Nothing Special   »   [go: up one dir, main page]

CN101370007B - Method for reinforcing security and protecting privacy right of positioning service in Wimax network - Google Patents

Method for reinforcing security and protecting privacy right of positioning service in Wimax network Download PDF

Info

Publication number
CN101370007B
CN101370007B CN 200710147019 CN200710147019A CN101370007B CN 101370007 B CN101370007 B CN 101370007B CN 200710147019 CN200710147019 CN 200710147019 CN 200710147019 A CN200710147019 A CN 200710147019A CN 101370007 B CN101370007 B CN 101370007B
Authority
CN
China
Prior art keywords
lbs
authentication
client
service
lbs client
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN 200710147019
Other languages
Chinese (zh)
Other versions
CN101370007A (en
Inventor
刘美丽
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Samsung Telecommunications Technology Research Co Ltd
Samsung Electronics Co Ltd
Original Assignee
Beijing Samsung Telecommunications Technology Research Co Ltd
Samsung Electronics Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Samsung Telecommunications Technology Research Co Ltd, Samsung Electronics Co Ltd filed Critical Beijing Samsung Telecommunications Technology Research Co Ltd
Priority to CN 200710147019 priority Critical patent/CN101370007B/en
Priority to PCT/KR2008/004707 priority patent/WO2009022858A2/en
Publication of CN101370007A publication Critical patent/CN101370007A/en
Application granted granted Critical
Publication of CN101370007B publication Critical patent/CN101370007B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3273Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/166Implementing security features at a particular protocol layer at the transport layer

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method for enhancing safety and protecting user privacy for positioning service in Wimax network comprises LBS client authentication, for keeping accessible LBS client list at LS, or accomplished by adopting TLS, LLS safety protocol etc; LBS service authentication, for checking if requested LBS service and its QoS matching with signed LBS service; and authorized checking of LBS requester, for LS performing authorized checking, or AAA performing authorized checking. LBS service is prevented to be acquired by illegal LBS client terminal or unsigned LBS service or unauthorized MS, thereby enhancing positioning service safety in Wimax network and protecting user privacy, making up for corresponding blank of present Wimax standard.

Description

In the Wimax network positioning service is strengthened the method for fail safe and the protection right of privacy
Technical field
The present invention relates to moving communicating field, more specifically, relate to a kind of at inserting of microwave (Worldwide Interoperability for Microwave Access that can global interoperability, be designated hereinafter simply as Wimax) in the network authenticated/authorized/charging (being designated hereinafter simply as AAA) to positioning service (Location Based Service, be designated hereinafter simply as LBS) carry out the method that authentication and authorization checks, with the safety of positioning service in the assurance Wimax network, and assurance user's the right of privacy.
Background technology
In third generation partner plan (being designated hereinafter simply as 3GPP) technical specification 3GPP TS 22.071 and 3GPP TS 23.271, stipulated in Wideband Code Division Multiple Access (WCDMA) (the being designated hereinafter simply as WCDMA) network the mechanism aspect the confidentiality inspection of positioning service.Wherein, stipulated that the module relevant with the privacy inspection comprises:
(1) secret context register (Privacy Profile Register is hereinafter to be referred as PPR)
The major function of PPR is to realize privacy inspection, attaching position register (being designated hereinafter simply as HLR) or home subscriber server (being designated hereinafter simply as HSS) are preserved the address of PPR, and ownership mobile positioning center (being designated hereinafter simply as H-GMLC) can be accessed PPR by the Lpp interface.PPR can or be integrated among the H-GMLC CAMEL-Subscription-Information of storage user privacy among the .PPR for an entity independently, forbids all LBS clients (being designated hereinafter simply as LBS client) under the default setting.The privacy attribute comprises:
● code word (being designated hereinafter simply as Codeword): object UE is employed determines which requestor is allowed to or a kind of rank of the locating information of this UE, specific definition does not define in 3GPP, is set up on their own according to the LBS service conditions of oneself by operator.
● the secret exception list: which LBS client, which business, and the LBS client of which classification can be located a certain object UE;
● type of service privacy: determine which type of service allows the LBS client can obtain the position of object UE;
● cross private designator: the applicability of determining the secret exception list;
The requestor it may be noted that targeted customer's code word when the positional information of a certain specific objective subscriber equipment of request (hereinafter to be referred as position UE).Code word can be provided by the requestor, is transmitted to object UE inspection by LBS Client; Also can be registered in advance among the LBS Client by object UE or user, in the LBS server, check.The generation of code word and distribution are not stipulated in the 3GPP standard.The code word that strengthens also comprises the operable special time period of code word, specific number of times etc. except the basic function of above-mentioned code word.
(2) pseudo-name arbitration equipment (Pseudonym Mediation Device is hereinafter to be referred as PMD)
The function of PMD is pseudo-name mapping or is decrypted into the real identifier of UE, such as international mobile subscriber identity (hereinafter to be referred as pseudo-IMSI) or travelling carriage comprehensive service digital net number (being designated hereinafter simply as MSISDN).PMD can be an equipment or be integrated among the PPR independently, in other equipment in Gateway Mobile Location Center (being designated hereinafter simply as GMLC) or the network.The function of detailed PMD is not stipulated in 3GPP.
The flow process of authorization check as shown in Figure 1a among the 3GPP.
Its step is as follows:
101a GMLC sends the positioning service authorization request message to PPR, and described message comprises following parameter:
-object UE identifier (being designated hereinafter simply as ID), one of MSISDN/IMSI or both comprise, optional;
-LBS client id;
-LBS client type, such as value-added service, urgency traffic, Lawful Interception;
-type of service, optional,
-code word, optional;
-location type is such as " current location ", " current or last known location ", " initial position ";
-other.
If PMD is integrated among the PPR, the UE ID in this message will not use the real UE ID of UE, and use the pseudo-name of object UE.
If 102a positioning service authorization request message comprises the pseudo-name of object UE, PPR will start the PMD function to determine the real UE ID of target, such as IMSI or MSISDN.The private information and executing privacy inspection that PPR based target user contracts, its check result will return to GMLC with the positioning service authorization response message.If Location Request is under an embargo, the positioning service authorization response message will only comprise a Location Request and forbid designator, otherwise, will comprise following permission indicators:
-this Location Request does not allow;
-allow this location, do not need to notify UE user;
-allow this location, need notice UE user;
-Location Request need to be notified UE user and be verified by the user, does not only have the Location Request of response just to obtain the authorization by checking or to notice;
-Location Request need to be notified UE user and be verified by the user, only just obtains the authorization by the Location Request of checking;
Although stipulated the method for relevant authorization check (being also referred to as privacy inspection) among the 3GPP, owing to following reason, corresponding method can not directly be indiscriminately imitated in the Wimax network among the 3GPP:
(1) the whole network architecture of 3GPP is fully different from Wimax;
(2) the private checking mechanism of LBS is hard to understand among the 3GPP, and poor practicability does not meet the original intention of the popular practicality of Wimax network;
(3) the private checking mechanism more complicated of LBS among the 3GPP, this does not meet the simple and practical principle of Wimax network yet;
(4) privacy of the LBS among 3GPP checking mechanism leaves too many blank to operator
Given this, stipulated in the standard rough draft aspect the Wimax network LBS second stage (being designated hereinafter simply as stage-2) that the network working group (being designated hereinafter simply as NWG) of Wimax forum (hereinafter referred to as Wimax Forum) admitted in June, 2007 in the Wimax network, the LBS business to be carried out the basic process that authentication and authorization checks, shown in Fig. 1 b:
101b travelling carriage (being designated hereinafter simply as MS) or LBS client are initiated positioning service, can send locating request message to location-server (being designated hereinafter simply as LS) by positioning client terminal or MS, parameter wherein can comprise: initiate the MS of Location Request identifier (being designated hereinafter simply as MO ID), be positioned or the identifier (being designated hereinafter simply as MT ID) of target MS, LBS client, LBS type of service etc.;
102b LS sends authentication and authorization to AAA and checks request message, and request is to the authorization check of this LBS business and location requestors;
103b carries out the authentication and authorization checking process in AAA;
104b is to the response of LS return authentication and authorization check, comprising the result of authentication and authorization inspection for by the authentication and authorization inspection or do not pass through;
Carry out the subsequent processes after authentication and authorization checks in the end-to-end processing procedure of 105b LBS: if the authentication and authorization inspection all passes, then find the register control (being designated hereinafter simply as LC) that is positioned at service access business network gateway (being designated hereinafter simply as ASN-GW), LS sends Location Request to LC, in the inner locating information deterministic process etc. of carrying out of service ASN; If one of authentication and authorization inspection or both do not pass then sends location response message to positioning client terminal, the indication location is rejected;
In the Wimax network that above-mentioned processing procedure only is the LBS business is carried out basic framework and the basic process that authentication and authorization checks, also has following problem to await solving:
(1) how the LBS client is authenticated, to guarantee only having legal LBS client could obtain positioning service;
(2) how the LBS business is authenticated, could obtain service so that the LBS that guarantees to contract is professional, do not have signatory business can not obtain service;
(3) how the LBS business is carried out authorization check, to guarantee that the MS that only is positioned (is also referred to as target MS, be designated hereinafter simply as MT MS) allow Location Request MS (namely to locate others' MS, be designated hereinafter simply as MO MS) locate in the situation of oneself, MO MS could successfully obtain the positional information of MT MS, thereby guarantees to a certain extent user's the right of privacy;
(4) because the protocol stack in the present Wimax network can not transmit and process the message that authentication and authorization checks is carried out in positioning service, adopt which kind of protocol stack to come authentication and authorization in the transmission diagram 1 to check requests/response messages and how to process etc.
Patent application (the application number: 200710126101.3 that the applicant submitted to Patent Office of the People's Republic of China in June, 2007, hereinafter to be referred as patent documentation 1) in, proposed a kind of and in the Wimax network LBS business carried out the method and apparatus that authentication and authorization checks, and proposed following two schemes:
(1) scheme one: AAA realizes the LBS authentication, and LS realizes the authorization check to location requestors;
(2) scheme two, and: AAA realizes the LBS authentication and to the authorization check of location requestors
For scheme one, patent documentation 1 provides detailed scheme to realize in the Wimax network method that authentication and authorization checks being carried out in positioning service.But for scheme two, only be basic framework and basic process in the present Wimax LBS standard namely, do not invent detailed scheme.Thereby also need further refinement and enhancing.In addition, scheme one only provides a kind of method that the LBS client is authenticated of realizing, can also provide another method to select for implementer.
For addressing the above problem, proposed in a kind of Wimax network positioning service to be strengthened the method for its fail safe and the protection right of privacy.Solve the problems referred to above from following 3 aspects:
1. to the authentication of LBS client
This positional information in order to prevent that illegal LBS client from entering the Wimax network and obtaining the user guarantees to only have legal LBS client could obtain positioning service.For realizing this purpose, following two kinds of solutions can be arranged:
(1) preserves permission access LBS client side list among the LS
In LS, preserve the LBS client side list that allows access, LBS comprises the identifier (following referred to as ID) of the LBS client of Location Request in the locating request message that sends to LS, this message can adopt the mode of encryption to transmit or partial parameters is encrypted, and perhaps at least the LBS client id is encrypted.This scheme is elaborated in patent documentation 1.
This scheme is easy-to-understand and realization and easy to use, and it is very high that shortcoming is that the irreversibility to the cryptographic algorithm that the LBS client id is encrypted between LBS client and the LS requires, once this cryptographic algorithm is translated by the hacker is counter, can obtain the LBS client id.This scheme is applicable to simply, be not the professional and such operator of very high LBS to security requirement.
(2) LBS client and LS use the existing security protocols such as SSL/TLS
Secure socket layer protocol (Secure Sockets Layer, be designated hereinafter simply as SSL) be the network security transmission agreement by the exploitation of Netscape (English for Netscape) company, be especially to carry out the topmost agreement that the secure data communication is adopted between Web browser and the server between the upper point-to-point in present internet (hereinafter to be referred as INTERNET).Wide application, implementation cost are low, safe and efficient because SSL has, simple operation and other advantages, make it become the security protocol that is widely used between Web browser and the server.
Transport Layer Security (Transport Layer Security, being designated hereinafter simply as TLS) agreement can think the enhancing agreement of SSL and can substitute SSL, to explain definition in (Request For Comment is designated hereinafter simply as RFC) 2246 in the specification request of Internet Engineering task groups (being designated hereinafter simply as IETF).TLS is for set up the agreement that safety connects between client and server.
The LBS client is before sending locating request message to LS, at first use the Handshake Protocol of the existing security protocols such as SSL/TLS to set up the connection of a safety between LBS client and the LS, and produce and consult what a check value, after handshake procedure is successfully completed, the LBS client sends locating request message to LS again, all LBS message subsequently all use this check value that consults to carry out verification, only have by verification just think the message that legal entity sends, to then abandoning by verification not.
This scheme adopts ripe and complete security protocol, and fail safe is higher.Shortcoming is comparatively complicated, and the workload of realization is larger.This scheme is applicable to security requirement higher operator and LBS professional.
2. to the authentication of LBS business
AAA provides the function that the LBS business is authenticated, and could obtain service so that the LBS that guarantees to contract is professional, does not have signatory business can not obtain service.
At first, operator allows the user to use before the LBS business, need to register this user's LBS business.This just need to add the therewith relevant CAMEL-Subscription-Information information of user LBS business in the AAA of operator database or other memories.Mainly be:
In AAA, preserve the relevant CAMEL-Subscription-Information of LBS that the user registers in the Wimax of operator network.Popular, in AAA, preserve exactly each LBS user and can use professional and corresponding quality of service (the being designated hereinafter simply as QoS) parameter of which LBS, such as LBS type of service, required precision of registration etc., the specifying information of storage is carried out to come definite according to own business by operator, the method in this patent does not limit the parameter of CAMEL-Subscription-Information and form etc.In addition, the user can add, deletes and revise this user's CAMEL-Subscription-Information easily.
LS sends the authentication and authorization request message to AAA after receiving Location Request, comprising the LBS type of service of asking and corresponding qos parameter thereof.CAMEL-Subscription-Information in AAA inquiry MO MS institute, if wherein can find the LBS business of asking, and qos parameter also mates, and then the authentication of LBS business passed through; Otherwise be authentification failure then, (MS or LBS client) sends location response to Location Request side, and indication locate unsuccessfully, and to carry cause value be " the LBS business authentication unsuccessfully ".
3.LBS professional authorization check
The function of this respect is to only have target MS to allow MO MS to locate in the situation of oneself in order to guarantee, MO MS could successfully obtain the positional information of MT MS, thereby is guaranteeing the right of privacy of user at the position message context.
For realizing this function, two kinds of solutions can be arranged:
1. in LS, realize the authorization check to the LBS business
The advantage of this scheme is to consider existing ripe AAA product in the Wimax network, and does not have at present the location server equipment in the Wimax system, if need positioning service, equipment manufacturers need to develop LS equipment again.For reducing the R﹠D costs of Wimax system product provider, should keep as far as possible few to the modification of AAA, and keep AAA that the function of the aspect of authentication only is provided.Shortcoming is that the function of LBS service security aspect is disperseed.Concrete scheme please patent documentation 1.
2. in AAA, realize the authorization check to the LBS business
The advantage that realizes in AAA in the authentication and authorization audit function of LBS business is that function concentrates, and shortcoming is larger a little to the modification of AAA.The present invention mainly invents the scheme of this part.Preferably, in AAA, preserve following information:
The private relevant information that the LBS that the user registers in the Wimax of operator network is relevant, generally, in AAA, preserve to allow exactly which external client and which user can inquire about information aspect this user's the fail safe of this user LBS business of positional information etc., tabulate such as the LBS client side list that allows access, the MS that allows access etc.Concrete which the private information relevant with LBS and the form thereof etc. preserved have and carry out this professional operator and determine among the AAA, do not formulate design parameter and form.The user can add, delete the information relevant with the privacy of revising this user easily.In addition, in following embodiment, mandate, fail safe also refer to privacy, and privacy inspection also is described as authorization check or the security inspection relevant with LBS.
After AAA receives Location Request from LS, check the MS tabulation of the permission location of the MT MS that stores among the AAA, forbid the MS tabulation of locating etc.If MO MS then passes through authorization check in the MS tabulation of the permission location of MT MS.Otherwise, if MO MS in the MS tabulation that MT MS forbids locating, then authorization check failure, to LBS initiator (LBS client or MS) restoring to normal position response message, wherein indication request is rejected, and to carry cause value be the authorization check failure; If MO MS neither in the MS tabulation that the permission of MT MS is located, also not in the MS tabulation of forbidding locating, then inquires to MT MS.If MT MS indicates permission, then enter follow-up LBS process, as be routed to positioning service control (being designated hereinafter simply as Serving LC) and position and measure and calculate etc.If MT MS indication does not allow, then to LBS initiator (LBS client or MS) restoring to normal position response message, wherein indication request is rejected, and to carry cause value be the authorization check failure.
Summary of the invention
For addressing the above problem, the purpose of this invention is to provide the method that in a kind of Wimax network positioning service is strengthened its fail safe and the protection right of privacy.
According to an aspect of the present invention, propose a kind of location-server LS to the method that positioning service LBS client authenticates, comprised step: carry out the negotiation of security capabilities attribute between LBS client and the LS; Carry out authentication and key exchange process between LBS client and the LS; Whether LBS client and LS affirmation authentication and key exchange process be successful, if a check value is then consulted in success; The transmission of the LBS message between LBS client and the LS uses the check value of consulting to carry out.
A kind of method of the location service request person being carried out authorization check in the Wimax network comprises step: location-server LS sends authentication request to AAA; AAA carries out the authentication and authorization inspection to positioning service; Respond to the request of LS return authentication.
Therefore, the present invention is to the authentication of LBS client, prevent illegal LBS client or do not have signatory LBS LBS professional or that do not have the MS of authority not obtain to ask professional to the authentication of LBS business with to three aspects of authorization check of LBS business.Thereby can strengthen the fail safe of positioning service in the Wimax network and protect user's the right of privacy, and can remedy in the present Wimax standard corresponding blank.
Description of drawings
Fig. 1 a is authorization check flow chart among the 3GPP;
Fig. 1 b is that existing authentication and authorization checks processing procedure in the Wimax LBS standard rough draft;
Protocol stack of the interface between Fig. 2 LBS client and the LS;
Fig. 3 is according to the signaling process figure of authentication between LBS client of the present invention and the LS and startup LBS business;
Fig. 4 is according to the structural representation of realizing in AAA in the Wimax network of the present invention the authentication and authorization inspection of LBS business;
The signaling process figure that Fig. 5 AAA according to the present invention authenticates the LBS business;
Fig. 6 is according to the signaling process figure that in the AAA realization location requestors is authenticated in the Wimax network of the present invention.
Embodiment
For achieving the above object, will be described with the method for protecting the right of privacy from following three aspects to the Wimax network according to the present invention positioning service being strengthened fail safe:
1. to the authentication of LBS client
(1) preserves permission access LBS client side list among the LS;
Concrete technical scheme can be referring to patent documentation 1.
(2) LBS client and LS use the existing security protocols such as SSL/TLS
Protocol stack of the interface between LBS client and the LS comprises 201 IP layers, 202 TCP layers, 203 TLS recording layers, 204 tls handshake protocols and 205 LBS key-courses.
LBS client and LS use the flow process of the existing security protocol verification startup LBS business such as SSL/TLS to comprise following 5 steps:
1. set up the security capabilities attribute;
2. server authentication and cipher key change; (optional)
3. authenticated client and cipher key change;
4. finish;
5.LBS positioning service starts.
2. to the authentication of LBS business
Concrete technical scheme can referring to patent documentation 1, repeat no more here.
3.LBS professional authorization check
For realizing this function, two kinds of solutions have been proposed:
1. in LS, realize the authorization check to the LBS business
Concrete technical scheme can referring to patent documentation 1, repeat no more here.
2. in AAA, realize the authorization check to the LBS business
According to the present invention, as shown in Figure 4, realize that the hardware configuration of the method can comprise LBS CAMEL-Subscription-Information memory, grant column list memory, identification processing module and authorization check module.
Describe in detail according to authorization method of the present invention below with reference to Fig. 5:
1. preset information
Use before the LBS business in the Wimax network, following information prestores in Wimax network entity AAA:
(1) the relevant CAMEL-Subscription-Information of the LBS that in the Wimax of operator network, registers of user, the user can add, deletes and revise this user's CAMEL-Subscription-Information easily;
(2) the private relevant information that the LBS that registers in the Wimax of operator network of user is relevant/authorization check relevant information, the user can add, delete the information relevant with this user's of modification authorization check easily.
2. handling process
(1) LS sends authorization check message to AAA;
(2) after AAA receives the authorization check request, MO MS is carried out authorization check, if MO MS then passes through authorization check in the MS tabulation of the permission location of MT MS; Otherwise, if in banned list, then authorization check failure, to positioning service initiator (MS or LBS client) restoring to normal position response message, the indication Location Request is rejected; If MO MS neither allowing location MS tabulation, also not in banned list, then inquires to MT MS, if MT MS indication permission, then by authorization check, if MT MS refusal, then authorization by direction inspection failure.
(3) AAA is to AAA to the LS return authentication with authorization check response, and indication authentication and authorization inspection success or failure are if failure need to be carried its cause value;
More specifically, embodiments of the invention describe from three aspects.For with patent documentation 1 in disclosed identical implementation method, the present invention only as with reference to explanation, no longer describes in detail.
In order in the Wimax network, to strengthen fail safe and to protect the right of privacy for positioning service, preferably realize simultaneously above-mentioned three aspects.But the present invention must not implement the content of three aspects when not being fixed in the Wimax network and strengthening fail safe and the protection right of privacy for positioning service.The implementation person can realize that selectively the content of some aspects or certain two aspect or three aspects all realizes according to own concrete LBS service conditions and concrete network condition of carrying out.
In addition, preferably, can realize in the following order above-mentioned three aspects: at first carry out the authentication to the LBS client; By rear, carry out again the authentication to the LBS business; By after carry out again the authorization check of LBS.Necessarily do not implement according to said sequence but the present invention is also fixing.The implementation person can also suitably adjust said sequence according to the own concrete LBS service conditions of carrying out and concrete network condition.In addition, only be example such as the design parameter that comprises in the message in the undefined detail message flow process, the implementation person can selectively adopt, and also can design other brand-new parameters or add other parameters.
1. to the authentication of LBS client
(1) preserves permission access LBS client side list among the LS;
Concrete technical scheme is referring to patent documentation 1;
(2) LBS client and LS use the existing security protocols such as SSL/TLS
Protocol stack of the interface between LBS client and the LS as shown in Figure 2.Its structure comprises:
201 IP layers
The present network layer in the general transmission control protocol (being designated hereinafter simply as TCP) in internet/Internet protocol (being designated hereinafter simply as IP) protocol stack, it is the function of IP layer, main being responsible for carried out Route Selection to the IP message, in addition, can also realize the functions such as congestion control, internetworking.
202 TCP layers
The TCP layer is transport layer in the general ICP/IP protocol stack in internet, be responsible for that upper layer data carried out segmentation and provide end to end, reliable or insecure transmission.In addition, process in addition the end to end function of error control and flow control.
203 TLS recording layers
Be used for encapsulating high-rise LBS control message, guarantee its confidentiality with symmetric encipherment algorithm, guarantee its integrality with hash message authentication code.
204 tls handshake protocols
This is an agreement that realizes mutual authentication between the client and server, is used for consulted encryption algorithm and key.Can realize the unilateral authentication of client and server, also can be two-way authentication.
205 LBS key-courses
Message aspect this layer of LBS that mainly processes between LBS client and LS mainly comprises LBS Location Request, LBS location response.
The flow process of authentication and startup LBS business as shown in Figure 3 between LBS client and the LS.
Concrete steps are as follows:
301 set up the security capabilities attribute
Exchange Hello message is consensus between LBS client and LS to aspects such as algorithm, exchange random values between LBS client and the LS, so that LBS client and LS use unified version number, random number, cryptographic algorithm etc.
302 server authentications and cipher key change
Server sends the certificate of oneself, and message comprises an X.509 certificate, perhaps a certificate chain.This step is optional process, if server is not authenticated, this step can be omitted.
303 client certificates and cipher key change
To authentication and the cipher key change of client, for preventing the illegal hackers LBS client invasion LS that disguises oneself as, generally to authenticate the LBS client.
304 finish
Be used for checking the whether success of cipher key change and verification process.If a check value is then consulted in success between LBS client and the LS, be used for LBS message is subsequently carried out verification.So far, handshake procedure is finished, the LBS client can and LS between swap data safely.
305 positioning services are initiated
The LBS client sends locating request message to LS, is used for starting LBS professional, and this message and message subsequently thereof all need to be carried out verification according to the check code that the 301-304 step consults.
2. to the authentication of LBS business
Concrete technical scheme is referring to patent documentation 1.
3.LBS professional authorization check
For realizing this function, two kinds of solutions can be arranged:
(1) in LS, realizes authorization check to the LBS business
Concrete technical scheme is referring to patent documentation 1;
(2) in AAA, realize authorization check to the LBS business
Realize in AAA in the Wimax network that hardware configuration that the authentication and authorization to the LBS business checks is as shown in Figure 4:
LS?401
LS is positioned at and connects business network (being designated hereinafter simply as CSN), and major function is the location service request of reception LBS client, and the gateway function for external network of Wimax network is provided, and in addition, the calculating of aspect, location also can provide at LS.
AAA?402
AAA is the entity of existing network in the Wimax network, is not the LBS special entity, and for the LBS business, its function provides authentication, authorization check and collects the data of LBS charging aspect.
403 RADIUS/Diameter clients
Remote customer dialing authentication system (being designated hereinafter simply as RADIUS) is authentication protocol commonly used at present, uses in present Wimax NWG standard 1.0 versions.Diameter is the upgraded version agreement of RADIUS.The RADIUS/Diameter client is positioned on the LS, initiates the authentication request to LBS;
404 RADIUS/Diameter servers
The RADIUS/Diameter server is positioned on the aaa server, receives the request from 403 RADIUS/Diameter clients, carries out the processing to the authentication and authorization inspection of LBS business, and returns result to 403 RADIUS/Diameter clients.
The transmission of 102 authentication and authorization inspection requests and 104 authentication and authorizations inspection response message can adopt advanced radius/Diameter stack message to realize among Fig. 1.
The signaling process figure that the AAA that the present invention proposes authenticates the LBS business as shown in Figure 5, detail message flow processing step is as follows:
501 by LBS client or MS initiation positioning service.The a certain concrete LBS that the user starts is professional, professional such as the location lookup of searching others' position of initiating at Internet, professional according to concrete LBS, send locating request message to LS, comprising parameter initiate the MS of Location Request identifier (being designated hereinafter simply as MO ID), be positioned or the identifier (being designated hereinafter simply as MT ID) of target MS, LBS client, LBS type of service etc.;
The authorization check of 502 pairs of LBS clients is realized according to the embodiment of first aspect;
503 LS send authentication request to AAA, comprising MO ID, and the parameters such as LBS type of service;
504 AAA preferably, take MO ID as index, search LBS business information and QoS thereof that MO MS is contracted in database after receiving the authentication request that sends from LS.If the positioning service of request and QoS thereof, think then that LBS authenticates with signatory consistent and pass through, turn to the processing to the authorization check aspect of LBS; Otherwise, turn to 505;
505 AAA indicate authentification failure, and carry concrete cause value to the response of LS return authentication, and the classification of cause value here and setting are set up on their own by the implementer;
506 LS are to LBS client loopback location response message, and the indication Location Request is failed, and carry former because the failure of LBS business authentication.
The processing procedure that realizes authorization check in AAA is as follows:
601 by LBS client or MS initiation positioning service.The a certain concrete LBS that the user starts is professional, professional such as the location lookup of searching others' position of initiating at Internet, professional according to concrete LBS, send locating request message to LS, comprising parameter initiate the MS of Location Request identifier (being designated hereinafter simply as MO ID), be positioned or the identifier (being designated hereinafter simply as MT ID) of target MS, LBS client, LBS type of service etc.;
602 LS are to the authorization check of LBS client, realize according to the embodiment of first aspect, and this step is optional process;
603 LS send authentication request to AAA, comprising MO ID, and the parameters such as LBS type of service;
604 AAA authenticate the LBS business, and whether LBS business and qos requirement thereof that checking is asked are complementary with the LBS business of being contracted, and this step is an optional step;
605 preferably, and take MT ID as index, the permission access list of inquiry MT if MO ID in the permission access list of MT, thinks that then authorization check passes through, turns to step 613; Otherwise, turn to 606;
606 preferably, and take MT ID as index, the disable access tabulation of inquiry MT is if MO ID in the disable access tabulation of MT, thinks then that this MO MS does not have the positional information of authority inquiry MT MS, turns to step 609; Otherwise, turn to 607;
If 607 MO MS neither at the permission access list of MT MS, also not in the disable access tabulation of MT MS, then send authorization query message to MT MS, whether inquiry allows MO MS to locate this MS;
608 MT MS receive authorization query, are shown to the user by interface or other explicit way, as eject a dialog box, the user of prompting user MT ID will locate this MS, and allow the user at the interface or other explicit way are selected, if user selection permission, then turn to step 612; Otherwise, turn to step 610;
609 AAA send authentication and authorization inspection request to LS, the indicating user refusal.
610 MT MS send authorization response to LS, the indicating user refusal;
(LBS client or MO MS) sends location response to 611 LS to LBS service request side, the failure of indication Location Request, and to carry its cause value be that MO MS does not have authority location MT MS;
If 612 MT MS allow MO MS location, then MT MS sends authorization response to LS, and the authorization by direction inquiry is passed through;
Subsequent processes after 613 authentication and authorization inspections are passed through sends locating request message such as LS to LC, and the location survey of triggering following, location Calculation are also obtained the processes such as MT MS positional information.
The present invention is to the authentication of LBS client, come the Wimax network positioning service to be strengthened its fail safe and the protection right of privacy to the authentication of LBS business with to three aspects of authorization check of Location Request MS.Authentication to the LBS client can prevent illegal LBS client, particularly the invasion of the LBS client of hacker's forgery; Authentication to the LBS business can guarantee not have signatory LBS business can not obtain the LBS service.Authorization check to Location Request MS can prevent from not having the MS of authority to obtain the positional information of target MS, thereby protects to a certain extent user's the right of privacy.The present invention has strengthened its fail safe from above-mentioned three aspects to the positioning service the Wimax network and has protected user's the right of privacy.And remedied in the present Wimax standard corresponding blank.

Claims (8)

  1. One kind in the Wimax network location-server LS method that positioning service LBS client authenticates is comprised step:
    1) carries out the negotiation of security capabilities attribute between LBS client and the LS;
    2) between LBS client and LS, authenticate and cipher key change;
    3) if LBS client and LS confirm authentication and cipher key change success, then consult a check value;
    4) use the check value of consulting that the LBS message that transmits between LBS client and the LS is carried out verification.
  2. 2. method according to claim 1 is characterized in that, in step 1) and 2) also comprise before server authentication and cipher key exchange step.
  3. 3. method according to claim 1 and 2 is characterized in that, the SSL ssl protocol is used in the authentication between LS and LBS client.
  4. 4. method according to claim 1 and 2 is characterized in that, the Transport Layer Security tls protocol is used in the authentication between LS and LBS client.
  5. 5. method according to claim 1 also comprises, after LS passed through the authentication of LBS client, the LBS client sent locating request message to LS.
  6. 6. method according to claim 1 is characterized in that, utilizes the authentication protocol stack to carry out authentication between LBS client and the LS, and described authentication protocol stack comprises at least one among tls handshake protocol, LBS control message layer, TLS recording layer, TCP and the IP.
  7. 7. method according to claim 6 is characterized in that, described LBS control message layer is on the TLS recording layer.
  8. 8. method according to claim 1 is characterized in that, uses tls handshake protocol to consult described check value.
CN 200710147019 2007-08-13 2007-08-13 Method for reinforcing security and protecting privacy right of positioning service in Wimax network Expired - Fee Related CN101370007B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN 200710147019 CN101370007B (en) 2007-08-13 2007-08-13 Method for reinforcing security and protecting privacy right of positioning service in Wimax network
PCT/KR2008/004707 WO2009022858A2 (en) 2007-08-13 2008-08-13 Method for enhancing lbs security and protecting privacy in wimax network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200710147019 CN101370007B (en) 2007-08-13 2007-08-13 Method for reinforcing security and protecting privacy right of positioning service in Wimax network

Publications (2)

Publication Number Publication Date
CN101370007A CN101370007A (en) 2009-02-18
CN101370007B true CN101370007B (en) 2013-10-23

Family

ID=40351303

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200710147019 Expired - Fee Related CN101370007B (en) 2007-08-13 2007-08-13 Method for reinforcing security and protecting privacy right of positioning service in Wimax network

Country Status (2)

Country Link
CN (1) CN101370007B (en)
WO (1) WO2009022858A2 (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8064928B2 (en) * 2008-08-29 2011-11-22 Intel Corporation System and method for providing location based services (LBS) to roaming subscribers in a wireless access network
CN102474503A (en) * 2009-08-14 2012-05-23 上海贝尔股份有限公司 Method for accessing message storage server securely by client and related devices
CN102413419B (en) * 2010-09-26 2015-07-15 中国电信股份有限公司 Third party positioning method, and platform and system for the same
CN103415015B (en) * 2013-06-03 2016-05-25 北京百纳威尔科技有限公司 A kind of localization method and device
US10334392B2 (en) * 2015-06-29 2019-06-25 Convida Wireless, Llc Location-based context delivery
CN109154932A (en) * 2016-05-12 2019-01-04 M2Md科技股份有限公司 The management method and system of different classes of radio communication service are provided from different mobile networks
CN113596820B (en) * 2021-08-06 2022-06-21 深圳市政元软件有限公司 Security management method and system for network big data
WO2024164337A1 (en) * 2023-02-10 2024-08-15 北京小米移动软件有限公司 Location service authorization method and apparatus, and communication device and storage medium

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1314221C (en) * 2004-02-01 2007-05-02 中兴通讯股份有限公司 Safety proxy method
CN100579013C (en) * 2005-04-06 2010-01-06 华为技术有限公司 Access authentication system and method for global access mutual operation network
FR2887049A1 (en) * 2005-06-14 2006-12-15 France Telecom METHOD FOR PROTECTING THE PIRACY OF A CLIENT TERMINAL USING A SECURE CONNECTION WITH A SERVER ON A PUBLIC NETWORK
DE102005043364B4 (en) * 2005-09-12 2007-07-05 Siemens Ag Telecommunication system and method for controlling a change of a subscriber terminal between two networks
KR100652336B1 (en) * 2005-09-27 2006-11-29 주식회사 케이티 Mobile access point and its method wireless lan/wide broadband internet
FR2893212B1 (en) * 2005-11-09 2007-12-21 Alcatel Sa METHOD FOR MANAGING INTERWORKING BETWEEN AT LEAST ONE WIRELESS LOCAL NETWORK AND A MOBILE NETWORK, MOBILE STATION SGSN NODE AND TTG GATEWAY CORRESPONDING
US20070140246A1 (en) * 2005-12-15 2007-06-21 Bala Rajagopalan Dynamic quality of service (QoS) provisioning in wireless networks
US20080268871A1 (en) * 2007-04-26 2008-10-30 Samsung Electronics Co.,Ltd. System and method for providing location based services in a mobile communication system

Also Published As

Publication number Publication date
WO2009022858A3 (en) 2009-04-16
WO2009022858A2 (en) 2009-02-19
CN101370007A (en) 2009-02-18

Similar Documents

Publication Publication Date Title
US9768961B2 (en) Encrypted indentifiers in a wireless communication system
EP1880527B1 (en) Method for distributing certificates in a communication system
Funk et al. Extensible authentication protocol tunneled transport layer security authenticated protocol version 0 (EAP-TTLSv0)
CN101370007B (en) Method for reinforcing security and protecting privacy right of positioning service in Wimax network
JP4170912B2 (en) Use of public key pairs at terminals to authenticate and authorize telecommunications subscribers to network providers and business partners
EP1997292B1 (en) Establishing communications
US8837484B2 (en) Methods and devices for a client node to access an information object located at a node of a secured network via a network of information
KR101374810B1 (en) Virtual subscriber identity module
JP5069320B2 (en) Support for calls without UICC
US8726019B2 (en) Context limited shared secret
US9191814B2 (en) Communications device authentication
US20050287990A1 (en) Authenticating users
Perkins et al. Authentication, authorization, and accounting (AAA) registration keys for mobile IPv4
KR20070032805A (en) System and method for managing user authentication and authorization to realize single-sign-on for accessing multiple networks
CN101621801A (en) Method, system, server and terminal for authenticating wireless local area network
DK2924944T3 (en) Presence authentication
US20070036110A1 (en) Access control of mobile equipment to an IP communication network with dynamic modification of the access policies
US11848926B2 (en) Network authentication
CN115361684A (en) Access method and device for sharing Wifi bidirectional authentication by using block chain
RU2282311C2 (en) Method for using a pair of open keys in end device for authentication and authorization of telecommunication network user relatively to network provider and business partners
US7694334B2 (en) Apparatus and method for traversing gateway device using a plurality of batons
TWI448128B (en) Method and apparatus for interworking authorization of dual stack operation
KR100904004B1 (en) Authenticating users
Funk et al. RFC 5281: Extensible authentication protocol tunneled transport layer security authenticated protocol version 0 (EAP-TTLSv0)
Pagliusi Internet Authentication for Remote Access

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20131023

Termination date: 20150813

EXPY Termination of patent right or utility model