With the diversification and development of communication services, both the service provider and the user require a reliable security mechanism to ensure legal use of services. For example, in the Internet Protocol Multimedia Subsystem (IMS)-based Multimedia Broadcast and Multicast Service (MBMS), the User Equipment (UE) is generally authenticated before the user accesses a protected MBMS service through the UE. FIG. 1 shows a common authentication process in the prior art. The authentication process includes two steps:
I. Key Negotiation
Through the key negotiation process, the UE and an authentication service device that provides a security mechanism negotiate the shared key-related data. Specifically, the key negotiation is generally performed through a Generic Bootstrapping Architecture (GBA). In the GBA, the device that provides the security mechanism is a Bootstrapping Server Function (BSF). After completion of the GBA process, both the UE and the BSF have recorded the key-related data of the GBA process, including Bootstrapping Transaction Identifier (B-TID), IP Multimedia Private Identity (IMPI), Cipher Key (CK), and Integrity Key (IK). The UE and the BSF may use the CK and the IK to generate keys (Ks) shared between them.
II. Security Association
The security association process associates the Ks negotiated between the UE and the BSF with the AS which provides the Network Application Function (NAF). After completion of the GBA process, the Ks is shared between the UE and the BSF, and the UE may use the AS identifier (NAF_Id) and the Ks to calculate the relevant keys (Ks_NAF). However, the AS has not obtained the key information yet. To negotiate the keys shared between the UE and the AS, the following steps need to be performed:
1. The UE sends a HyperText Transfer Protocol (HTTP) request to the AS, and the request carries a B-TID.
2. The AS sends an HTTP request to the BSF, and the request carries the B-TID and the host name of the AS.
3. After the BSF authenticates the request of the AS, the BSF calculates the relevant keys (Ks_NAF) according to the Ks negotiated with the UE and the received host name. Afterward, the BSF sends an HTTP response to the AS. The response may carry the validity period of the keys and the security settings of the user.
4. After receiving the response from the BSF, the AS calculates the authentication response data according to the Ks_NAF, and sends the data to the UE through an HTTP response.
After the UE authenticates the response from the AS according to the recorded Ks_NAF, the authentication process is finished, and the UE and the AS may start secure communications through the established shared keys (Ks_NAF).
During the research and practice of the present invention, the inventor finds that to complete a sophisticated service, multiple service functions need to work together at the server side; namely, multiple ASs are needed to implement a complete service. For example, for the MBMS service on a mobile network, an AS1 which provides a demonstration portal enables the UE to obtain the service guide, and an AS2 which provides a subscription portal enables the user to subscribe to the MBMS service. In this case, according to the current authentication mode, the UE needs to perform the foregoing key negotiation process and security association process separately with each of the different ASs. Too many message interactions are involved, and the application response speed is delayed.
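The following added example (not code from the patent or from any 3GPP implementation) models the security association steps 1 to 4 above and the multiple-AS situation just described: one UE, one BSF and two ASs, with each AS fetching its own NAF-bound Ks_NAF and proving possession to the UE. The bootstrapping outcome (CK, IK, RAND, IMPI, B-TID), the host names and the HMAC-based "authentication response" are constructed sample values; the Ks_NAF derivation is a simplified HMAC-SHA256 stand-in for the 3GPP KDF and NAF_Id is reduced to the AS host name, both assumptions made for readability.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def derive_ks(ck: bytes, ik: bytes) -> bytes:
    """Ks is the concatenation CK || IK held by both UE and BSF after GBA."""
    return ck + ik


def derive_ks_naf(ks: bytes, rand: bytes, impi: bytes, naf_id: bytes) -> bytes:
    """Ks_NAF bound to one NAF_Id.

    Assumption: simplified KDF (HMAC-SHA256 keyed with Ks over labelled inputs).
    The real 3GPP KDF uses the same inputs with a length-prefixed encoding that
    is deliberately not reproduced here.
    """
    return hmac.new(ks, b"gba-me" + rand + impi + naf_id, hashlib.sha256).digest()


@dataclass
class BootstrapRecord:
    impi: bytes
    rand: bytes
    ks: bytes
    lifetime: int  # key validity period in seconds


class BSF:
    """Keeps GBA records and hands Ks_NAF only to ASs it has authenticated."""

    def __init__(self, trusted_as_hosts):
        self.records = {}  # B-TID -> BootstrapRecord
        self.trusted = set(trusted_as_hosts)

    def bootstrap(self, impi: bytes, ck: bytes, ik: bytes, lifetime=3600):
        """Outcome of key negotiation (step I); the AKA run itself is out of scope."""
        rand = secrets.token_bytes(16)
        btid = secrets.token_hex(8).encode() + b"@bsf.example"  # constructed B-TID
        self.records[btid] = BootstrapRecord(impi, rand, derive_ks(ck, ik), lifetime)
        return btid, rand

    def handle_as_request(self, btid: bytes, as_host: str):
        """Step 3: authenticate the AS, derive Ks_NAF for its host name, reply."""
        if as_host not in self.trusted:
            raise PermissionError("AS not authorised to fetch keys")
        rec = self.records.get(btid)
        if rec is None:
            raise KeyError("unknown B-TID; UE must re-run bootstrapping")
        ks_naf = derive_ks_naf(rec.ks, rec.rand, rec.impi, as_host.encode())
        return ks_naf, rec.lifetime, {"impi": rec.impi}


class AS:
    """One application server (NAF); NAF_Id simplified to the host name."""

    def __init__(self, host: str, bsf: BSF):
        self.host, self.bsf, self.sessions = host, bsf, {}

    def handle_ue_request(self, btid: bytes):
        """Steps 2 and 4: fetch Ks_NAF from the BSF, then prove possession to the UE."""
        ks_naf, lifetime, _settings = self.bsf.handle_as_request(btid, self.host)
        self.sessions[btid] = ks_naf
        nonce = secrets.token_bytes(16)
        proof = hmac.new(ks_naf, b"as-response" + nonce, hashlib.sha256).digest()
        return nonce, proof, lifetime


class UE:
    def __init__(self, impi: bytes, btid: bytes, rand: bytes, ks: bytes):
        self.impi, self.btid, self.rand, self.ks = impi, btid, rand, ks

    def associate(self, app_server: AS):
        """Step 1 plus verification of step 4; returns (ok, Ks_NAF, message count)."""
        nonce, proof, _lifetime = app_server.handle_ue_request(self.btid)
        ks_naf = derive_ks_naf(self.ks, self.rand, self.impi, app_server.host.encode())
        expected = hmac.new(ks_naf, b"as-response" + nonce, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, proof)
        # UE<->AS request/response plus AS<->BSF request/response per association
        return ok, ks_naf, 4


def run_demo():
    """Constructed sample: one UE, one BSF, two ASs serving one MBMS service."""
    ck, ik = secrets.token_bytes(16), secrets.token_bytes(16)
    impi = b"user@ims.example"
    bsf = BSF(trusted_as_hosts={"guide.mbms.example", "subscribe.mbms.example"})
    btid, rand = bsf.bootstrap(impi, ck, ik)
    ue = UE(impi, btid, rand, derive_ks(ck, ik))
    as1 = AS("guide.mbms.example", bsf)      # service guide portal
    as2 = AS("subscribe.mbms.example", bsf)  # subscription portal
    results = [ue.associate(as1), ue.associate(as2)]
    all_ok = all(r[0] for r in results)
    keys_differ = results[0][1] != results[1][1]
    return all_ok, keys_differ, sum(r[2] for r in results)
```

Running `run_demo()` shows the two points the text makes: because Ks_NAF is bound to NAF_Id, AS1 and AS2 end up with different keys, and the UE has to repeat the whole four-message association for every AS, so the message count grows linearly with the number of ASs involved in a service.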