dialog box in which the user enters the username and password.
When the UE sends the HTTP request to the AS again in step 13, it also needs to carry an indicator that it supports the GBA mechanism, as in step 3. If the AS finds this indicator, it knows that it must first perform step 14 and then step 15; otherwise it performs step 15 directly.
The same purpose can also be achieved by configuring the AS. The points above apply equally to Embodiment 2 below.
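Steps 13 to 15 of Embodiment 1 and the additional notes above describe the same exchange from two sides: the UE decides from the digest-challenge realm and the state of its security association whether to bootstrap first, then presents the B-TID as the Digest username with a digest computed from Ks_(Ext/Int)_NAF, and the AS fetches that key over Zn, checks its lifetime and verifies the digest before handing out the SSOS endpoint and credentials. The following is an added example that is not part of the patent: it models both sides with the standard library, using a dictionary as the BSF's Zn lookup, generic SOAP-free dictionaries for the SASLRequest/SASLResponse content, and the assumption (from 3GPP TS 33.222, not stated on this page) that the Digest password is the base64 encoding of Ks_NAF.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

SSOS_SERVICE_TYPE = "urn:liberty:ssos:2004-04"

def _h(*parts: str) -> str:
    """RFC 2617 H(): MD5 over the colon-joined parts, lowercase hex."""
    return hashlib.md5(":".join(parts).encode()).hexdigest()

def digest_response(username, realm, password, nonce, nc, cnonce, method, uri, qop="auth"):
    """HTTP Digest response value (DIGEST-MD5, qop=auth) as carried in digest-response."""
    return _h(_h(username, realm, password), nonce, nc, cnonce, qop, _h(method, uri))

def gba_realm(naf_fqdn: str, uicc_based: bool) -> str:
    """Realm the AS puts in digest-challenge (step 4) to ask the UE to run GBA."""
    return ("3gpp-gba-uicc@" if uicc_based else "3gpp-gba@") + naf_fqdn

@dataclass
class SecurityAssociation:
    """What the UE holds after steps 5-12: B-TID, Ks_(Ext/Int)_NAF and its lifetime."""
    b_tid: str
    ks_naf: bytes
    expires_at: int  # epoch seconds, from the key lifetime returned in step 11

def ue_needs_bootstrapping(realm: str, sa: Optional[SecurityAssociation], now: int) -> bool:
    """UE-side decision from the additional notes: run steps 5-12, or go straight to 13."""
    if realm.split("@", 1)[0] not in ("3gpp-gba", "3gpp-gba-uicc"):
        return False              # no GBA indicator: legacy SSO username/password path
    if sa is None:
        return True               # no security association yet: full GBA bootstrapping
    return now >= sa.expires_at   # key expired (or expiring): bootstrap again first

def ue_build_step13(sa: SecurityAssociation, challenge: dict, method="POST", uri="/sasl") -> dict:
    """Step 13: digest-response with username = B-TID and password = base64(Ks_NAF).
    The base64 password encoding is an assumption taken from 3GPP TS 33.222."""
    cnonce = secrets.token_hex(8)
    password = base64.b64encode(sa.ks_naf).decode()
    dr = {"username": sa.b_tid, "realm": challenge["realm"], "nonce": challenge["nonce"],
          "nc": "00000001", "cnonce": cnonce, "uri": uri, "qop": "auth"}
    dr["response"] = digest_response(sa.b_tid, dr["realm"], password, dr["nonce"],
                                     dr["nc"], cnonce, method, uri)
    return {"mechanism": "DIGEST-MD5", "digest-response": dr, "User-Agent": "3gpp-gba"}

class AuthServer:
    """NAF/AS side: step 4 (challenge), step 14 (Zn fetch), step 15 (verify, return SSOS EPR)."""
    def __init__(self, naf_fqdn: str, zn_lookup: Callable[[str], Optional[tuple]], ssos_address: str):
        self.realm = gba_realm(naf_fqdn, uicc_based=False)
        self.zn_lookup = zn_lookup            # B-TID -> (Ks_NAF, expires_at) from the BSF
        self.ssos_address = ssos_address
        self._nonces: set = set()

    def challenge(self) -> dict:
        nonce = secrets.token_hex(16)
        self._nonces.add(nonce)
        return {"serverMechanism": "DIGEST-MD5", "realm": self.realm, "nonce": nonce}

    def handle_step13(self, sasl_request: dict, now: int, method="POST") -> Optional[dict]:
        dr = sasl_request["digest-response"]
        if dr["realm"] != self.realm or dr["nonce"] not in self._nonces:
            return None                      # stale or foreign challenge
        self._nonces.discard(dr["nonce"])    # each nonce is accepted once
        entry = self.zn_lookup(dr["username"])   # step 14: fetch by B-TID over Zn
        if entry is None:
            return None                      # unknown B-TID
        ks_naf, expires_at = entry
        if now >= expires_at:
            return None                      # expired key: UE must re-run steps 5-12
        expected = digest_response(dr["username"], dr["realm"], base64.b64encode(ks_naf).decode(),
                                   dr["nonce"], dr["nc"], dr["cnonce"], method, dr["uri"], dr["qop"])
        if not hmac.compare_digest(expected, dr["response"]):
            return None                      # digest was not computed with this Ks_NAF
        return {"serverMechanism": "DIGEST-MD5",   # step 15 SASLResponse content
                "EndpointReference": {"Address": self.ssos_address,
                                      "ServiceType": SSOS_SERVICE_TYPE},
                "Credentials": secrets.token_urlsafe(16)}

def run_flow(key_expires_at: int, now: int, tamper: bool = False) -> Optional[dict]:
    """Wire the pieces together with constructed values; returns the step 15 response or None."""
    ks_naf, b_tid = bytes(range(32)), "c0ffee@bsf.example.com"       # constructed
    bsf_store = {b_tid: (ks_naf, key_expires_at)}                      # stand-in BSF state
    sa = SecurityAssociation(b_tid, ks_naf, key_expires_at)
    auth = AuthServer("naf.example.com", bsf_store.get, "https://ssos.example.com/ssos")
    request = ue_build_step13(sa, auth.challenge())
    if tamper:
        request["digest-response"]["response"] = "0" * 32               # forged digest
    return auth.handle_step13(request, now)
```

The digest helper reproduces the RFC 2617 worked example exactly, and run_flow shows the three outcomes the notes distinguish: a valid key yields the SSOS endpoint reference, an expired key is refused so the UE has to bootstrap again, and a digest not computed from Ks_NAF is rejected.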
The following is a description of Embodiment 2. Steps 1 to 16 are identical to steps 1 to 16 of Embodiment 1, specifically:
Step 1: The UE sends an HTTP Request message to the SP.
Step 2: After receiving the HTTP Request message, the SP first obtains the address of the AS and then sends an HTTP Response message to the UE carrying an AuthnRequest header field.
Step 3: Since the UE integrates the WSC entity function, after receiving the response message containing the AuthnRequest header field from the SP, the UE knows through its WSC that it should authenticate to the AS over the SASL protocol rather than to the IdP over the HTTP DIGEST protocol. The UE sends an HTTP Request message to the AS carrying a SOAP-encapsulated SASLRequest header field, whose mechanism header field contains the list of authentication methods supported by the UE, for example mechanism="CRAM-MD5 DIGEST-MD5", where DIGEST-MD5 denotes the HTTP DIGEST authentication method.
Step 4: The AS returns an HTTP Response message to the UE carrying a SOAP-encapsulated SASLResponse header field. The serverMechanism header field (server authentication mechanism header field) of the SASLResponse records the authentication method the AS selected from the list supported by the UE (for example serverMechanism="DIGEST-MD5" indicates that the AS selected HTTP DIGEST), and the message also carries the challenge header field digest-challenge.
Step 5: The UE sends a GBA authentication request message to the BSF containing its private user identity (IMPI), requesting mutual authentication with the BSF.
Step 6: After receiving the GBA authentication request message from the UE, the BSF first obtains the authentication vector information of this UE from the HSS, i.e. the authentication vector (authentication sequence number parameter AUTN, random parameter RAND, integrity key IK, confidentiality key CK, expected result XRES).
Step 7: The BSF stores XRES, IK and CK, and sends the UE a message carrying AUTN and RAND.
Step 8: The UE runs the AKA algorithm, checks the validity of AUTN to authenticate the BSF, generates the result RES, and derives the integrity key IK and the confidentiality key CK from RAND.
Step 9: The UE sends the BSF a message carrying the IMPI and the result RES.
Step 10: The BSF compares RES with the stored XRES; if the two match, authentication of the UE is complete, and the BSF generates the root key Ks from the stored IK and CK.
Step 11: The BSF sends a GBA success response message to the UE carrying the bootstrapping transaction identifier (B-TID) and the lifetime of the root key Ks.
Step 12: The UE stores the B-TID and the lifetime of the root key Ks, generates the root key Ks from IK and CK, and then generates and stores the shared key Ks_(Ext/Int)_NAF.
Step 13: The UE again sends an HTTP Request message to the AS carrying a SOAP-encapsulated SASLRequest header field. The mechanism header field of the SASLRequest is set to the authentication method the AS selected in step 4 (HTTP DIGEST in this embodiment), and the challenge response header field digest-response contains a username header field in which the B-TID is filled in, together with the authentication response digest computed with the key Ks_(Ext/Int)_NAF.
Step 14: The AS and the NAF are on one entity. If the AS does not hold the relevant Ks_(Ext/Int)_NAF key and related information, it can obtain Ks_(Ext/Int)_NAF, the USS, the key lifetime, the bootstrapping time and other information from the BSF over the Zn interface, where the USS may contain identity federation related information.
Step 15: The AS processes the SASLRequest header field above. Once AS authentication succeeds, it sends an HTTP Response message to the UE carrying a SOAP-encapsulated SASLResponse header field; the ID-WSF EPR (EndpointReference header field) in the SASLResponse contains the SSOS address, the ServiceType field in the SASLResponse is set to urn:liberty:ssos:2004-04, and the credentials required to access the SSOS are included.
Step 16: The UE sends an HTTP Request message to the SSOS obtained in the previous step to request the Assertion it needs to access the SP, carrying SOAP-encapsulated samlp2:AuthnRequest, sb:Correlation and wsse:Security header fields. Depending on the specific application and network model, the AuthnRequest header field may be the one returned by the SP in step 2 or may be generated by the UE itself; it contains the authentication operations the recipient of the AuthnRequest is required to perform, and its ProtocolBinding header field is set to urn:liberty:iff:profiles:id-wsf to indicate the SAML protocol binding to be used. The wsse:Security header field contains the credentials (Credentials header field) for accessing the SSOS that were returned in the previous step, and the sb:Correlation header field is used mainly to associate the response message returned by the SSOS with the corresponding request message.
步骤 17: SSOS处理收到的 HTTP Request消息, 生成相应的 Artifact和 Assertion, 并保存两者之间的关系, 然后返回 HTTP Response成功响应消 息, 其中携带 SOAP协议封装的 samlp2:Response头域; 其中 Response头域 包含访问 SP所需要的 saml: Assertion对应的 Artifact头域;  Step 17: The SSOS processes the received HTTP Request message, generates the corresponding Artifact and Assertion, and saves the relationship between the two, and then returns an HTTP Response success response message, which carries the Samlp2:Response header field encapsulated by the SOAP protocol; The header field contains the Artifact header field corresponding to the saml: Assertion required to access the SP;
本步骤中给 UE返回的响应中包含 "Artifact" , 而图 12 (实施例 1 ) 中 步骤 17给 UE返回的响应中包含 "Assertion" , 因而导致了后续处理不同。  The response returned to the UE in this step includes "Artifact", and the response returned to the UE in step 17 of Figure 12 (Embodiment 1) contains "Assertion", thus causing subsequent processing to be different.
步驟 18: UE再次向 SP发送 HTTP Request消息,其中携带 SOAP协议封 装的步驟 17中返回的 Artifact头域;  Step 18: The UE sends an HTTP Request message to the SP again, where the Artifact header field returned in step 17 of the SOAP protocol encapsulation is carried;
步骤 19: SP向 SSOS发送 HTTP Request消息, 其中携带 SOAP协议封 装的上一步得到的 Artifact头域, 请求用于对 UE鉴权处理的 Assertion; 步骤 20 : SSOS根据 Artifact找到对应的 Assertion , 然后返回 HTTP Response消息, 其中携带 SOAP协议封装的 saml:Assertion (其中包含 SSOS 的数字签名);  Step 19: The SP sends an HTTP Request message to the SSOS, where the Artifact header field obtained in the previous step of the SOAP protocol encapsulation is used to request an Assertion for the UE authentication process. Step 20: The SSOS finds the corresponding Assertion according to the Artifact, and then returns the HTTP. Response message, which carries the saml:Assertion encapsulated by the SOAP protocol (which contains the digital signature of the SSOS);
步骤 21 : SP处理上述 saml:Assertion头域, 并验证其数字签名, 根据 和 SSOS的身份标识联盟信息对 UE完成鉴权, 成功后返回一个 HTTP Response消息。 Step 21: The SP processes the saml:Assertion header field, and verifies the digital signature thereof, and performs authentication on the UE according to the identity information of the SSOS, and returns an HTTP after success. Response message.
After the authentication procedure of Embodiment 1 or Embodiment 2 has been completed, the UE and the SP may continue to communicate; the UE must be re-authenticated when any of the following occurs:
1. The SP receives a LogoutRequest message (logout request) from the UE or from the SSOS;
2. The session between the SP and the UE terminates normally;
3. The time given by the ReauthenticateOnOrAfter field of the AuthenticationStatement in the Assertion received by the SP has passed;
4. The time given by the NotOnOrAfter field of the Conditions element in the Assertion received by the SP has passed.
At its next interaction with the UE, the SP sends a new HTTP Response message carrying an AuthnRequest to the UE, indicating that re-authentication is required, after which the procedure of Embodiment 1 or Embodiment 2 is repeated from step 3.
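The artifact profile of steps 17 to 21 and the four re-authentication conditions just listed, as an added example that is not part of the patent or of any Liberty/3GPP implementation. It models the SSOS keeping the Artifact-to-Assertion table and handing the Assertion out once, the SP verifying issuer, audience, signature and validity window, and the SP deciding from NotOnOrAfter and ReauthenticateOnOrAfter whether a fresh AuthnRequest is due. Assumptions: the assertion is a JSON dictionary rather than a SAML XML document, the identifiers ssos.example.net and sp.example.com are constructed, and an HMAC over the serialized assertion stands in for the SSOS's digital signature so the code runs without an XML-DSig library (with a real signature the SP would hold only the SSOS public key and could not forge assertions itself).

```python
import hashlib
import hmac
import json
import secrets

# Constructed identifiers for the example; an HMAC with a key shared by SSOS and SP
# stands in for the SSOS digital signature (see the lead-in).
SSOS_ID = "ssos.example.net"
SP_ID = "sp.example.com"


def canonical(assertion: dict) -> bytes:
    """Deterministic serialization of the assertion body that gets signed."""
    return json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()


class SSOS:
    """Single sign-on service: issues signed assertions (Embodiment 1) or
    one-time artifacts that resolve to them (Embodiment 2)."""

    def __init__(self, signing_key: bytes):
        self.signing_key = signing_key
        self.artifacts = {}  # Artifact -> signed Assertion (the stored correspondence table)

    def issue_assertion(self, subject: str, audience: str, now: int,
                        validity: int = 7200, reauth_after: int = 3600) -> dict:
        assertion = {
            "Issuer": SSOS_ID,
            "Subject": subject,  # federated alias shared between SSOS and SP
            "Conditions": {"NotBefore": now, "NotOnOrAfter": now + validity,
                           "Audience": audience},
            "AuthenticationStatement": {"AuthenticationInstant": now,
                                        "ReauthenticateOnOrAfter": now + reauth_after},
        }
        signature = hmac.new(self.signing_key, canonical(assertion), hashlib.sha256).hexdigest()
        return {"Assertion": assertion, "Signature": signature}

    def issue_artifact(self, subject: str, audience: str, now: int) -> str:
        """Step 17: generate Assertion and Artifact, keep the mapping, return only the Artifact."""
        signed = self.issue_assertion(subject, audience, now)
        artifact = secrets.token_urlsafe(20)
        self.artifacts[artifact] = signed
        return artifact

    def resolve_artifact(self, artifact: str):
        """Step 20: return the Assertion for an Artifact. The mapping is removed on
        first use, so a captured Artifact cannot be presented to the SP twice."""
        return self.artifacts.pop(artifact, None)


class ServiceProvider:
    def __init__(self, verify_key: bytes, ssos: SSOS):
        self.verify_key = verify_key
        self.ssos = ssos
        self.sessions = {}  # Subject -> accepted Assertion

    def verify_assertion(self, signed: dict, now: int):
        """Step 21 / C4: check the SSOS signature, then issuer, audience and validity window."""
        assertion = signed["Assertion"]
        expected = hmac.new(self.verify_key, canonical(assertion), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(signed["Signature"], expected):
            return False, "bad signature"
        cond = assertion["Conditions"]
        if assertion["Issuer"] != SSOS_ID or cond["Audience"] != SP_ID:
            return False, "wrong issuer or audience"
        if not cond["NotBefore"] <= now < cond["NotOnOrAfter"]:
            return False, "outside validity window"
        return True, "ok"

    def login_with_assertion(self, signed: dict, now: int):
        """Embodiment 1 (claim 10): the UE presents the Assertion itself."""
        ok, why = self.verify_assertion(signed, now)
        if ok:
            self.sessions[signed["Assertion"]["Subject"]] = signed["Assertion"]
        return ok, why

    def login_with_artifact(self, artifact: str, now: int):
        """Embodiment 2 (claim 11): the UE presents the Artifact, the SP resolves it at the SSOS (steps 19-20)."""
        signed = self.ssos.resolve_artifact(artifact)
        if signed is None:
            return False, "unknown or already used artifact"
        return self.login_with_assertion(signed, now)

    def must_reauthenticate(self, subject: str, now: int,
                            logout_received: bool = False, session_ended: bool = False) -> bool:
        """The four re-authentication conditions; True means the SP sends a fresh AuthnRequest next time."""
        assertion = self.sessions.get(subject)
        if assertion is None or logout_received or session_ended:
            return True
        if now >= assertion["AuthenticationStatement"]["ReauthenticateOnOrAfter"]:
            return True
        return now >= assertion["Conditions"]["NotOnOrAfter"]


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    ssos, sp = SSOS(key), ServiceProvider(key, ssos)
    art = ssos.issue_artifact("alias-4711", SP_ID, now=1000)
    print(sp.login_with_artifact(art, now=1001))                 # first use succeeds
    print(sp.login_with_artifact(art, now=1002))                 # replay of the same Artifact fails
    print(sp.must_reauthenticate("alias-4711", now=1000 + 3600))  # ReauthenticateOnOrAfter reached
```

Note that ReauthenticateOnOrAfter is deliberately set earlier than NotOnOrAfter: the assertion still verifies as valid at that point, but the SP must nevertheless ask the UE to authenticate again, which is the distinction between conditions 3 and 4 above.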
For ID-WSF, when in step 4 the AS receives the HTTP Request message from the UE and Ks_(ext)_NAF has not yet expired, the local security policy configured on the AS decides whether a new GBA authentication procedure is run or skipped. If no new GBA procedure is run, steps 3 to 12 and step 14 can be omitted; the message contents of steps 13, 15 and 16 are the same as in the previous run; in step 17 the SSOS must generate a new Assertion (and, in Embodiment 2, a new Artifact as well); the remaining steps are unchanged.
If a new GBA procedure is to be run, all remaining steps of Embodiment 1 or Embodiment 2 are executed again.
The embodiment of Figure 14 is essentially the same as that of Figure 12, and the embodiment of Figure 15 is essentially the same as that of Figure 13; the only difference is that in Figures 12 and 13 the NAF/AS is one logical entity and the SSOS is another, whereas in Figures 14 and 15 the NAF/AS/SSOS is a single logical entity.
Although the invention has been illustrated and described with reference to its preferred embodiments, those of ordinary skill in the art will understand that various changes in form and detail may be made without departing from the spirit and scope of the invention as defined by the appended claims.

Claims

1. An identity web service framework system, comprising a home subscriber server and a bootstrapping server function entity of a generic authentication architecture (GAA), a service provider entity and a user terminal, wherein the home subscriber server and the bootstrapping server function entity communicate over the Zh interface and the bootstrapping server function entity and the user terminal communicate over the Ub interface, characterized in that the system comprises a network application function / authentication service / single sign-on service entity, which comprises a network application function module, an authentication service module and a single sign-on service module; the network application function module provides the functions of a network application function entity, the authentication service module provides the functions of an authentication service entity, and the single sign-on service module provides the functions of a single sign-on service entity; the network application function module communicates with the bootstrapping server function entity over the Zn interface, and the network application function module communicates with the user terminal over the Ua interface.
2. The identity web service framework system according to claim 1, characterized in that: the single sign-on service module and the user terminal communicate with each other using the single sign-on and identity federation protocol described in the Security Assertion Markup Language (SAML), with communication messages encapsulated in the Simple Object Access Protocol (SOAP) or the Hypertext Transfer Protocol (HTTP); the authentication service module and the user terminal communicate with each other using the Simple Authentication and Security Layer (SASL) protocol, with communication messages encapsulated in SOAP or HTTP; communication between the single sign-on service module and the service provider entity is encapsulated in SOAP; and communication between the user terminal and the service provider entity is encapsulated in SOAP or HTTP.
3. An authentication method for an identity web service framework system, characterized in that it comprises the steps of: the communication between the user terminal and the service provider entity of the identity web service framework system includes two authentication procedures, a generic authentication architecture (GAA) authentication procedure and an identity web service framework (ID-WSF) authentication procedure; in the GAA authentication procedure, the bootstrapping server function entity generates a bootstrapping transaction identifier and a root key lifetime and sends them to the user terminal, and both the bootstrapping server function entity and the user terminal generate a root key; in the ID-WSF authentication procedure, the authentication service entity or authentication service module generates the credential the user terminal needs in order to access the single sign-on service entity or single sign-on service module; the single sign-on service entity or single sign-on service module either generates an authentication assertion and sends it to the user terminal, or generates an authentication assertion and a corresponding assertion artifact, stores a table mapping the assertion to the artifact, and sends the artifact to the user terminal.
4. The authentication method for an identity web service framework system according to claim 3, characterized in that it comprises the steps of: the user terminal sends an ID-WSF authentication request message to the corresponding authentication service entity or module; the authentication service entity or module sends the user terminal a challenge response message requiring it to perform GAA authentication; the bootstrapping server function entity performs GAA authentication of the user terminal and, on success, sends the user terminal a GAA authentication success response message containing the bootstrapping transaction identifier and the root key lifetime; the user terminal sends an application request message to the authentication service entity or module, which authenticates the user terminal on the basis of that application request message and, once authentication succeeds, sends the user terminal a response message containing the address of, and the credential for, the single sign-on service entity or module.
5. The authentication method for an identity web service framework system according to claim 4, characterized in that it comprises the steps of: the single sign-on service entity or module performs ID-WSF authentication of the user terminal and, on success, sends the user terminal an ID-WSF authentication success response message containing an authentication assertion.
6. The authentication method for an identity web service framework system according to claim 4, characterized in that it comprises the steps of: the single sign-on service entity or module performs ID-WSF authentication of the user terminal, generates an authentication assertion and a corresponding assertion artifact, stores a table mapping the assertion to the artifact, and includes the assertion artifact in the ID-WSF authentication success response message it subsequently sends to the user terminal.
7. The authentication method for an identity web service framework system according to claim 4, characterized in that it comprises the steps of:
A1. the user terminal sends an application request message to the service provider entity;
A2. after receiving the application request message, the service provider entity first obtains the address of the authentication service entity or module and then sends the user terminal a response message carrying an authentication request header;
A3. the user terminal sends the authentication service entity or module an application request message containing a SASL request header, which contains an authentication mechanism header listing the authentication methods supported by the user terminal;
A4. the authentication service entity or module sends the user terminal a challenge response message containing a SASL response header, which contains a server mechanism header and a challenge header, the server mechanism header recording the authentication method selected by the authentication service entity or module;
A5. the user terminal interacts with the bootstrapping server function entity to perform GAA authentication;
A6. the user terminal sends the authentication service entity or module an application request message containing a SASL request header, which contains a challenge response header carrying the bootstrapping transaction identifier and the authentication response digest;
A7. the authentication service entity or module obtains the shared key, the user security settings, the key lifetime, the bootstrapping time and related information from the bootstrapping server function entity over the Zn interface, authenticates the user terminal on the basis of the received SASL request header and, once authentication succeeds, sends the user terminal a response message containing a SASL response header that carries the address of, and the credential for, the single sign-on service entity or module.
8. The authentication method for an identity web service framework system according to claim 7, characterized in that: a user terminal that supports both GAA authentication and ID-WSF authentication sets a GAA indicator in the application request message it sends to the authentication service entity or module; if the authentication service entity or module finds this GAA indicator, it instructs the user terminal to run the GAA authentication procedure first and then the ID-WSF authentication procedure, otherwise it instructs the user terminal to run only the ID-WSF authentication procedure.
9. The authentication method for an identity web service framework system according to claim 7, characterized in that step A5 comprises the steps of:
B1. the user terminal sends the bootstrapping server function entity a GAA authentication request message containing the private user identity;
B2. after receiving the GAA authentication request message, the bootstrapping server function entity obtains the authentication vector of the user terminal from the home subscriber server;
B3. the bootstrapping server function entity sends the user terminal a challenge message carrying the authentication sequence number parameter and the random parameter;
B4. the user terminal checks the validity of the authentication sequence number parameter and generates the expected result;
B5. the user terminal sends the bootstrapping server function entity a message carrying the private user identity and the expected result;
B6. the bootstrapping server function entity checks the validity of the expected result and generates the root key;
B7. the bootstrapping server function entity sends the user terminal a GAA success response message carrying the bootstrapping transaction identifier and the root key lifetime;
B8. the user terminal stores the bootstrapping transaction identifier and the root key lifetime, and generates and stores the root key and the shared key.
10. The authentication method for an identity web service framework system according to claim 5, characterized in that it comprises the steps of:
C1. the user terminal sends an application request message to the single sign-on service entity or module, using the address of the single sign-on service entity or module;
C2. the single sign-on service entity or module performs authentication according to the content of the received application request message and, on success, sends the user terminal a success response message containing an authentication assertion, which carries the digital signature of the single sign-on service entity or module;
C3. the user terminal sends the service provider entity an application request message containing the authentication assertion;
C4. the service provider entity processes the authentication assertion, verifies the digital signature of the single sign-on service entity or module, completes the authentication of the user terminal and sends a response message to the user terminal.
11. The authentication method for an identity web service framework system according to claim 6, characterized in that it comprises the steps of:
D1. the user terminal sends an application request message to the single sign-on service entity or module, using the address of the single sign-on service entity or module;
D2. the single sign-on service entity or module performs authentication according to the content of the received application request message, generates an authentication assertion and a corresponding assertion artifact, stores the assertion together with the correspondence between the assertion and the artifact and, on success, sends the user terminal a success response message containing the assertion artifact;
D3. the user terminal sends the service provider entity an application request message containing the assertion artifact;
D4. the service provider entity sends the single sign-on service entity or module an application request message containing the assertion artifact;
D5. the single sign-on service entity or module finds the corresponding authentication assertion from the assertion artifact and sends the service provider entity a response message containing the authentication assertion, which carries the digital signature of the single sign-on service entity or module;
D6. the service provider entity processes the authentication assertion, verifies the digital signature of the single sign-on service entity or module, completes the authentication of the user terminal and sends a response message to the user terminal.
12. The authentication method for an identity web service framework system according to any one of claims 7, 8, 10 and 11, characterized in that: the SASL request header and the SASL response header are encapsulated in SOAP.
13. The authentication method for an identity web service framework system according to claim 5, characterized in that: when the service provider entity receives a logout request message sent by the user terminal, the single sign-on service entity or the single sign-on service module, or when the session between the service provider entity and the user terminal terminates normally, or when the time given by the re-authentication deadline field (ReauthenticateOnOrAfter) of the authentication assertion received by the service provider entity has passed, or when the time given by the validity deadline field (NotOnOrAfter) of the authentication assertion received by the service provider entity has passed, the service provider entity requires the user terminal to re-authenticate in its subsequent communication with the user terminal.
14. The authentication method for an identity web service framework system according to claim 6, characterized in that: when the service provider entity receives a logout request message sent by the user terminal, the single sign-on service entity or the single sign-on service module, or when the session between the service provider entity and the user terminal terminates normally, or when the time given by the re-authentication deadline field (ReauthenticateOnOrAfter) of the authentication assertion received by the service provider entity has passed, or when the time given by the validity deadline field (NotOnOrAfter) of the authentication assertion received by the service provider entity has passed, the service provider entity requires the user terminal to re-authenticate in its subsequent communication with the user terminal.
15. The authentication method for an identity web service framework system according to claim 13 or 14, characterized in that the following local security policy is configured on the authentication service entity or module: when the user terminal is re-authenticated, if the shared key of the two parties has not expired, only ID-WSF authentication of the user terminal is performed.
16. The authentication method for an identity web service framework system according to claim 13 or 14, characterized in that the following local security policy is configured on the authentication service entity or module: when the user terminal is re-authenticated, if the shared key of the two parties has not expired, both GAA authentication and ID-WSF authentication of the user terminal are performed.
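The GBA side of the procedure, as an added example that is neither the patent's code nor a 3GPP or Liberty implementation: it serves step 14 of the description (the NAF/AS fetching Ks_(ext)_NAF, USS, key lifetime and bootstrapping time over Zn), steps A4 to A7 of claim 7 (challenge, B-TID plus digest, verification, SSOS credential), step B8 of claim 9 (UE and BSF deriving the shared key from the root key) and the local security policies of claims 15 and 16. Assumptions: the shared key of the claims is Ks_(ext)_NAF and is derived with the GBA key derivation function of 3GPP TS 33.220 Annex B, which the page does not reproduce; the AKA exchange of steps B1 to B7 is not modelled, so Ks, RAND and IMPI are supplied as constructed inputs; the "authentication response digest" of step A6 is a constructed keyed digest over the B-TID and the challenge, since the page does not fix its format; the NAF name, the five-octet Ua security protocol identifier value, the B-TID format and the SSOS address are all made up for the example.

```python
import hashlib
import hmac
import secrets

# Constructed identifiers for the example.
NAF_FQDN = b"as.example.net"
UA_PROTOCOL_ID = bytes.fromhex("0100000002")   # 5-octet Ua security protocol identifier (value assumed)
NAF_ID = NAF_FQDN + UA_PROTOCOL_ID              # NAF_Id = FQDN || Ua security protocol identifier
SSOS_ADDRESS = "https://ssos.example.net/"
SSOS_SERVICE_TYPE = "urn:liberty:ssos:2004-04"


def gba_kdf(ks: bytes, *params: bytes) -> bytes:
    """Generic GBA KDF (3GPP TS 33.220 Annex B): HMAC-SHA-256(Ks, FC || P0 || L0 || P1 || L1 ...),
    with FC = 0x01 and each Li the two-octet big-endian length of Pi."""
    s = b"\x01"
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(ks, s, hashlib.sha256).digest()


def derive_ks_naf(ks: bytes, rand: bytes, impi: str, naf_id: bytes) -> bytes:
    """Ks_(ext)_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id). The UE (claim 9, B8) and the BSF
    compute this independently; the NAF/AS only ever receives the derived key over Zn."""
    return gba_kdf(ks, b"gba-me", rand, impi.encode("utf-8"), naf_id)


def sasl_digest(ks_naf: bytes, btid: str, challenge: str) -> str:
    """Constructed form of the 'authentication response digest' of claim 7, step A6."""
    return hmac.new(ks_naf, f"{btid}:{challenge}".encode(), hashlib.sha256).hexdigest()


class BSF:
    """Holds the outcome of the Ub run: Ks, RAND, IMPI, the B-TID and the key lifetime."""

    def __init__(self):
        self.bootstrapped = {}

    def record_bootstrap(self, impi: str, ks: bytes, rand: bytes, now: int, lifetime: int = 86400) -> str:
        btid = secrets.token_urlsafe(12) + "@bsf.example.net"   # B-TID, constructed format
        self.bootstrapped[btid] = {"impi": impi, "ks": ks, "rand": rand,
                                   "bootstrap_time": now, "expiry": now + lifetime,
                                   "uss": {"federation_alias": "alias-" + impi.split("@")[0]}}
        return btid

    def zn_lookup(self, btid: str, naf_id: bytes, now: int):
        """Zn (step 14 / claim 7 A7): Ks_NAF for this NAF, USS, key lifetime and bootstrapping time."""
        rec = self.bootstrapped.get(btid)
        if rec is None or now >= rec["expiry"]:
            return None
        return {"ks_naf": derive_ks_naf(rec["ks"], rec["rand"], rec["impi"], naf_id),
                "uss": rec["uss"], "expiry": rec["expiry"], "bootstrap_time": rec["bootstrap_time"]}


class AuthenticationService:
    """NAF/AS: issues the SASL challenge, verifies the response, returns the SSOS credential."""

    def __init__(self, bsf: BSF, rerun_gba_while_valid: bool = False):
        self.bsf = bsf
        self.rerun_gba_while_valid = rerun_gba_while_valid   # False: claim 15 policy; True: claim 16 policy
        self.keys = {}           # B-TID -> Zn record, cached until the key lifetime ends
        self.pending = set()     # outstanding challenges, each accepted once
        self.credentials = {}    # issued credential -> B-TID, for the SSOS to check

    def challenge(self) -> str:
        c = secrets.token_hex(16)
        self.pending.add(c)
        return c

    def needs_new_gba(self, btid: str, now: int) -> bool:
        """Local security policy: a UE returning with an unexpired Ks_NAF may skip the GBA run."""
        rec = self.keys.get(btid)
        if rec is None or now >= rec["expiry"]:
            return True
        return self.rerun_gba_while_valid

    def verify(self, btid: str, challenge: str, digest: str, now: int):
        if challenge not in self.pending:
            return None              # unknown or replayed challenge
        self.pending.discard(challenge)
        rec = self.keys.get(btid)
        if rec is not None and now >= rec["expiry"]:
            del self.keys[btid]
            rec = None
        if rec is None:
            rec = self.bsf.zn_lookup(btid, NAF_ID, now)
            if rec is None:
                return None          # unknown or expired B-TID: the UE must bootstrap again
            self.keys[btid] = rec
        if not hmac.compare_digest(digest, sasl_digest(rec["ks_naf"], btid, challenge)):
            return None
        credential = secrets.token_urlsafe(24)
        self.credentials[credential] = btid
        return {"EndpointReference": SSOS_ADDRESS, "ServiceType": SSOS_SERVICE_TYPE,
                "Credential": credential, "USS": rec["uss"]}
```

The key-lifetime check runs on both sides of Zn: the BSF refuses to hand out a key for an expired B-TID, and the AS drops its own cached copy at the same instant, so the claim 15 shortcut (skip GBA while the shared key is valid) can never outlive the lifetime the BSF announced in step B7.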
PCT/CN2007/000762 2006-03-16 2007-03-09 An identity web service framework system and authentication method thereof WO2007104245A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200610034493.6 2006-03-16
CN200610034493A CN101039311B (en) 2006-03-16 2006-03-16 Identification web page service network system and its authentication method

Publications (1)

Publication Number Publication Date
WO2007104245A1 true WO2007104245A1 (en) 2007-09-20

Family

ID=38509049

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/000762 WO2007104245A1 (en) 2006-03-16 2007-03-09 An identity web service framework system and authentication method thereof

Country Status (2)

Country Link
CN (1) CN101039311B (en)
WO (1) WO2007104245A1 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9736165B2 (en) 2015-05-29 2017-08-15 At&T Intellectual Property I, L.P. Centralized authentication for granting access to online services
WO2018010150A1 (en) * 2016-07-14 2018-01-18 华为技术有限公司 Authentication method and authentication system
CN111756733A (en) * 2020-06-23 2020-10-09 恒生电子股份有限公司 Identity authentication method and related device
CN112311543A (en) * 2020-11-17 2021-02-02 中国联合网络通信集团有限公司 GBA key generation method, terminal and NAF network element
CN113518349A (en) * 2020-10-23 2021-10-19 中国移动通信有限公司研究院 Service management method, device, system and storage medium
CN114422258A (en) * 2022-01-25 2022-04-29 百安居信息技术(上海)有限公司 Single sign-on method, medium and electronic equipment based on multiple authentication protocols

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101822082B (en) * 2007-10-05 2013-06-12 交互数字技术公司 Techniques for secure channelization between UICC and terminal
WO2010125535A1 (en) * 2009-05-01 2010-11-04 Nokia Corporation Systems, methods, and apparatuses for facilitating authorization of a roaming mobile terminal
JP6370215B2 (en) * 2011-04-15 2018-08-08 サムスン エレクトロニクス カンパニー リミテッド Machine-to-machine node erase procedure
CN102869010A (en) * 2011-07-04 2013-01-09 中兴通讯股份有限公司 Method and system for single sign-on
CN103051594A (en) * 2011-10-13 2013-04-17 中兴通讯股份有限公司 Method, network side equipment and system of establishing end-to-end security of marked net
CN105553923A (en) * 2014-11-04 2016-05-04 中兴通讯股份有限公司 Method for obtaining user identifier and network side equipment
EP3414927B1 (en) * 2016-02-12 2020-06-24 Telefonaktiebolaget LM Ericsson (PUBL) Securing an interface and a process for establishing a secure communication link
EP3253020A1 (en) * 2016-06-03 2017-12-06 Gemalto Sa A method and an apparatus for publishing assertions in a distributed database of a mobile telecommunication network
CN111404933B (en) * 2020-03-16 2022-04-15 维沃移动通信有限公司 Authentication method, electronic equipment and authentication server
CN113840280A (en) * 2020-06-04 2021-12-24 中国电信股份有限公司 Call encryption method, system, guide server, terminal and electronic equipment
CN113596830B (en) * 2021-07-27 2023-03-24 中国联合网络通信集团有限公司 Communication method, communication apparatus, electronic device, storage medium, and program product

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6286104B1 (en) * 1999-08-04 2001-09-04 Oracle Corporation Authentication and authorization in a multi-tier relational database management system
US20040117493A1 (en) * 2002-11-28 2004-06-17 International Business Machines Corporation Method and system for accessing internet resources through a proxy using the form-based authentication
CN1614903A (en) * 2003-11-07 2005-05-11 华为技术有限公司 Method for authenticating users
CN1642079A (en) * 2004-01-16 2005-07-20 华为技术有限公司 Method for obtaining user identification information for network application entity
US20060021004A1 (en) * 2004-07-21 2006-01-26 International Business Machines Corporation Method and system for externalized HTTP authentication

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9736165B2 (en) 2015-05-29 2017-08-15 At&T Intellectual Property I, L.P. Centralized authentication for granting access to online services
US10673858B2 (en) 2015-05-29 2020-06-02 At&T Intellectual Property I, L.P. Centralized authentication for granting access to online services
US11425137B2 (en) 2015-05-29 2022-08-23 At&T Intellectual Property I, L.P. Centralized authentication for granting access to online services
WO2018010150A1 (en) * 2016-07-14 2018-01-18 华为技术有限公司 Authentication method and authentication system
CN111756733A (en) * 2020-06-23 2020-10-09 恒生电子股份有限公司 Identity authentication method and related device
CN113518349A (en) * 2020-10-23 2021-10-19 中国移动通信有限公司研究院 Service management method, device, system and storage medium
CN112311543A (en) * 2020-11-17 2021-02-02 中国联合网络通信集团有限公司 GBA key generation method, terminal and NAF network element
CN112311543B (en) * 2020-11-17 2023-04-18 中国联合网络通信集团有限公司 GBA key generation method, terminal and NAF network element
CN114422258A (en) * 2022-01-25 2022-04-29 百安居信息技术(上海)有限公司 Single sign-on method, medium and electronic equipment based on multiple authentication protocols

Also Published As

Publication number Publication date
CN101039311A (en) 2007-09-19
CN101039311B (en) 2010-05-12

Similar Documents

Publication Publication Date Title
WO2007104245A1 (en) An identity web service framework system and authentication method thereof
US8543814B2 (en) Method and apparatus for using generic authentication architecture procedures in personal computers
US10411884B2 (en) Secure bootstrapping architecture method based on password-based digest authentication
US8572708B2 (en) Method and arrangement for integration of different authentication infrastructures
EP3750342B1 (en) Mobile identity for single sign-on (sso) in enterprise networks
EP2005702B1 (en) Authenticating an application
EP3120591B1 (en) User identifier based device, identity and activity management system
WO2007093115A1 (en) A combined authentication structure and a realizing method thereof
KR20050064119A (en) Server certification validation method for authentication of extensible authentication protocol for internet access on user terminal
WO2012058896A1 (en) Method and system for single sign-on
CN109121135A (en) Client registers and key sharing method, apparatus and system based on GBA
CN101426190A (en) Service access authentication method and system
WO2006072209A1 (en) A method for agreeing upon the key in the ip multimedia sub-system
KR20200130106A (en) Apparatus and method for providing mobile edge computing service in wireless communication system
WO2013044766A1 (en) Service access method and device for cardless terminal
WO2013023475A1 (en) Method for sharing user data in network and identity providing server
CN102694779B (en) Combination attestation system and authentication method
KR20200130141A (en) Apparatus and method for providing mobile edge computing service in wireless communication system
WO2013053305A1 (en) Identification network end-to-end security establishing method, network side device and system
WO2013127342A2 (en) Ims single sign on combined authentication method and system
CN103428694A (en) Split terminal single sign-on combined authentication method and system
TWI755951B (en) Communication system and communication method
WO2013064040A1 (en) Combined authentication method and system for ims sso
WO2009086769A1 (en) A negotiation method for network service and a system thereof
CN1953371A (en) A method for authentication aiming at the client or agent of free enabled

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 EP: PCT application non-entry in European phase

Ref document number: 07720360

Country of ref document: EP

Kind code of ref document: A1