KR100377195B1 - Method For Authenticating Visiting User In Intelligent Network Interworking System - Google Patents

Abstract

1. TECHNICAL FIELD OF THE INVENTION

The present invention relates to a visiting user authentication method in an intelligent network interworking system.

2. The technical problem to be solved by the invention

An object of the present invention is to provide a visiting user authentication method for encrypting authentication data in a service control function of a visit area, decrypting data encrypted in a service control function of a home area, and extracting user information to perform user authentication. .

3. Summary of Solution to Invention

According to the present invention, in a visited user authentication method applied to an intelligent network interworking system, a service control function (SCF ⁺ _VD ) of a visited area encrypts a message with its own private key, and a service control function (SCF ⁺ _HD) of a home area. A first step of encrypting and transmitting a message with a public key of; A second step of detecting that the SCF ⁺ _HD, a message transmitted from the visited network to decrypt and decode their own private key and the message with the public key of the SCF ⁺ _VD, through the verify the signature of the SCF ⁺ _VD; The SCF ⁺ _HD is the lowest serial number (n) that are sent to the SCF ⁺ _HD from the decrypted message, the predetermined bit value (n _s) for extraction, and the lowest predetermined bits of the serial number (n ') to be input is expected to A third step of first verifying whether a difference between the value n _s ' and the value of n _s exists within an error tolerance range; A fourth step of, upon successful first authentication, calculating n _s to n, and calculating an authentication code AC 'using the extended n, the private secret key K, and the one-way function f; A fifth step of verifying whether the SCF ⁺ _HD matches the authentication code (AC ') calculated by the authentication code (AC) and the SCF ⁺ _HD of the visited network; And a sixth step of replacing n 'with n + 1 if a match is found in the fifth step and notifying a service user of a success, and notifying a failure if there is a match.

4. Important uses of the invention

The present invention is used in the intelligent network interworking system.

Description

Method for Authenticating Visiting User In Intelligent Network Interworking System}

The present invention provides a computer-readable recording medium recording a visiting user authentication method for determining whether a user has legitimate use authority when initiating a call in a visiting network in an intelligent network interworking system and a program for realizing the same. It is about.

Recently, the information and communication sector in Korea has been implemented as a multi-carrier system in all sectors, and the competitive emergence of new wired and wireless communication operators and the increase in mobility of users are the same if the carriers start commercial services in the future. Even if the service is a very confusing situation will come to the user moving between different service providers. Moreover, when services are provided in different countries, the manganese information exchanged in the environment in which the service is provided through interworking between operators is exposed to various types of potential security threats. If there is no response mechanism, network control information, service subscriber information, access information, and theft or alteration of user's password required for service processing are large society in the current situation where most of various social activities are conducted using communication network. It can cause confusion.

In addition, until now, the development of intelligent network has focused on R & D activities to build an independent platform to provide one intelligent network service in each country. The need has arisen. In addition, the increased mobility of users has required subscribers to provide services that can use the same services in any network they visit. Recognizing the importance of this requirement, the International Telecommunication Union (ITU-T) 's SG11 / WP4 has made recommendations on interlocking intelligent networks in IN CS-2, and before that, in Europe between 1996 and 1998, In order to provide the intelligent network service, we carried out the Pan-European Intelligent Network platforms project. PEIN proposes an interlocking structure that enables intelligent network services throughout Europe through the interconnection of intelligent network platforms for each country and service provider, which have been established in a unique way. However, one of the biggest obstacles in the provision of services between service providers and across countries is the issue of how to block the security threats that may occur in the network domain interworking relationship. In order to solve this problem, ITU-T IN CS-2 not only expands the functions defined in CS-1 to provide services to users in the same way even when they have different levels of intelligent network structure. Rather, the service control function (SCF) -service control function, in addition to the relationship between the service control function (SCF) and the service data function (SDF) defined in CS-1 for interworking between networks, We further stipulated the relationship between SCF, Service Management Function (SMF) -Service Management Function (SMF), and Service Data Function (SDF) -Service Data Function (SDF). In addition, although ITU-T Recommendations Q.1221 and Q.1224 work on standardization of intelligent network security requirements for the construction of systems considering safety and reliability, a detailed methodology for user authentication in an interworking environment is presented. It is not.

In addition, the development of communication technology and the development of new networks are providing users with new communication capabilities such as Integrated Information Communication Network (ISDN), Intelligent Network, and Mobile Communication Network. The development of the network capability provides a new level of service to the user, and will be utilized more widely in the future, so that the overall activities of society will be performed using the communication network.

However, network-based breaches are intensifying and attack methods are becoming more intelligent, with communication equipment connected to networks worldwide and the explosion of interconnections across networks. In addition, if information communication lacks safety for the purpose of simply exchanging information or sharing resources at the present time of increasingly complex and diverse information communication, the damage caused by illegal users and the loss of resources caused by this will increase. It will be more serious.

Therefore, there is a growing need for a network security device that can protect communication information and resources from them and ensure the safety of communication services. Security is now an important requirement in the design and manufacture of almost all communication systems. In this respect, security capabilities in intelligent networks are no exception. In the strict sense, it cannot be concluded that there is no security capability in the intelligent network. The reason is that when using the current intelligent network service, the service user enters the service subscriber number and password and uses the service only when it is determined that the relationship is justified. This is designed to be possible. However, with the expansion of intelligent network construction and the spread of services, the necessity of wide-area intelligent network services that can be interworked between multiple businesses and countries emerges.In particular, as the movement of individuals between countries becomes active due to the widening of social activities, certain services are subscribed in one country. The importance of developing service-linked technologies that allows one subscriber to receive the same service in another country he is visiting is accelerating. This necessity for network interworking ability is due to the increased mobility of users, and the services that can represent such a situation include a universal personal telecommunication service (UPT) or a virtual private network (VPN) service. Can be mentioned. However, in the case of applying the service interworking technology through the interworking platform in a multi-entry environment, important information such as the profile of the service subscriber or the location information related to the personal identity is transmitted through a plurality of interlocking channels. Thus, in situations where security mechanisms or user authentication capabilities are not sufficiently taken into account, the possibility of information leakage or alteration, either intentionally or accidentally, during the information transfer or authentication process is increased. In general, the intelligent network service applies a simple authentication method that determines whether a call is connected and connected by checking the correspondence between the service subscriber number and the password.

Therefore, although ITU-T Recommendations Q.1221 and Q.1224 have been standardizing the security requirements for intelligent network for system construction considering safety and reliability in the related art, However, the intelligent network service has a problem of applying a simple authentication method that determines the connection and access of the call by checking the correspondence between the service subscriber number and the password.

Therefore, the present invention has been proposed to solve the above problems, to protect the communication network information and resources in the intelligent network interworking system, to encrypt the authentication data in the service control function of the visit area to ensure the safety of the communication service To provide a computer-readable recording medium recording a visited user authentication method for decrypting the data encrypted by the service control function of the home area, extracting user information to perform user authentication, and a program for realizing the same. There is this.

1 is an exemplary configuration diagram of an intelligent network interworking system to which the present invention is applied.

2A and 2B are flowcharts of one embodiment of a visitor user authentication method according to the present invention;

* Explanation of symbols for main parts of the drawings

101: outgoing network 102: access control function

103, 109: call control agent function unit 104, 110: call control function unit

105, 111: service exchange function unit

106: service control function of the visit area

107, 113: key store 108: home network

112: service control function of the home area

In the present invention for achieving the above object, in a visited user authentication method applied to an intelligent network interworking system, the service control function (SCF ⁺ _VD ) of the visited area encrypts the message with its own private key, the service of the home area A first step of encrypting and transmitting a message with a public key of a control function unit (SCF ⁺ _HD ); A second step of detecting that the SCF ⁺ _HD, a message transmitted from the visited network to decrypt and decode their own private key and the message with the public key of the SCF ⁺ _VD, through the verify the signature of the SCF ⁺ _VD; The SCF ⁺ _HD is the lowest serial number (n) that are sent to the SCF ⁺ _HD from the decrypted message, the predetermined bit value (n _s) for extraction, and the lowest predetermined bits of the serial number (n ') to be input is expected to A third step of first verifying whether a difference between the value n _s ' and the value of n _s exists within an error tolerance range; A fourth step of, upon successful first authentication, calculating n _s to n, and calculating an authentication code AC 'using the extended n, the private secret key K, and the one-way function f; A fifth step of verifying whether the SCF ⁺ _HD matches the authentication code (AC ') calculated by the authentication code (AC) and the SCF ⁺ _HD of the visited network; And a sixth step of replacing n 'with n + 1 if it matches, notifying the service user of a success, and notifying a failure if it does not match.

Meanwhile, the present invention encrypts a message with its own private key by a service control function unit (SCF ⁺ _VD ) in a visited area, and discloses a service control function unit (SCF ⁺ _HD ) in a home area. A first function of encrypting and transmitting a message with a key; A second function for detecting that the SCF ⁺ _HD, a message transmitted from the visited network to decrypt and decode their own private key and the message with the public key of the SCF ⁺ _VD, through the verify the signature of the SCF ⁺ _VD; The SCF ⁺ _HD is the lowest serial number (n) that are sent to the SCF ⁺ _HD from the decrypted message, the predetermined bit value (n _s) for extraction, and the lowest predetermined bits of the serial number (n ') to be input is expected to A third function of first verifying that a difference between the value n _s ' and the value of n _s exists within an error tolerance; A fourth function of expanding n _s to n upon first authentication success and calculating the authentication code AC 'using the extended n, the private secret key K, and the one-way function f; The SCF ⁺ _HD is the fifth function to determine whether the authentication code (AC ') calculated by the authentication code (AC) and the SCF ⁺ _HD of the visited network match; And as a result of confirming the fifth function, if it matches, replaces n 'with n + 1, notifies the service user of success, and if not, reads a program for realizing a sixth function of notifying the failure. Provide a record carrier.

The above objects, features and advantages will become more apparent from the following detailed description taken in conjunction with the accompanying drawings. Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings.

1 is an exemplary configuration diagram of an intelligent network interworking system to which the present invention is applied, and includes an outgoing network 101, an access control function (ACCF) 102, and a call control agent function (CCAF). (103, 109), call control function (CCF: 104, 110), service switching function (SSF: service switching funtion) (105, 111), service control function of the visiting area (SCF ⁺ _VD : Service Control Function of Visiting Domain (106), Key Stores (107, 113), Home Network (108), Service Control Function of Home Area (SCF ⁺ _HD ) 112, Service Data Function (SDF) : Service Data Function (SRF) and Specialized Resource Function (SRF).

As shown in FIG. 1, FIG. 1 illustrates an interworking structure between functional entities between an originating network 101 and a home network 108 for user authentication on an intelligent network distribution plane.

In this interworking structure, if terms are defined as follows to describe the mechanism required for the user authentication procedure, AC (Authentication Code) represents a variable authentication code calculated in the ACCF (102), AC ' _HD is the SCF of the home network 108 ⁺ _Denotes a variable authentication code calculated by _HD 112, and in AC ' _HD = f (n', K), f represents a one-way function as an algorithm for calculating a variable authentication code, and this algorithm represents an intelligent network access device and a home network. Service control functions 108 of SCF ⁺ _HD 112 are on both sides and are in the same algorithm.

In addition, K is a private secret key stored in the access device and the SCF ⁺ _HD 112, n is a sequence number generated by the access device, and has a 64-bit size. Incremented by 1 ', this serial number is used to change the variable authentication code AC value as an input parameter of the authentication algorithm f, where n _s is the lowest 16 of n transmitted to the SCF ⁺ _HD 112 of the home network 108. Bit represents a significant significant bit, n 'represents the value stored in SCF ⁺ _HD 112 as the next expected serial number, and n' _s represents the least significant 16 bits of n '. D is an error tolerance range between the serial number n stored in the access device and the n 'value stored in the SCF ⁺ _HD 112 of the home network, and defines the maximum allowable error value as 2 ⁸ (= 256).

In addition, in the program code of the one-way authentication algorithm f, K and the program code for the authentication algorithm should not be readable. It can not be stored arbitrarily.

The ACCF 102 serves as an interface with an access device for accessing the intelligent network when the service user tries to use the intelligent network service in the outgoing network 101. The intelligent network access device, which is a user terminal, has a serial number n (Sequence Number), ID _HD which is the ID of the home network 108 registered by the user, a personal identification number (PIN), a secret key K, and a one-way authentication algorithm code. f and a user identifier ID _{A which} is its ID are stored.

The secret key k, the personal password (PIN), the serial number (n), and the function f are delivered to the user secretly by the operator of the home network 108 at the time of joining the service and are stored in the terminal as read-only. This information cannot be changed arbitrarily. The ACCF 102 reads these six pieces of information (n, ID _HD , PIN, ID _A , K, f) in turn. Service User A uses the Service Access Code (SAC), Personal Password (PIN), Calling Network ID _VD (Identification of Visiting Domain), and his User Identification ID _A (Identification of Service User A). When input through the ACCF 102 compares the ID _A , and PIN entered by the user A and the ID _A and PIN stored in the ACCF 102 to verify and verify the match. When the verification is completed, the ACCF 102 generates an authentication code AC by applying the authentication algorithm f using n, K, and f. Where AC = f (n, K) and f is a one-way function.

The ACCF 102 stores a user identifier (ID _A ), a home network ID (ID _HD ), a service identification code (SAC) entered by the user, an authentication code AC calculated by the function f, and the least significant 16 bits n _s of the serial number. After converting to a decimal number, message M in Table 1 below is transmitted to CCAF 103. After sending, increase the value of n by one.

CCAF (103) is, and when trigger a call to send a message M to the CCF (104) detects that the SSF (105) are intelligent network call by the service identification code, SAC, and transmits it to the _{^{SCF + VD (106), SCF}} + VD (106 ) Looks at the user identifier ID _A from message M and finds out that service user A is a visitor.

SCF ⁺ _VD (106) is the key store 107, his or her private key is used to encrypt the message M E S _{SCF_VD} from: I S _ _{SCF VD} (M) which provides the digital signature. Then, the message E: S _SCF _ _VD (M) signed with the private key is used by using the public key V _{SCF_HD} of the home network 108 to provide confidentiality to prevent exposure while data is transmitted through the network interworking channel. _{Encrypted with} V _{SCF_HD} [E: S _{SCF_VD} (M)] and transmitted to SCF ⁺ _HD 112, which is user A's home network 108. The SCF ⁺ _HD 112 of the home network 108 receives the message E: V _{SCF_HD} [E: S _{SCF_VD} (M)] sent by the originating network 101, and the private key S _{SCF_HD} and the private key S _{SCF_HD} are received from the key storage 113. The public key V _{SCF_VD} of the source network 101 is extracted. First, the message E: V _{SCF_HD} [E: S _{SCF_VD} (M)] sent by SCF ⁺ _VD is _decrypted using its private key S _{SCF_HD} .

Again, E: S _{SCF_VD} (M) is decrypted with V _{SCF_VD} , the public key of SCF ⁺ _VD 106 of originating network 101, and if the signature is authenticated, SCF ⁺ _HD 112 determines that message M is the identity of the originating network (ID). It can be assured that it is from _VD ) 101. Comparing the least significant 16-bit value (the least significant bits) and n _s the value of the next n 'a n _s extracted from the decrypted message M to ensure that n _s between the allowable error range of 256. If the value of n _s exceeds the tolerance, then authentication is considered a failure, which means primary authentication. The reason for this primary authentication process is that n has a 64-bit size and all of it is transmitted. Since the load is added to the network, only the lowest 16 bits of the 64 bits are extracted and sent, and the home service compares the 16 bits of its serial number n '. Compare results to be confined to the tolerance range of 256 considered the authentication fails, the reason is as follows .n value n 'is a value equal to there is authentication succeeds, n _s -n' _s can be a large difference between 64-bit There is a big difference between n value and n 'value, which means that authentication fails. In this way, the process of checking the tolerance range eliminates the need for the final certification process of checking whether the next certification process, the variable certification code AC and AC ', is unnecessary, so that the process of calculating the AC value and the AC' value can be omitted. If the first authentication process is successful, the process goes directly to the final authentication process. In this process, it is determined whether the value of the visitor service's serial number n and the home service's serial number n 'match. By comparing the variable authentication code AC with the value of AC ', it is checked whether all bits match. Varying authentication codes of AC and AC 'to generate the value of n and n' to find out the value, to calculate the value _s n and n _'s car value X (X = n _s -n a' _s) for this purpose extension We will calculate the total 64-bit value. If n matches exactly n ', then X has a value of zero. Otherwise, the value of AC '= f (n, K) calculated by extending n to n' + X will have a different value when the received AC value is compared, which means authentication failed. If the authentication succeeds, SCF ⁺ _HD 112 expands n _s to n as follows. First, calculate X (X = n _s -n ' _s ), which is the difference between n _s and n' _s. If X is in the range "0 <= X <= d", SCF ⁺ _HD 112 returns n. = n '+ X. If the value of X is less than or equal to d-2 ¹⁶ , SCF ⁺ _HD 112 expands n to n = n '+ 2 ¹⁶ + X. AC 'is calculated using the expanded n, K, and f. If the variable authentication code AC generated by ACCF 102 and AC 'match, user A is successfully authenticated. In this case, SCF ⁺ _HD 112 replaces n' with n + 1. If the values of AC and AC 'differ, authentication ends with failure.

2A and 2B are a flowchart illustrating one embodiment of a visited user authentication method according to the present invention.

As shown in the figure, SCF ⁺ _VD encrypts message M with the private key of SCF ⁺ _VD (201), encrypts E [M] with the public key of SCF ⁺ _HD (202), and E [E [M]]. The message is transmitted to the home network SCF ⁺ _HD (203).

Subsequently, the SCF ⁺ _HD decrypts E [E [M]] with its private key and the public key of the SCF ⁺ _VD (204), verifies the signature of the SCF ⁺ _VD (205), and notifies the user of the authentication failure if the signature is incorrect. Notify (206), if the signature is correct, extract n _s from message M (207).

Then, check whether the X value is within the error tolerance (208) and notify the user of the authentication failure if it is not within the error tolerance (209), and if it is within the error tolerance, SCF ⁺ _HD expands n _s to n. Then, AC 'is calculated using n, k, and f (210), and if the received AC' and AC are identical (211), if not the same, the user is notified of the authentication failure (209), and n is equal. Is replaced by n + 1 by SCF ⁺ _HD (212), and notifies the user of the success of authentication (213). The method of the present invention as described above is implemented as a program and a computer-readable recording medium (CD-ROM). , RAM, ROM, floppy disk, hard disk, magneto-optical disk, etc.).

The present invention described above is capable of various substitutions, modifications, and changes without departing from the spirit of the present invention for those skilled in the art to which the present invention pertains, and the above-described embodiments and accompanying It is not limited to the drawing.

Therefore, the present invention as described above can be utilized in the design of a response mechanism that can block network control information, subscriber data, service profile information, billing information, etc., which are easily exposed in the interlocking environment, from security threats. If a mechanism that further strengthens the system is developed and expanded, it can be used as the core technology for providing UPT services in multiple countries, and can provide international intelligent network services through interconnection between intelligent networks, or provide intelligent network services among domestic telecommunication operators. When network interworking is established, the application scope is very broad in that the intelligent network has control capability for public switched telephone network (PSTN), integrated telecommunication network (ISDN), mobile network, and broadband-to-wide telecommunication network (B-ISDN). It works.

Claims (7)

In the visiting user authentication method applied to the intelligent network interworking system, A first step in which the service control function unit SCF ⁺ _VD of the visited area encrypts the message with its private key, and encrypts the message with the public key of the service control function unit SCF ⁺ _HD of the home area; A second step of detecting that the SCF ⁺ _HD, a message transmitted from the visited network to decrypt and decode their own private key and the message with the public key of the SCF ⁺ _VD, through the verify the signature of the SCF ⁺ _VD; The SCF ⁺ _HD is the lowest serial number (n) that are sent to the SCF ⁺ _HD from the decrypted message, the predetermined bit value (n _s) for extraction, and the lowest predetermined bits of the serial number (n ') to be input is expected to A third step of first verifying whether a difference between the value n _s ' and the value of n _s exists within an error tolerance range; A fourth step of, upon successful first authentication, calculating n _s to n, and calculating an authentication code AC 'using the extended n, the private secret key K, and the one-way function f; A fifth step of verifying whether the SCF ⁺ _HD matches the authentication code (AC ') calculated by the authentication code (AC) and the SCF ⁺ _HD of the visited network; And A sixth step of replacing n 'with n + 1 if a match is found and notifying the service user of a success; Visiting user authentication method in an intelligent network interworking system comprising a. The method of claim 1, The first step is, _A seventh step of the service user _A inputting the service identification code SAC, the personal password PIN, the visit area ID ID _VD and his user identifier ID _A through the intelligent network access device; Access control unit (ACCF) the eighth step to determine whether they match each other by comparing the ID _A and the PIN stored in the ACCF the ID _A and the PIN entered by the service user A; The ACCF calculates an authentication code (AC) using a one-way function, ID _A , ID of the home area (ID _HD ), SAC, AC, and n _s (where n _s is the lowest predetermined bit of n). (N represents a serial number generated by the access device), a ninth step of transmitting a message M having a call control agent function unit (CCAF); A tenth step of detecting, by the SAC, the intelligent network call by the SAC when the CCAF sends a message M to the call control function unit (CCF) and transmits it to the SCF ⁺ _VD ; Step 11, which encrypts a _SCF S _ _VD (M) performing a digital signature;: a message M by using its own private key (S _{SCF_VD)} is the SCF ⁺ _VD from the key store E And The message E: S _SCF _ _VD (M) signed with the private key is encrypted with E: V _{SCF_HD} [E: S _{SCF_VD} (M)] using the public key (V _{SCF_HD} ) of the home zone. Twelfth step of transmitting in the SCF ⁺ _HD Visiting user authentication method in an intelligent network interworking system comprising a. The method according to claim 1 or 2, The second step, A _{thirteenth step} when the SCF ⁺ _HD receives the message E: V _{SCF_HD} [E: S _{SCF_VD} (M)], _extracting its private key (S _{SCF_HD} ) and the public key of the visited area (V _{SCF_VD} ) from the key store; A 14th step in which the SCF ⁺ _{HD decrypts} the message E: V _{SCF_HD} [E: S _{SCF_VD} (M)] sent by the SCF ⁺ _VD using its private key (S _{SCF_HD} ); And A fifteenth step of verifying a signature by decrypting E: S _{SCF_VD} (M) with V _{SCF_VD which} is a public key of SCF ⁺ _VD of the visited area ^; Visiting user authentication method in an intelligent network interworking system comprising a. delete delete delete In the intelligent network interworking system equipped with a processor, A first function in which the service control function unit SCF ⁺ _VD of the visited area encrypts the message with its private key, and encrypts the message with the public key of the service control function unit SCF ⁺ _HD of the home area; A second function for detecting that the SCF ⁺ _HD, a message transmitted from the visited network to decrypt and decode their own private key and the message with the public key of the SCF ⁺ _VD, through the verify the signature of the SCF ⁺ _VD; The SCF ⁺ _HD is the lowest serial number (n) that are sent to the SCF ⁺ _HD from the decrypted message, the predetermined bit value (n _s) for extraction, and the lowest predetermined bits of the serial number (n ') to be input is expected to A third function of first verifying that a difference between the value n _s ' and the value of n _s exists within an error tolerance; A fourth function of expanding n _s to n upon first authentication success and calculating the authentication code AC 'using the extended n, the private secret key K, and the one-way function f; The SCF ⁺ _HD is the fifth function to determine whether the authentication code (AC ') calculated by the authentication code (AC) and the SCF ⁺ _HD of the visited network match; And A sixth function that replaces n 'with n + 1 if it matches, notifies the service user of a success, and notifies if it does not match; A computer-readable recording medium having recorded thereon a program for realizing this.