1. Field of the Invention
The present invention relates to a method for inclusive authentication and management of a service provider, a terminal and a user identity device, and a system and a terminal device using the method.
2. Description of the Related Art
With the rapid development of wireless Internet and communication technologies, various data or Internet services can be received through user identity modules (“UIM”) and mobile terminals. However, more and more of such services are becoming pay services. Recently, copyright protection technologies, such as digital rights management (“DRM”), have been introduced to protect the copyright of the content of the pay services.
DRM is one of the most effective methods for controlling the use of content and protecting the content ownership and copyright. Basically, DRM technologies allow free distribution of encrypted content between users. In order to use the content, however, a user rights object (“RO”) is required. The ease of illegal copying and distribution of content in the digital environment has brought about a massive increase of copyright infringement and losses to content providers. In response to these concerns, DRM technologies based on flexibility and convenience of each user's rights object focus on security and thus permit only authorized users to access content. Mutual authentication between devices is necessary to ensure security.
FIG. 1 is a diagram showing a process of mutual authentication between a BSF (Bootstrapping Server Function) and a UE (User Equipment) in general 3GPP (3d Generation Partnership Project) system. 3GPP GBA (Generic Bootstrapping Architecture) is a generic authentication scheme used between a universal ID card (UICC)-based UE and a BSF. This authentication scheme is implemented through the following process, as specified in the technical specifications 3GPP TS 33.220 and 33.102.
At step 30, a UE 10 may send a message requesting for user authentication to a BSF 20. The request message sent to the BSF 20 includes user identity information of the UE 10. Upon receiving the message, the BSF 20 calculates an authentication vector associated with a UICC (Universal IC Card) included in the UE 10 at step 40. More specifically, the BSF 20 calculates an authentication vector consisting of RAND, AUTN, XRES, CK and IK. RAND refers to a random number. AUTN refers to an authentication token necessary for the UE 10 to do a network authentication. XRES refers to an expected response which is compared with a response (RES) transmitted by the UICC to authenticate the UICC. CK is a cipher key. Lastly, IK is an integrity key.
Upon calculation of the authentication vector, the BSF 20 proceeds to step 50 to send the random number RAND and the authentication token AUTN to the UE 10. The UE 10 then delivers the RAND and the AUTN to the UICC. The UICC verifies the AUTN to confirm whether the message is sent from a valid network. Subsequently, the UICC calculates the integrity key and the cipher key to produce a session key Ks at step 60. Also, the UICC sends an authentication response message RES to the UE 10 which will then deliver the RES to the BSF 10 at step 70. The BSF 20 performs authentication through verification of the response message at step 80, and concatenate the cipher key and the integrity key to generate the session key Ks at step 90.