
CN1221149C - System and method for public network authentication - Google Patents


Info

Publication number
CN1221149C
CN1221149C (application CN02124334.4A)
Authority
CN
China
Prior art keywords
authentication
authentication agent
mobile station
internet
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN02124334.4A
Other languages
Chinese (zh)
Other versions
CN1464760A (en)
Inventor
蔡憲明
黄静敏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Quanta Computer Inc
Original Assignee
Quanta Computer Inc
Priority date (assumed by Google Patents; not a legal conclusion): 2002-06-12
Filing date: 2002-06-12
Publication date: 2005-09-28 (grant); the application was published as CN1464760A on 2003-12-31

Timeline
2002-06-12: Application filed by Quanta Computer Inc; priority to CN02124334.4A
2003-12-31: Publication of CN1464760A
2005-09-28: Application granted; publication of CN1221149C
2016-06-12: Patent right terminated for non-payment of the annual fee (current status: Expired - Fee Related)

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a public network authentication system that comprises at least: a mobile station; an authentication server; and an authentication agent holding a subscriber identity module (SIM) corresponding to the mobile station. The mobile station is authenticated by the authentication agent, and the authentication agent is in turn authenticated by the authentication server using the SIM. Because the SIM is installed in the authentication agent rather than in the mobile station, the user's mobile station needs no design change and its manufacturing cost is reduced. Authenticating the mobile station to the authentication agent, and the authentication agent to the authentication server with the mobile station's SIM, together achieve the goal of having the mobile station authenticated by the authentication server.

Description

System and method for public network authentication

(1) Technical field

The present invention relates to a public network, and in particular to an authentication system and method for a wireless local area network (WLAN) that provides public services.

(2) Background

Since the launch of the Global System for Mobile communication (GSM), wireless communication has made a major advance in security. The advance comes from GSM installing a Subscriber Identity Module (SIM) in the mobile phone to assist the mobile network with authentication and encryption. Fig. 1 is the architecture of a prior-art GSM authentication system. Mobile phone 100 carries SIM card 88 and authenticates with the GSM network. In the GSM network, Base Station (BS) 36 exchanges the radio signals from mobile phone 100 with the wired signals from Mobile Switching Center (MSC) 70. MSC 70 and Visitor Location Register (VLR) 75 are responsible for the procedure that authenticates mobile phone 100 (the MSC and the VLR are usually designed together). Whenever mobile phone 100 requests service, VLR 75 asks MSC 70 to authenticate it. MSC 70 sends an Authentication Request to mobile phone 100, receives the Authentication Response from mobile phone 100, and checks whether the response is correct. If authentication succeeds, MSC 70 notifies mobile phone 100 of Service Accept; if it fails, MSC 70 notifies mobile phone 100 of Service Reject. Among the other GSM network components, Authentication Center (AuC) 95 keeps the authentication key Ki of mobile phone 100 and generates the authentication parameters (such as RAND and SRES), which are passed through Home Location Register (HLR) 90 to VLR 75. Billing Center (BC) 80 receives the Charging Data Records 86 generated by MSC 70 in order to issue bills.

In recent years, the growth of the wireless local area network (WLAN) market has made WLANs usable for providing public services. When the public uses WLAN cards to obtain Internet service over a public WLAN deployed by a service provider, security is the most important issue. For this reason, major international manufacturers install SIM cards in WLAN card products to strengthen WLAN security. Fig. 2 is the architecture of a prior-art public WLAN authentication system. The architecture has four groups of components: the client side, the access network side, the Internet side, and the GSM core network side. The client side comprises Mobile Station (MS) 10 and WLAN card 200, where WLAN card 200 carries SIM card 88. The access network side comprises WLAN Access Point (AP) 30, Router 40 and Authentication Gateway (AG) 250. The Internet side comprises Internet 50 and Server 60. The GSM core network side comprises MSC 70, VLR 75, AuC 95, HLR 90 and Billing Center 80 (identical to Fig. 1). In the architecture of Fig. 2, if MS 10 passes authentication it obtains the access right to AP 30 and Router 40, connects to Internet 50 and obtains the Internet service of Server 60. In the authentication procedure, when MS 10 needs Internet service it sends a Service Request to AG 250. AG 250 forwards the Service Request to VLR 75, and VLR 75 asks MSC 70 to issue an Authentication Request to MS 10. The Authentication Request is forwarded through AG 250 to MS 10, and MS 10 computes the Authentication Response using SIM card 88 in WLAN card 200. The Authentication Response is forwarded through AG 250 to MSC 70, which checks whether authentication succeeded. If it succeeded, MSC 70 notifies AG 250 of Services Accept, and AG 250 opens AP 30 and Router 40 so that MS 10 can connect to Internet 50; if it failed, MSC 70 notifies AG 250 of Services Reject. Once MS 10 has been authenticated, Router 40 generates usage records, and AG 250 generates bill 86 for Billing Center 80 from those records. The tasks of the authentication gateway are therefore mainly to handle the mobile station's service requests, relay the authentication signalling between the mobile station and the MSC, control the mobile station's right to access the Internet, and generate bills for the billing center.

Because WLAN card 200 in Fig. 2 embeds SIM card 88, the design complexity of the WLAN card increases. Some manufacturers therefore seek to give the mobile station SIM functionality without changing the design of existing WLAN cards. Mobile station 10 in Fig. 3 is equipped with WLAN card 20 and additionally reads the data of SIM card 88 through computer interface 300 (such as PCMCIA, USB or RS232) in order to authenticate to the network. (The network-side components in Fig. 3 are identical to those in Fig. 2.)

It is clear from Figs. 1, 2 and 3 that SIM card 88 is always embedded in the client device: mobile phone 100 in Fig. 1, WLAN card 200 in Fig. 2, and the notebook-computer mobile station 10 in Fig. 3. In these prior authentication systems, the client device uses the SIM to authenticate with an authentication server (such as the MSC). However, embedding the SIM in the client device requires a SIM card slot in the client device, which increases the client device's design complexity and cost.

(3) Summary of the invention

The object of the present invention is to provide a system and method for public wireless network authentication that performs the authentication without changing the design of the client device, thereby lowering the cost of the client device.

The public network authentication system of the present invention is characterized in that it comprises at least: a mobile station; an authentication server; and an authentication agent holding a subscriber identity module corresponding to the mobile station; wherein the mobile station is authenticated by the authentication agent, and the authentication agent is authenticated by the authentication server using the subscriber identity module.

The mobile station need not have a subscriber identity module (SIM card) installed; instead the mobile station's SIM card is installed in the authentication agent, so that the mobile station is authenticated by the authentication agent and the authentication agent is authenticated by the authentication server using the mobile station's SIM card. In addition, the authentication agent handles the mobile station's service requests, controls the mobile station's right to access the Internet, and generates bills for the billing center.

To further explain the object, structural features and effects of the present invention, it is described in detail below with reference to the accompanying drawings.

(4) Brief description of the drawings

Fig. 1 is the architecture of a prior-art GSM authentication system.

Fig. 2 is the architecture of a prior-art public WLAN authentication system.

Fig. 3 is the architecture of another prior-art public WLAN authentication system.

Fig. 4 is the architecture of the public wireless network authentication system of the present invention.

Fig. 5 is the signalling flow chart of the authentication system of the present invention for an ordinary mobile station.

Fig. 6 is the signalling flow chart of the authentication system of the present invention for a roaming mobile station.

(5) Detailed description of the embodiment

Fig. 4 is the architecture of the public wireless network authentication system of the present invention. The architecture has five groups of components: the client side, the access network side, the external access network side, the Internet side, and the GSM core network side. The client side comprises Mobile Station (MS) 10 and WLAN card 20. The access network side comprises WLAN Access Point 30, Router 40 and Authentication Agent (AA) 800. AA 800 is connected through computer interface 886 to SIM card slot 888, which holds SIM card 88 (among others). Computer interface 886 may be RS232, USB, PCI bus, PCMCIA or the like, allowing AA 800 to read the authentication information of SIM card 88. The external access network side comprises WLAN Access Point 35, Router 45 and Access Right Controller (ARC) 600. The Internet side comprises Internet 50 and Server 60. The GSM core network side comprises MSC 70, VLR 75, AuC 95, HLR 90 and Billing Center 80 (identical to the GSM core network components of Fig. 1).

In the architecture of Fig. 4, when MS 10 needs Internet service, MS 10 must authenticate with AA 800, and AA 800 uses SIM card 88 of MS 10 to authenticate with MSC 70. The protocol used for authentication between MS 10 and AA 800 need not be a standard one such as Remote Authentication Dial In User Service (RADIUS) or Kerberos; it may also be defined by the service provider (proprietary). If MS 10 fails authentication, service is rejected. If MS 10 passes authentication, it obtains the access right to AP 30 and Router 40, connects to Internet 50 and obtains the Internet service of Server 60. While MS 10 uses the Internet service, Router 40 generates usage records, and AA 800 generates bill 86 for Billing Center 80 from those records.

Fig. 5 is the signalling flow chart of the authentication system of the present invention. Fig. 5 contains three authentication components: a mobile station 10, an authentication agent 800 and an authentication server 700. AA 800 holds SIM card 88 of MS 10 and, on behalf of MS 10, performs the authentication towards AS 700. AS 700 may be MSC 70 of the GSM network, which is responsible for authenticating SIM card 88. When MS 10 needs Internet service, it sends a Service Request to AA 800 (signalling 510) and authenticates with AA 800 (signalling 520). If MS 10 fails authentication, service is rejected; if it succeeds, AA 800 sends a Service Request to AS 700 (signalling 530). AS 700 sends an Authentication Request (signalling 540) to AA 800, and AA 800 computes the Authentication Response using SIM card 88 of MS 10 (signalling 550). On receiving Authentication Response 550, AS 700 checks whether authentication succeeded. If it succeeded, AS 700 notifies AA 800 of Service Accept (signalling 560), AA 800 in turn notifies MS 10 of Service Accept (signalling 570), and AA 800 opens Internet access for MS 10; if it failed, AS 700 notifies AA 800 of Service Reject (signalling 580), and AA 800 in turn notifies MS 10 of Service Reject (signalling 590).

The authentication agent of the authentication system of the present invention therefore holds the mobile station's SIM card, and its tasks include handling the mobile station's service requests, authenticating with the mobile station, authenticating with the authentication server (such as the MSC), controlling the mobile station's right to access the Internet, and generating bills for the billing center.

In the architecture of Fig. 4, MS 10 may roam to the external access network. If MS 10 then needs Internet service, it must first obtain the access right to AP 35 and Router 45. In the external access network, the access right to AP 35 and Router 45 is supervised by ARC 600, so MS 10 must send a Service Request to ARC 600 and wait until it obtains Service Accept from ARC 600.

Fig. 6 is the signalling flow chart of the authentication system of the present invention for a roaming mobile station. Fig. 6 contains four authentication components: a mobile station 10, an access right controller 600, an authentication agent 800 and an authentication server 700. When MS 10 has roamed to the external access network and needs Internet service, MS 10 sends a Service Request to ARC 600 (signalling 610). ARC 600 then sends a Service Request to AA 800, the authentication agent of MS 10 (signalling 615). AA 800 starts authenticating MS 10 (signalling 620). If MS 10 fails authentication, service is rejected; if it succeeds, AA 800 authenticates with AS 700 (as in signalling 530 to 580 of Fig. 5). If that authentication succeeds, AA 800 notifies ARC 600 of Service Accept (signalling 660), ARC 600 in turn notifies MS 10 of Service Accept (signalling 665), and ARC 600 opens Internet access for MS 10; if it fails, AA 800 notifies ARC 600 of Service Reject (signalling 680), and ARC 600 in turn notifies MS 10 of Service Reject (signalling 685).
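The two-leg flow of Figs. 5 and 6, together with the GSM RAND/SRES challenge-response from the background section that the second leg reuses, as an added simulation written for this page; it is not code from the patent or from Quanta. Everything beyond the signalling numbers is an assumption: the patent does not fix the first protocol between MS 10 and AA 800, so a keyed challenge-response over a fresh nonce stands in for it; HMAC-SHA256 truncated to four bytes stands in for the SIM's A3 algorithm; the IMSI, keys and identifiers are constructed test data; and AuC 95, HLR 90, VLR 75 and MSC 70 are collapsed into one AuthServer object. Note what the second leg actually proves: the authentication server verifies the SIM, and the SIM sits in the authentication agent, so the link between a particular mobile station and the subscriber rests entirely on the first protocol and on the agent being trustworthy.

```python
import hashlib
import hmac
import secrets

IMSI = "466920123456789"   # constructed subscriber identity, not from the patent

def gsm_a3(ki, rand):
    # Stand-in for GSM A3 (SRES = A3(Ki, RAND)). Real SIMs run COMP128 or an
    # operator-specific A3; HMAC-SHA256 truncated to the 32-bit SRES is an
    # assumption made here so the example runs offline.
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]

def ms_proof(key, nonce):
    # First protocol (MS <-> AA, signalling 520). The patent leaves it to the
    # operator; a keyed challenge-response over a fresh nonce is assumed here.
    return hmac.new(key, b"MS-AUTH" + nonce, hashlib.sha256).digest()

class AuthServer:
    """AuC 95 and MSC/VLR 70/75 collapsed into authentication server 700."""
    def __init__(self, subscribers):          # {imsi: Ki}, as held by the AuC
        self._ki, self._pending = dict(subscribers), {}

    def service_request(self, imsi):          # 530 -> Authentication Request 540
        if imsi not in self._ki:
            return None                       # unknown subscriber: Service Reject
        rand = secrets.token_bytes(16)
        self._pending[imsi] = gsm_a3(self._ki[imsi], rand)
        return rand

    def authentication_response(self, imsi, sres):   # 550 -> 560 / 580
        expected = self._pending.pop(imsi, None)
        return expected is not None and hmac.compare_digest(expected, sres)

class SimCard:
    """SIM 88, installed in the AA's card slot 888 rather than in the MS."""
    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki

    def run_gsm_algorithm(self, rand):
        return gsm_a3(self._ki, rand)

class AuthAgent:
    """AA 800: holds each mobile station's SIM and brokers both legs."""
    def __init__(self, auth_server):
        self._as, self._sims, self._keys, self._nonces = auth_server, {}, {}, {}
        self.access_granted = set()           # MSs allowed through router 40

    def register(self, ms_id, ms_key, sim):
        self._keys[ms_id], self._sims[ms_id] = ms_key, sim

    def service_request(self, ms_id):         # 510 -> challenge for 520
        self._nonces[ms_id] = secrets.token_bytes(16)
        return self._nonces[ms_id]

    def authenticate(self, ms_id, proof):
        nonce = self._nonces.pop(ms_id, None)  # one-shot: a replayed proof fails
        if nonce is None or ms_id not in self._keys:
            return False
        if not hmac.compare_digest(ms_proof(self._keys[ms_id], nonce), proof):
            return False                      # first leg failed: Service Reject 590
        sim = self._sims[ms_id]               # second leg uses the MS's own SIM
        rand = self._as.service_request(sim.imsi)
        ok = rand is not None and self._as.authentication_response(
            sim.imsi, sim.run_gsm_algorithm(rand))
        if ok:
            self.access_granted.add(ms_id)    # 560 -> Service Accept 570
        return ok

class AccessRightController:
    """ARC 600 of the foreign access network (Fig. 6, signalling 610-685)."""
    def __init__(self, home_agent):
        self._aa, self.access_granted = home_agent, set()

    def service_request(self, ms_id):         # 610 -> 615
        return self._aa.service_request(ms_id)

    def authenticate(self, ms_id, proof):     # 620 ... 660/680 -> 665/685
        ok = self._aa.authenticate(ms_id, proof)
        if ok:
            self.access_granted.add(ms_id)    # open AP 35 and router 45
        return ok

def build_network(sim_ki_matches_auc=True):
    # Constructed fixture: one subscriber whose SIM is installed in the AA.
    ki, ms_key = secrets.token_bytes(16), secrets.token_bytes(32)
    sim_ki = ki if sim_ki_matches_auc else secrets.token_bytes(16)
    aa = AuthAgent(AuthServer({IMSI: ki}))
    aa.register("ms-10", ms_key, SimCard(IMSI, sim_ki))
    return aa, ms_key

def run_flow(roaming=False, correct_ms_key=True, sim_ki_matches_auc=True):
    """Fig. 5 (roaming=False) or Fig. 6 (roaming=True); True on Service Accept."""
    aa, ms_key = build_network(sim_ki_matches_auc)
    entry = AccessRightController(aa) if roaming else aa   # what MS 10 talks to
    key = ms_key if correct_ms_key else secrets.token_bytes(32)
    nonce = entry.service_request("ms-10")
    return entry.authenticate("ms-10", ms_proof(key, nonce)) and "ms-10" in entry.access_granted
```

`run_flow()` walks the Fig. 5 case and `run_flow(roaming=True)` the Fig. 6 case, where the ARC only relays and opens its own router once the home agent answers Service Accept. `run_flow(correct_ms_key=False)` shows the reject on the first leg (signalling 590), and `run_flow(sim_ki_matches_auc=False)` the reject on the second leg (signalling 580): the mobile station has satisfied the agent, but the SIM's Ki does not match the AuC's copy, so the SRES comparison fails. The agent consumes each nonce when it is used, so a captured proof cannot be replayed for a second grant.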

In the public authentication system of the present invention, the SIM card is installed not in the mobile station but in the authentication agent, so the user's mobile station needs no design change and its manufacturing cost is saved. Having the mobile station authenticated by the authentication agent, and the authentication agent authenticated by the authentication server using that mobile station's SIM card, likewise achieves the goal of having the mobile station authenticated by the authentication server.

Although the system of this embodiment is applied to a public wireless local area network, it can also be applied to a public wired network.

Of course, those of ordinary skill in the art will recognize that the above embodiment serves only to illustrate the present invention and not to limit it; changes and modifications to the above embodiment that remain within the spirit of the present invention fall within the scope of its claims.

Claims (12)

1. A system for authenticating a public network, characterized in that the system comprises at least:
a mobile station;
an authentication server;
an authentication agent holding a subscriber identity module corresponding to the mobile station;
wherein the mobile station is authenticated by the authentication agent, and the authentication agent uses the subscriber identity module to be authenticated by the authentication server.
2. The system as claimed in claim 1, characterized in that the system further comprises:
an access network;
wherein, once the mobile station has been successfully authenticated by the authentication agent, the authentication agent controls the access network so as to permit the mobile station to connect to the Internet.
3. The system as claimed in claim 1, characterized in that the system further comprises:
a billing center;
a router;
wherein the authentication agent controls the router and generates bills for the billing center.
4. The system as claimed in claim 1, characterized in that the system further comprises:
an external access network comprising an access right controller;
wherein, when the mobile station roams to the external access network and has been successfully authenticated by the authentication agent, the authentication agent notifies the access right controller to permit the mobile station to connect to the Internet.
5. A method for authenticating a public network, characterized in that the method comprises:
a mobile station authenticating, with a first protocol, with an authentication agent that holds a subscriber identity module corresponding to the mobile station; and
the authentication agent authenticating, with a second protocol, with an authentication server using the subscriber identity module.
6. The method as claimed in claim 5, characterized in that the method further comprises:
once the mobile station has been successfully authenticated by the authentication agent, the authentication agent controlling an access network to permit the mobile station to connect to the Internet.
7. The method as claimed in claim 5, characterized in that the method further comprises:
the authentication agent controlling a router and generating bills for a billing center.
8. The method as claimed in claim 5, characterized in that the method further comprises:
the mobile station roaming to an external access network, and, once the mobile station has been successfully authenticated by the authentication agent, the authentication agent notifying an access right controller to permit the mobile station to connect to the Internet.
9. An authentication agent for a public network, characterized in that the authentication agent holds a subscriber identity module corresponding to a mobile station, the authentication agent and the mobile station authenticate using a first protocol, and the authentication agent authenticates with an authentication server using a second protocol and the subscriber identity module.
10. The authentication agent as claimed in claim 9, characterized in that the authentication agent controls an access network to permit the mobile station to connect to the Internet.
11. The authentication agent as claimed in claim 9, characterized in that the authentication agent controls a router and generates bills for a billing center.
12. The authentication agent as claimed in claim 9, characterized in that the authentication agent notifies an access right controller of an external access network to permit the mobile station to connect to the Internet when the mobile station roams to that external access network.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN02124334.4A CN1221149C (en) 2002-06-12 2002-06-12 System and method for public network authentication


Publications (2)

Publication Number Publication Date
CN1464760A CN1464760A (en) 2003-12-31
CN1221149C true CN1221149C (en) 2005-09-28

Family

ID=29743798


Country Status (1)

Country Link
CN (1) CN1221149C (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116132982A (en) * 2021-11-15 2023-05-16 中国移动通信有限公司研究院 Authentication method and device

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100459804C (en) * 2005-12-13 2009-02-04 华为技术有限公司 Device, system and method of authenticating when terminal to access second system network
CN101442516B (en) * 2007-11-20 2012-04-25 华为技术有限公司 DHCP authentication method, system and device


Also Published As

Publication number Publication date
CN1464760A (en) 2003-12-31

Similar Documents

Publication Publication Date Title
US7505756B2 (en) Dynamic online subscription for wireless wide-area networks
JP5199405B2 (en) Authentication in communication systems
KR101068424B1 (en) Inter-working function for a communication system
EP3308499B1 (en) Service provider certificate management
US20070268888A1 (en) System and method employing strategic communications between a network controller and a security gateway
US20030191939A1 (en) System and method for authentication in public networks
CN105263193B (en) The WIFI connection methods of mobile terminal and system
CN1650664A (en) Certificate based authentication authorization accounting scheme for loose coupling interworking
CN103200159B (en) A kind of Network Access Method and equipment
CN109561429B (en) Authentication method and device
CN108024241A (en) Terminal accessing authentication method, system and authentication server
CN114423010A (en) Network access control method, device, electronic device and storage medium
CN115835202A (en) An authentication method and system
CN1221149C (en) System and method for public network authentication
KR100642459B1 (en) Subscriber authentication service method between heterogeneous mobile communication systems
CN100512111C (en) The method for realizing WAPI-based WLAN operation via the classified terminal certificate
CN102026196A (en) Authentication method, access point and mobile terminal based on WAPI
WO2006079953A1 (en) Authentication method and device for use in wireless communication system
CN102547698B (en) Authentication system, method and intermediate authentication platform
US20240040383A1 (en) Trust based continuous 5g service assessment
CN101031121A (en) Mobile terminal and method for reading SIM card
CN1547405A (en) A wireless local area network terminal user authentication method based on subscriber identity module
KR100291040B1 (en) method for controlling illegal users in PCS
CN1567859A (en) A method of access authentication for WLAN
EP1448000B1 (en) Method and system for authenticating a subscriber

Legal Events

Code Title
C10 / SE01 Entry into substantive examination (entry into force of the request for substantive examination)
C06 / PB01 Publication
C14 / GR01 Grant of patent or utility model (granted publication date: 2005-09-28)
CF01 Termination of patent right due to non-payment of annual fee (termination date: 2016-06-12)