Independent claim
1. A method for single sign-on, comprising:
  a terminal sending an authentication request carrying a user identity identification to an application server (RP), and the RP redirecting the authentication request to an authentication center;
  the authentication center authenticating the terminal by means of session initiation protocol digest authentication (SIP Digest) and redirecting an authentication result to the RP via the terminal; and
  the RP providing services for the terminal according to the authentication result;
  wherein the user identity identification is an open identity identification (OpenID) and the authentication center is an OpenID Provider (OP); or, the user identity identification is an identity identification inputted into the terminal or an identity identification acquired when the terminal registers in an Internet Protocol Multimedia Subsystem (IMS), and the authentication center is a single sign-on authentication center (IdP);
  wherein, in the case that the user identity identification is the identity identification inputted into the terminal or the identity identification acquired when the terminal is registered in the IMS, the authentication center is the IdP, and the authentication of the authentication center is successful, the method further comprises:
    the authentication center generating a third random number nonce1 and generating a second key K1 according to the nonce1 and the first shared key K0 between the authentication center and the terminal;
    the authentication center encrypting the nonce1 and an authentication result RP_Auth for the RP by using the K0 to obtain K0(nonce1, RP_Auth), and encrypting the K1 and an authentication result UE_Auth for the terminal by using a shared key Kr,i between the authentication center and the RP to obtain Kr,i(K1, UE_Auth);
    the terminal obtaining the K0(nonce1, RP_Auth) and the Kr,i(K1, UE_Auth) and redirecting the Kr,i(K1, UE_Auth) to the RP;
    the terminal decrypting the K0(nonce1, RP_Auth) to obtain the authentication result for the RP and generating the second key K1; and
    the RP decrypting the Kr,i(K1, UE_Auth), encrypting service contents by using the K1 and sending the service contents to the terminal; and the terminal using the K1 to perform decryption to obtain the service contents;
  and wherein, in the case that the user identity identification is the OpenID, the authentication center is the OP, and the authentication of the authentication center is successful, the method further comprises:
    the authentication center generating a third random number nonce1 and generating a second key K1 according to the nonce1 and the first shared key K0 between the authentication center and the terminal;
    the authentication center encrypting the nonce1 and an authentication assertion RP_Assert for the RP by using the K0 to obtain K0(nonce1, RP_Assert), and encrypting the K1 and an authentication assertion UE_Assert for the terminal by using a shared key Kr,i between the authentication center and the RP to obtain Kr,i(K1, UE_Assert);
    the terminal obtaining the K0(nonce1, RP_Assert) and the Kr,i(K1, UE_Assert) and redirecting the Kr,i(K1, UE_Assert) to the RP;
    the terminal decrypting the K0(nonce1, RP_Assert) to obtain the authentication assertion for the RP and generating the second key K1; and
    the RP decrypting the Kr,i(K1, UE_Assert), encrypting service contents by using the K1 and sending the service contents to the terminal; and the terminal using the K1 to perform decryption to obtain the service contents.
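The key handling of the successful-authentication branch, as an added example that is not part of the patent text: the authentication center derives K1 from K0 and nonce1, seals (nonce1, RP_Auth) under K0 and (K1, UE_Auth) under Kr,i, the terminal relays the Kr,i envelope unread while deriving K1 on its own, and the RP returns the service contents under K1. The claim names neither the key derivation function nor the cipher; HMAC-SHA256 is assumed for the KDF, and a constructed HMAC-based encrypt-then-MAC scheme stands in for the symmetric cipher.

```python
import hashlib, hmac, json, os

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Constructed stand-in for the claim's unspecified symmetric cipher:
    # HMAC-SHA256 keystream in counter mode, then an HMAC tag over iv||ct.
    iv = os.urandom(16)
    stream = b"".join(hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(plaintext) + 31) // 32))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    return iv + ct + hmac.new(key, b"tag" + iv + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    # Verifies the tag first; a wrong key (e.g. the terminal trying K0 on the
    # RP envelope) fails here without exposing any plaintext.
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + iv + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    stream = b"".join(hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(ct) + 31) // 32))
    return bytes(c ^ s for c, s in zip(ct, stream))

def derive_k1(k0: bytes, nonce1: bytes) -> bytes:
    # K1 = f(K0, nonce1); the claim fixes the inputs only, HMAC-SHA256 is assumed.
    return hmac.new(k0, b"K1" + nonce1, hashlib.sha256).digest()

def authentication_center(k0: bytes, kri: bytes):
    # Runs after SIP Digest succeeded: emits K0(nonce1, RP_Auth) and Kr,i(K1, UE_Auth).
    nonce1 = os.urandom(16)
    k1 = derive_k1(k0, nonce1)
    for_terminal = seal(k0, json.dumps({"nonce1": nonce1.hex(), "RP_Auth": "success"}).encode())
    for_rp = seal(kri, json.dumps({"K1": k1.hex(), "UE_Auth": "success"}).encode())
    return for_terminal, for_rp

def run_sso(k0: bytes, kri: bytes, service: bytes) -> dict:
    for_terminal, for_rp = authentication_center(k0, kri)
    # Terminal: opens its own envelope, derives K1 itself, relays for_rp untouched.
    msg = json.loads(unseal(k0, for_terminal))
    k1_terminal = derive_k1(k0, bytes.fromhex(msg["nonce1"]))
    try:
        unseal(k0, for_rp)
        terminal_reads_rp_envelope = True
    except ValueError:
        terminal_reads_rp_envelope = False
    # RP: recovers K1 and UE_Auth with Kr,i, then encrypts the service under K1.
    rp_msg = json.loads(unseal(kri, for_rp))
    delivered = seal(bytes.fromhex(rp_msg["K1"]), service)
    return {"RP_Auth": msg["RP_Auth"], "UE_Auth": rp_msg["UE_Auth"],
            "service": unseal(k1_terminal, delivered),
            "terminal_reads_rp_envelope": terminal_reads_rp_envelope}
```

The returned dictionary shows both authentication results arriving at their intended party, the terminal reading the service with a K1 it never received in the clear, and the terminal's failed attempt to open the envelope it merely relays.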