The present invention relates to the telecommunications field, and in particular, to a method and system for authentication based on NASS.
Customer Network Gateways (CNGs) are deployed in large quantities and over a wide area. To meet the requirement for CNG Configuration Function (CNGCF) authentication, a unique credential needs to be generated for each CNG. However, generating, reliably distributing (to the CNG and the CNGCF), and updating this huge quantity of credentials (shared keys and digital certificates) are difficulties imposed on operators.
In the prior art, the unidirectional or bidirectional authentication solution between the CNG and the CNGCF is: a shared credential (such as a username or shared key) is deployed statically on the CNG and the CNGCF. Specifically, in the service deployment stage, the operation and maintenance engineers of the telecom operator generate a credential (such as a username and shared key) for each CNG; the credential is configured onto the CNG and the CNGCF, and the CNGCF correlates it with the CNG identifier; the CNG and the CNGCF then perform bidirectional or unidirectional authentication according to the credential during their interoperation. Because this statically configured shared-authentication mode generates a unique shared key for each of the numerous CNGs, and each unique shared key must be configured on the CNG and the CNGCF manually, it involves complicated work and high costs.
Embodiments of the present invention provide a method and system for authentication based on NASS to implement simple and cost-efficient authentication of the CNG and CNGCF, to reduce the operation cost and to improve the operation efficiency.
A method for authentication based on Network Attachment Sub-System (NASS) includes:
performing, by a user access authorization module, access authentication for a CNG;
generating, by the user access authorization module, a management credential between the CNG and a CNGCF;
sending, by the user access authorization module, the generated management credential to the CNGCF so that the CNG obtains the management credential;
authenticating, by the CNG, the CNGCF according to the obtained management credential; and authenticating, by the CNGCF, the CNG according to the management credential.
A system for authentication based on NASS includes:
a user access authorization module, configured to perform access authentication for a CNG, generate a management credential between the CNG and a CNGCF, and send the management credential;
the CNG, configured to obtain the management credential, and authenticate the corresponding CNGCF according to the credential; and
the CNGCF, configured to receive the management credential, and authenticate the corresponding CNG according to the management credential.
The method and system for authentication based on NASS provided herein generate, distribute and modify credentials automatically, thus reducing the operation and maintenance costs of distributing numerous CNGs, and improving the operation efficiency massively.
The present invention is hereinafter described in detail with reference to accompanying drawings and exemplary embodiments.
A NASS-based method for authenticating a CNG and a CNGCF in one of the embodiments of the present invention includes the following steps:
Step 1: A user access authorization module performs access authentication for the CNG.
Step 2: The user access authorization module generates a management credential between the CNG and the CNGCF.
Step 3: The user access authorization module sends the generated management credential to the CNGCF and the CNG, and sets up a correlation between the CNG and the management credential.
The user access authorization module may also send only the key algorithm, initial vector and lifecycle information in the management credential to the CNG, and the CNG generates the key according to the key algorithm, initial vector and lifecycle information.
Step 4: The CNG and the CNGCF in the bidirectional interaction use the stored management credential to authenticate each other and judge whether the operation is authorized. That is, the CNG authenticates the CNGCF according to the management credential; and the CNGCF authenticates the CNG according to the management credential.
The NASS is adapted to: authenticate a user who attempts to log in based on the subscription profile of the user, authorize the user to use network resources, configure the network according to the authorization information, and allocate IP addresses.
The NASS-based architecture includes: a CNG 1, an Access Management Function (AMF) 2, a UAAF 3, a CLF 4, a NACF 5, and a CNGCF 6. The interface between the NACF 5 and the AMF 2 is a1; the interface between the NACF 5 and the CLF 4 is a2; the interface between the AMF 2 and the UAAF 3 is a3; the interface between the UAAF 3 and the CLF 4 is a4; the interface between the CLF 4 and the CNGCF 6 is a5; the interface between the UE 1 and the AMF 2 is e1; the interface of the CLF 4 itself is e2; the interface between the CNGCF 6 and the UE 1 is e3; and the interface of the UAAF 3 itself is e5.
Step 501: The UAAF performs access authentication for the CNG. Specifically, the CNG sends an access authentication request to the UAAF to trigger the security association negotiation between the CNG and the UAAF, with a view to obtaining the security association subsequently. The security association is also known as a management credential.
Step 502: According to the local policy, the UAAF decides whether it is necessary to generate a management credential between the CNG and the CNGCF. If necessary, the UAAF generates a management credential between the CNG and the CNGCF.
The UAAF may use the user access authentication key information or the root key configured by the operator to generate a management credential between the CNG and the CNGCF.
The management credential may include a security protocol, a key algorithm, the key used in the key algorithm, an initial vector, and a lifecycle of the management credential. The management credential is also known as a security association.
Step 503: Through the extended a4 interface and the a5 interface between the CLF and the CNGCF, the UAAF configures the generated management credential to the CNGCF by means of the CLF. The UAAF adds the management credential to an authentication response message and sends the response message to the CNG through the e3 interface connected to the AMF.
The UAAF may also send only the key algorithm, initial vector and lifecycle information in the management credential to the CNG, and the CNG generates the key according to the key algorithm, initial vector and lifecycle information.
Subsequently, when the user attaches to the network, the UAAF uses the key in the management credential generated in the previous login authentication as a root key to generate a new management credential; or still uses the user access authentication key information or other information configured by the operator as a root key, and configures the key to the CNGCF and the CNG in the same way.
Besides, when the user attaches to the network subsequently, according to the policy configured by the operator, the UAAF decides whether a new management credential needs to be generated for every other system access. If it is not necessary, the last generated management credential may still be used between the CNG and the CNGCF.
In the actual network deployment, one CLF may correspond to multiple CNGCFs. The CLF may locate the CNGCF in two modes. The first mode is: The CLF sets up a correlation between the CNG and the corresponding CNGCF according to the CNG location information (physical location information or logical location information) pushed by the UAAF for access authentication at the time of user login. Therefore, the CLF needs to configure the mapping between each CNGCF and the physical location or logical location. The other mode is: The CLF sets up the correlation between the CNG and the CNGCF according to the access network identifier allocated by the NACF to the CNG for access authentication at the time of user login, but the prerequisite is that the CLF has configured the mapping relation between each CNGCF and the access network identifier.
Step 504: The CNG and the CNGCF in the bidirectional interaction use the stored management credential to authenticate each other and decide whether the operation is authorized. That is, the CNG authenticates the CNGCF according to the management credential; and the CNGCF authenticates the CNG according to the management credential. If the CNG registers with the CNGCF upon power-on, with a credential being carried in the registration request, the CNGCF compares the received CNG credential with the stored CNG credential. If the CNG credentials are the same, the CNGCF authenticates the CNG successfully and returns an authentication success message. The CNG authenticates the CNGCF in the same way.
The method provided in this embodiment generates, distributes and modifies management credentials automatically, thus enabling authentication between the CNG and the CNGCF fundamentally, reducing the operation and maintenance costs of distributing numerous CNGs, and improving the operation efficiency massively.
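As an added illustration (an editor's example, not code from the patent), the following Python program models Steps 501 to 504 with the CLF locating the CNGCF by CNG location. The UAAF derives the management credential from the access authentication key, or on re-attachment from the key of the previous credential, pushes the full credential to the CNGCF through the CLF, and sends only the key algorithm, initial vector and lifecycle to the CNG, which derives the same key itself. The key derivation function (HMAC-SHA256 over the public parameters), the proof of possession by a MAC over the peer's nonce in Step 504 (in place of carrying the credential itself in the registration request), the lifecycle check, and all identifiers, locations and key values are assumptions of this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample values, not taken from the patent: one CNG, the access
# authentication key it shares with the UAAF, and a credential lifetime.
CNG_ID = "cng-0001"
ACCESS_KEY = b"cng-0001-access-authentication-key"
LIFECYCLE_SECONDS = 3600

@dataclass(frozen=True)
class ManagementCredential:        # the security association of steps 502-503
    key_algorithm: str
    initial_vector: bytes
    lifecycle: int                 # validity in seconds, counted from issued_at
    issued_at: int
    key: bytes

def derive_key(root, key_algorithm, iv, lifecycle):
    # Assumed KDF (the patent leaves it open): HMAC-SHA256 of the public parameters
    # under the root key, so UAAF and CNG reach the same key from the same inputs.
    return hmac.new(root, f"{key_algorithm}|{lifecycle}|".encode() + iv, hashlib.sha256).digest()

def prove(cred, nonce):
    # Proof of possession: a MAC over the peer's nonce under the credential key.
    return hmac.new(cred.key, nonce, hashlib.sha256).digest()

def verify(cred, nonce, tag, now):
    # Accept the proof only while the credential is inside its lifecycle.
    return (cred is not None and now < cred.issued_at + cred.lifecycle
            and hmac.compare_digest(prove(cred, nonce), tag))

class CLF:
    def __init__(self, location_to_cngcf):
        # First locating mode of the text: CNG location -> CNGCF, where each CNGCF
        # is modelled as a dict cng_id -> credential configured over a5.
        self.location_to_cngcf = location_to_cngcf

    def configure(self, cng_id, location, cred):
        self.location_to_cngcf[location][cng_id] = cred

class CNG:
    def __init__(self, cng_id, access_key, location):
        self.cng_id, self.access_key, self.location, self.cred = cng_id, access_key, location, None

    def receive_params(self, key_algorithm, iv, lifecycle, issued_at):
        # Only algorithm, IV and lifecycle arrive over e3; the key is derived locally
        # from the previous credential key on re-attachment, else from the access key.
        root = self.cred.key if self.cred else self.access_key
        self.cred = ManagementCredential(key_algorithm, iv, lifecycle, issued_at,
                                         derive_key(root, key_algorithm, iv, lifecycle))

class UAAF:
    def __init__(self, clf, access_keys, rekey_each_attach=True):
        self.clf, self.access_keys, self.rekey_each_attach = clf, access_keys, rekey_each_attach
        self.last = {}             # cng_id -> last issued credential (root for the next one)

    def attach(self, cng, now):
        # Step 501, stand-in for the access authentication exchange: shared-key check.
        if not hmac.compare_digest(self.access_keys.get(cng.cng_id, b""), cng.access_key):
            raise PermissionError("access authentication failed")
        prev = self.last.get(cng.cng_id)
        # Step 502: local policy; keep the last credential when no rekey is required.
        if prev is not None and not self.rekey_each_attach and now < prev.issued_at + prev.lifecycle:
            return prev
        root = prev.key if prev is not None else self.access_keys[cng.cng_id]
        iv = os.urandom(16)
        cred = ManagementCredential("HMAC-SHA256", iv, LIFECYCLE_SECONDS, now,
                                    derive_key(root, "HMAC-SHA256", iv, LIFECYCLE_SECONDS))
        self.last[cng.cng_id] = cred
        # Step 503: full credential to the CNGCF via the CLF, parameters only to the CNG.
        self.clf.configure(cng.cng_id, cng.location, cred)
        cng.receive_params(cred.key_algorithm, cred.initial_vector, cred.lifecycle, cred.issued_at)
        return cred

def mutual_authenticate(cng, cngcf, now):
    # Step 504: each side proves possession of the credential key to the other.
    stored = cngcf.get(cng.cng_id)
    nonce_g = os.urandom(16)
    if not verify(stored, nonce_g, prove(cng.cred, nonce_g), now):
        return False
    nonce_c = os.urandom(16)
    return verify(cng.cred, nonce_c, prove(stored, nonce_c), now)

def run_scenario():
    cngcf = {}
    clf = CLF({"access-node-7": cngcf})
    uaaf = UAAF(clf, {CNG_ID: ACCESS_KEY})
    cng = CNG(CNG_ID, ACCESS_KEY, "access-node-7")
    first = uaaf.attach(cng, now=1000)
    ok_first = mutual_authenticate(cng, cngcf, now=1500)
    second = uaaf.attach(cng, now=2000)      # re-attachment: previous key is the new root
    ok_second = mutual_authenticate(cng, cngcf, now=2500)
    expired = mutual_authenticate(cng, cngcf, now=2000 + LIFECYCLE_SECONDS)
    return {"first_ok": ok_first, "second_ok": ok_second,
            "rekeyed": first.key != second.key, "expired_rejected": not expired}
```

`run_scenario()` shows that both sides arrive at the same key although only the public parameters cross the e3 interface, that a re-attachment produces a new key on both sides from the previous one, and that a credential past its lifecycle is rejected even though the key still matches.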
Step 701: The UAAF performs access authentication for the CNG.
Step 702: According to the local policy, the UAAF decides whether it is necessary to generate a management credential between the CNG and the CNGCF. If necessary, the UAAF generates a management credential between the CNG and the CNGCF.
The UAAF may use the user access authentication key information or the root key configured by the operator to generate a management credential between the CNG and the CNGCF.
The management credential may include a security protocol, a key algorithm, the key used in the key algorithm, an initial vector, and a lifecycle of the management credential. The management credential is also known as a security association.
Step 703: Through the a6 interface between the UAAF and the CNGCF, the UAAF configures the generated management credential to the CNGCF. The UAAF adds the management credential to an authentication response message and sends the response message to the CNG through the e3 interface connected to the AMF.
The UAAF may also send only the key algorithm, initial vector and lifecycle information in the management credential to the CNG, and the CNG generates the key according to the key algorithm, initial vector and lifecycle information.
Subsequently, when the user attaches to the network, the UAAF uses the key in the management credential generated in the previous attachment process as a root key to generate a new management credential; or still uses the user access authentication key information or other information configured by the operator as a root key, and configures the key to the CNGCF and the CNG in the same way.
Besides, when the user attaches to the network subsequently, according to the policy configured by the operator, the UAAF decides whether a new management credential needs to be generated for every other system access. If it is not necessary, the last generated management credential may still be used between the CNG and the CNGCF.
In the actual network deployment, one UAAF may correspond to multiple CNGCFs. The UAAF may locate the CNGCF in two modes. The first mode is: The UAAF searches for the home CNGCF corresponding to the CNG according to the CNG location information (physical location information or logical location information) that exists when the user logs in and undergoes access authentication. Therefore, the prerequisite is that the UAAF configures the mapping between each CNGCF and the physical location or logical location. The other mode is that the UAAF searches for the CNGCF corresponding to the CNG according to the access network identifier allocated by the NACF to the CNG (through the a7 interface) when the user logs in, or by using the access network identifier allocated by the NACF to the CNG (through the a4 interface) and forwarded by the CLF, but the prerequisite is that the UAAF configures a mapping relation between each CNGCF and the access network identifier.
Step 704: The CNG and the CNGCF in the bidirectional interaction use the stored management credential to authenticate each other and decide whether the operation is authorized. That is, the CNG authenticates the CNGCF according to the management credential; and the CNGCF authenticates the CNG according to the management credential.
The method provided in this embodiment generates, distributes and modifies management credentials automatically, thus enabling authentication between the CNG and the CNGCF fundamentally, reducing the operation and maintenance costs of distributing numerous CNGs, and improving the operation efficiency massively.
a UAAF 13, adapted to: perform access authentication for a CNG 11, generate a management credential between the CNG 11 and a CNGCF 16, and send the management credential; the CNG 11, adapted to: receive the management credential, and set up a correlation with the management credential;
the CNGCF 16, adapted to: receive the management credential, whereupon the CNG 11 authenticates the CNGCF 16 according to the management credential and the CNGCF 16 authenticates the CNG 11 according to the management credential;
an AMF 12, adapted to forward the CNG location information to the UAAF 13; and
a NACF 15, adapted to: allocate an access network identifier to the CNG and send the access network identifier to the UAAF 13.
a UAAF 23, adapted to generate a management credential between a CNG 21 and a CNGCF 36;
the CNG 21, adapted to: receive the management credential, and perform management authentication according to the management credential;
the CNGCF 26, adapted to: receive the management credential, and perform management authentication according to the management credential;
an AMF 22, adapted to forward the CNG location information to the UAAF 23; and a CLF 24, adapted to forward an access network identifier to the UAAF 23, where the access network identifier is allocated by a NACF 25 to the CNG.
a UAAF 33, adapted to generate a management credential between a CNG 31 and a CNGCF 36;
the CNG 31, adapted to: receive the management credential, and perform management authentication according to the management credential;
the CNGCF 36, adapted to: receive the management credential, and perform authentication according to the credential;
an AMF 32, adapted to forward the CNG location information to the UAAF 33;
a CLF 34, adapted to forward the management credential generated by the UAAF 33 to the CNGCF 36.
The CNG management authentication system provided in this embodiment generates, distributes and modifies management credentials automatically without manual configuration, thus enabling authentication between the CNG and the CNGCF fundamentally. The system implements automatic control for key distribution, thus providing high security. The system updates the key conveniently, thus reducing the operation and maintenance costs of distributing numerous CNGs, and improving the operation efficiency massively.
Another method for authenticating a CNG and a CNGCF in an embodiment of the present invention includes the following steps:
Step 1: The UAAF performs access authentication for the CNG. The CNG generates a first Pre-Shared Key (PSK), and the access authorization module generates a second PSK.
Step 2: The CNG authenticates the message received from the CNGCF according to the first PSK and the second PSK.
Step 3: The CNGCF authenticates the message received from the CNG according to the first PSK and the second PSK.
Step 801: The CNG sends an access authentication request to the UAAF.
Step 802: In the security association stage of the access authentication, a number of negotiation exchanges may occur, such as Challenge (Session ID, random string S, ...).
Step 803: The CNG calculates the first PSK according to the stored user ID, the original access authentication key, the random string S obtained in the negotiation process, and the authentication session ID, and sends the first PSK to the UAAF.
The calculation method may be the Hash algorithm, namely, the first PSK=HASH (Session ID, random string S, user ID, key).
Step 804: The UAAF calculates the second PSK according to the stored user ID, the original access authentication key, the random string S obtained in the negotiation process, and the authentication session ID.
The calculation method is the Hash algorithm, namely, the second PSK=HASH (Session ID, random string S, user ID, key).
Step 805: The UAAF performs access authentication according to the second PSK and the first PSK. If the two PSKs are the same, the authentication succeeds; otherwise, the authentication fails.
Step 806: The UAAF sends the second PSK and the correlation between the second PSK and the CNG to the CNGCF.
Step 807: The CNGCF performs authentication according to the first PSK in the message received from the CNG and the second PSK stored in the CNGCF; and the CNG performs authentication according to the second PSK in the message received from the CNGCF and the first PSK stored in the CNG.
The CNG management authentication method in this embodiment shares the same user ID or key with the CNG access authentication, and uses the first PSK and the second PSK generated in the access authentication process, thus simplifying the security association negotiation process of the CNG management authentication, and improving the efficiency while ensuring the security. Therefore, this method reduces the operation and maintenance costs of distributing numerous CNGs and improves the operation efficiency.
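As an added illustration (an editor's example, not code from the patent), the following Python program models Steps 801 to 807: the UAAF issues the challenge, the CNG and the UAAF each compute PSK = HASH(Session ID, random string S, user ID, key), the UAAF compares the two PSKs and, only on success, pushes the second PSK and its correlation with the CNG to the CNGCF serving the CNG's access network, after which the CNG and the CNGCF authenticate each other's management messages. SHA-256 as the hash, the length prefix on each hashed field, binding each management message to the PSK with an HMAC (rather than carrying the PSK in the message), the dictionary that stands in for the NACF access-network-identifier lookup, and all user IDs and key values are assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed sample values, not taken from the patent: the user ID and the
# original access authentication key shared by the CNG and the UAAF.
USER_ID = "user-0001"
ACCESS_KEY = b"original-access-authentication-key"

def compute_psk(session_id, random_s, user_id, key):
    # PSK = HASH(Session ID, random string S, user ID, key) of steps 803 and 804.
    # SHA-256 and the 4-byte length prefix per field are assumptions; the prefix
    # keeps field boundaries unambiguous when the inputs are concatenated.
    h = hashlib.sha256()
    for field in (session_id, random_s, user_id.encode(), key):
        h.update(len(field).to_bytes(4, "big") + field)
    return h.digest()

def tag(psk, message):
    # Binds a management message to the PSK; the peer recomputes and compares.
    return hmac.new(psk, message, hashlib.sha256).digest()

class CNG:
    def __init__(self, user_id, access_key):
        self.user_id, self.access_key, self.first_psk = user_id, access_key, None

    def respond(self, session_id, random_s):
        # Step 803: derive the first PSK and return it to the UAAF.
        self.first_psk = compute_psk(session_id, random_s, self.user_id, self.access_key)
        return self.first_psk

    def sign(self, message):
        return tag(self.first_psk, message)

    def verify(self, message, received_tag):
        return hmac.compare_digest(tag(self.first_psk, message), received_tag)

class CNGCF:
    def __init__(self):
        self.second_psks = {}          # user_id -> second PSK pushed by the UAAF (step 806)

    def verify(self, user_id, message, received_tag):
        psk = self.second_psks.get(user_id)
        return psk is not None and hmac.compare_digest(tag(psk, message), received_tag)

    def sign(self, user_id, message):
        return tag(self.second_psks[user_id], message)

class UAAF:
    def __init__(self, subscribers, cngcf_by_access_network):
        self.subscribers = subscribers                          # user_id -> access key
        self.cngcf_by_access_network = cngcf_by_access_network  # NACF identifier -> CNGCF

    def challenge(self):
        # Step 802: Challenge(Session ID, random string S, ...)
        return os.urandom(8), os.urandom(16)

    def authenticate(self, user_id, session_id, random_s, first_psk, access_network_id):
        # Steps 804-806: compute the second PSK, compare, and on success push the
        # second PSK and its correlation with the CNG to the CNGCF of that network.
        key = self.subscribers.get(user_id)
        if key is None:
            return False
        second_psk = compute_psk(session_id, random_s, user_id, key)
        if not hmac.compare_digest(first_psk, second_psk):
            return False               # a failed attempt never replaces a stored PSK
        self.cngcf_by_access_network[access_network_id].second_psks[user_id] = second_psk
        return True

def run_scenario():
    cngcf = CNGCF()
    uaaf = UAAF({USER_ID: ACCESS_KEY}, {"access-network-A": cngcf})
    cng = CNG(USER_ID, ACCESS_KEY)
    session_id, random_s = uaaf.challenge()
    access_ok = uaaf.authenticate(USER_ID, session_id, random_s,
                                  cng.respond(session_id, random_s), "access-network-A")
    # Step 807 in both directions, then a tampered message and a CNG with a wrong key.
    request, reply = b"register cng", b"registration accepted"
    cng_to_cngcf = cngcf.verify(USER_ID, request, cng.sign(request))
    cngcf_to_cng = cng.verify(reply, cngcf.sign(USER_ID, reply))
    tampered = cngcf.verify(USER_ID, b"register other", cng.sign(request))
    rogue = CNG(USER_ID, b"wrong-key")
    sid2, s2 = uaaf.challenge()
    rogue_access = uaaf.authenticate(USER_ID, sid2, s2, rogue.respond(sid2, s2), "access-network-A")
    rogue_msg = cngcf.verify(USER_ID, request, rogue.sign(request))
    return {"access_ok": access_ok, "cng_to_cngcf": cng_to_cngcf, "cngcf_to_cng": cngcf_to_cng,
            "tampered_rejected": not tampered, "rogue_access": rogue_access,
            "rogue_msg_rejected": not rogue_msg}
```

Because the UAAF stores the second PSK in the CNGCF only after the comparison of Step 805 succeeds, a failed access attempt with the same user ID cannot displace the PSK of a CNG that attached legitimately, and the CNGCF keeps rejecting messages from the holder of the wrong key.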
a CNG 41, adapted to: send access authentication information, send and receive management authentication information, and generate a first PSK;
a CNGCF 46, adapted to receive and send the management authentication information;
a UAAF 43, adapted to: receive the access authentication information, generate a second PSK, and send the second PSK to the CNGCF 46, whereupon the CNGCF 46 authenticates the message received from the CNG 41 according to the first PSK and the second PSK and the CNG 41 authenticates the message received from the CNGCF 46 according to the first PSK and the second PSK;
an AMF 42, adapted to forward access authentication information between the CNG 41 and the UAAF 43; and
a NACF 45, adapted to: allocate an access network identifier to the CNG 41 and send it to the UAAF 43, whereupon the UAAF 43 searches for the CNGCF corresponding to the CNG according to the CNG and access network identifier information sent by the NACF and forwards the second PSK to the found CNGCF 46.
The authentication process involves no AMF.
a CNG 51, adapted to: send access authentication information, send and receive management authentication information, and generate a first PSK;
a CNGCF 56, adapted to receive and send the management authentication information;
a UAAF 53, adapted to: receive the access authentication information, generate a second PSK, and send the second PSK to a CLF 54;
the CLF 54, adapted to forward the second PSK to the CNGCF 56;
the CNGCF 56, adapted to: authenticate the message received from the CNG 51 according to the first PSK and the second PSK, and authenticate the message received from the CNGCF 56 according to the first PSK and the second PSK; and
an AMF 52, adapted to forward access authentication information between the CNG 51 and the UAAF 53.
The CNG authentication system provided in this embodiment generates, distributes and modifies management credentials automatically, thus enabling authentication between the CNG and the CNGCF fundamentally, reducing the operation and maintenance costs of distributing numerous CNGs, and improving the operation efficiency massively.
Although the invention is described through several exemplary embodiments, the invention is not limited to such embodiments. It is apparent that those skilled in the art can make modifications and variations to the invention without departing from the spirit and scope of the invention. The invention is intended to cover such modifications and variations provided that they fall in the scope of protection defined by the following claims or their equivalents.
Number | Date | Country | Kind |
---|---|---|---|
200710129583.8 | Jul 2007 | CN | national |
The application is a continuation of International Application No. PCT/CN2008/071617, filed on Jul. 11, 2008, which claims priority to Chinese Patent Application No. 200710129583.8, filed on Jul. 11, 2007, both of which are hereby incorporated by reference in their entireties.
Relation | Number | Date | Country |
---|---|---|---|
Parent | PCT/CN2008/071617 | Jul 2008 | US |
Child | 12639623 | | US |