In the 3G wireless communication standards, the generic authentication architecture describes a generic architecture adopted by a number of Network Application Functions (NAFs) for verifying the validity of users. By means of generic authentication architecture, it is possible to implement the authentication and verification of a user requesting a service. The above various application functions may include multicast/broadcast service, subscribers certificates service, and instant message supply service, as well as proxy service, e.g. multiple services functions entities may be connected with a proxy entity. The generic authentication architecture handles the proxy as a kind of service where the construction may be very flexible. Moreover, the generic authentication architecture may be adopted for the authentication and verification of users requesting newly developed services.
FIG. 1 is a schematic structure diagram of the generic authentication architecture. Typically, the generic authentication architecture includes a User Equipment (UE) 101, a Bootstrapping Server Function (BSF) 102, a Home Subscriber System (HSS) 103 and an NAF 104. The BSF 102 is used for mutual authentication with the UE 101, and simultaneously generating a secret key shared with the UE 101. A Profile document used for describing the subscriber information is stored in the HSS 103 which will generate authentication information.
When a UE requests a service, if the UE knows that the service requires a mutual authentication procedure in the BSF, the UE will perform a mutual authentication in the BSF directly; otherwise, the UE will first contact the NAF corresponding to the service. If the NAF applying the generic authentication architecture requires the UE to perform a bootstrapping authentication in the BSF, the NAF will instruct the UE to perform a bootstrapping authentication by means of the generic authentication architecture; otherwise, the NAF executes other appropriate processing.
FIG. 2 is a flowchart for authentication by the generic authentication architecture in the prior art.
Step 201: A UE sends to an NAF an application request message.
Step 202: Upon receiving the message, the NAF finds that the UE has not performed a mutual authentication in a BSF, and then instructs the UE to perform a bootstrapping authentication in the BSF.
Step 203: The UE sends to the BSF a bootstrapping request message.
Step 204: Upon receiving the bootstrapping request message from the UE, the BSF conducts inquiry of the necessary authentication information of the UE and the profile document thereof to the HSS, and receives a response from the HSS.
Step 205: Upon receiving the response message from the HSS containing the information inquired, the BSF performs an Authentication and Key Agreement (AKA) protocol based mutual authentication with the UE using the information inquired. When completing the AKA protocol based mutual authentication with the UE, i.e. passing the mutual authentication, the BSF generates a secret key shared with the UE (Ks).
Step 206: The BSF assigns the UE a Transaction Identifier (TID) including only the identity and valid for one or more than one NAFs. The TID is associated with the Ks.
Step 207: Upon receiving the TID assigned by the BSF, the UE resends to the NAF an application request message which contains the information of the TID.
Step 208: Upon receiving the application request message containing the information of the TID sent from the UE, the NAF will first conduct local inquiry, if the NAF finds the information of the TID locally, proceed directly to Step 210; otherwise, send to the BSF a TID inquiring message containing local identity of the NAF, and then proceed to Step 209.
Step 209: Upon receiving the TID inquiring message from the NAF, the BSF will, if finding the TID inquired by the NAF, send to the NAF a response message of success. The NAF stores the contents of the response message and proceeds to Step 210; otherwise, the BSF will send to the NAF a response message of failure, notifying the NAF that there is no information of the UE. The NAF will instruct the UE to perform a bootstrapping authentication in the BSF, and end the procedure.
The response message of success includes the TID found, the Ks corresponding to the TID or a derived secret key generated from the Ks according to the security level of the NAF. As long as receiving a response message of success from the BSF, the NAF will believe that the UE is a legitimate UE passing authentication by the BSF and share the Ks or the derived secret key with the UE.
Step 210: The NAF makes normal communications with the UE, i.e. data transmission, and protects further communications using the Ks or the derived secret key.
After the first communication process between the UE and the NAF is over, the authenticated TID is used for further communications between the UE and the NAF. Since the TID may be used repeatedly and any NAF may inquire the corresponding TID from the BSF if it can not find the TID locally, as long as obtaining a legitimate TID, the UE may make communications with the NAF using the TID for an indefinite period.