CN1867164A - Method for user terminal obtaining BSF as distributed conversation affair mark - Google Patents

Method for user terminal obtaining BSF as distributed conversation affair mark Download PDF

Info

Publication number
CN1867164A
CN1867164A CNA200510070836XA CN200510070836A CN1867164A CN 1867164 A CN1867164 A CN 1867164A CN A200510070836X A CNA200510070836X A CN A200510070836XA CN 200510070836 A CN200510070836 A CN 200510070836A CN 1867164 A CN1867164 A CN 1867164A
Authority
CN
China
Prior art keywords
tid
authentication
bsf
key
encrypted
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CNA200510070836XA
Other languages
Chinese (zh)
Other versions
CN100486351C (en
Inventor
黄迎新
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to CNB200510070836XA priority Critical patent/CN100486351C/en
Publication of CN1867164A publication Critical patent/CN1867164A/en
Application granted granted Critical
Publication of CN100486351C publication Critical patent/CN100486351C/en
Anticipated expiration legal-status Critical
Expired - Fee Related legal-status Critical Current

Links

Images

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

本发明公开了一种用户终端获取BSF为其分配的会话事务标识的方法,其关键是,BSF接收到来自UE的鉴权请求且对该UE鉴权成功后,将所生成B-TID以密文的形式发送给用户终端;用户终端解密后获取完整的B-TID并保存。这样,避免了攻击者直接截获B-TID,而且,也避免了攻击者获取该UE的IMPI与其所应用的B-TID的对应关系,进而避免了攻击者对该用户进行追踪,从而保证了用户信息的安全。The invention discloses a method for a user terminal to obtain a session transaction identifier assigned by a BSF. The text is sent to the user terminal; the user terminal obtains the complete B-TID after decryption and saves it. In this way, it prevents the attacker from directly intercepting the B-TID, and also prevents the attacker from obtaining the corresponding relationship between the IMPI of the UE and the B-TID applied thereto, thereby avoiding the attacker from tracking the user, thereby ensuring that the user Information Security.

Description

用户终端获取BSF为其分配的会话事务标识的方法A method for a user terminal to obtain a session transaction identifier assigned to it by BSF

技术领域technical field

本发明涉及第三代无线通信技术领域,特别是指用户终端获取执行用户身份初始检查验证实体(BSF)为其分配的会话事务标识的方法。The present invention relates to the technical field of the third generation wireless communication, and in particular refers to a method for a user terminal to obtain a session transaction identifier assigned to it by a verification entity (BSF) that performs an initial user identity check.

背景技术Background technique

在第三代无线通信标准中,通用鉴权框架是多种应用业务实体使用的一个用于完成对用户身份进行验证的通用结构,应用通用鉴权框架可实现对应用业务的用户进行检查和验证身份。上述多种应用业务可以是多播/广播业务、用户证书业务、信息即时提供业务等,也可以是代理业务。In the third-generation wireless communication standard, the general authentication framework is a general structure used by various application business entities to complete the verification of user identities. The application of the general authentication framework can realize the inspection and verification of users of application services identity. The various application services mentioned above may be multicast/broadcast services, user certificate services, instant information provision services, etc., or proxy services.

图1所示为通用鉴权框架的结构示意图。通用鉴权框架通常由用户终端(UE)101、执行用户身份初始检查验证的实体(BSF)102、用户归属网络服务器(HSS)103和网络应用实体(NAF)104组成。BSF102用于与用户终端101进行互验证身份,同时生成BSF102与用户终端101的共享密钥;HSS103中存储有用于描述用户信息的描述(Profile)文件,该Profile中包括用户身份标识等所有与用户有关的描述信息,同时HSS103还兼有产生鉴权信息的功能。Figure 1 is a schematic structural diagram of a general authentication framework. The general authentication framework usually consists of a user terminal (UE) 101 , an entity (BSF) 102 that performs initial user identity check and verification, a user home network server (HSS) 103 and a network application entity (NAF) 104 . BSF102 is used for mutually verifying identity with user terminal 101, and generates the shared secret key of BSF102 and user terminal 101 at the same time; HSS103 is stored with the description (Profile) file that is used to describe user information, includes user's identification mark etc. Related description information, and HSS103 also has the function of generating authentication information.

用户需要使用某种业务时,如果其知道需要首先与BSF进行互鉴权,则直接与BSF联系以进行互鉴权,否则,用户会首先和该业务对应的NAF联系,如果该NAF使用通用鉴权框架且发现发出请求的UE还未与BSF进行互鉴权,则通知发出请求的UE到BSF进行互鉴权以验证身份。When a user needs to use a certain service, if he knows that he needs to perform mutual authentication with BSF first, he will directly contact the BSF for mutual authentication; otherwise, the user will first contact the NAF corresponding to the service. If the NAF uses general authentication If it finds that the requesting UE has not performed mutual authentication with the BSF, it will notify the requesting UE to perform mutual authentication with the BSF to verify its identity.

UE与BSF进行互验证的过程是:UE向BSF发出鉴权请求,该鉴权请求中包括UE的永久身份标识(IMPI)或由国际移动用户识别码(IMSI)转换得到的IMPI,BSF接到来自UE的鉴权请求后,首先向HSS请求该UE的鉴权信息,该请求中包含了UE的永久身份标识,HSS根据UE的永久身份标识查找到该UE的属性信息并生成鉴权矢量(AV)返回给BSF。鉴权矢量是一个五元组信息,包括完整性密钥IK、加密密钥CK、鉴权随机数RAND、鉴权属性值AUTN和期待返回值XRES。其中鉴权属性值AUTN是由序列号、摘要值及鉴权方式构成的一个复合值。The process of mutual authentication between the UE and the BSF is: the UE sends an authentication request to the BSF, which includes the permanent identity (IMPI) of the UE or the IMPI converted from the International Mobile Subscriber Identity (IMSI), and the BSF receives After the authentication request from the UE, first request the UE's authentication information to the HSS, which contains the permanent identity of the UE, and the HSS finds the attribute information of the UE according to the permanent identity of the UE and generates an authentication vector ( AV) is returned to the BSF. The authentication vector is a five-tuple information, including integrity key IK, encryption key CK, authentication random number RAND, authentication attribute value AUTN and expected return value XRES. The authentication attribute value AUTN is a composite value composed of a serial number, a digest value and an authentication method.

BSF接收到鉴权矢量后,自己保留IK、CK及XRES,将RAND和AUTN以明文的形式发送给UE,UE中的用户设备(ME)将接收到的RAND和AUTN发送给用户标识卡(UICC),由UICC根据接收到的信息计算出用户端鉴权所需的IK、CK和响应值RES。此时用户端有两种处理模式,一种是UICC将计算出的IK、CK和RES都发送给ME,ME保存IK、CK,然后将RES包含在响应信息中返回给BSF;另一种是UICC只将RES发送给ME,ME将RES包含在响应信息中返回给BSF。BSF检查接收到的RES与自身保存的XRES是否匹配,如果匹配则通过鉴权,否则没有通过鉴权。After receiving the authentication vector, the BSF reserves IK, CK and XRES, and sends RAND and AUTN to the UE in plain text, and the user equipment (ME) in the UE sends the received RAND and AUTN to the user identification card (UICC) ), the UICC calculates the IK, CK and response value RES required for user authentication based on the received information. At this time, the user end has two processing modes, one is that the UICC sends the calculated IK, CK and RES to the ME, the ME saves the IK and CK, and then returns the RES to the BSF in the response message; the other is The UICC only sends the RES to the ME, and the ME returns the RES to the BSF in response information. BSF checks whether the received RES matches the XRES stored by itself, and if they match, the authentication is passed, otherwise, the authentication is not passed.

鉴权成功后,UE和BSF之间互相认证了身份并且共享了密钥IK、CK,BSF根据密钥IK、CK生成通信密钥Ks,并为该通信密钥Ks定义一个有效期限,以便密钥Ks进行更新。之后,BSF生成一个用于分配给UE的会话事务标识(B-TID),该B-TID为用户名加BSF域名的形式,其中用户名为鉴权过程中使用的鉴权随机数RAND,即B-TID的格式为:RAND+BSF域名,并且BSF在本地对该B-TID、用户的永久身份标识、密钥Ks及密钥Ks的有效期限等信息进行关联保存,然后向UE发送指示鉴权成功的消息,该消息中包含以明文形式存在的B-TID,同时该消息中包含密钥Ks的有效期限。密钥Ks通常作为根密钥使用,一般不离开UE和BSF,当用户和NAF通信时,将使用由Ks衍生出的密钥Ks_NAF进行通信。After successful authentication, UE and BSF authenticate each other and share keys IK and CK. BSF generates a communication key Ks according to the keys IK and CK, and defines a validity period for the communication key Ks so that the encryption The key Ks is updated. Afterwards, BSF generates a session transaction identifier (B-TID) for allocation to UE. The B-TID is in the form of user name plus BSF domain name, where the user name is the authentication random number RAND used in the authentication process, namely The format of the B-TID is: RAND+BSF domain name, and the BSF locally associates and saves the B-TID, the user's permanent identity, the key Ks and the validity period of the key Ks, and then sends an instruction authentication to the UE. A successful message, the message contains the B-TID in plain text, and the message contains the validity period of the key Ks. The key Ks is usually used as the root key and generally does not leave UE and BSF. When the user communicates with NAF, the key Ks_NAF derived from Ks will be used for communication.

如果用户端采用第一种处理模式,即ME中保存有IK、CK信息,则当UE接收到来自BSF的指示鉴权成功的消息后,UE中的ME直接从该消息中获取B-TID,然后ME应用自身保存的IK和CK生成密钥Ks,再应用由Ks衍生出的密钥Ks_NAF作为与NAF通信时的保护密钥;如果用户端采用另一种处理模式,即ME中没有IK、CK信息,则当UE接收到来自BSF的指示鉴权成功的消息后,UE中的ME也直接从该消息中获取B-TID,然后ME向UICC发送包含RAND的请求,由UICC根据RAND找到与其对应的IK、CK,并应用该IK、CK计算出ME所需的密钥Ks,进而计算出由Ks衍生出的密钥Ks_NAF,并将Ks_NAF返回给ME,然后ME再应用该Ks_NAF与NAF进行通信。If the UE adopts the first processing mode, that is, the ME stores IK and CK information, then when the UE receives a message from the BSF indicating that the authentication is successful, the ME in the UE directly obtains the B-TID from the message, Then ME uses the IK and CK stored by itself to generate the key Ks, and then uses the key Ks_NAF derived from Ks as the protection key when communicating with NAF; if the client adopts another processing mode, that is, there is no IK, CK information, when the UE receives a message from the BSF indicating that the authentication is successful, the ME in the UE also directly obtains the B-TID from the message, and then the ME sends a request including RAND to the UICC, and the UICC finds the B-TID according to the RAND Corresponding IK, CK, and apply the IK, CK to calculate the key Ks required by ME, and then calculate the key Ks_NAF derived from Ks, and return Ks_NAF to ME, and then ME uses the Ks_NAF and NAF to perform communication.

当用户发现密钥Ks即将过期,或NAF要求UE重新与BSF进行鉴权时,用户端就会重复上述的步骤重新到BSF进行鉴权,以得到新的Ks及B-TID。When the user finds that the key Ks is about to expire, or the NAF requires the UE to re-authenticate with the BSF, the UE will repeat the above steps to re-authenticate with the BSF to obtain a new Ks and B-TID.

由上述通信过程可以看出,现有的ME获取BSF为其分配的B-TID的方式非常简单,即从来自BSF的指示鉴权成功的消息中直接获取即可。而其缺陷也正在于此:由于鉴权成功后BSF发送给ME的B-TID是以明文形式进行传送的,这样,很容易使攻击者截获B-TID。再有,UE在向BSF发送鉴权请求时使用的IMPI也是以明文形式进行传送的,因此,很容易使攻击者获取该UE的IMPI与其所应用的B-TID的对应关系,对该用户进行追踪,这样,当UE与NAF通信时,攻击者能够知道该用户正在进行什么业务,从而能够寻找机会攻击该用户的业务。It can be seen from the above communication process that the existing way for the ME to obtain the B-TID allocated by the BSF is very simple, that is, it can be obtained directly from the message indicating successful authentication from the BSF. The defect is also here: because the B-TID sent by the BSF to the ME is transmitted in plain text after successful authentication, it is easy for an attacker to intercept the B-TID. In addition, the IMPI used by the UE when sending the authentication request to the BSF is also transmitted in plain text. Therefore, it is easy for the attacker to obtain the corresponding relationship between the IMPI of the UE and the B-TID it is applied to, and perform an attack on the user. Tracking, in this way, when the UE communicates with the NAF, the attacker can know what business the user is doing, so as to find opportunities to attack the user's business.

发明内容Contents of the invention

有鉴于此,本发明的目的在于提供一种用户终端获取BSF为其分配的会话事务标识的方法,以避免用户终端被追踪攻击。In view of this, the purpose of the present invention is to provide a method for a user terminal to obtain a session transaction identifier allocated to it by the BSF, so as to prevent the user terminal from being tracked and attacked.

为达到上述目的,本发明技术方案是这样实现的:To achieve the above object, the technical solution of the present invention is achieved in that:

一种用户终端获取BSF为其分配的会话事务标识的方法,该方法包括以下步骤:A method for a user terminal to obtain a session transaction identifier assigned by a BSF, the method comprising the following steps:

a、执行用户身份初始检查验证的实体BSF接收到来自用户终端UE的鉴权请求且对该UE鉴权成功后,生成分配给UE的会话事务标识B-TID,应用鉴权时所使用的密钥对该生成的B-TID进行加密,然后向UE发送指示鉴权成功的消息,该消息中至少包含加密的B-TID;a. After receiving the authentication request from the user terminal UE and successfully authenticating the UE, the entity BSF that performs the initial check and verification of the user identity generates a session transaction identifier B-TID assigned to the UE, and applies the key used for authentication Encrypt the generated B-TID, and then send a message indicating successful authentication to the UE, the message at least includes the encrypted B-TID;

b、UE接收到指示鉴权成功的消息后,获取与步骤a所述相同的密钥,对已加密的B-TID进行解密,获取完整的B-TID。b. After receiving the message indicating successful authentication, the UE obtains the same key as described in step a, decrypts the encrypted B-TID, and obtains a complete B-TID.

较佳地,步骤a所述BSF生成的B-TID的格式为:由表示唯一性的字段、抗追踪的字段及鉴权随机数RAND共同构成的用户名,再加上BSF的域名。Preferably, the format of the B-TID generated by the BSF in step a is: a user name composed of a unique field, an anti-tracking field, and an authentication random number RAND, plus the domain name of the BSF.

较佳地,所述表示唯一性的字段为系统当前时间字段,所述抗追踪的字段为BSF任意指定的数构成的字段。Preferably, the field representing uniqueness is the current system time field, and the anti-tracking field is a field composed of any number specified by BSF.

较佳地,步骤a所述BSF应用鉴权时所使用的密钥对B-TID进行加密的方法为:应用鉴权时所使用的密钥对B-TID整体进行加密,或者,对B-TID中的任一部分进行加密,且该加密的部分包含鉴权随机数RAND或不包含鉴权随机数RAND。Preferably, the method for the BSF in step a to encrypt the B-TID with the key used for authentication is: to encrypt the entire B-TID with the key used for authentication, or to encrypt the entire B-TID Any part is encrypted, and the encrypted part contains the authentication random number RAND or does not contain the authentication random number RAND.

较佳地,当BSF对B-TID整体进行加密,且由UE中的用户设备ME执行解密操作时,步骤b所述获取与步骤a所述相同的密钥,对已加密的B-TID进行解密,获取完整的B-TID的过程为:ME从自身直接获取与步骤a所述相同的密钥,并应用该密钥对加密的B-TID进行解密,直接获取完整的B-TID。Preferably, when the BSF encrypts the B-TID as a whole, and the user equipment ME in the UE performs the decryption operation, step b obtains the same key as described in step a, and performs encryption on the encrypted B-TID The process of decrypting and obtaining the complete B-TID is as follows: ME directly obtains the same key as described in step a from itself, and applies the key to decrypt the encrypted B-TID to directly obtain the complete B-TID.

较佳地,当BSF对B-TID中的任一部分进行加密,且由UE中的用户设备ME执行解密操作时,步骤a所述指示鉴权成功的消息中还包括未加密部分的B-TID;Preferably, when the BSF encrypts any part of the B-TID, and the user equipment ME in the UE performs a decryption operation, the message indicating successful authentication in step a also includes the unencrypted part of the B-TID ;

步骤b所述获取与步骤a所述相同的密钥,对已加密的B-TID进行解密,获取完整的B-TID的过程为:ME从自身直接获取与步骤a所述相同的密钥,并应用该密钥对接加密部分的B-TID进行解密,之后,将解密得到的部分B-TID与未加密部分组合,获得完整的B-TID。Obtain the same key as described in step a in step b, decrypt the encrypted B-TID, and obtain the complete B-TID process as follows: ME directly obtains the same key as described in step a from itself, And apply the key to decrypt the encrypted part of the B-TID, and then combine the decrypted part of the B-TID with the unencrypted part to obtain a complete B-TID.

较佳地,当BSF对B-TID整体进行加密,且由UE中的用户标识卡UICC执行解密操作时,步骤b所述获取与步骤a所述相同的密钥,对已加密的B-TID进行解密,获取完整的B-TID的过程为:ME接收到指示鉴权成功的消息后,向UICC转发加密的B-TID,且该转发的消息中还包括ME中已保存的与该B-TID对应的鉴权随机数RAND的明文,UICC根据明文的鉴权随机数RAND,从自身获取与步骤a相同的密钥对接收到的B-TID进行解密,直接获取完整的B-TID并保存,之后将完整的B-TID发送给ME。Preferably, when the BSF encrypts the B-TID as a whole, and the user identity card UICC in the UE performs a decryption operation, step b obtains the same key as that described in step a, and encrypts the encrypted B-TID The process of decrypting and obtaining the complete B-TID is as follows: After the ME receives the message indicating that the authentication is successful, it forwards the encrypted B-TID to the UICC, and the forwarded message also includes the B-TID stored in the ME and the B-TID. The plaintext of the authentication random number RAND corresponding to the TID, the UICC obtains the same key as step a from itself according to the plaintext authentication random number RAND to decrypt the received B-TID, directly obtains the complete B-TID and saves it , and then send the complete B-TID to the ME.

较佳地,当BSF对B-TID中的任一部分进行加密,且由UE中的用户标识卡UICC执行解密操作时,步骤a所述指示鉴权成功的消息中还包括未加密部分的B-TID;Preferably, when the BSF encrypts any part of the B-TID, and the UICC in the UE performs the decryption operation, the message indicating successful authentication in step a also includes the B-TID of the unencrypted part. TID;

步骤b所述获取与步骤a所述相同的密钥,对已加密的B-TID进行解密,获取完整的B-TID的过程为:Obtain the same key as described in step a in step b, decrypt the encrypted B-TID, and obtain the complete B-TID process as follows:

ME接收到指示鉴权成功的消息后,向UICC转发加密的B-TID,如果加密部分不包含鉴权随机数RAND,则该转发的消息中还包括未加密部分的B-TID,如果加密的部分包含鉴权随机数RAND,则该转发的消息中还包括未加密部分的B-TID和ME中已保存的与该B-TID对应的鉴权随机数RAND的明文,UICC根据明文的鉴权随机数RAND,从自身获取与步骤a相同的密钥对接收到的B-TID进行解密,将解密得到的部分B-TID与未加密部分组合,获得完整的B-TID并保存,之后将完整的B-TID发送给ME。After the ME receives the message indicating that the authentication is successful, it forwards the encrypted B-TID to the UICC. If the encrypted part does not contain the authentication random number RAND, the forwarded message also includes the B-TID of the unencrypted part. part contains the authentication random number RAND, the forwarded message also includes the unencrypted part of the B-TID and the plaintext of the authentication random number RAND corresponding to the B-TID stored in the ME, and the UICC authenticates according to the plaintext Random number RAND, obtain the same key as step a from itself to decrypt the received B-TID, combine the decrypted part of the B-TID with the unencrypted part, obtain the complete B-TID and save it, and then complete the B-TID The B-TID is sent to ME.

较佳地,步骤a所述鉴权时所使用的密钥为完整性密钥IK,或加密密钥CK,或由完整性密钥IK和加密密钥CK生成的通信密钥Ks,或以上三者的任意组合。Preferably, the key used for authentication in step a is the integrity key IK, or the encryption key CK, or the communication key Ks generated by the integrity key IK and the encryption key CK, or the above three any combination of those.

较佳地,UE获得完整的B-TID后,进一步包括:将该B-TID与该B-TID对应的通信密钥关联保存。Preferably, after the UE obtains the complete B-TID, the method further includes: associating and saving the B-TID with the communication key corresponding to the B-TID.

较佳地,BSF接收到来自用户终端的鉴权请求后,进一步包括:判断该请求中是包含B-TID还是用户身份标识,如果是用户身份标识,则按照现有的鉴权方式继续后续处理;如果是B-TID,则BSF判断本地是否存在该B-TID,如果存在,则提取该B-TID对应的用户身份标识,并然后再按照现有的鉴权方式继续后续处理,否则,BSF要求用户发送包含用户身份标识的鉴权请求。Preferably, after receiving the authentication request from the user terminal, the BSF further includes: judging whether the request contains the B-TID or the user identity, and if it is the user identity, continue the subsequent processing according to the existing authentication method ; If it is a B-TID, the BSF judges whether the B-TID exists locally, if it exists, extracts the user identity corresponding to the B-TID, and then continues the follow-up processing according to the existing authentication method, otherwise, the BSF The user is required to send an authentication request containing the user ID.

应用本发明,BSF接收到来自UE的鉴权请求且对该UE鉴权成功后,将所生成B-TID以密文的形式发送给用户终端;用户终端解密后获取完整的B-TID并保存。这样,避免了攻击者直接截获B-TID,而且,也避免了攻击者获取该UE的IMPI与其所应用的B-TID的对应关系,进而避免了攻击者对该用户进行追踪,从而保证了用户信息的安全。Applying the present invention, after receiving the authentication request from the UE and successfully authenticating the UE, the BSF sends the generated B-TID to the user terminal in the form of cipher text; the user terminal obtains the complete B-TID after decrypting and saves it . In this way, the attacker is prevented from directly intercepting the B-TID, and the attacker is also prevented from obtaining the corresponding relationship between the IMPI of the UE and the B-TID applied thereto, thereby preventing the attacker from tracking the user, thus ensuring the user Information Security.

附图说明Description of drawings

图1所示为通用鉴权框架的结构示意图;FIG. 1 is a schematic structural diagram of a general authentication framework;

图2所示为应用本发明实施例一的流程示意图;FIG. 2 is a schematic flow diagram of the application of Embodiment 1 of the present invention;

图3所示为应用本发明实施例二的流程示意图。FIG. 3 is a schematic flow chart of the application of Embodiment 2 of the present invention.

具体实施方式Detailed ways

下面结合附图及具体实施例,对本发明再作进一步地详细说明。The present invention will be further described in detail below in conjunction with the accompanying drawings and specific embodiments.

图2所示为应用本发明实施例一的流程示意图。在本实施例中,ME中保存有鉴权时产生的IK、CK信息。FIG. 2 is a schematic flow chart of Embodiment 1 of the application of the present invention. In this embodiment, the ME stores the IK and CK information generated during authentication.

步骤201,UE向BSF发送鉴权请求,该请求中包含IMPI。In step 201, the UE sends an authentication request to the BSF, and the request includes the IMPI.

步骤202~203,BSF向HSS请求该UE的鉴权信息,该请求中包含该UE的IMPI,HSS根据UE的IMPI查找到该UE的属性信息并生成鉴权矢量(AV)返回给BSF。AV中包括完整性密钥IK、加密密钥CK、鉴权随机数RAND、鉴权属性值AUTN和期待返回值XRES。In steps 202-203, the BSF requests the UE's authentication information from the HSS, and the request includes the UE's IMPI. The HSS finds the UE's attribute information according to the UE's IMPI and generates an authentication vector (AV) to return to the BSF. AV includes integrity key IK, encryption key CK, authentication random number RAND, authentication attribute value AUTN and expected return value XRES.

步骤204,BSF与UE进行互鉴权,鉴权过程中,UE中的UICC计算出的IK、CK,并将所计算出的IK、CK发送给ME,ME保存IK、CK信息。In step 204, the BSF and the UE perform mutual authentication. During the authentication process, the UICC in the UE calculates the IK and CK, and sends the calculated IK and CK to the ME, and the ME stores the IK and CK information.

步骤205,鉴权成功后,BSF生成B-TID,应用鉴权时所使用的密钥对B-TID整体进行加密,或者,对B-TID中的任一部分进行加密,该加密的部分可以包含RAND也可以不包含RAND。Step 205, after the authentication is successful, the BSF generates a B-TID, and encrypts the whole B-TID with the key used in the authentication, or encrypts any part of the B-TID, and the encrypted part may contain RAND It is also possible not to include RAND.

BSF所生成的B-TID的格式为:由表示唯一性的字段、抗追踪的字段及鉴权随机数RAND共同构成的用户名,再加上BSF的域名,其中,用于表示唯一性的字段为系统当前时间字段,用于表示抗追踪的字段为BSF任意指定的数构成的字段,即B-TID的格式可以表示为如下形式:The format of the B-TID generated by BSF is: the user name composed of the uniqueness field, the anti-tracking field and the authentication random number RAND, plus the BSF domain name, among them, the field used to represent the uniqueness It is the current time field of the system, and the field used to indicate anti-tracking is a field composed of any number specified by BSF, that is, the format of B-TID can be expressed as follows:

当前时间+BSF指定的一个数+RAND+BSF的域名Current time + a number specified by BSF + RAND + BSF domain name

其中,划线部分为用户名,且用户名部分的各个字段位置的先后顺序根据系统配置而定。Among them, the underlined part is the user name, and the order of the positions of the fields in the user name part depends on the system configuration.

当对B-TID的整体进行加密时,其形式如式(1)所示:When encrypting the whole B-TID, its form is shown in formula (1):

hash(当前时间+BSF指定的一个数+RAND+BSF的域名)  (1)hash(current time+a number specified by BSF+RAND+BSF domain name) (1)

当对B-TID的部分进行加密,且加密部分包含RAND时,其形式如式(2)所示:When the part of B-TID is encrypted, and the encrypted part contains RAND, its form is shown in formula (2):

hash(当前时间+BSF指定的一个数+RAND)+BSF的域名  (2)hash (current time + a number specified by BSF + RAND) + domain name of BSF (2)

当对B-TID的部分进行加密,且加密部分不包含RAND时,其形式如式(3)所示:When the part of B-TID is encrypted, and the encrypted part does not contain RAND, its form is shown in formula (3):

hash(当前时间+BSF指定的一个数)+RAND+BSF的域名  (3)hash (current time + a number specified by BSF) + RAND + BSF domain name (3)

步骤206,BSF通过指示鉴权成功的消息将加密后的B-TID发送给UE。如果BSF是对B-TID部分进行加密,则该消息中还包含未加密部分的B-TID。In step 206, the BSF sends the encrypted B-TID to the UE through a message indicating successful authentication. If the BSF encrypts the B-TID part, the message also includes the B-TID of the unencrypted part.

步骤207,由于ME中已保存有IK、CK信息,因此,ME应用与BSF加密时所应用的相同密钥对接收到的信息解密,获取完整的B-TID并保存。具体过程为:Step 207, since the IK and CK information has been stored in the ME, the ME applies the same key used for encryption with the BSF to decrypt the received information, acquires and stores the complete B-TID. The specific process is:

如果BSF是对B-TID整体进行加密,则ME从自身获取与BSF加密时应用的相同密钥对接收到的B-TID进行解密,直接获取完整的B-TID;如果BSF是对B-TID部分进行加密,则ME从自身获取与BSF加密时应用的相同密钥对接收到的B-TID进行解密,然后将解密得到的部分B-TID与未加密部分组合,从而获得完整的B-TID。例如部分加密时,加密部分和RAND的值总共是256位,RAND是后面的128位,那么ME解密前面的128位然后与后面的RAND组合,形成完整的B-TID。If BSF encrypts the B-TID as a whole, then ME obtains from itself the same key used for BSF encryption to decrypt the received B-TID and directly obtains the complete B-TID; if BSF encrypts the B-TID Partially encrypted, ME obtains from itself the same key used for BSF encryption to decrypt the received B-TID, and then combines the decrypted part of the B-TID with the unencrypted part to obtain a complete B-TID . For example, during partial encryption, the value of the encrypted part and RAND is 256 bits in total, and RAND is the last 128 bits. Then ME decrypts the first 128 bits and combines them with the latter RAND to form a complete B-TID.

步骤208,UE中的ME应用自身保存的IK和CK生成密钥Ks,并且将该完整的B-TID与其所对应通信密钥Ks等信息关联保存。也就是说,UE将关联保存该B-TID与该B-TID对应的通信密钥。之后,ME再应用由Ks衍生出的密钥Ks_NAF作为与NAF通信时的保护密钥,使用已获取的B-TID与NAF进行正常的通信。In step 208, the ME in the UE generates a key Ks using its own stored IK and CK, and stores the complete B-TID in association with its corresponding communication key Ks and other information. That is to say, the UE will store the B-TID in association with the communication key corresponding to the B-TID. After that, ME applies the key Ks_NAF derived from Ks as the protection key when communicating with NAF, and uses the acquired B-TID to communicate with NAF normally.

图3所示为应用本发明实施例二的流程示意图。在本实施例中,ME中不保存鉴权时产生的IK、CK信息。当ME需要使用鉴权时产生的密钥信息时都向UICC请求。FIG. 3 is a schematic flow chart of the application of Embodiment 2 of the present invention. In this embodiment, the IK and CK information generated during authentication are not saved in the ME. When the ME needs to use the key information generated during authentication, it will request to the UICC.

步骤301至303与图2中的步骤201至203相同。Steps 301 to 303 are the same as steps 201 to 203 in FIG. 2 .

步骤304,BSF与UE进行互鉴权,鉴权过程中,UE中的UICC计算出的IK、CK,并只在自身保存,而不发送给ME。In step 304, the BSF performs mutual authentication with the UE. During the authentication process, the IK and CK calculated by the UICC in the UE are only stored in itself and not sent to the ME.

步骤305至306与步骤205至206相同。Steps 305 to 306 are the same as steps 205 to 206 .

步骤307,ME将接收到的指示鉴权成功的消息后,将其中B-TID信息转发送给UICC。如果BSF对B-TID整体进行加密,则转发的B-TID信息为加密后的B-TID,如果BSF是对B-TID部分进行加密,则该转发的B-TID信息是加密部分的B-TID和未加密部分的B-TID。In step 307, the ME forwards the B-TID information in the received message indicating successful authentication to the UICC. If the BSF encrypts the whole B-TID, the forwarded B-TID information is the encrypted B-TID; if the BSF encrypts the B-TID part, the forwarded B-TID information is the B-TID of the encrypted part. TID and B-TID of the unencrypted part.

由于ME需要UICC执行解密操作,因此,为了能够让UICC从自身保存的信息中获得用于解密的密钥,ME必须将RAND的明文发送给UICC,以便UICC根据已保存的RAND与IK、CK的对应关系得到所需的密钥。也就是说,如果BSF对B-TID整体进行加密即如式(1)的加密方式,或是BSF是对B-TID中的任一部分进行加密且加密部分包含RAND即如式(2)的加密方式,则上述转发的消息中还包括ME中已保存的与该B-TID对应的RAND的明文;如果BSF是对B-TID中的任一部分进行加密,且加密部分不包含RAND,即如式(3)的加密方式,则上述转发的消息中不需要再包含RAND的明文,只包含加密部分的B-TID和未加密部分的B-TID即可。Since ME needs UICC to perform the decryption operation, in order for UICC to obtain the key for decryption from the information saved by itself, ME must send the plain text of RAND to UICC, so that UICC can use the saved RAND and IK, CK Correspondence to get the required key. That is to say, if BSF encrypts the whole B-TID, it is the encryption method of formula (1), or if BSF encrypts any part of B-TID and the encrypted part contains RAND, it is the encryption method of formula (2). method, the forwarded message above also includes the plaintext of the RAND corresponding to the B-TID stored in the ME; if the BSF encrypts any part of the B-TID, and the encrypted part does not contain RAND, that is, the formula (3) encryption method, then the above-mentioned forwarded message does not need to include the plaintext of RAND, but only includes the B-TID of the encrypted part and the B-TID of the unencrypted part.

步骤308,UICC应用与BSF加密时所应用的相同密钥对接收到的信息直接解密,获取完整的B-TID。具体过程为:In step 308, the UICC directly decrypts the received information using the same key used for encryption by the BSF to obtain a complete B-TID. The specific process is:

如果BSF是对B-TID整体进行加密,则UICC从自身获取与BSF加密时所应用的相同密钥对接收到的B-TID进行解密,直接获取完整的B-TID;如果BSF是对B-TID部分进行加密,则UICC从自身获取与BSF加密时所应用的相同密钥对接收到的B-TID进行解密,然后将解密得到的部分B-TID与未加密部分组合,从而获得完整的B-TID。并且,UICC将该完整的B-TID与其所对应通信密钥Ks等信息关联保存。也就是说,UE将关联保存该B-TID与该B-TID对应的通信密钥。If the BSF encrypts the B-TID as a whole, the UICC obtains from itself the same key used for encryption by the BSF to decrypt the received B-TID and directly obtains the complete B-TID; if the BSF encrypts the B-TID The TID part is encrypted, and the UICC obtains from itself the same key as that used by the BSF to decrypt the received B-TID, and then combines the decrypted part of the B-TID with the unencrypted part to obtain a complete B-TID -TID. And, the UICC stores the complete B-TID in association with its corresponding communication key Ks and other information. That is to say, the UE will store the B-TID in association with the communication key corresponding to the B-TID.

步骤309,UICC将完整的B-TID发送给ME,ME进行保存,以便向NAF请求业务。In step 309, the UICC sends the complete B-TID to the ME, and the ME saves it so as to request services from the NAF.

步骤310,UE使用已获取的B-TID与NAF进行正常的通信。当需要密钥时,UE中的ME以B-TID为索引要求UICC进行计算,其具体过程与现有技术相同,再次不再详细描述。In step 310, the UE communicates normally with the NAF using the acquired B-TID. When a key is needed, the ME in the UE uses the B-TID as an index to request the UICC to perform calculations. The specific process is the same as that of the prior art, and will not be described in detail again.

上述两个实施例的主要区别是,在第一个实施例中,由ME执行解密操作,在第二个实施例中由UICC执行解密操作。The main difference between the above two embodiments is that in the first embodiment, the decryption operation is performed by the ME, and in the second embodiment, the decryption operation is performed by the UICC.

上述两个实施例中所述的鉴权时所使用的密钥为完整性密钥IK,或加密密钥CK,或由完整性密钥IK和加密密钥CK生成的通信密钥Ks,或以上三者的任意组合。当然,具体应用哪种密钥是根据系统配置决定的,且加解密双方都是预先已知的。The key used in the authentication described in the above two embodiments is the integrity key IK, or the encryption key CK, or the communication key Ks generated by the integrity key IK and the encryption key CK, or the above Any combination of the three. Of course, which key to use is determined according to the system configuration, and both encryption and decryption parties are known in advance.

另外,对于上述两个实施例而言,UE向BSF发送的鉴权请求中也可以不包含IMPI,而是包含UE已有的B-TID,此时,当BSF接收到来自用户终端的鉴权请求后,先判断该请求中是包含B-TID还是用户身份标识,如果是用户身份标识,则根据该用户身份标识从HSS中获取鉴权矢量,然后按照现有的鉴权方式继续后续处理;如果是B-TID,则BSF判断本地是否存在该B-TID,如果存在,则提取该B-TID对应的用户身份标识,并根据该用户身份标识从HSS中获取鉴权信息,然后再按照现有的鉴权方式继续后续处理,否则,BSF要求用户发送包含用户身份标识的鉴权请求。In addition, for the above two embodiments, the authentication request sent by the UE to the BSF may not contain the IMPI, but may contain the existing B-TID of the UE. At this time, when the BSF receives the authentication request from the user terminal After the request, first judge whether the request includes the B-TID or the user identity, if it is the user identity, then obtain the authentication vector from the HSS according to the user identity, and then continue the follow-up processing according to the existing authentication mode; If it is a B-TID, the BSF judges whether the B-TID exists locally, and if so, extracts the user identity corresponding to the B-TID, and obtains authentication information from the HSS according to the user identity, and then follows the current Some authentication methods continue to follow-up processing, otherwise, the BSF requires the user to send an authentication request including the user ID.

以上所述仅为本发明的较佳实施例而已,并不用以限制本发明,凡在本发明的精神和原则之内,所作的任何修改、等同替换、改进等,均应包含在本发明的保护范围之内。The above descriptions are only preferred embodiments of the present invention, and are not intended to limit the present invention. Any modifications, equivalent replacements, improvements, etc. made within the spirit and principles of the present invention shall be included in the scope of the present invention. within the scope of protection.

Claims (11)

1、一种用户终端获取BSF为其分配的会话事务标识的方法,其特征在于,该方法包括以下步骤:1. A method for a user terminal to obtain a session transaction identifier assigned by a BSF, characterized in that the method comprises the following steps: a、执行用户身份初始检查验证的实体BSF接收到来自用户终端UE的鉴权请求且对该UE鉴权成功后,生成分配给UE的会话事务标识B-TID,应用鉴权时所使用的密钥对该生成的B-TID进行加密,然后向UE发送指示鉴权成功的消息,该消息中至少包含加密的B-TID;a. After receiving the authentication request from the user terminal UE and successfully authenticating the UE, the entity BSF that performs the initial check and verification of the user identity generates a session transaction identifier B-TID assigned to the UE, and applies the key used for authentication Encrypt the generated B-TID, and then send a message indicating successful authentication to the UE, the message at least includes the encrypted B-TID; b、UE接收到指示鉴权成功的消息后,获取与步骤a所述相同的密钥,对已加密的B-TID进行解密,获取完整的B-TID。b. After receiving the message indicating successful authentication, the UE obtains the same key as described in step a, decrypts the encrypted B-TID, and obtains a complete B-TID. 2、根据权利要求1所述的方法,其特征在于,步骤a所述BSF生成的B-TID的格式为:由表示唯一性的字段、抗追踪的字段及鉴权随机数RAND共同构成的用户名,再加上BSF的域名。2. The method according to claim 1, wherein the format of the B-TID generated by the BSF in step a is: a user ID composed of a unique field, an anti-tracking field and an authentication random number RAND. name, plus the BSF domain name. 3、根据权利要求2所述的方法,其特征在于,所述表示唯一性的字段为系统当前时间字段,所述抗追踪的字段为BSF任意指定的数构成的字段。3. The method according to claim 2, wherein the unique field is the system current time field, and the anti-tracking field is a field composed of numbers arbitrarily specified by BSF. 4、根据权利要求2所述的方法,其特征在于,步骤a所述BSF应用鉴权时所使用的密钥对B-TID进行加密的方法为:应用鉴权时所使用的密钥对B-TID整体进行加密,或者,对B-TID中的任一部分进行加密,且该加密的部分包含鉴权随机数RAND或不包含鉴权随机数RAND。4. The method according to claim 2, characterized in that the method of encrypting the B-TID with the key used by the BSF when applying authentication in step a is: using the key pair B-TID when applying authentication The whole is encrypted, or any part of the B-TID is encrypted, and the encrypted part contains the authentication random number RAND or does not include the authentication random number RAND. 5、根据权利要求4所述的方法,其特征在于,当BSF对B-TID整体进行加密,且由UE中的用户设备ME执行解密操作时,步骤b所述获取与步骤a所述相同的密钥,对已加密的B-TID进行解密,获取完整的B-TID的过程为:ME从自身直接获取与步骤a所述相同的密钥,并应用该密钥对加密的B-TID进行解密,直接获取完整的B-TID。5. The method according to claim 4, wherein when the BSF encrypts the entire B-TID and the user equipment ME in the UE performs the decryption operation, the acquisition in step b is the same as that in step a Key, to decrypt the encrypted B-TID, the process of obtaining the complete B-TID is: ME directly obtains the same key as described in step a from itself, and applies the key to the encrypted B-TID Decrypt to get the complete B-TID directly. 6、根据权利要求4所述的方法,其特征在于,当BSF对B-TID中的任一部分进行加密,且由UE中的用户设备ME执行解密操作时,步骤a所述指示鉴权成功的消息中还包括未加密部分的B-TID;6. The method according to claim 4, wherein when the BSF encrypts any part of the B-TID, and the user equipment ME in the UE performs the decryption operation, the indication of successful authentication in step a The message also includes the B-TID of the unencrypted part; 步骤b所述获取与步骤a所述相同的密钥,对已加密的B-TID进行解密,获取完整的B-TID的过程为:ME从自身直接获取与步骤a所述相同的密钥,并应用该密钥对接加密部分的B-TID进行解密,之后,将解密得到的部分B-TID与未加密部分组合,获得完整的B-TID。Obtain the same key as described in step a in step b, decrypt the encrypted B-TID, and obtain the complete B-TID process as follows: ME directly obtains the same key as described in step a from itself, And apply the key to decrypt the encrypted part of the B-TID, and then combine the decrypted part of the B-TID with the unencrypted part to obtain a complete B-TID. 7、根据权利要求4所述的方法,其特征在于,当BSF对B-TID整体进行加密,且由UE中的用户标识卡UICC执行解密操作时,步骤b所述获取与步骤a所述相同的密钥,对已加密的B-TID进行解密,获取完整的B-TID的过程为:ME接收到指示鉴权成功的消息后,向UICC转发加密的B-TID,且该转发的消息中还包括ME中已保存的与该B-TID对应的鉴权随机数RAND的明文,UICC根据明文的鉴权随机数RAND,从自身获取与步骤a相同的密钥对接收到的B-TID进行解密,直接获取完整的B-TID并保存,之后将完整的B-TID发送给ME。7. The method according to claim 4, wherein when the BSF encrypts the B-TID as a whole, and the UICC in the UE performs the decryption operation, the acquisition in step b is the same as that in step a key, decrypt the encrypted B-TID, and obtain the complete B-TID process: After the ME receives the message indicating that the authentication is successful, it forwards the encrypted B-TID to the UICC, and the forwarded message contains It also includes the plaintext of the authentication random number RAND corresponding to the B-TID stored in the ME, and the UICC obtains the same key as that in step a from itself according to the authentication random number RAND in the plaintext to process the received B-TID Decrypt, directly obtain and save the complete B-TID, and then send the complete B-TID to ME. 8、根据权利要求4所述的方法,其特征在于,当BSF对B-TID中的任一部分进行加密,且由UE中的用户标识卡UICC执行解密操作时,步骤a所述指示鉴权成功的消息中还包括未加密部分的B-TID;8. The method according to claim 4, wherein when the BSF encrypts any part of the B-TID and the UICC in the UE performs the decryption operation, the step a indicates that the authentication is successful The unencrypted part of the B-TID is also included in the message; 步骤b所述获取与步骤a所述相同的密钥,对已加密的B-TID进行解密,获取完整的B-TID的过程为:Obtain the same key as described in step a in step b, decrypt the encrypted B-TID, and obtain the complete B-TID process as follows: ME接收到指示鉴权成功的消息后,向UICC转发加密的B-TID,如果加密部分不包含鉴权随机数RAND,则该转发的消息中还包括未加密部分的B-TID,如果加密的部分包含鉴权随机数RAND,则该转发的消息中还包括未加密部分的B-TID和ME中已保存的与该B-TID对应的鉴权随机数RAND的明文,UICC根据明文的鉴权随机数RAND,从自身获取与步骤a相同的密钥对接收到的B-TID进行解密,将解密得到的部分B-TID与未加密部分组合,获得完整的B-TID并保存,之后将完整的B-TID发送给ME。After the ME receives the message indicating that the authentication is successful, it forwards the encrypted B-TID to the UICC. If the encrypted part does not contain the authentication random number RAND, the forwarded message also includes the B-TID of the unencrypted part. part contains the authentication random number RAND, the forwarded message also includes the unencrypted part of the B-TID and the plaintext of the authentication random number RAND corresponding to the B-TID stored in the ME, and the UICC authenticates according to the plaintext Random number RAND, obtain the same key as step a from itself to decrypt the received B-TID, combine the decrypted part of the B-TID with the unencrypted part, obtain the complete B-TID and save it, and then complete the B-TID The B-TID is sent to ME. 9、根据权利要求1所述的方法,其特征在于,步骤a所述鉴权时所使用的密钥为完整性密钥IK,或加密密钥CK,或由完整性密钥IK和加密密钥CK生成的通信密钥Ks,或以上三者的任意组合。9. The method according to claim 1, wherein the key used in the authentication in step a is the integrity key IK, or the encryption key CK, or the combination of the integrity key IK and the encryption key The communication key Ks generated by CK, or any combination of the above three. 10、根据权利要求1所述的方法,其特征在于,UE获得完整的B-TID后,进一步包括:将该B-TID与该B-TID对应的通信密钥关联保存。10. The method according to claim 1, wherein after the UE obtains the complete B-TID, further comprising: associating and saving the B-TID with the communication key corresponding to the B-TID. 11、根据权利要求1所述的方法,其特征在于,BSF接收到来自用户终端的鉴权请求后,进一步包括:判断该请求中是包含B-TID还是用户身份标识,如果是用户身份标识,则按照现有的鉴权方式继续后续处理;如果是B-TID,则BSF判断本地是否存在该B-TID,如果存在,则提取该B-TID对应的用户身份标识,并然后再按照现有的鉴权方式继续后续处理,否则,BSF要求用户发送包含用户身份标识的鉴权请求。11. The method according to claim 1, characterized in that after receiving the authentication request from the user terminal, the BSF further includes: judging whether the request contains the B-TID or the user identity, if it is the user identity, Then continue the follow-up processing according to the existing authentication method; if it is a B-TID, the BSF judges whether the B-TID exists locally, and if so, extracts the user identity corresponding to the B-TID, and then follows the existing Otherwise, the BSF requires the user to send an authentication request including the user ID.
CNB200510070836XA 2005-05-19 2005-05-19 Method for user terminal to obtaine conversation affair mark distributed by BSF Expired - Fee Related CN100486351C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB200510070836XA CN100486351C (en) 2005-05-19 2005-05-19 Method for user terminal to obtaine conversation affair mark distributed by BSF

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB200510070836XA CN100486351C (en) 2005-05-19 2005-05-19 Method for user terminal to obtaine conversation affair mark distributed by BSF

Publications (2)

Publication Number Publication Date
CN1867164A true CN1867164A (en) 2006-11-22
CN100486351C CN100486351C (en) 2009-05-06

Family

ID=37426012

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB200510070836XA Expired - Fee Related CN100486351C (en) 2005-05-19 2005-05-19 Method for user terminal to obtaine conversation affair mark distributed by BSF

Country Status (1)

Country Link
CN (1) CN100486351C (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104918246A (en) * 2014-03-12 2015-09-16 中兴通讯股份有限公司 Authentication method and system, ProSe (Proximity-based Service) functional entities and UE (User Equipment)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104918246A (en) * 2014-03-12 2015-09-16 中兴通讯股份有限公司 Authentication method and system, ProSe (Proximity-based Service) functional entities and UE (User Equipment)
WO2015135278A1 (en) * 2014-03-12 2015-09-17 中兴通讯股份有限公司 Authentication method and system, prose functional entity, and ue

Also Published As

Publication number Publication date
CN100486351C (en) 2009-05-06

Similar Documents

Publication Publication Date Title
CN111050322B (en) GBA-based client registration and key sharing method, device and system
CN103051628B (en) Obtain the method and system of authentication token based on server
Arkko et al. Mikey: Multimedia internet keying
CN111371730A (en) Lightweight authentication method supporting anonymous access of heterogeneous terminal in edge computing scene
US8230213B2 (en) Method, system and apparatus for protecting a BSF entity from attack
CN113612797A (en) An Improved Kerberos Authentication Protocol Based on National Secret Algorithm
JP5524176B2 (en) Method and apparatus for authentication and identity management using public key infrastructure (PKI) in an IP-based telephone environment
CN102036238A (en) Method for realizing user and network authentication and key distribution based on public key
CN106101068A (en) Terminal communicating method and system
CN101969638A (en) Method for protecting international mobile subscriber identity (IMSI) in mobile communication
CN102379114A (en) Security key management in ims-based multimedia broadcast and multicast services (mbms)
WO2011088658A1 (en) Method, server and system for authenticating identification information in domain name system (dns) messages
CN103166757B (en) A kind of method and system of dynamic protection privacy of user data
Nikooghadam et al. Perfect forward secrecy via an ECC-based authentication scheme for SIP in VoIP: M. Nikooghadam, H. Amintoosi
CN1929371B (en) Method for User and Peripheral to Negotiate a Shared Key
Tschofenig et al. The extensible authentication protocol-Internet key exchange protocol version 2 (EAP-IKEv2) method
CN1859097B (en) An authentication method and system based on a general authentication framework
CN1921682A (en) Method for enhancing key negotiation in universal identifying framework
CN101267663B (en) A method, system and device for user identity validation
CN106877996B (en) User in the domain PKI accesses the authentication key agreement method of the resource in the domain IBC
Abid et al. Efficient identity-based authentication for IMS based services access
CN1867164A (en) Method for user terminal obtaining BSF as distributed conversation affair mark
Arkko et al. Rfc 3830: Mikey: multimedia internet keying
US8769280B2 (en) Authentication apparatus and method for non-real-time IPTV system
Dai Secure user authentication protocol for mobile Internet of Things based on SM9

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090506