A wireless communication system such as shown in FIG. 1 is prescribed in the specification decided upon in the WiMAX (Worldwide Interoperability for Microwave Access) Forum.
As shown in FIG. 1, the WiMAX wireless communication system includes: MS (mobile station) 10, BS (Base Station) 20 and ASN-GW (ASN-Gateway) 30 arranged in an ASN (Access Service Network); and HA (Home Agent) 40 and AAA (Authentication, Authorization, Accounting) server 50 arranged in a CSN (Connectivity Service Network) (for example, see Patent Documents 1 and 2, which are Japanese published patent applications JP-A-2008-035248 and JP-A-2008-092577, respectively).
BS 20 is a base station that carries out wireless communication with MS 10, which is a terminal, and ASN-GW 30 is a gateway apparatus that connects MS 10 to CSN by way of BS 20.
HA 40 is a server apparatus that manages the movement of MS 10, and AAA server 50 is a server apparatus that carries out authentication, authorization, and accounting of MS 10. In FIG. 1, HA 40 is connected to the Internet, but HA 40 can also be connected to an IP (Internet Protocol) network (such as an in-company network) other than the Internet.
In a WiMAX wireless communication system, device authentication that authenticates whether MS 10 is connected to the ASN and user authentication that authenticates whether the user of MS 10 is party to a contract for service of the ASN are carried out as authentication for MS 10.
The device/user authentication sequence in a related WiMAX wireless communication system is next described with reference to FIG. 2.
A device/user authentication sequence is here described in which Proxy Mobile IPv4 is applied.
In addition, it is assumed that prior to the device/user authentication sequence shown in FIG. 2, BS 20 acquires from MS 10 the MAC (Media Access Control) address of MS 10 in a DL (Down Link)—MAP (Media Access Protocol) sequence (not shown in the figure), ASN-GW 30 acquires from BS 20 the MAC address of MS 10 in an MS—PreAttachment sequence (not shown in the figure), and MS 10 is identifiable by means of the MAC address within the ASN.
As shown in FIG. 2, ASN-GW 30 in Step S401 uses Auth.Relay protocol to transmit to MS 10 by way of BS 20 an EAP RQ (request)/Identity message that requests the start of device/user authentication and the sending of Identity by means of EAP (Extensible Authentication Protocol).
As a response to the EAP RQ/Identity message, MS 10 in Step S402 next uses EAP to transmit an EAP RP (Response)/Identity message that includes a pseudo-identity, which is the pseudo-NAI (Network Access Identity) of MS 10, and a MAC address to AAA server 50 by way of BS 20 and ASN-GW 30.
In this way, ASN-GW 30 acquires the pseudo-identity of MS 10 and places the pseudo-identity in correspondence with the acquired MAC address. In addition, AAA server 50 acquires the pseudo-identity and MAC address of MS 10.
Upon success in device authentication for MS 10, AAA server 50 next uses EAP to transmit a message reporting the success of the device authentication (the name of this message differs according to the authentication method) to MS 10 by way of ASN-GW 30 and BS 20 in Step S403. In Step S404, AAA server 50 further transmits an EAP RQ message requesting the transmission of the true-identity, which is the true NAI of MS 10, to MS 10 by way of ASN-GW 30 and BS 20.
In Step S405, MS 10 next uses EAP to transmit to AAA server 50 by way of BS 20 and ASN-GW 30 an EAP RP message that contains the true-identity of MS 10 as a response to the EAP RQ message.
AAA server 50 thus acquires the true-identity of MS 10 and places the true-identity in association with the acquired pseudo-identity.
Upon succeeding in the user authentication for MS 10, AAA server 50 next in Step S406 uses EAP to transmit an EAP Success message reporting the success in the user authentication to ASN-GW 30. In Step S407, ASN-GW 30 then uses Auth.Relay protocol to transfer the EAP Success message to MS 10 by way of BS 20.
In order to establish a session, MS 10 next uses DHCP (Dynamic Host Configuration Protocol) to transmit to ASN-GW 30 by way of BS 20 a DHCP Discover message requesting assignment of an IP (Internet Protocol) address.
In Step S409, ASN-GW 30 then uses Mobile IP to transmit to HA 40 an RRQ (Registration Request) message that includes the pseudo-identity of MS 10 requesting connection to the CSN of MS 10.
HA 40 thus acquires the pseudo-identity of MS 10. As a result, HA 40 is subsequently able to use the NAI as user identity information.
At this time, the reason that the NAI that is reported to HA 40 is a pseudo-identity is as follows. Specifically, the NAI that is reported from ASN-GW 30 to HA 40 is included in the Extension field of the Mobile IP, whereby plain data flows to the ASN and CSN unless a security tunnel such as IPsec (Security Architecture for IP) is used. As a result, in a WiMAX wireless communication system, only MS 10 and AAA server 50 use the true-identity and other nodes use the pseudo-identity. As a result, the NAI that is reported from ASN-GW 30 to HA 40 is the pseudo-identity. In addition, the correspondence table of pseudo-identity and true-identity is held only by MS 10 and AAA server 50.
In Step S410, HA 40 next uses an AAA protocol (for example, RADIUS (Remote Access Dial In User Service) protocol) to transmit to AAA server 50 an Access Request message that includes the pseudo-identity of MS 10 requesting the result of authenticating MS 10.
In Step S411, AAA server 50 next uses an AAA protocol to transmit to HA 40 an Access Accept message reporting the result of authenticating MS 10 as a response to the Access Request message.
HA 40 thus verifies the result of authenticating MS 10.
In Step S412, HA 40 next uses Mobile IP to transmit to ASN-GW 30 a RRP (Registration Response) message reporting permission to connect to the CSN of MS 10 as a response to the RRQ message.
In Step S413, ASN-GW 30 then uses DHCP to transmit to MS 10 by way of BS 20 a DHCP Offer message reporting a candidate IP address to be assigned to MS 10 as the response to the DHCP Discover message.
MS 10 thus acquires an IP address and begins the process for establishing a session.
In this way, MS 10 uses three identities: the true-identity, the pseudo-identity, and the MAC address, as its own user identification information in a WiMAX wireless communication system.
BS 20 and ASN-GW 30 are able to use two of these, the pseudo-identity and the MAC address, as the user identification information of MS 10.
HA 40 is able to use only the pseudo-identity as the user identification information of MS 10.
Finally, AAA server 50 is able to use the three identities, the true-identity, the pseudo-identity, and the MAC address, as the user identification information of MS 10.