CN101437017A - Method for implementing user and equipment authentication separately employing diameter protocol - Google Patents

Method for implementing user and equipment authentication separately employing diameter protocol Download PDF

Info

Publication number
CN101437017A
CN101437017A CNA2007101871480A CN200710187148A CN101437017A CN 101437017 A CN101437017 A CN 101437017A CN A2007101871480 A CNA2007101871480 A CN A2007101871480A CN 200710187148 A CN200710187148 A CN 200710187148A CN 101437017 A CN101437017 A CN 101437017A
Authority
CN
China
Prior art keywords
authentication
message
authenticator
dea
der
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CNA2007101871480A
Other languages
Chinese (zh)
Other versions
CN101437017B (en
Inventor
王春花
时忆杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Samsung Telecommunications Technology Research Co Ltd
Samsung Electronics Co Ltd
Original Assignee
Beijing Samsung Telecommunications Technology Research Co Ltd
Samsung Electronics Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Samsung Telecommunications Technology Research Co Ltd, Samsung Electronics Co Ltd filed Critical Beijing Samsung Telecommunications Technology Research Co Ltd
Priority to CN2007101871480A priority Critical patent/CN101437017B/en
Publication of CN101437017A publication Critical patent/CN101437017A/en
Application granted granted Critical
Publication of CN101437017B publication Critical patent/CN101437017B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

一种采用Diameter协议实现用户和设备分别认证的方法,Authenticator设置Diameter客户端认证状态机的初始状态为IDLE;Authenticator根据收到的有关MS认证的属性值,构造相应的消息DER,并向AAA认证服务器发送所述DER消息;当Authenticator收到来自AAA认证服务器的DEA消息时解析DEA消息,如果解析的DEA消息包含认证成功的属性值时,则表明第一轮认证成功完成;设置第一轮认证成功标志为TRUE;Authenticator根据收到的有关MS认证的属性值构造相应的DER消息,并向AAA认证服务器发送DER消息;当Authenticator收到来自AAA认证服务器的DEA消息时解析DEA消息;如果解析的DEA消息包含认证成功的属性值,则转入Open状态,认证完成。本发明即可支持单轮认证也能支持double认证;在原有diameter认证状态机的基础上,稍作改动即可支持二轮认证,且具有后向兼容性。

A method for separately authenticating users and devices using the Diameter protocol. The Authenticator sets the initial state of the Diameter client authentication state machine to IDLE; the Authenticator constructs a corresponding message DER according to the received attribute values of MS authentication, and authenticates to AAA The server sends the DER message; when the Authenticator receives the DEA message from the AAA authentication server, it parses the DEA message, and if the parsed DEA message contains the attribute value of successful authentication, it indicates that the first round of authentication is successfully completed; set the first round of authentication The success flag is TRUE; the Authenticator constructs the corresponding DER message according to the received attribute value of MS authentication, and sends the DER message to the AAA authentication server; when the Authenticator receives the DEA message from the AAA authentication server, it parses the DEA message; if the parsed If the DEA message contains the attribute value of successful authentication, it will be transferred to the Open state, and the authentication is completed. The invention can support both single-round authentication and double authentication; on the basis of the original diameter authentication state machine, it can support two-round authentication with slight changes, and has backward compatibility.

Description

采用diameter协议实现用户和设备分别认证的方法 A method for separately authenticating users and devices using the diameter protocol

技术领域 technical field

本发明涉及通信系统,特别是移动Wimax系统中一种采用diameter协议实现用户和设备分别认证(Double EAP)的方法。The invention relates to a communication system, in particular to a method for implementing user and equipment separate authentication (Double EAP) by adopting a diameter protocol in a mobile Wimax system.

背景技术 Background technique

在Wimax关于网络结构的最新规范1.0.0版本中定义了四种认证方式:用户认证:User single EAP;设备认证:Device Single EAP;用户和设备同时认证:User/Device Single EAP;用户和设备分别认证:Double EAP(两个EAP过程被执行)。Four authentication methods are defined in the latest version 1.0.0 of Wimax's network structure specification: user authentication: User single EAP; device authentication: Device Single EAP; simultaneous user and device authentication: User/Device Single EAP; user and device respectively Authentication: Double EAP (two EAP procedures are performed).

用户和设备分别认证(即double EAP)的方法,即需要进行两轮认证:第一轮设备认证,第二轮用户认证。如果用户(User)和移动台(MS)的鉴权需要分开执行,就可以选择double EAP的方式。典型的应用场景是:当用户(User)和移动台(MS)的鉴权不在同一个实体,例如位于不同的AAA服务器时。如果用户(User)和移动台(MS)的鉴权发生在同一个实体,可以选用single EAP的鉴权方式。The method of user and device authentication (double EAP) requires two rounds of authentication: the first round of device authentication, and the second round of user authentication. If the authentication of the user (User) and the mobile station (MS) needs to be performed separately, the double EAP method can be selected. A typical application scenario is: when the authentication of the user (User) and the mobile station (MS) are not in the same entity, for example, in different AAA servers. If the authentication of the user (User) and the mobile station (MS) occurs in the same entity, the single EAP authentication method can be selected.

Diameter系列协议是新一代的AAA技术。在ITU,3GPP/3GPP2等国际标准组织中,都已经正式将Diameter协议作为NGN,WCDMA和CDMA2000等未来通信网络的首选AAA协议。在Wimax关于网络结构的未来规范1.5版本,将包括Diameter协议。The Diameter series protocol is a new generation of AAA technology. In ITU, 3GPP/3GPP2 and other international standard organizations, the Diameter protocol has been formally regarded as the preferred AAA protocol for future communication networks such as NGN, WCDMA and CDMA2000. In Wimax's future specification version 1.5 of the network structure, the Diameter protocol will be included.

在Diameter的规范RFC3588给出了采用diameter协议进行认证的session状态机:在Idle模式,Diameter Client向AAA认证服务器发送DER消息,包含认证请求信息;当Diameter client接收到DEA消息,包含认证成功的信息时,将转入OPEN状态,即标志着认证完成,用户可以进行有关的业务例如通话服务等。In the Diameter specification RFC3588, the session state machine using the diameter protocol for authentication is given: in the idle mode, the Diameter Client sends a DER message to the AAA authentication server, including the authentication request information; when the Diameter client receives the DEA message, it includes information about the successful authentication , it will turn into the OPEN state, which means that the authentication is completed, and the user can perform related services such as call services.

根据Diameter协议给出的认证状态机,可以看出这种方式实际上只支持单论认证,即或者是设备认证或者是用户认证,或者是设备认证和用户认证同时进行的三种Single认证方式。一旦一轮认证成功即转入OPEN状态。所以说目前的diameter认证协议不支持用户和设备分别认证的两轮认证(double认证)。According to the authentication state machine provided by the Diameter protocol, it can be seen that this method actually only supports single authentication, that is, either device authentication or user authentication, or three single authentication methods that are simultaneously performed for device authentication and user authentication. Once a round of authentication is successful, it will enter the OPEN state. Therefore, the current diameter authentication protocol does not support two rounds of authentication (double authentication) in which users and devices are authenticated separately.

发明内容 Contents of the invention

本发明的目的是提供一种采用Diameter协议来实现用户和设备两轮认证(double)的方法。The purpose of the present invention is to provide a method for realizing two-round authentication (double) of user and equipment by adopting Diameter protocol.

为实现上述目的,一种采用Diameter协议实现用户和设备分别认证的方法,包括步骤:In order to achieve the above object, a method for implementing separate authentication of users and devices using the Diameter protocol, comprising steps:

a)Authenticator设置Diameter客户端认证状态机的初始状态为IDLE;a) Authenticator sets the initial state of the Diameter client authentication state machine to IDLE;

b)Authenticator根据收到的有关MS认证的属性值,构造相应的消息DER,并向AAA认证服务器发送所述DER消息;b) Authenticator constructs a corresponding message DER according to the received attribute value of MS authentication, and sends the DER message to the AAA authentication server;

c)当Authenticator收到来自AAA认证服务器的DEA消息时解析DEA消息,如果解析的DEA消息包含认证成功的属性值时,则表明第一轮认证成功完成;c) When the Authenticator receives the DEA message from the AAA authentication server, it parses the DEA message, and if the parsed DEA message contains the attribute value of successful authentication, it indicates that the first round of authentication is successfully completed;

d)设置第一轮认证成功标志为TRUE;d) Set the successful flag of the first round of authentication to TRUE;

e)Authenticator根据收到的有关MS认证的属性值构造相应的DER消息,并向AAA认证服务器发送DER消息;e) Authenticator constructs a corresponding DER message according to the received attribute value of MS authentication, and sends the DER message to the AAA authentication server;

f)当Authenticator收到来自AAA认证服务器的DEA消息时解析DEA消息;f) When the Authenticator receives the DEA message from the AAA authentication server, it parses the DEA message;

i)如果解析的DEA消息包含认证成功的属性值,则转入Open状态,认证完成。i) If the parsed DEA message contains the attribute value of successful authentication, then turn to the Open state, and the authentication is completed.

本发明所述方法即可支持单轮认证(Single)也能支持double认证;实现简单,在原有diameter认证状态机的基础上,稍作改动即可支持二轮认证,且具有后向兼容性;实用性强,能用于Wimax Forum、ITU,3GPP/3GPP2等的网络结构NGN中。The method of the present invention can support both single-round authentication (Single) and double authentication; the implementation is simple, on the basis of the original diameter authentication state machine, it can support two-round authentication with slight changes, and has backward compatibility; Strong practicability, can be used in Wimax Forum, ITU, 3GPP/3GPP2 and other network structure NGN.

附图说明 Description of drawings

图1是采用Diameter协议实现用户和设备分别认证(double EAP)的方法;Fig. 1 is a method for implementing separate authentication (double EAP) of users and devices using the Diameter protocol;

图2是MS采用Diameter协议执行double EAP认证的初始接入过程的实施例。Fig. 2 is an embodiment of the initial access process of the MS using the Diameter protocol to perform double EAP authentication.

具体实施方式 Detailed ways

MS初始接入过程中,MS和Authenticator首先交换鉴权能力。由Authenticator选择正确的鉴权方式,通知MS使用该方式开始进行认证。During the MS's initial access process, the MS and the Authenticator first exchange authentication capabilities. The Authenticator selects the correct authentication method and notifies the MS to use this method to start authentication.

在Wimax中定义的EAP-method:设备认证一般采用基于证书的X.509,因此相应的MS应该支持EAP-TLS方法。设备的MAC地址作为NAI的用户名在EAP-Identity/Response传递。对于用户认证,MS应该支持EAP-AKA,EAP-TTLS。他们使用SUBC(Subcription Credential)来产生鉴权向量。EAP-method defined in Wimax: device authentication generally adopts certificate-based X.509, so the corresponding MS should support the EAP-TLS method. The MAC address of the device is passed as the NAI username in EAP-Identity/Response. For user authentication, MS should support EAP-AKA, EAP-TTLS. They use SUBC (Subcription Credential) to generate authentication vectors.

对于设备认证和用户认证分离的double认证方法,两轮认证成功完成,Diameter的认证状态机进入OPEN状态后,Authenticator将根据设备认证过程和用户认证过程两轮认证产生的两个MSK来计算PKMv2所需的有关keys,例如AK等,并将AK发送给BS。MS将使用EMSK来计算其他应用有关的key。For the double authentication method that separates device authentication and user authentication, after the two rounds of authentication are successfully completed and Diameter's authentication state machine enters the OPEN state, the Authenticator will calculate the PKMv2 value based on the two MSKs generated by the two rounds of authentication during the device authentication process and the user authentication process. Relevant keys needed, such as AK, etc., and send AK to BS. MS will use EMSK to calculate other application-related keys.

涉及的主要功能实体包括MS、BS、Authenticator(ACR),AAA server(CSN)。MS作为被鉴权的对象;AAA server是鉴权服务器;Authenticator是鉴权者,也可以理解为relay,主要负责转发MS和AAA Server之间的EAPmessages(协议转换),此外还负责key管理和session管理等。The main functional entities involved include MS, BS, Authenticator (ACR), and AAA server (CSN). MS is the object to be authenticated; AAA server is the authentication server; Authenticator is the authenticator, which can also be understood as a relay, which is mainly responsible for forwarding EAPmessages (protocol conversion) between MS and AAA Server, and is also responsible for key management and session management etc.

一种采用Diameter协议实现用户和设备分别认证(double EAP)的方法,参照图1,其主要步骤包括:A method adopting Diameter protocol to realize user and equipment authentication (double EAP) respectively, with reference to Fig. 1, its main steps include:

1)MS和Authenticator通过BS交换认证策略,Authenticator选择认证方式通知MS,并向MS请求认证标识(EAP-identity)。当Authenticator收到MS EAP-Identiy,置Diameter认证状态机的状态为IDLE;如果Authenticator选择Double认证,则置第一轮认证成功标志的初值为Flase;如果是Single认证,则转步骤6);1) The MS and the Authenticator exchange authentication policies through the BS, and the Authenticator selects an authentication method to notify the MS, and requests an authentication identity (EAP-identity) from the MS. When the Authenticator receives the MS EAP-Identiy, set the state of the Diameter authentication state machine to IDLE; if the Authenticator selects Double authentication, set the initial value of the first-round authentication success flag to False; if it is Single authentication, then go to step 6);

2)Authenticator根据收到的MS的EAP-payload,构造相应的DER消息。向AAA认证服务器发送DER消息,包含设备认证请求信息等,Diameter认证状态机的状态进入Pending状态;2) The Authenticator constructs a corresponding DER message according to the received EAP-payload of the MS. Send a DER message to the AAA authentication server, including device authentication request information, etc., and the state of the Diameter authentication state machine enters the Pending state;

3)在Pending状态,当收到来自AAA认证服务器的DEA消息,Authenticator解析DEA消息,如果其包含认证成功的属性值时,则表明第一轮认证成功完成,转步骤5);否则继续下一步;3) In the Pending state, when receiving the DEA message from the AAA authentication server, the Authenticator parses the DEA message, if it contains the attribute value of successful authentication, it indicates that the first round of authentication is successfully completed, go to step 5); otherwise continue to the next step ;

4)在Pending状态,Authenticator将收到的DEA消息中的EAP-Payload,利用有关协议发送到MS,转步骤2)4) In the Pending state, the Authenticator sends the EAP-Payload in the received DEA message to the MS using the relevant protocol, and then go to step 2)

5)设置第一轮认证成功标志为TRUE,状态仍是Pending state;5) Set the successful flag of the first round of authentication to TRUE, and the state is still Pending state;

6)Authenticator根据收到的MS的EAP-payload,构造相应的DER消息。向AAA认证服务器发送DER消息,Diameter认证状态机的状态处于Pending状态;6) The Authenticator constructs a corresponding DER message according to the received EAP-payload of the MS. Send a DER message to the AAA authentication server, and the state of the Diameter authentication state machine is in the Pending state;

7)在Pending状态,当收到来自AAA认证服务器的DEA消息,Authenticator解析DEA消息,如果其包含认证成功的属性值时,转步骤9);否则继续下一步;7) In the Pending state, when receiving the DEA message from the AAA authentication server, the Authenticator parses the DEA message, and if it contains the attribute value of successful authentication, turn to step 9); otherwise continue to the next step;

8)在Pending状态,Authenticator将收到的DEA消息中的EAP-Payload,利用有关协议发送到MS,转步骤6)8) In the Pending state, the Authenticator sends the EAP-Payload in the received DEA message to the MS using the relevant protocol, and then go to step 6)

9)转入Open状态;认证完成。9) Transfer to the Open state; the authentication is completed.

实施例Example

采用double EAP认证,某MS使用本发明提出的方法的初始接入过程的实施例,参照图2,其主要步骤包括:Using double EAP authentication, a certain MS uses the embodiment of the initial access process of the method proposed by the present invention, with reference to Fig. 2, its main steps include:

1)MS和Authenticator通过BS交换认证策略;1) MS and Authenticator exchange authentication policies through BS;

2)Authenticator选择认证方式,并通过BS向MS发送认证清求AuthRelay_EAP_TRANSFER消息,包含EAP-Request/Identity等信息;2) The Authenticator selects the authentication method, and sends an authentication request AuthRelay_EAP_TRANSFER message to the MS through the BS, including information such as EAP-Request/Identity;

3)MS收到EAP_TRANSFER(EAP-Request/Identity)消息后,通过BS向Authenticator回复EAP_TRANSFER(EAP-response/Identity),上报认证所需的标识;3) After receiving the EAP_TRANSFER (EAP-Request/Identity) message, the MS replies to the Authenticator through the BS with EAP_TRANSFER (EAP-response/Identity), and reports the identity required for authentication;

4)当Authenticator收到MS EAP-Identiy,置Diameter认证状态机的状态为IDLE,第一轮认证成功标志的初值为Flase;并根据收到的MS的EAP-payload,构造DER消息。4) When the Authenticator receives the MS EAP-Identiy, it sets the state of the Diameter authentication state machine to IDLE, and the initial value of the first-round authentication success flag is False; and constructs a DER message according to the received MS EAP-payload.

5)Authenticator向AAA认证服务器发送DER消息,包含设备认证请求信息等;5) The Authenticator sends a DER message to the AAA authentication server, including device authentication request information, etc.;

6)Diameter认证状态机的状态处于Pending状态;6) The Diameter authentication state machine is in the Pending state;

7)MS和AAA server进行端到端的认证;MS和Authenticator之间采用EAP协议承载,Authenticator和AAA之间是diameter协议,即使用DER/DEA消息;7) MS and AAA server perform end-to-end authentication; between MS and Authenticator, EAP protocol is used for carrying, and between Authenticator and AAA is a diameter protocol, that is, DER/DEA messages are used;

8)在AAA服务器端,当第一轮认证成功完成后,构造包含EAP-Success的DEA消息,并向Authenticator发送所述消息;8) At the AAA server side, after the first round of authentication is successfully completed, construct a DEA message that includes EAP-Success, and send the message to Authenticator;

9)Authenticator的认证状态为Pending状态,当收到来自AAA认证服务器的DEA消息,Authenticator解析DEA消息,如果其包含认证成功的属性值时,则表明第一轮认证成功完成,置第一轮认证成功标志为TRUE;9) The authentication status of the Authenticator is Pending. When receiving the DEA message from the AAA authentication server, the Authenticator parses the DEA message. If it contains the attribute value of successful authentication, it indicates that the first round of authentication is successfully completed, and the first round of authentication is set. The success flag is TRUE;

10)Authenticator根据第一轮认证成功的MSK1/PKM1产生EIK,通过消息Context_Rpt发送到BS,BS回复Context_Rpt_Ack Ack消息;10) The Authenticator generates an EIK based on the MSK1/PKM1 that was successfully authenticated in the first round, and sends it to the BS through the message Context_Rpt, and the BS replies with the Context_Rpt_Ack Ack message;

11)Authenticator向BS发送包含EAP-Success属性的消息,BS使用EIK对此消息加密后发送到MS;11) The Authenticator sends a message containing the EAP-Success attribute to the BS, and the BS uses EIK to encrypt the message and sends it to the MS;

12)MS收到包含EAP-Success属性的消息后,首先验证此消息,若成功,发起第二轮认证请求;12) After receiving the message containing the EAP-Success attribute, the MS first verifies the message, and if successful, initiates a second round of authentication request;

13)BS转发MS的第二轮认证请求;13) The BS forwards the MS's second-round authentication request;

14)Authenticator收到MS的第二轮认证请求后,根据收到的消息内容构造DER;14) After the Authenticator receives the second round of authentication request from MS, it constructs DER according to the content of the received message;

15)Authenticator向AAA认证服务器发送DER消息,包含第二轮认证请求信息等,认证状态机处于pending,15) The Authenticator sends a DER message to the AAA authentication server, including the second round of authentication request information, etc., and the authentication state machine is pending.

16)MS和AAA server进行第二轮端到端的认证;MS和Authenticator之间采用EAP协议承载,Authenticator和AAA之间是diameter协议,即使用DER/DEA消息;16) The MS and the AAA server perform the second round of end-to-end authentication; the EAP protocol is used between the MS and the Authenticator, and the diameter protocol is used between the Authenticator and AAA, that is, the DER/DEA message is used;

17)在AAA服务器端,当第二轮认证成功完成后,构造包含EAP-Success的DEA消息,并向Authenticator发送所述消息;17) At the AAA server side, after the second round of authentication is successfully completed, construct a DEA message that includes EAP-Success, and send the message to Authenticator;

18)Authenticator的认证状态为Pending状态,当收到来自AAA认证服务器的DEA消息,Authenticator解析DEA消息,如果其包含认证成功的属性值时,且第一轮认证成功标志为TRUE,则认证完成,转入Open状态;18) The authentication state of the Authenticator is Pending state. When receiving the DEA message from the AAA authentication server, the Authenticator parses the DEA message. If it contains the attribute value of successful authentication, and the successful flag of the first round of authentication is TRUE, the authentication is completed. Go to the Open state;

19)转入Open状态,double认证完成。Authenticator使用两轮认证生成的MSK生成相应的PMK,和AK等;19) Switch to the Open state, and the double authentication is completed. Authenticator uses the MSK generated by the two rounds of authentication to generate the corresponding PMK, AK, etc.;

20)Authenticator向BS发送包含EAP-Success属性的消息;20) The Authenticator sends a message including the EAP-Success attribute to the BS;

21)BS向MS转发包含EAP-Success属性的消息;21) The BS forwards the message containing the EAP-Success attribute to the MS;

22)Authenticator向BS发送AK等信息,BS发送对AK等信息的反馈消息;22) Authenticator sends information such as AK to BS, and BS sends a feedback message for information such as AK;

23)BS和MS校验AK,为所述MS建立安全关联,及为此安全关联使用的合法的TEK等;23) The BS and the MS verify the AK, establish a security association for the MS, and the legal TEK used for this security association, etc.;

24)开始MS的attach过程,和数据链路的建立过程。MS完成初始接入。24) Start the attach process of the MS and the establishment process of the data link. The MS completes the initial access.

上述实施例着重说明采用Diameter协议实现用户和设备分别认证(double EAP)的方法的Authenticator端的认证状态机的变化过程和消息流,其他有关内容有所简略,例如MS和BS间的协议、具体的消息内容,AK,TEK等key的产生过程均有所省略。这些不能理解为是对本发明的限制。The foregoing embodiment focuses on the change process and message flow of the authentication state machine at the Authenticator end using the Diameter protocol to implement separate authentication (double EAP) for users and devices. The content of the message and the process of generating keys such as AK and TEK are omitted. These should not be construed as limitations of the invention.

Claims (5)

1.一种采用Diameter协议实现用户和设备分别认证的方法,包括步骤:1. A method adopting the Diameter protocol to realize user and equipment authentication respectively, comprising steps: a)Authenticator设置Diameter客户端认证状态机的初始状态为IDLE;a) Authenticator sets the initial state of the Diameter client authentication state machine to IDLE; b)Authenticator根据收到的有关MS认证的属性值,构造相应的消息DER,并向AAA认证服务器发送所述DER消息;b) Authenticator constructs a corresponding message DER according to the received attribute value of MS authentication, and sends the DER message to the AAA authentication server; c)当Authenticator收到来自AAA认证服务器的DEA消息时解析DEA消息,如果解析的DEA消息包含认证成功的属性值时,则表明第一轮认证成功完成;c) When the Authenticator receives the DEA message from the AAA authentication server, it parses the DEA message, and if the parsed DEA message contains the attribute value of successful authentication, it indicates that the first round of authentication is successfully completed; d)设置第一轮认证成功标志为TRUE;d) Set the successful flag of the first round of authentication to TRUE; e)Authenticator根据收到的有关MS认证的属性值构造相应的DER消息,并向AAA认证服务器发送DER消息;e) Authenticator constructs a corresponding DER message according to the received attribute value of MS authentication, and sends the DER message to the AAA authentication server; f)当Authenticator收到来自AAA认证服务器的DEA消息时解析DEA消息;f) When the Authenticator receives the DEA message from the AAA authentication server, it parses the DEA message; i)如果解析的DEA消息包含认证成功的属性值,则转入Open状态,认证完成。i) If the parsed DEA message contains the attribute value of successful authentication, then turn to the Open state, and the authentication is completed. 2.根据权利要求1所述的方法,其特征在于在步骤a)中,如果是Double认证方式,则置第一轮认证成功标志的初值为Flase。2. The method according to claim 1, characterized in that in step a), if it is the Double authentication method, the initial value of the first round of authentication success flag is set to False. 3.根据权利要求1所述的方法,其特征在于在步骤b)中,所述DER消息包含设备认证请求消息。3. The method according to claim 1, wherein in step b), the DER message includes a device authentication request message. 4.根据权利要求1所述的方法,其特征在于在步骤b)-f)中,所述Diameter认证状态机的状态为Pending。4. The method according to claim 1, characterized in that in steps b)-f), the state of the Diameter authentication state machine is Pending. 5.根据权利要求1所述的方法,其特征在于在步骤b)中所述DER消息,和步骤c)中所述的DEA消息属于dimeter协议。5. The method according to claim 1, characterized in that the DER message in step b) and the DEA message in step c) belong to the dimeter protocol.
CN2007101871480A 2007-11-16 2007-11-16 Method for implementing user and equipment authentication separately employing diameter protocol Expired - Fee Related CN101437017B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2007101871480A CN101437017B (en) 2007-11-16 2007-11-16 Method for implementing user and equipment authentication separately employing diameter protocol

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2007101871480A CN101437017B (en) 2007-11-16 2007-11-16 Method for implementing user and equipment authentication separately employing diameter protocol

Publications (2)

Publication Number Publication Date
CN101437017A true CN101437017A (en) 2009-05-20
CN101437017B CN101437017B (en) 2012-07-04

Family

ID=40711245

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2007101871480A Expired - Fee Related CN101437017B (en) 2007-11-16 2007-11-16 Method for implementing user and equipment authentication separately employing diameter protocol

Country Status (1)

Country Link
CN (1) CN101437017B (en)

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004083991A2 (en) * 2003-03-18 2004-09-30 Thomson Licensing S.A. Authentication of a wlan connection using gprs/umts infrastructure

Also Published As

Publication number Publication date
CN101437017B (en) 2012-07-04

Similar Documents

Publication Publication Date Title
JP6732095B2 (en) Unified authentication for heterogeneous networks
US10708058B2 (en) Devices and methods for client device authentication
US9232398B2 (en) Method and apparatus for link setup
Arkko et al. Improved extensible authentication protocol method for 3rd generation authentication and key agreement (eap-aka')
US9391776B2 (en) Method and system for authenticating peer devices using EAP
US8774411B2 (en) Session key generation and distribution with multiple security associations per protocol instance
CN101194529B (en) Method for agreeing on a security key between at least one first and one second communications station for securing a communications link
US8881305B2 (en) Methods and apparatus for maintaining secure connections in a wireless communication network
CN101785269A (en) Bootstrapping method for setting up a security association
CN111050322A (en) GBA-based client registration and key sharing method, device and system
KR20120052396A (en) Security access control method and system for wired local area network
CN104683343B (en) A kind of method of terminal quick registration Wi-Fi hotspot
CN101656956A (en) Method, system and gateway for accessing 3GPP network
CN114386020B (en) Quantum-safe fast secondary identity authentication method and system
CN101610507A (en) A method for accessing 3G-WLAN Internet
Tschofenig et al. The extensible authentication protocol-Internet key exchange protocol version 2 (EAP-IKEv2) method
CN103139770B (en) The method and system of pairwise master key is transmitted in WLAN access network
CN102752298B (en) Secure communication method, terminal, server and system
CN102694779B (en) Combination attestation system and authentication method
CN101110673A (en) Method and device for performing multiple authentications by using one EAP process
CN101437017B (en) Method for implementing user and equipment authentication separately employing diameter protocol
CN102131199B (en) WAPI (Wlan Authentication and Privacy Infrastructure) authentication method and access point
CN101364974B (en) Extended diameter method for DHCP related KEY transmission
CN102474503A (en) Method for accessing message storage server securely by client and related devices
WO2009086769A1 (en) A negotiation method for network service and a system thereof

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120704

Termination date: 20151116

EXPY Termination of patent right or utility model