CN103024735B - Method and equipment for service access of card-free terminal - Google Patents
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/043—Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
- H04W12/0431—Key distribution or pre-distribution; Key agreement
- H04W12/06—Authentication
Abstract
A service access method for a cardless terminal, comprising: a card-equipped terminal receives a service authentication request sent by a cardless terminal, generates a user key for the cardless terminal according to the request, and authenticates the cardless terminal by interacting with the network side on the basis of that user key; after the cardless terminal has passed authentication, the card-equipped terminal performs service interaction with the network side according to the service interaction requests it receives from the cardless terminal. The method solves the problem that a cardless terminal cannot use the GBA procedure to access network services directly, and makes network service access more convenient for cardless terminals.
Description
Technical field
The invention relates to the field of communication technology, and in particular to a service access method and device for a cardless terminal.
Background
In a mobile network environment, when a user accesses certain services from a terminal, the terminal and the service server must authenticate each other on the basis of a user key, and that key is also used to encrypt confidential data in transit. Generating the user key is therefore a precondition for using such services.
Depending on whether the device carries a SIM/USIM card (Subscriber Identity Module/Universal Subscriber Identity Module), current terminals fall into two classes: card-equipped terminals and cardless terminals. A card-equipped terminal has a SIM/USIM card inserted; the card holds the user's personal root key for logging in to the mobile communication network, which is the same key recorded in the HLR/HSS (Home Location Register/Home Subscriber Server) on the network side. The most common card-equipped terminal is the mobile phone. Because the key on the card is already shared between the network side and the terminal side, a card-equipped terminal can use it to achieve mutual authentication between the terminal and the network platform and to generate a shared service-layer user key. 3GPP has defined GBA (Generic Bootstrapping Architecture) for generating, on a card-equipped terminal, a user key shared between the terminal and the service platform.
A cardless terminal has no SIM/USIM card inserted and holds no key or secret that could be used to authenticate the user's identity, so it cannot generate a user key shared with the service platform through the GBA procedure as a card-equipped terminal does. In existing terminal service access technology it is therefore difficult for a cardless terminal to use the GBA procedure to access network services directly.
As cardless terminals (PCs, notebooks, set-top boxes, tablet computers, e-readers and so on), and tablets in particular, become ever more widespread, the resulting problem that cardless terminals cannot use the GBA procedure to access network services directly urgently needs a solution.
Summary of the invention
Embodiments of the invention provide a service access method and device for a cardless terminal, which solve the problem that a cardless terminal cannot use the GBA procedure to access network services directly and make network service access more convenient for cardless terminals.
The service access method for a cardless terminal provided by an embodiment of the invention comprises the following steps:
a card-equipped terminal receives a service authentication request sent by a cardless terminal, generates a user key for the cardless terminal according to the request, and authenticates the cardless terminal by interacting with the network side on the basis of that user key;
after the cardless terminal has passed authentication, the card-equipped terminal performs service interaction with the network side according to the service interaction request it receives from the cardless terminal.
The card-equipped terminal provided by an embodiment of the invention comprises:
a first receiving module, for receiving the service authentication request sent by a cardless terminal and for receiving the service interaction request sent by the cardless terminal;
a security module, for generating a user key for the cardless terminal according to the service authentication request and authenticating the cardless terminal via the network side on the basis of that user key, and, once the network side has authenticated the cardless terminal, for performing service interaction with the network side according to the service interaction request received by the first receiving module from the cardless terminal.
The cardless terminal provided by an embodiment of the invention comprises:
a security module, for establishing a secure channel with a card-equipped terminal;
a client module, for sending a service authentication request to the card-equipped terminal over the secure channel, so that the card-equipped terminal generates a user key for the cardless terminal according to the request and authenticates the cardless terminal by interacting with the network side on the basis of that user key, and for sending service interaction requests to the card-equipped terminal over the secure channel, so that the card-equipped terminal performs the service interaction with the network side.
Compared with the prior art, the above embodiments of the invention have the following beneficial technical effects:
In the embodiments, after receiving an authentication request initiated by a cardless terminal, the card-equipped terminal generates a user key for the cardless terminal according to that service authentication request, authenticates the cardless terminal via the network side on the basis of the key and, once the network side has authenticated the cardless terminal, performs service interaction with the network side according to the service interaction requests it receives from the cardless terminal. This gives a cardless terminal with no network access capability of its own a channel onto the network through which it can reach the service platform, making network service access more convenient for cardless terminals.
Description of drawings
Fig. 1 is a flow chart of the steps of the service access method for a cardless terminal provided by an embodiment of the invention;
Fig. 2 is a signaling diagram of the service access method for a cardless terminal provided by an embodiment of the invention;
Fig. 3 is a flow chart of the steps by which the middleware of the card-equipped terminal generates the cardless terminal's user key and the bootstrapping identifier of that key, according to an embodiment of the invention;
Fig. 4 is a flow chart of the steps by which the BSF generates the verification key for the cardless terminal's user key, according to an embodiment of the invention;
Fig. 5 is a schematic structural diagram of a card-equipped terminal provided by an embodiment of the invention;
Fig. 6 is a schematic structural diagram of a cardless terminal provided by an embodiment of the invention.
Detailed description
The technical solution of the invention is described clearly and completely below with reference to the accompanying drawings. The described embodiments are evidently only some of the embodiments of the invention, not all of them. All other embodiments that a person of ordinary skill in the art could obtain from these embodiments without inventive effort fall within the scope of protection of the invention.
The service access system architecture to which the embodiments apply comprises: a card-equipped terminal, a cardless terminal, a network application platform (Network Application Function, NAF) and a bootstrapping server (Bootstrapping Server Function, BSF). In this embodiment the NAF mainly performs service authentication and service interaction with the card-equipped terminal; the BSF mainly generates the cardless terminal's user key and sends it to the NAF, so that the NAF can perform service authentication with the card-equipped terminal. A card-equipped terminal is a device with a SIM/USIM card, such as a mobile phone; a cardless terminal is a device without one, such as a PC, notebook, set-top box, tablet computer or e-reader.
The card-equipped terminal in this system acts as a proxy for the cardless terminal, providing it with user key generation, user authentication, network access and related functions. The cardless terminal takes no part in implementing those functions: the service client on the cardless terminal need not concern itself with key negotiation, user authentication or the security of the service channel; it simply initiates the service interaction with the card-equipped terminal according to its own client logic, and the card-equipped terminal forwards it to the NAF through the proxy mechanism.
Based on the above system architecture, the service access flow for a cardless terminal provided by an embodiment of the invention is shown in Fig. 1 and comprises:
Step 101: a secure channel is established between the cardless terminal and the card-equipped terminal.
In practice, the cardless terminal and the card-equipped terminal can authenticate each other using the shared key (PSK) each of them stores and establish the secure channel on that basis.
Step 102: when the cardless terminal needs to access a NAF for a service, it sends a service authentication request to the card-equipped terminal over the secure channel.
Step 103: the card-equipped terminal generates a user key for the cardless terminal according to the service authentication request.
In practice, the service authentication request can carry parameters such as the NAF ID (identifier of the NAF) and the Device ID (device identifier of the cardless terminal that initiated the request). From the NAF ID carried in the request and Ks (the shared key between the card-equipped terminal and the BSF, i.e. the root key), the card-equipped terminal computes the service access key Ks_NAF, and from Ks_NAF, the Device ID and other parameters it generates the user key TempK_NAF and the TB-TID, a temporary B-TID (Bootstrapping Transaction Identifier).
Step 104: the card-equipped terminal uses this user key to perform service authentication of the cardless terminal via the network side.
In practice, the card-equipped terminal sends a service authentication request carrying the TB-TID generated for the cardless terminal to the NAF; the NAF sends a user key request carrying the TB-TID and its NAF ID to the BSF; the BSF parses the TB-TID to obtain the Device ID, the B-TID and the validity period (Expire Date) of the user key, computes the service access key Ks_NAF from the NAF ID and Ks, generates the user key TempK_NAF from Ks_NAF, the Device ID and the other parameters, and returns it to the NAF; the NAF and the card-equipped terminal then perform service authentication of the cardless terminal on the basis of the TempK_NAF generated for it.
Step 105: if the cardless terminal passes authentication, it can send service interaction requests to the card-equipped terminal over the secure channel between them; the card-equipped terminal forwards each request to the NAF and, on receiving the NAF's service response, sends that response to the cardless terminal over the secure channel. Depending on the needs of the service, the card-equipped terminal may encrypt the data it sends to the NAF with the user key TempK_NAF generated for the cardless terminal, and the NAF may encrypt the service response with the cardless terminal's TempK_NAF before sending it to the card-equipped terminal; in that case the card-equipped terminal decrypts the received service response with the TempK_NAF generated for the cardless terminal and forwards the decrypted response to the cardless terminal.
The above flow shows that the embodiments of the invention have the following advantages:
1. A cardless terminal that has no network access capability of its own is given a channel onto the network through which it can reach the service platform, making network service access more convenient for cardless terminals.
2. The cardless terminal takes no part in user key generation, network access or user authentication; it only initiates service interaction requests to the card-equipped terminal, which forwards them to the service platform through the proxy mechanism, so that the card-equipped terminal acts as the cardless terminal's proxy for accessing the network and the service platform.
3. The cardless terminal reaches the service platform through the card-equipped terminal's network, which is the same network the service platform belongs to; this guarantees the QoS (Quality of Service) of the cardless terminal's link to the platform, and signaling response latency and packet loss can be reduced through unified network planning and upgrades.
4. Neither TempK_NAF nor Ks_NAF ever leaves the card-equipped terminal, which effectively eliminates the risk of a cardless terminal deriving the card-equipped terminal's Ks_NAF from TempK_NAF and improves the security of the service client user keys on the card-equipped terminal.
5. The card-equipped terminal lets the cardless terminal use the service under the card-equipped terminal's user identity for a limited time; once the validity period has elapsed, the user key generated for the cardless terminal becomes invalid. In addition, a secure channel is established between the card-equipped terminal and the cardless terminal to guarantee device authentication and the confidentiality of the connection.
In a concrete implementation, a Secure Module (SeM) can be deployed on the card-equipped terminal and on the cardless terminal respectively, so that the card-equipped terminal can perform service authentication and network access on behalf of the cardless terminal. The SeM on the cardless terminal comprises an interface layer; the SeM on the card-equipped terminal comprises an interface layer and middleware. The interface layer may take various software or hardware forms, so as to secure the communication over the interface between the middleware on the card-equipped terminal and the service client on the cardless terminal. The middleware in the card-equipped terminal's SeM is a general capability that can provide user key generation, user authentication, network access and related functions to multiple cardless terminals and multiple service clients.
Based on the above structure of the card-equipped and cardless terminals, the signaling flow of the cardless terminal's user key generation, user authentication, network access and service interaction provided by an embodiment of the invention is shown in Fig. 2.
During GBA initialization, the key computation module in the card-equipped terminal negotiates a shared key with the BSF: the terminal's GBA key computation module uses the SIM/USIM card to compute the authentication information, authenticates with the BSF, completes the GBA initialization and generates the card-equipped terminal's root key Ks.
The user key generation, user authentication and service interaction that follow GBA initialization are described in detail below with reference to Figs. 1 and 2. As shown in Fig. 2, the process comprises:
Establishing a secure channel between the cardless terminal and the card-equipped terminal (step 101 in Fig. 1)
The interface layer of the cardless terminal's SeM and the interface layer of the card-equipped terminal's SeM authenticate each other using the shared key (PSK) each of them stores and establish a secure channel. The shared key may be pre-stored, or it may be, for example, a password entered by the user on the spot.
Service authentication performed by the card-equipped terminal on behalf of the cardless terminal (steps 102 to 104 in Fig. 1)
When the cardless terminal needs to access a NAF, its NAF client sends an authentication request to the middleware in the card-equipped terminal's SeM, carrying the identifier of the network application platform it wants to access (NAF ID) and the cardless terminal's own identifier (Device ID).
The card-equipped terminal's middleware sends a key request to the key computation module in its SIM/USIM, requesting the service key Ks_NAF for the cardless terminal; on receiving the request, the key computation module generates Ks_NAF, corresponding to the NAF ID requested by the cardless terminal, and returns it to the middleware. Specifically, the key computation module generates Ks_NAF from Ks, the NAF ID and the IP Multimedia Private Identity (IMPI), among other inputs. The key computation module may reside in the SIM/USIM or outside it, for example as software or hardware on the terminal. From the Ks_NAF obtained, the middleware generates the cardless terminal's user key TempK_NAF and the temporary TB-TID for that key.
The middleware sends a service authentication request carrying the TB-TID generated for the cardless terminal to the NAF; on receiving it, the NAF sends a key request carrying its own NAF ID and the TB-TID taken from the service authentication request to the BSF; the BSF generates the cardless terminal's user key TempK_NAF and sends it to the NAF; the middleware and the NAF then authenticate the cardless terminal on the basis of the TempK_NAF generated for it, that is, they complete HTTP Digest mutual authentication using TempK_NAF, and once that succeeds a secure service communication channel is established between the card-equipped terminal and the NAF.
Once the NAF and the card-equipped terminal's middleware have authenticated the cardless terminal, the middleware sends the authentication result to the cardless terminal's NAF client.
Preferably, the card-equipped terminal presents the cardless terminal's service authentication request to the user on its user interface and waits for the user to accept or decline: if the user declines, the card-equipped terminal rejects the cardless terminal's authentication request; if the user confirms, the middleware requests the service access key (Ks_NAF) from the key computation module.
Service interaction performed by the card-equipped terminal on behalf of the cardless terminal (step 105 in Fig. 1)
After authentication, the cardless terminal's NAF client sends the next service interaction request to the card-equipped terminal's middleware; the middleware sends the request to the NAF over the card-equipped terminal's access network (that is, over the secure service channel established between the card-equipped terminal and the NAF); the NAF processes the request and sends a service response to the middleware; the middleware forwards the response to the cardless terminal's NAF client, which then carries out the corresponding service processing.
Preferably, depending on the security level of the service interaction, the middleware may encrypt the service interaction request received from the cardless terminal with that terminal's TempK_NAF before sending it to the NAF, and the NAF may likewise encrypt the service response it sends to the middleware with the cardless terminal's TempK_NAF. If the service response received by the middleware is encrypted, the middleware decrypts it with the corresponding TempK_NAF and forwards the decrypted response to the cardless terminal's NAF client.
In step 103 above, the middleware generates the cardless terminal's user key and the bootstrapping identifier of that key from the Ks_NAF obtained (see Fig. 3), in the following steps:
Step 301: the middleware sets a validity period (Expire Date) for the cardless terminal's user key according to policy. The validity period can be set flexibly for different users and for the different service content to be accessed, to suit the needs of different users and services. In operation the decision is made from the terminal type carried in the cardless terminal's Device ID: for a home terminal such as a set-top box or other household device the key lifetime can be 1 day, e.g. an Expire Date of 2010-3-20 12:00:00 to 2010-3-21 12:00:00; for a public PC or similar device the lifetime can be 1 hour, e.g. an Expire Date of 2010-3-20 12:00:00 to 2010-3-21 13:00:00.
Step 302: the middleware generates the user key (TempK_NAF) and the bootstrapping identifier (TB-TID) of the cardless terminal's user key from Ks_NAF, the Expire Date and the Device ID.
Specifically, TempK_NAF = KDF(Ks_NAF, Device ID, Expire Date), where KDF is a one-way digest function such as MD5, SHA1, SHA256 or an HMAC.
At the same time, the middleware generates the bootstrapping identifier TB-TID for the cardless terminal's NAF client. Specifically, the card-equipped terminal's key computation module passes the Expire Date and TempK_NAF to the middleware, and the middleware generates the cardless terminal's temporary bootstrapping identifier TB-TID from the validity period, the cardless terminal's Device ID and the Bootstrapping Transaction Identifier (B-TID); for example, the cardless terminal's temporary bootstrapping identifier may be the concatenation: Device ID, validity period, B-TID. The B-TID is generated for the card-equipped terminal by the BSF after the terminal has completed GBA initialization, and identifies the card-equipped terminal's user key Ks.
In step 104 above, the BSF generates the verification key for the cardless terminal's user key (see Fig. 4), in the following steps:
Step 401: on receiving the key request sent by the NAF, the BSF parses the TB-TID carried in the request and extracts the B-TID, the Device ID and the Expire Date.
步骤402,BSF判断该TB-TID的Expire Date是否仍然有效,若有效,根据B-TID查找Ks_NAF,否则给中间件返回认证未通过的消息。In step 402, the BSF judges whether the Expire Date of the TB-TID is still valid, and if it is valid, searches for Ks_NAF according to the B-TID; otherwise, returns a message that the authentication fails to the middleware.
步骤403,BSF根据Ks_NAF计算无卡终端用户密钥的验证密钥,TempK_NAF=KDF(Ks_NAF,Device ID,,Expire Date)。其中,KDF是单向摘要函数,其包括MD5,SHA1、SHA256,或者HMAC算法。Step 403, BSF calculates the verification key of the cardless terminal user key according to Ks_NAF, TempK_NAF=KDF(Ks_NAF, Device ID, Expire Date). Among them, KDF is a one-way digest function, which includes MD5, SHA1, SHA256, or HMAC algorithm.
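Steps 301-302 (middleware side) and 401-403 (BSF side) as an added Python example, not code from the patent: the middleware sets Expire Date by terminal type, derives TempK_NAF and builds TB-TID; the BSF parses TB-TID, rejects expired or unknown B-TIDs and recomputes the key. Assumptions of this example: HMAC-SHA256 as the KDF (one of the options the patent lists), a "|" separator and a fixed date format inside TB-TID, and constructed values for Ks_NAF, B-TID and the device identifiers.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

# Added example, not the patent's own code. The patent admits MD5, SHA1, SHA256 or
# HMAC as the KDF; HMAC-SHA256 keyed with Ks_NAF is used here. The patent concatenates
# Device ID, Expire Date and B-TID into TB-TID without naming a separator, so the
# "|" separator and the date format below are assumptions of this example.
SEP = "|"
DATE_FMT = "%Y-%m-%d %H:%M:%S"
# Step 301 policy: home devices get a 1-day key, public PCs a 1-hour key.
VALIDITY = {"home": timedelta(days=1), "public_pc": timedelta(hours=1)}


def derive_tempk_naf(ks_naf: bytes, device_id: str, expire_date: str) -> bytes:
    """TempK_NAF = KDF(Ks_NAF, Device ID, Expire Date) (steps 302 and 403)."""
    msg = f"{device_id}{SEP}{expire_date}".encode()
    return hmac.new(ks_naf, msg, hashlib.sha256).digest()


def middleware_issue(ks_naf, device_id, b_tid, now, terminal_type):
    """Card terminal middleware, steps 301-302: set Expire Date, derive the key, build TB-TID."""
    expire_date = (now + VALIDITY[terminal_type]).strftime(DATE_FMT)
    tb_tid = SEP.join([device_id, expire_date, b_tid])
    return derive_tempk_naf(ks_naf, device_id, expire_date), tb_tid


def bsf_verify(ks_naf_by_btid, tb_tid, now):
    """BSF, steps 401-403: parse TB-TID, reject if expired or B-TID unknown, else recompute."""
    device_id, expire_date, b_tid = tb_tid.split(SEP, 2)  # B-TID is the remainder
    if datetime.strptime(expire_date, DATE_FMT) <= now:
        return None                       # step 402: authentication not passed
    ks_naf = ks_naf_by_btid.get(b_tid)    # step 402: look up Ks_NAF by B-TID
    if ks_naf is None:
        return None
    return derive_tempk_naf(ks_naf, device_id, expire_date)


def run_demo():
    """Constructed sample: one Ks_NAF and B-TID shared by a set-top box and a public PC."""
    ks_naf = hashlib.sha256(b"constructed Ks_NAF").digest()
    b_tid = "randbase64@bsf.example.com"   # constructed B-TID
    bsf_store = {b_tid: ks_naf}
    issued = datetime(2010, 3, 20, 12, 0, 0)
    stb_key, stb_tb_tid = middleware_issue(ks_naf, "STB-0001", b_tid, issued, "home")
    pc_key, pc_tb_tid = middleware_issue(ks_naf, "PC-0001", b_tid, issued, "public_pc")
    later = issued + timedelta(hours=2)
    tampered = stb_tb_tid.replace("STB-0001", "STB-0002")
    return {
        "stb_tb_tid": stb_tb_tid,
        "pc_tb_tid": pc_tb_tid,
        "stb_ok": bsf_verify(bsf_store, stb_tb_tid, later) == stb_key,   # 1-day key still valid
        "pc_expired": bsf_verify(bsf_store, pc_tb_tid, later) is None,    # 1-hour key rejected
        "keys_differ": stb_key != pc_key,            # same Ks_NAF, different Device ID / Expire Date
        "tamper_detected": bsf_verify(bsf_store, tampered, issued) != stb_key,  # altered Device ID
        "unknown_btid": bsf_verify({}, stb_tb_tid, issued) is None,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```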
As can be seen from the above flow, the embodiment of the present invention also has the following advantages:
1. The embodiment of the present invention concentrates the functions of authentication and of generating the service-layer shared user key in the SeM module of the card terminal, so the service client on the cardless terminal need not concern itself with the authentication flow or the security of the service channel. This lowers the complexity of the service client on the cardless terminal, reduces the interaction complexity between the SeM modules of the card terminal and the cardless terminal, and improves functional stability.
2. As a generic capability, the middleware in the SeM module of the card terminal can provide the authentication flow and service-channel security for multiple terminals and multiple clients, lowering the development cost and integration difficulty of each client. Based on the same GBA scheme and the same SIM card, the middleware can produce different identities and different service keys for its own service client and for the service clients on several other cardless terminals, ensuring that different service clients authenticate under different identities.
An embodiment of the present invention also provides a card terminal. Referring to Figure 5, a schematic structural diagram of the card terminal provided by the embodiment of the present invention, the card terminal comprises:
a first receiving module 501, configured to receive the service authentication request sent by the cardless terminal, and to receive the service interaction request sent by the cardless terminal;
a security module 502, configured to generate a user key for the cardless terminal according to the service authentication request and to authenticate the cardless terminal via the network side using that user key; and, after the network side has authenticated the cardless terminal, to perform service interaction with the network side according to the service interaction request that the first receiving module 501 received from the cardless terminal.
Specifically, the security module 502 is configured to generate, for the cardless terminal, a user key and a temporary bootstrapping identifier of that user key, and to initiate to the network application platform NAF a service authentication request carrying the temporary bootstrapping identifier, so that the NAF forwards the temporary bootstrapping identifier to the initialization server BSF and obtains from the BSF the user key the BSF generates from that temporary bootstrapping identifier;
the security module 502 is further configured to perform authentication with the NAF based on the user key generated for the cardless terminal.
The card terminal provided by the embodiment of the present invention further comprises a key calculation module 503, configured to generate the service access key Ks_NAF from the network platform identifier NAF ID of the network side and the shared key Ks between the card terminal and the network side;
the security module 502 is further configured to set a validity period for the cardless terminal's user key, to generate the cardless terminal's user key from Ks_NAF, the validity period and the cardless terminal's device identifier, and to generate the temporary bootstrapping identifier of the cardless terminal's user key from the validity period, the cardless terminal's device identifier and the bootstrapping identifier of the user key.
The card terminal further comprises a second receiving module 504, configured to receive the service response returned by the network side;
the security module 502 is further configured to send the service response received by the second receiving module 504 to the cardless terminal.
Specifically, the security module 502 is further configured to encrypt the received service interaction request with the user key generated for the cardless terminal and send the encrypted service interaction request to the network side; and to decrypt the service response returned by the network side with the user key generated for the cardless terminal and send the decrypted service response to the cardless terminal.
An embodiment of the present invention also provides a cardless terminal. Referring to Figure 6, a schematic structural diagram of the cardless terminal provided by the embodiment of the present invention, the cardless terminal comprises:
a security module 601, configured to establish a secure channel with the card terminal;
a client module 602, configured to send a service authentication request to the card terminal over the secure channel, so that the card terminal generates a user key for the cardless terminal according to the service authentication request and, using that user key, authenticates the cardless terminal by interacting with the network side; and to send a service interaction request to the card terminal over the secure channel, so that the card terminal performs service interaction with the network side.
Specifically, the client module 602 is further configured to receive the service response returned by the card terminal.
From the description of the above embodiments, those skilled in the art can clearly understand that the present invention may be implemented by software plus the necessary general-purpose hardware platform, or of course by hardware, though in many cases the former is the better implementation. On this understanding, the technical solution of the present invention in essence, or the part of it that contributes over the prior art, may be embodied as a software product stored in a storage medium and comprising a number of instructions that cause a terminal device (which may be a mobile phone, a personal computer, a server, a network device or the like) to execute the methods described in the various embodiments of the present invention.
Those skilled in the art will understand that the modules of the apparatus in the embodiments may be distributed in the apparatus of the embodiment as described, or may, with corresponding changes, be located in one or more apparatuses different from that of this embodiment. The modules of the above embodiments may be combined into one module or further split into multiple sub-modules.
The above is only a preferred embodiment of the present invention. It should be pointed out that those of ordinary skill in the art can make a number of improvements and refinements without departing from the principle of the present invention, and these improvements and refinements should also be regarded as within the protection scope of the present invention.
Claims (8)
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201110287756.5A CN103024735B (en) | 2011-09-26 | 2011-09-26 | Method and equipment for service access of card-free terminal |
| PCT/CN2012/081805 WO2013044766A1 (en) | 2011-09-26 | 2012-09-24 | Service access method and device for cardless terminal |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201110287756.5A CN103024735B (en) | 2011-09-26 | 2011-09-26 | Method and equipment for service access of card-free terminal |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103024735A CN103024735A (en) | 2013-04-03 |
| CN103024735B true CN103024735B (en) | 2015-07-01 |
Family
ID=47972772
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201110287756.5A Active CN103024735B (en) | 2011-09-26 | 2011-09-26 | Method and equipment for service access of card-free terminal |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN103024735B (en) |
| WO (1) | WO2013044766A1 (en) |
Families Citing this family (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104244241B (en) * | 2013-06-08 | 2019-03-12 | 中兴通讯股份有限公司 | Access authentication method, device and the terminal device of network |
| CN104348801B (en) * | 2013-07-31 | 2018-05-04 | 华为技术有限公司 | Authentication method, the method and relevant apparatus for generating credential |
| CN104735606B (en) * | 2015-02-10 | 2019-03-05 | 惠州Tcl移动通信有限公司 | Communication means and system based on wearable device |
| CN105554751B (en) * | 2015-08-19 | 2019-06-11 | 宇龙计算机通信科技(深圳)有限公司 | A kind of method, equipment and the system of card-free terminal registration mobile network |
| CN107623668A (en) | 2016-07-16 | 2018-01-23 | 华为技术有限公司 | A network authentication method, related equipment and system |
| CN111162901B (en) * | 2019-12-11 | 2022-05-27 | 上海邮电设计咨询研究院有限公司 | Application shared key obtaining method of non-SIM terminal |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102111759A (en) * | 2009-12-28 | 2011-06-29 | 中国移动通信集团公司 | Authentication method, system and device |
| CN102149079A (en) * | 2010-02-08 | 2011-08-10 | 中国移动通信集团公司 | Method, device and system for obtaining user identity identifier |
| CN102196426A (en) * | 2010-03-19 | 2011-09-21 | 中国移动通信集团公司 | Method, device and system for accessing IMS (IP multimedia subsystem) network |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2009111522A1 (en) * | 2008-03-04 | 2009-09-11 | Alcatel-Lucent Usa Inc. | System and method for securing a base station using sim cards |
- 2011-09-26 CN CN201110287756.5A patent/CN103024735B/en active Active
- 2012-09-24 WO PCT/CN2012/081805 patent/WO2013044766A1/en active Application Filing
Also Published As
| Publication number | Publication date |
|---|---|
| CN103024735A (en) | 2013-04-03 |
| WO2013044766A1 (en) | 2013-04-04 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | C14 | Grant of patent or utility model | |
| | GR01 | Patent grant | |