
CN101203030B - Apparatus and method for identifying authority by mobile terminal multi-mode protocol stack - Google Patents


Info

Publication number
CN101203030B
Authority
CN
China
Prior art keywords
authentication
module
network
umts
eap
Prior art date
Legal status
Active
Application number
CN2006101651293A
Other languages
Chinese (zh)
Other versions
CN101203030A (en)
Inventor
周阳霖
张孝林
Current Assignee
Lenovo Beijing Ltd
Original Assignee
Lenovo Beijing Ltd
Priority date
Filing date
Publication date
Application filed by Lenovo Beijing Ltd
Priority to CN2006101651293A
Publication of CN101203030A
Application granted
Publication of CN101203030B
Legal status: Active
Anticipated expiration

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a device for performing authentication by means of the multi-mode protocol stack of a mobile terminal. The device comprises at least: a mode selection module (101) that selects the working mode of the mobile terminal according to a received signal; a subscriber identity module (SIM) card management module (103) that manages SIM card drivers of different types and identifies the type of the inserted SIM card; an interface management module (104) that reads and stores user information through the SIM card management module (103) and the different types of SIM card, receives authentication request messages from the network side through the different protocol stacks, and sends authentication response messages to the different network sides through the corresponding protocol stacks; and an authentication execution module (102) that obtains the user information through the interface management module (104), receives the authentication request message sent by the network side, runs the corresponding authentication algorithm on that information to generate an authentication response message, and passes the generated message to the interface management module (104). The invention provides an authentication function for the UMTS mode, the WiMAX mode and the UMTS/WiMAX dual mode within a single mobile terminal.

Description

Apparatus and method for performing authentication using a mobile terminal multi-mode protocol stack
Technical field
The present invention relates to authentication techniques in the field of mobile communications, and specifically to an apparatus and method for performing authentication using the multi-mode protocol stack of a mobile terminal.
Background technology
The number of mobile subscribers has grown rapidly in recent years. While using voice services, users also place higher demands on mobile data services, so high-speed wireless access has become essential and the convergence of heterogeneous networks has become the clear direction of future network development. The convergence of the WiMAX network and the third-generation mobile network (3G, 3rd Generation Mobile Telecommunication Network) is one representative case, but the WiMAX network and the 3G network each have their own authentication mechanism.
The authentication mechanism defined in IEEE 802.16e, within the WiMAX security architecture, supports mutual device authentication between the mobile terminal and the WiMAX network. Authentication in the 3G network is performed by the mobility management sub-layer (MM/GMM, Mobility Management/GPRS Mobility Management) of the mobile terminal. When the 3G network is a universal mobile telecommunications system (UMTS, Universal Mobile Telecommunication System), a UMTS security context is established between the mobile terminal and the network once the authentication procedure has been performed; after a successful UMTS authentication, the UMTS cipher key and the UMTS integrity key are stored in both the network and the mobile terminal.
The network working group of the 802.16e protocol has published a joint networking architecture for the WiMAX network and the 3G network, so joint authentication technology for the 3G/WiMAX multi-mode terminal protocol stack is one of its key technologies.
The joint networking architecture of WiMAX and 3G networks mainly takes two forms:
1. Core network convergence: this scheme mainly considers the radio interface side; WiMAX and 3GPP do not interoperate there. The WiMAX access network is simply connected to the packet-switched (PS) domain of the 3GPP core network, and the services and functions provided by the 3GPP PS core network are used to realise the mobile communication services of the WiMAX network.
2. Access network convergence: building on core network convergence, this scheme also considers handover between the two access technologies over the air interface, guaranteeing service continuity when a user moves from a network covered by WiMAX to a network covered by 3GPP. This form of convergence has a larger impact on the existing 3GPP and WiMAX air interface protocols, so it can be expected that once 3GPP Release 7 and later stages introduce OFDM and MIMO technology, which WiMAX already uses, into WCDMA in 3G, convergence will follow naturally.
For the joint networking of 3G and WiMAX networks, whether through core network convergence or future access network convergence, the protocol stack of a WiMAX/3G dual-mode terminal must solve the authentication problem of both access networks. At present the WiMAX network is still at an early stage of development; the authentication schemes that have been proposed all concentrate on the network side, and no one has yet proposed a patented technical solution for the mobile terminal protocol stack.
Summary of the invention
In view of this, the present invention proposes a method and apparatus for performing authentication using a mobile terminal multi-mode protocol stack, which solves how to complete the authentication functions of all three working modes, the UMTS mode, the WiMAX mode and the UMTS & WiMAX dual mode, in a single mobile terminal.
An apparatus for performing authentication using a mobile terminal multi-mode protocol stack is applied to a mobile terminal and comprises at least:
a mode selection module (101), used to complete the selection of the working mode of the mobile terminal according to a received instruction;
a subscriber identity module (SIM) card management module (103), used to manage different types of SIM card drivers, to identify the type of the inserted SIM card, and, according to the identification result, to manage the data structure of the user information and the storage space of the user information in the SIM card through the SIM card driver;
an interface management module (104), used to read and store user information through the SIM card management module (103) and the different types of SIM card, to receive authentication request messages from the network side through the different protocol stacks, and to send authentication response messages to the different network sides through the corresponding protocol stacks;
an authentication execution module (102), used to obtain the user information and receive the authentication request message sent by the network side through the interface management module (104), to perform the authentication operation with the corresponding authentication algorithm according to the user information and the authentication request message so as to generate an authentication response message, and to send it to the interface management module (104).
In this apparatus the working mode is divided into the UMTS mode, the WiMAX mode and the UMTS & WiMAX dual mode;
the authentication operation performed by the authentication execution module (102) is the execution of the authentication algorithms of the UMTS network and the WiMAX network.
The authentication execution module (102) of this apparatus comprises at least the f1, f2, f3, f4 and f5 algorithm modules required to perform UMTS network authentication;
the authentication execution module (102) comprises at least the EAP method module (1022) and the EAP module (1023) required to perform WiMAX network authentication.
The EAP method module (1022) in the authentication execution module (102) of this apparatus executes the algorithms of different EAP authentication methods; these EAP methods comprise at least EAP-MD5, EAP-SIM, EAP-PEAP, EAP-TTLS, EAP-TLS and EAP-AKA, and the algorithm corresponding to the method selected by the system is executed.
The interface management module (104) of this apparatus comprises at least:
a SIM card interface module (1042), used to manage the drivers of the different types of SIM card;
a message buffering module (1043), which caches an authentication message sent to the UMTS protocol stack or the WiMAX protocol stack until that protocol stack has received it and deletes it afterwards, and which likewise caches a received authentication message until the authentication execution module (102) has processed it and deletes it afterwards;
a message routing module (1041), which sends the authentication request messages received from the network side through a protocol stack to the authentication execution module (102), sends the authentication response messages received from the authentication execution module (102) to the corresponding module of the corresponding protocol stack according to the type of the response message, and calls the message buffering module (1043) to cache each authentication message while it is being routed.
In this apparatus, the SIM card interface module (1042) in the interface management module (104) provides a unified external interface for the different SIM card drivers managed by the SIM card management module (103).
The apparatus for performing authentication using a mobile terminal multi-mode protocol stack may exist independently on the mobile terminal, or may become part of the UMTS terminal protocol stack unit as a plug-in, or part of the WiMAX terminal protocol stack unit as a plug-in.
A method for performing authentication using a mobile terminal multi-mode protocol stack comprises:
A. judging, according to a received instruction, the working mode the mobile terminal currently needs to enter; if single-mode, performing the single-mode authentication procedure; if multi-mode, going to step B;
B. after receiving an authentication request message sent by the first network side, the mobile terminal performs the original authentication procedure of the first network by interacting with the first network side;
C. after authentication with the first network is complete, the first network side queries whether the mobile terminal is currently subscribed to the network service of the second network provided by the same operator; if so, going to step D, otherwise authentication ends;
D. the first network side sends the authentication request message of the second network to the mobile terminal; according to the user information and the corresponding authentication algorithm, the mobile terminal exchanges authentication messages with the first network side, the mobile terminal and the authentication server of the first network side each generate a master session key, and the authentication server sends this master session key to the base station of the second network;
E. the base station of the second network generates an authorization key from the master session key it received, the mobile terminal generates an authorization key from the master session key it generated itself, and the mobile terminal and the second network side use the authorization key to carry out subsequent authentication operations.
In this method the first network is the UMTS network and the second network is the WiMAX network;
step B comprises: performing UMTS network authentication according to the existing UMTS authentication procedure;
step C comprises: after UMTS network authentication is complete, if it is confirmed that the user has subscribed to the WiMAX network service provided by the same operator, the MSC/VLR of the UMTS network side sends the user's beacon information to the AAA authentication server, otherwise authentication ends;
step D comprises: through the transmission and forwarding of authentication messages between the mobile terminal, the MSC/VLR of the UMTS network side and the AAA authentication server, a master session key MSK is produced on the mobile terminal and on the AAA authentication server;
the AAA authentication server produces a shared master key PMK from the MSK and sends it to the nearest WiMAX base station, the base station located within the UMTS network;
step E comprises: the base station and the mobile terminal each produce an authorization key AK, and the mobile terminal and the second network side use the authorization key AK to carry out subsequent authentication operations.
The query in step C of this method is performed by the UMTS network side, which looks up the subscription information of the mobile terminal user to judge whether the user has subscribed to the WiMAX network service provided by the same operator.
The authentication messages in step D of this method comprise EAP-REQUEST/TLS start and EAP-RESPONSE/TLS start messages conforming to the Extensible Authentication Protocol.
In the technical solution of the present invention, a device that performs authentication using the mobile terminal multi-mode protocol stack is added to the mobile terminal; it carries out the UMTS authentication function of the 3G network and the Extensible Authentication Protocol (EAP) authentication function supported by the WiMAX network, so that the authentication functions of the three modes, UMTS mode, WiMAX mode and UMTS & WiMAX dual mode, are completed in a single mobile terminal.
Description of drawings
Fig. 1 is a schematic diagram of the apparatus of the present invention for performing authentication using a mobile terminal multi-mode protocol stack;
Fig. 2 is a schematic diagram of the sub-modules of the interface management module of the present invention;
Fig. 3 is a schematic diagram of the information exchange of the authentication execution module of the present invention;
Fig. 4 is a schematic diagram of the authentication workflow of the mobile terminal of the present invention;
Fig. 5 is a schematic diagram of the authentication procedure in UMTS mode of the present invention;
Fig. 6 is a schematic diagram of the authentication execution module 102 running the f1~f5 algorithms in the UMTS authentication mode of the present invention;
Fig. 7 is a schematic diagram of the authentication procedure in WiMAX mode of the present invention;
Fig. 8 is a schematic flow diagram of the present invention completing WiMAX authentication through the UMTS access network.
Embodiment
The present invention is proposed for the joint networking mode in which the WiMAX and 3G networks are converged at the core network. A device that performs authentication using the mobile terminal multi-mode protocol stack is added to the mobile terminal; it carries out the UMTS authentication function of the 3G network and the EAP authentication function supported by the WiMAX network, and is located on a mobile terminal that supports the 3G/WiMAX dual working mode.
As shown in Figure 1, the device that performs authentication using the mobile terminal multi-mode protocol stack comprises four functional modules: the mode selection module 101, the authentication execution module 102, the subscriber identity module (SIM) card management module 103 and the interface management module 104. The functions of the four modules are as follows:
The mode selection module 101 sets the working mode of the 3G/WiMAX mobile terminal; the working mode is divided into three kinds: UMTS mode, WiMAX mode and UMTS/WiMAX dual mode. In the UMTS & WiMAX dual-mode operating environment, mode selection includes determining the network access priority, that is, whether the WiMAX network is accessed first for authentication or the UMTS network is accessed first for authentication. Mode selection can be set manually by the user or be a system default; with the system default, the UMTS network is accessed first for authentication.
The authentication execution module 102 performs the concrete execution of the authentication algorithms for accessing the UMTS network and the WiMAX network. It comprises the f1, f2, f3, f4 and f5 algorithm module 1021 used for UMTS network authentication, and the EAP method module 1022 and EAP module 1023 used for accessing the WiMAX network. When authenticating for UMTS network access, it receives an authentication request (user authentication request) from the network side via the MM layer of the UMTS protocol stack on the mobile terminal, calls the interface management module 104, and through the interface management module 104 calls the SIM card management module 103 to read the master key K from the SIM card; it then runs the f1~f5 algorithms in the algorithm module 1021 and sends the authentication response (user authentication response) to the MM layer. When authenticating for WiMAX network access, it executes the EAP authentication protocol. There are many concrete EAP authentication methods, for example EAP-MD5, EAP-SIM, EAP-PEAP, EAP-TTLS, EAP-TLS and EAP-AKA. The algorithm programs of these EAP methods are generic and, in the present invention, are stored in the EAP method module 1022; because which EAP method is adopted is chosen by the operator, the EAP method module 1022 of the present invention must support multiple EAP algorithms.
The function of the SIM card management module 103 is mainly to read and save the data required for authentication through the driver interface provided by the SIM card manufacturer, to identify the type of SIM card inserted by the user, and to manage the data storage space of the UMTS SIM card and the WiMAX SIM card in a unified way. In the prior art this module and its functions are implemented inside the UMTS protocol stack; because SIM management mainly involves reading data from and storing data on the SIM card, the present invention extracts the SIM card management module 103 as one functional module of the device that performs authentication using the mobile terminal multi-mode protocol stack.
The interface management module 104 is responsible for distributing UMTS messages and WiMAX messages and interacts closely with both the UMTS protocol stack and the WiMAX protocol stack. As shown in Figure 2, the interface management module 104 comprises the message routing module 1041, the SIM card interface module 1042 and the message buffering module 1043.
The message routing module 1041 mainly handles the reception and sending of messages; for example, it sends the authentication messages received from the network side to the authentication execution module 102, and sends the authentication response messages of the authentication execution module 102, according to the message type, to the MM layer of the UMTS protocol stack or to the EAP encapsulation module of the WiMAX protocol stack.
The SIM card interface module 1042 is mainly responsible for calling the SIM card drivers. The driver of the SIM card used by WiMAX may be the same as or different from that of the UMTS SIM card, so the SIM card management module 103 of the present invention supports multiple types of SIM card driver; the SIM card interface module 1042 shields this difference within the SIM card management module 103 and is responsible for calling the drivers of the different SIM card types supplied by the SIM card vendor in order to read and store the data on the SIM card.
The arrangement of the data structure and data content in the SIM card is completed by the SIM card management module 103; the SIM card interface module 1042 does not process this content.
The message buffering module 1043: a message sent to the UMTS protocol stack or the WiMAX protocol stack cannot be deleted before the other side has received it and must be buffered; a received message must likewise be buffered until the authentication execution module 102 has processed it. The message buffering module 1043 is therefore responsible for managing the data temporarily held in these buffers and provides an external interface; the message routing module 1041 calls this external interface of the message buffering module 1043 to handle the data in the buffers.
Figure 3 shows the message exchange between the authentication execution module 102, the other modules, and the UMTS and WiMAX protocol stacks. The authentication execution module 102 comprises the f1, f2, f3, f4 and f5 algorithm module used for UMTS network authentication and the EAP method module 1022 and EAP module 1023 used for accessing the WiMAX network. Information and data exchange between the authentication execution module 102 and the WiMAX SIM card and UMTS SIM card is realised through the interface management module 104 and the SIM card management module 103: the authentication execution module 102 calls the SIM card interface module 1042 in the interface management module 104, and the SIM card interface module 1042 directly calls the corresponding driver in the SIM card management module 103 to complete the transfer of information and data. Interaction with the UMTS protocol stack (mainly the MM layer) and with the WiMAX protocol stack (mainly the EAP encapsulation module) is completed through the message routing module 1041.
The present invention involves authentication procedures under three working modes. The following first describes, with reference to concrete conditions, how the mobile terminal selects a working mode among the three and the brief steps of the authentication procedure after the mode is selected; the authentication procedure under each working mode is then described in detail.
The procedure by which the mobile terminal selects one of the three working modes is described first, as shown in Figure 4.
Step 201, after the user switches on the mobile terminal, the UMTS-only mode, the WiMAX-only mode or the UMTS & WiMAX mode is selected according to the user setting or the system default setting, and the corresponding authentication procedure is entered.
Entering the UMTS-only mode and starting authentication:
Step 202, the MM layer passes the authentication request parameters from the network side to the authentication execution module 102.
Step 203, the SIM card management module 103 reads the master key K from the SIM card of the mobile terminal and passes it to the authentication execution module 102.
Step 204, the authentication execution module 102 runs the f1~f5 algorithms and obtains the authentication response parameters.
Step 205, the authentication execution module 102 returns the authentication response parameters to the MM layer through the SIM card management module 103.
Step 206, the authentication procedure ends.
Entering the WiMAX-only mode and starting authentication:
Step 207, the EAP module 1023 on the mobile terminal receives an authentication request (EAP-Request) from the base station (BS, Base Station) and sends it to the authentication execution module 102.
Step 208, the authentication execution module 102 calls the EAP method module 1022 (EAP-Method) to run the authentication algorithm, obtains the EAP-Response and sends it to the EAP module 1023.
Step 209, the EAP module 1023 sends the EAP-Response to the BS.
Step 210, the BS judges whether authentication succeeded; if so, it sends EAP-Success to the EAP module 1023 of the mobile terminal and the EAP link is fully activated.
Step 211, the EAP method module 1022 calculates the AAA-Key.
Step 212, authentication ends.
Entering the UMTS & WiMAX mode and starting authentication:
Step 213, UMTS authentication is performed through the UMTS access network.
Step 214, the UMTS network side queries the user's subscription information and confirms that the user has subscribed to the WiMAX network service.
Step 215, WiMAX authentication is performed through the UMTS access network.
Step 216, authentication ends.
The authentication procedures 202~206, 207~212 and 213~216 are the authentication procedures of the mobile terminal in the three different authentication modes; there is no particular order of execution among them.
Situation 1:
As shown in Figure 5, after selecting the UMTS-only mode the mobile terminal begins the concrete authentication procedure. The procedure involves several entities: the home environment/home location register (HE/HLR, Home Environment/Home Location Register) and the visited location register/serving GPRS support node (VLR/SGSN, Visited Location Register/Serving GPRS Support Node) on the network side, and the mobile terminal.
Step 301, the network side generates a user authentication request, which is sent by the VLR/SGSN to the MM layer of the UMTS protocol stack; the authentication execution module 102 in the device that performs authentication using the mobile terminal multi-mode protocol stack receives the user authentication request from the MM layer through the interface management module 104. The authentication execution module 102 calls the SIM card management module 103, which reads the master key K from the SIM card in transparent transmission mode and sends it to the authentication execution module 102 for running the f1~f5 algorithms; authentication begins.
Step 302, in the UMTS authentication procedure, the VLR/SGSN first applies to the HE/HLR for authentication vectors (AV, Authentication Vector) for authenticating the mobile terminal, and the HE/HLR generates n AVs.
The authentication vector is AV = (RAND || XRES || CK || IK || AUTN); its five parameters are the random number RAND, the expected response XRES, the cipher key CK, the integrity key IK and the authentication token AUTN. They are produced on the network side as follows:
RAND is produced by f0;
XRES = f2K(RAND);
CK = f3K(RAND);
IK = f4K(RAND);
AUTN = (SQN ⊕ AK) || AMF || MAC.
In the authentication token AUTN, SQN is a sequence number; AK is an anonymity key used to conceal SQN; AMF is the authentication management field; MAC is a message authentication code. The algorithm modules f1~f5 exist both in the HE/HLR on the network side and in the authentication execution module 102 of the mobile terminal, with identical algorithms; the f0 algorithm module exists only in the HE/HLR on the network side.
Step 303, the HE/HLR sends the n generated AVs to the VLR/SGSN; after receiving the n authentication vectors AV, the VLR/SGSN sends the RAND and AUTN of one of them to the MM layer of the UMTS protocol stack of the mobile terminal for authentication.
Step 304, the authentication execution module 102 obtains RAND and AUTN from the MM layer through the interface management module 104. As shown in Figure 6, the authentication execution module 102 calls the f1~f5 algorithm modules and begins running the f1~f5 algorithms. The f5 algorithm is run before the f1 algorithm: f5 uses RAND to generate the anonymity key AK, with the formula AK = f5K(RAND). XORing AK with the SQN ⊕ AK field of AUTN, that is
SQN = (SQN ⊕ AK) ⊕ AK,
yields the input SQN for the f1 algorithm. The f1 algorithm uses SQN, RAND and the AMF from AUTN to compute the expected message authentication code XMAC, with the formula XMAC = f1K(SQN || RAND || AMF). The master key K stored in the SIM card is a key shared between the mobile terminal and the HE/HLR.
Step 305, the authentication execution module 102 compares XMAC with the MAC in AUTN. If they do not match, it sends an authentication reject message to the network side and abandons this authentication procedure. If they are equal, it judges whether the received SQN is within the correct range; if SQN is not within the correct range, the mobile terminal sends a synchronization failure message to the VLR/SGSN and abandons this authentication procedure. If both checks pass, the authentication execution module 102 computes the response RES with the formula RES = f2K(RAND) and sends RES to the VLR/SGSN as part of the response to the authentication request of the network side; after receiving the response, the VLR/SGSN compares RES with the XRES obtained from the HE/HLR: if they are equal, authentication succeeds, otherwise it fails.
Step 306, after the successful UMTS authentication is complete, the authentication execution module 102 in the device that performs authentication using the mobile terminal multi-mode protocol stack runs the f3 and f4 algorithms, and the resulting cipher key CK and integrity key IK are stored in the SIM card in transparent transmission mode by calling the SIM card management module 103.
In the situation described above, steps 301 and 302 have no strict order of execution.
When the mobile terminal chooses to authenticate in WiMAX-only mode, its concrete authentication procedure is described in detail in Situation 2.
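The terminal-side checks of steps 304 and 305 (recover SQN with AK, verify XMAC against MAC, check the SQN range, then compute RES, CK and IK) are shown below as an added illustration; this is not code from the patent or from Lenovo. The functions f0 to f5 are HMAC-SHA256 stand-ins with distinct domain-separation tags, since the real 3GPP algorithms are not on the page; the field lengths (RAND 16, SQN 6, AMF 2, MAC 8, AK 6, RES 8, CK/IK 16 bytes) and the sliding-window rule used for "SQN within the correct range" are assumptions, as are the sample keys.

```python
import hmac
import hashlib
import os


def _prf(k: bytes, tag: bytes, data: bytes, n: int) -> bytes:
    """Keyed PRF standing in for the f1..f5 family (assumption, not 3GPP's algorithms)."""
    return hmac.new(k, tag + data, hashlib.sha256).digest()[:n]


def f1(k, sqn, rand, amf):   # MAC on the network side, XMAC on the terminal
    return _prf(k, b"f1", sqn + rand + amf, 8)

def f2(k, rand):             # RES on the terminal, XRES on the network side
    return _prf(k, b"f2", rand, 8)

def f3(k, rand):             # cipher key CK
    return _prf(k, b"f3", rand, 16)

def f4(k, rand):             # integrity key IK
    return _prf(k, b"f4", rand, 16)

def f5(k, rand):             # anonymity key AK, used to conceal SQN
    return _prf(k, b"f5", rand, 6)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def he_hlr_generate_av(k: bytes, sqn: int, amf: bytes = b"\x80\x00", rand=None):
    """Network side (HE/HLR, step 302): AV = RAND || XRES || CK || IK || AUTN."""
    rand = rand if rand is not None else os.urandom(16)      # f0 lives only in the HE/HLR
    sqn_b = sqn.to_bytes(6, "big")
    ak = f5(k, rand)
    mac = f1(k, sqn_b, rand, amf)
    autn = xor(sqn_b, ak) + amf + mac                        # (SQN xor AK) || AMF || MAC
    return {"RAND": rand, "XRES": f2(k, rand), "CK": f3(k, rand),
            "IK": f4(k, rand), "AUTN": autn}


def terminal_authenticate(k: bytes, rand: bytes, autn: bytes, sqn_ms: int, window: int = 32):
    """Authentication execution module 102 (steps 304-305).

    sqn_ms is the highest SQN the terminal has accepted so far; a received SQN is
    accepted only if sqn_ms < SQN <= sqn_ms + window (window rule is an assumption).
    """
    sqn_xor_ak, amf, mac = autn[:6], autn[6:8], autn[8:16]
    ak = f5(k, rand)                       # f5 runs before f1
    sqn_b = xor(sqn_xor_ak, ak)            # SQN = (SQN xor AK) xor AK
    xmac = f1(k, sqn_b, rand, amf)
    if not hmac.compare_digest(xmac, mac):
        return {"status": "MAC failure"}   # reject authentication, abandon procedure
    sqn = int.from_bytes(sqn_b, "big")
    if not (sqn_ms < sqn <= sqn_ms + window):
        return {"status": "synchronization failure"}
    return {"status": "ok", "RES": f2(k, rand), "CK": f3(k, rand),
            "IK": f4(k, rand), "SQN": sqn}


def vlr_sgsn_check(res: bytes, xres: bytes) -> bool:
    """VLR/SGSN compares the terminal's RES with XRES from the HE/HLR."""
    return hmac.compare_digest(res, xres)


def run_umts_aka(k_sim: bytes, k_hlr: bytes, sqn_he: int, sqn_ms: int) -> str:
    """End-to-end run: HE/HLR builds an AV, terminal verifies it, VLR/SGSN checks RES."""
    av = he_hlr_generate_av(k_hlr, sqn_he)
    result = terminal_authenticate(k_sim, av["RAND"], av["AUTN"], sqn_ms)
    if result["status"] != "ok":
        return result["status"]
    return "success" if vlr_sgsn_check(result["RES"], av["XRES"]) else "failure"


if __name__ == "__main__":
    K = bytes(range(16))                   # constructed sample master key K
    print(run_umts_aka(K, K, 10, 5))       # success
    print(run_umts_aka(K, K, 5, 5))        # synchronization failure (replayed SQN)
```

Both failure branches of step 305 are reachable here: a wrong K on either side changes AK, so the recovered SQN and XMAC no longer match, while a replayed or far-ahead SQN under the correct K is caught by the range check rather than the MAC check.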
Situation 2:
As shown in Figure 7, after the WiMAX-only mode has been selected, the mobile terminal uses the apparatus for authentication by means of the multi-mode protocol stack to carry out the authentication flow for accessing the WiMAX network. After authentication starts:
Step 401: the EAP layer in the EAP authenticator entity of the base station sends an EAP-Request message as an EAP-Identity request; it is encapsulated as a MAC management message PDU and sent to the WiMAX protocol stack of the mobile terminal.
Step 402: the authentication execution module 102 of the apparatus receives the EAP-Request from the EAP encapsulation module of the security sublayer of the WiMAX protocol stack through the interface management module 104, and passes it up to the EAP method layer for processing.
Step 403: the EAP method layer processes the EAP-Request and produces an EAP-Response; the authentication execution module 102 sends the EAP-Response to the EAP encapsulation module of the security sublayer of the WiMAX protocol stack.
Step 404: the EAP encapsulation module forwards all EAP-Responses coming from the authentication execution module 102 to the AAA authentication server. The AAA authentication server is the authentication server reached over a remote connection using an AAA protocol (such as RADIUS).
Step 405: after one or more EAP-Request/Response exchanges between the AAA authentication server and the authentication execution module 102 of the mobile terminal, the AAA authentication server decides whether authentication has succeeded; if it decides success, go to step 406, otherwise go to step 408.
Step 406: the AAA authentication server sends an EAP-Success message to the mobile terminal. After the apparatus receives the EAP-Success message, the radio link is fully activated and the transmission restriction is removed; at the same time the EAP method layer of the authentication execution module 102 generates the shared master key AAA-key.
Step 407: the EAP layer of the authentication execution module 102 obtains the AAA-key from the EAP method layer and passes it to the key management module of the security sublayer of the WiMAX protocol stack, which carries out the subsequent flow that no longer involves the apparatus; at the same time the related keys, including the AAA-key, are saved in the authentication area of the SIM card through the SIM card management module 103. This completes the part of the WiMAX authentication flow performed by the apparatus and its EAP layer.
Step 408: authentication is unsuccessful; the authentication stops.
When authentication is performed in the UMTS & WiMAX dual mode, the detailed authentication flow is described in the following embodiment.
When authenticating to two networks, the authentication of the first network is first completed according to the existing network authentication flow; then the mobile terminal processes the received authentication request message, generates an authentication response message and sends it to the network side of the first network (already authenticated), which forwards it to the AAA authentication server.
According to this authentication response message, a master session key MSK is produced simultaneously at the mobile terminal and at the AAA authentication server and sent to the base station of the second network nearest to the base station of the first network; the lower-layer link is established, and an authorization key AK is produced at the base station of the second network and at the mobile terminal.
In UMTS & WiMAX dual mode, the priority of the access network is set by the user or by system default. Assuming UMTS has priority, access to the UMTS network is completed first and the apparatus performs UMTS network authentication; after UMTS network access is completed, the WiMAX network is searched and the WiMAX network authentication flow is carried out. The detailed UMTS & WiMAX dual-mode authentication flow is shown in Figure 8.
When the WiMAX network and the UMTS network belong to the same operator and the two networks share one AAA authentication server, the WiMAX authentication flow can be completed through the UMTS access network, as follows:
Step 501: after the mobile terminal is powered on, the system reads the configuration file in the SIM card; if, according to the information in the configuration file, the operator network allows the user to complete WiMAX subscriber authentication through the UMTS network, a radio link must first be established between the radio network system (RNS) of the UMTS network side and the mobile terminal.
Step 502: UMTS network authentication begins; the network side sends the authentication request message AUTHENTICATION REQUEST to the mobile terminal.
Step 503: after completing UMTS authentication, the mobile terminal returns the parameters to the network side in the authentication response message AUTHENTICATION RESPONSE, and the network side completes UMTS authentication.
The UMTS flow described in steps 502 and 503 is the same as in case 1.
Step 504: after the UMTS network side has queried the user's subscription information and confirmed that the user has also subscribed to the WiMAX network service, the MSC/VLR of the UMTS network side sends the user's identification information (for example the IMSI, International Mobile Subscriber Identity) to the AAA authentication server via MAP signalling.
Step 505: after processing the user's identification information, the AAA authentication server returns an EAP-RESPONSE message to the MSC/VLR via MAP signalling; the content of the EAP-RESPONSE message is TLS start, which can be written as EAP-RESPONSE/TLS start.
The EAP-RESPONSE/TLS start carries a TLS start message conforming to the Extensible Authentication Protocol; it is a response message of the EAP implementation at the transport layer, and indicates that the authentication server is beginning to authenticate the mobile terminal.
Step 506: the MSC/VLR of the UMTS network side sends the above message to the mobile terminal as the extended authentication request message EAP-REQUEST/TLS start, whose content is likewise the TLS start message conforming to the Extensible Authentication Protocol.
Step 507: the EAP method layer of the authentication execution module 102 in the mobile terminal processes the received TLS start message and sends EAP-RESPONSE/TLS ClientHello to the MSC/VLR of the UMTS network side in an extended authentication response message;
the MSC/VLR then forwards this message to the AAA authentication server via MAP signalling.
Step 508: after several rounds of message transmission and forwarding among the mobile terminal, the MSC/VLR of the UMTS network side and the AAA authentication server, a master session key (MSK) is produced simultaneously on the apparatus in the mobile terminal and on the AAA server.
Step 509: the AAA authentication server takes the most significant 160 bits of the MSK as the shared master key (PMK; in IEEE 802.16e the term is Pairwise Master Key) and sends it to the WiMAX base station nearest to the UMTS base station.
This process is feasible when WiMAX and UMTS belong to the same operator, and especially when the UMTS and WiMAX base stations are co-located; in addition, because the area covered by a WiMAX base station is larger than that of a UMTS base station, the neighbouring WiMAX base station can be determined from the address of the UMTS base station.
Step 510: after ranging and basic capability negotiation have completed successfully, the lower layer of the WiMAX base station sends the logical signal "link activation" to the upper-layer EAP authenticator entity, indicating that the lower-layer link has been established.
Step 511: the WiMAX base station and the apparatus in the mobile terminal produce the authorization key AK according to the provisions of IEEE 802.16e.
Steps 512 to 514: after the above steps, when a WiMAX network handover or network entry is completed, the base station determines the PMK held by the mobile terminal and sends an EAP-Establish-Key-Request message to the apparatus in the mobile terminal. The message carries the Nonce (random number) of the base station and may optionally carry EAP-Master-Key-Id, a unique identifier of the PMK. The security association (SA) descriptor assignment process is then completed.
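The EAP exchange of steps 401 to 408 and the key hand-off of steps 505 to 511 (peer and authentication server converge on an MSK, of which the leftmost 160 bits become the PMK for the base station) are shown below as an added example written for this page; it is not code from the patent. The packet framing follows RFC 3748 and the method is EAP-MD5 (one of the methods the claims list) so that the challenge/response is real; because EAP-MD5 exports no keys, the MSK derivation is a constructed stand-in for what a key-exporting method such as EAP-TLS or EAP-AKA would produce. The relay (base station EAP encapsulation module in case 2, MSC/VLR plus MAP in the joint flow) only forwards packets, as steps 404 and 507 describe. User names and secrets are constructed test data.

```python
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK, TYPE_MD5 = 1, 3, 4

def eap_encode(code, ident, eap_type=None, data=b""):
    """RFC 3748 packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data...]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def eap_decode(pkt):
    """Parse and validate a packet; returns None for malformed input, which
    RFC 3748 says to discard silently (no reply, no state change)."""
    if len(pkt) < 4:
        return None
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        return None
    body = pkt[4:length]
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, ident, None, b""
    if code not in (EAP_REQUEST, EAP_RESPONSE) or not body:
        return None
    return code, ident, body[0], body[1:]

def md5_response(ident, secret, challenge):
    """EAP-MD5 (RFC 3748 section 5.4): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def standin_msk(secret, challenge):
    """Constructed stand-in for the 512-bit MSK a key-exporting method would produce."""
    return hmac.new(secret, b"msk" + challenge, hashlib.sha512).digest()

class AAAServer:
    """Authentication server behind the AAA protocol; issues Identity and MD5-Challenge requests."""
    def __init__(self, users):
        self.users, self.peer_id, self.challenge, self.msk = users, None, None, None
        self.last_ident = 0
    def start(self):
        self.last_ident = 1
        return eap_encode(EAP_REQUEST, 1, TYPE_IDENTITY)
    def handle(self, pkt):
        parsed = eap_decode(pkt)
        if parsed is None or parsed[0] != EAP_RESPONSE or parsed[1] != self.last_ident:
            return None                                    # discard: malformed or stale Identifier
        _, ident, eap_type, data = parsed
        if eap_type == TYPE_IDENTITY:
            self.peer_id, self.challenge = data.decode(), os.urandom(16)
            self.last_ident = ident + 1
            return eap_encode(EAP_REQUEST, self.last_ident, TYPE_MD5, bytes([16]) + self.challenge)
        if eap_type == TYPE_MD5 and self.peer_id in self.users and self.challenge:
            secret = self.users[self.peer_id]
            value = data[1:1 + data[0]]
            if hmac.compare_digest(value, md5_response(ident, secret, self.challenge)):
                self.msk = standin_msk(secret, self.challenge)
                return eap_encode(EAP_SUCCESS, ident)      # Success/Failure reuse the Response Identifier
        return eap_encode(EAP_FAILURE, ident)

class Peer:
    """EAP peer: the terminal's EAP method layer (authentication execution module 102)."""
    def __init__(self, identity, secret):
        self.identity, self.secret, self.challenge, self.msk = identity, secret, None, None
    def handle(self, pkt):
        parsed = eap_decode(pkt)
        if parsed is None:
            return None
        code, ident, eap_type, data = parsed
        if code == EAP_SUCCESS and self.challenge:
            self.msk = standin_msk(self.secret, self.challenge)   # step 406: AAA-key/MSK on the peer
            return None
        if code != EAP_REQUEST:
            return None
        if eap_type == TYPE_IDENTITY:
            return eap_encode(EAP_RESPONSE, ident, TYPE_IDENTITY, self.identity.encode())
        if eap_type == TYPE_MD5:
            self.challenge = data[1:1 + data[0]]
            value = md5_response(ident, self.secret, self.challenge)
            return eap_encode(EAP_RESPONSE, ident, TYPE_MD5, bytes([16]) + value + self.identity.encode())
        return eap_encode(EAP_RESPONSE, ident, TYPE_NAK, bytes([TYPE_MD5]))

def pmk_from_msk(msk):
    """Step 509 / IEEE 802.16e: the PMK is the leftmost 160 bits of the MSK."""
    return msk[:20]

def run_exchange(server, peer):
    """The relay (base station or MSC/VLR) only forwards; returns (server PMK, peer PMK) or None."""
    pkt = server.start()
    while True:
        reply = peer.handle(pkt)          # EAP-Request -> EAP-Response; Success/Failure -> None
        if reply is None:
            break
        pkt = server.handle(reply)        # EAP-Response -> next Request, Success or Failure
        if pkt is None:
            break
    if server.msk is None or peer.msk is None:
        return None
    return pmk_from_msk(server.msk), pmk_from_msk(peer.msk)
```

A matching secret ends the loop on EAP-Success with identical 20-byte PMKs on both sides, which is what the AAA server hands to the WiMAX base station in step 509; a wrong secret ends on EAP-Failure (step 408) with no key material, and truncated or over-long packets are dropped by the parser before they can advance either state machine.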
The apparatus for authentication by means of the mobile terminal multi-mode protocol stack can exist independently. The description above is the authentication flow when the apparatus works as a standalone module of the mobile terminal; however, the apparatus can also be placed inside the 3G terminal protocol stack or the WiMAX terminal protocol stack as part of that single-mode protocol stack, or become a plug-in (interface unit) of the dual-mode protocol stack. In addition, the apparatus can also perform WiMAX authentication through 3G networks such as WCDMA or CDMA2000.
The above is only a preferred embodiment of the invention and is not intended to limit it. By constructing an apparatus that performs authentication by means of the mobile terminal multi-mode protocol stack, the invention supports authentication in the three modes UMTS, WiMAX and UMTS & WiMAX dual mode, and automatically completes either independent authentication or joint authentication of the two networks according to the usage scenario. The technology of the invention has wide application in the communications field; therefore any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall fall within the scope of protection of the invention.

Claims (11)

1. An apparatus for performing authentication by means of a mobile terminal multi-mode protocol stack, characterized in that it is applied to a mobile terminal and comprises at least:
a mode selection module (101), for completing selection of the operating mode of the mobile terminal according to a received instruction;
a subscriber identity module (SIM) card management module (103), for managing drivers of different types of SIM card, identifying the type of the inserted SIM card, and, according to the identification result, managing through the SIM card driver the data structure of the user information and the storage space for user information in the SIM card;
an interface management module (104), for reading and storing user information through the SIM card management module (103) and the different types of SIM card, receiving authentication request information from the network side through the different protocol stacks, and sending authentication response information to the different network sides through the corresponding protocol stack;
an authentication execution module (102), for obtaining user information and receiving the authentication request information sent by the network side through the interface management module (104), performing the authentication operation with the corresponding authentication algorithm according to the user information and the authentication request information to generate authentication response information, and sending it to the interface management module (104).
2. The apparatus according to claim 1, characterized in that the operating modes comprise a UMTS mode, a WiMAX mode and a UMTS & WiMAX dual mode;
the authentication operation performed by the authentication execution module (102) is the execution of the authentication algorithms of the UMTS network and of the WiMAX network.
3. The apparatus according to claim 2, characterized in that the authentication execution module (102) comprises at least the f1, f2, f3, f4 and f5 algorithm modules required for UMTS network authentication;
the authentication execution module (102) comprises at least the EAP method module (1022) and the EAP module (1023) required for WiMAX network authentication.
4. The apparatus according to claim 3, characterized in that the EAP method module (1022) in the authentication execution module (102) executes the algorithms of different EAP authentication methods, the EAP authentication methods comprising at least EAP-MD5, EAP-SIM, EAP-PEAP, EAP-TTLS, EAP-TLS and EAP-AKA, and executes the algorithm corresponding to the authentication method selected by the system.
5. The apparatus according to claim 1, characterized in that the interface management module (104) comprises at least:
a SIM card interface module (1042), for managing the drivers of the different types of SIM card;
a message cache module (1043), which caches authentication information sent to the UMTS protocol stack or WiMAX protocol stack before that protocol stack receives it and deletes it after receipt; caches authentication information received before the authentication execution module (102) operates on it and deletes it after receipt; and likewise caches received messages before the authentication execution module (102) processes them;
a message routing module (1041), which sends the authentication request messages received from the protocol stack (originating from the network side) to the authentication execution module (102); sends the authentication response messages received from the authentication execution module (102), according to the type of the authentication response message, to the corresponding module in the corresponding protocol stack; and calls the message cache module (1043) to cache the authentication message while routing it.
6. The apparatus according to claim 5, characterized in that the SIM card interface module (1042) in the interface management module (104) provides a unified external interface for the different SIM card drivers managed by the SIM card management module (103).
7. The apparatus according to claim 1, characterized in that the apparatus for performing authentication by means of the mobile terminal multi-mode protocol stack exists independently in the mobile terminal, or becomes part of the UMTS terminal protocol stack unit as a plug-in, or becomes part of the WiMAX terminal protocol stack unit as a plug-in.
8. A method for performing authentication by means of a mobile terminal multi-mode protocol stack, characterized in that it comprises:
A. determining, according to a received instruction, the operating mode the mobile terminal currently needs to enter; if single mode, executing the single-mode authentication flow; if multi-mode, going to step B;
B. after receiving the authentication request message sent by the first network side, the mobile terminal executes the original authentication flow of the first network by interacting with the first network side;
C. after authentication of the first network is completed, the first network side queries whether the mobile terminal is currently subscribed to the service of the second network provided by the same operator; if so, going to step D, otherwise authentication ends;
D. the first network side sends the authentication request message of the second network to the mobile terminal; the mobile terminal exchanges authentication messages with the first network side according to the user information and the corresponding authentication algorithm; the mobile terminal and the authentication server of the first network side each generate a master session key, and the authentication server sends the master session key to the base station of the second network;
E. the base station of the second network generates an authorization key from the received master session key, and the mobile terminal generates an authorization key from the master session key it generated itself; the mobile terminal and the second network side use the authorization key for subsequent authentication operations.
9. The method according to claim 8, characterized in that the first network is a UMTS network and the second network is a WiMAX network;
step B comprises: performing UMTS network authentication according to the existing UMTS authentication flow;
step C comprises: after UMTS network authentication is completed, if it is confirmed that the user has subscribed to the WiMAX network service provided by the same operator, the MSC/VLR of the UMTS network side sends the user's identification information to the AAA authentication server, otherwise authentication ends;
step D comprises: the mobile terminal, the MSC/VLR of the UMTS network side and the AAA authentication server transmit and forward authentication messages, producing the master session key MSK on the mobile terminal and on the AAA authentication server;
the AAA authentication server produces the shared master key PMK from the MSK and sends it to the WiMAX base station nearest to the base station of the UMTS network;
step E comprises: producing the authorization key AK at the base station and at the mobile terminal, and using the authorization key AK for subsequent authentication operations between the mobile terminal and the second network side.
10. The method according to claim 9, characterized in that the query of step C is the UMTS network side querying the subscription information of the user of the mobile terminal to judge whether the WiMAX network service provided by the same operator has been subscribed to.
11. The method according to claim 9, characterized in that the authentication messages of step D comprise EAP-REQUEST/TLS start and EAP-RESPONSE/TLS start conforming to the Extensible Authentication Protocol.
CN2006101651293A 2006-12-13 2006-12-13 Apparatus and method for identifying authority by mobile terminal multi-mode protocol stack Active CN101203030B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2006101651293A CN101203030B (en) 2006-12-13 2006-12-13 Apparatus and method for identifying authority by mobile terminal multi-mode protocol stack

Publications (2)

Publication Number Publication Date
CN101203030A CN101203030A (en) 2008-06-18
CN101203030B true CN101203030B (en) 2010-10-06

Family

ID=39517937

Country Status (1)

Country Link
CN (1) CN101203030B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101754443B (en) * 2008-11-28 2012-09-19 爱思开电讯投资(中国)有限公司 Mobile phone, intelligent card and method for using the intelligent card to control the peripheral equipment of the mobile phone
CN101945501A (en) * 2010-08-05 2011-01-12 华为终端有限公司 Method and device for realizing SIM card sharing of convergence terminal
CN102769850B (en) * 2012-04-16 2015-10-28 中兴通讯股份有限公司 Single-card multi-mode multi-operator authentication method and device
CN103781069B (en) * 2012-10-19 2017-02-22 华为技术有限公司 Bidirectional-authentication method, device and system
CN104182703B (en) * 2013-05-22 2017-03-15 中国银联股份有限公司 A kind of safety component SE steerable systems and method
CN104184761B (en) * 2013-05-22 2017-11-21 中国移动通信集团公司 Mobile service confirmation method and device, service server

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6125283A (en) * 1998-05-18 2000-09-26 Ericsson Inc. Multi-mode mobile terminal and methods for operating the same
CN1549494A (en) * 2003-05-16 2004-11-24 华为技术有限公司 Method for realizing customer identification
CN1561119A (en) * 2004-03-10 2005-01-05 中国联合通信有限公司 Network cutover method and device for multi-mode mobile terminal
CN1874598A (en) * 2005-12-13 2006-12-06 华为技术有限公司 Device, system and method of authenticating when terminal to access second system network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
CN 1561119 A, full text.

Also Published As

Publication number Publication date
CN101203030A (en) 2008-06-18

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant