CN100466803C - A method for realizing terminal-to-network authentication in a code division multiple access network - Google Patents
- Publication number
- CN100466803C (application CNB2006101505367A)
- Authority
- CN
- China
- Prior art keywords
- network
- authentication
- mobile terminal
- random number
- msc
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Landscapes
- Mobile Radio Communication Systems (AREA)
Abstract
The invention discloses a method for realizing authentication of the network by a mobile terminal in a CDMA network. In this method, when the mobile terminal originates a call, receives a call, or sends or receives a short message, it generates a random number and then independently initiates the base station challenge procedure, sending a base station challenge request message via the base station to the MSC/VLR in the CDMA network; the request message carries the random number. The MSC/VLR returns the authentication result derived from that random number to the mobile terminal in a base station challenge response message. The mobile terminal compares the authentication result received from the MSC/VLR with the authentication result it derived itself from the random number; if the two agree, it judges the network legitimate, otherwise it judges the network illegitimate. The invention realizes authentication of the network by the mobile terminal within existing CDMA networks and thereby greatly improves the security of the mobile terminal.
Description
Technical Field
The invention relates to authentication technology in a code division multiple access (CDMA) communication system, and in particular to a method for realizing terminal-to-network authentication in a CDMA network.
Background
With advances in science and technology and the development of society, mobile communication has become ever more widespread, and the mobile phone has become an indispensable part of people's daily life and work. Correspondingly, the security of mobile terminals has attracted growing attention.
At present, authentication technology has been introduced in CDMA networks to protect the security of mobile terminals. That is, when a mobile terminal accesses the network, the network authenticates the mobile terminal to verify whether it is a legitimate terminal, and the network provides service only to legitimate terminals. With such authentication, if an illegitimate user logs on to the network with a legitimate user's information, for example by stealing the international mobile subscriber identity (IMSI) and electronic serial number (ESN) from the legitimate user's user identity module (UIM) card, burning that information onto an illegitimate UIM card and accessing the network with it, the CDMA network identifies the UIM card as illegitimate during authentication and refuses it access, thereby improving the terminal security of legitimate users and protecting their interests.
In existing CDMA networks, such as CDMA IS-95A and CDMA 2000 1X networks, the network entities involved in circuit-domain authentication include the base station subsystem (BSS), the mobile switching center (MSC)/visitor location register (VLR), the home location register (HLR)/authentication center (AC), and so on. Existing authentication procedures include broadcast authentication, unique challenge, shared secret data (SSD) update, call history count (COUNT) update, and others. Of all these procedures, most are the network authenticating the UIM card; only the SSD update procedure includes authentication of the network by the terminal/UIM card. However, that authentication by the terminal/UIM card must take place within the SSD update procedure, and the SSD update procedure is itself controlled and executed by the network. In the prior art, therefore, there is no terminal-to-network authentication operation in the strict sense.
The direct consequence of the absence of terminal-to-network authentication is a great reduction in mobile terminal security. First, an attacker can deceive users with an impersonated network, for example by setting up a terminal with increased transmit power as a fake base station and shielding the existing CDMA network in a local area, so that the terminals in that area attach to the fake base station. Once the terminals are attached to the fake base station, the attacker can read and modify the users' terminal information, so that the users can no longer use their mobile terminals normally; the attacker may even send viruses to the users' terminals to perform unauthorized operations on them, causing the users even greater harm.
Furthermore, if a user's terminal is lost, then, since there is no terminal-to-network authentication, whoever stole the terminal can use it normally on a network in another region. This works against theft prevention for terminals and so also harms the security of mobile terminals.
In view of this, realizing authentication of the network by the mobile terminal in a CDMA network is an urgent problem to be solved, especially for military networks or other networks with relatively high security requirements.
Summary of the Invention
The main object of the present invention is to provide a method for realizing authentication of the network by a mobile terminal in a CDMA network, so as to improve the security of mobile terminals in CDMA networks.
The above object of the present invention is achieved by the following technical scheme:
A method for realizing authentication of the network by a mobile terminal in a CDMA network, comprising at least:
a. When the mobile terminal originates a call, receives a call, or sends or receives a short message, the mobile terminal generates a random number and then initiates the base station challenge procedure, sending a base station challenge request message via the base station to the mobile switching center/visitor location register (MSC/VLR) in the CDMA network, the base station challenge request message carrying the random number;
b. The MSC/VLR returns the authentication result derived from the random number to the mobile terminal in a base station challenge response message;
c. The mobile terminal compares the authentication result received from the MSC/VLR with the authentication result it derived itself from the random number; if the two agree, it judges the network legitimate, otherwise it judges the network illegitimate.
Here, the authentication result derived from the random number is the result of a computation over the random number and the SSD data.
Preferably, the computation is a CAVE computation.
Before the MSC/VLR returns the authentication result to the mobile terminal in step b, the method may further include:
the MSC/VLR computing the authentication result from the random number and the SSD data it holds.
Alternatively, before the MSC/VLR returns the authentication result to the mobile terminal in step b, the method further includes:
the MSC/VLR passing the random number from the mobile terminal through to the home location register/authentication center (HLR/AC);
the HLR/AC computing the authentication result from the random number and the SSD data it holds;
the HLR/AC returning the authentication result to the MSC/VLR.
The method further includes, when the mobile terminal attaches to the network, performing the operation in which the mobile terminal generates a random number and then independently initiates the base station challenge procedure.
In the method of the present invention, the step in which the mobile terminal generates the authentication result from the random number may be part of step a or of step c.
The method of the present invention may further include a step of configuring authentication parameters in the mobile terminal. Specifically, configuring the authentication parameters means configuring any one or any combination of the following: a parameter controlling whether the mobile terminal is allowed to authenticate the network at all; whether network authentication is allowed at network access; whether it is allowed when originating a call; whether it is allowed when receiving a call; whether it is allowed when sending or receiving short messages; and the maximum number of network authentication failures.
Preferably, after the network is judged illegitimate, the method further includes the mobile terminal powering off, restarting, or disconnecting the call.
In the present invention, the generation of the random number and the comparison of the authentication results by the mobile terminal are performed either by the mobile terminal program itself or by the user identity module (UIM) card inside the mobile terminal.
As can be seen from the technical scheme, in the present invention the mobile terminal generates a random number and sends it to the MSC/VLR on the network side. The MSC/VLR returns the result computed from that random number to the mobile terminal. The mobile terminal then checks whether the result returned by the MSC/VLR agrees with its own result computed from the random number; if so, it judges the network legitimate, otherwise illegitimate. In this way, through an authentication procedure initiated by the mobile terminal, authentication of the network by the mobile terminal is realized. The comparison may be performed by the mobile terminal program itself, or the mobile terminal may pass the relevant information to the UIM card, which then performs the comparison.
Since authentication of the network by the mobile terminal is realized, the present invention can prevent the security problems of mobile terminal data being leaked or altered through network spoofing, greatly improving the security of the mobile terminal. Moreover, by authenticating the current network, a lost mobile terminal can no longer be used by an illegitimate user on a network in another region or on another network, which removes the motive for stealing mobile terminals and further improves their security.
Further, the present invention builds on the existing terminal-initiated challenge procedure, so the changes to network equipment are small and the cost of upgrading a network to apply the invention is low, which facilitates its practical application.
Brief Description of the Drawings
Fig. 1 is the overall flowchart of the present invention.
Fig. 2 is the authentication flowchart according to the first embodiment of the present invention.
Fig. 3 is the authentication flowchart according to the second embodiment of the present invention.
Fig. 4 is the message interaction flowchart of the authentication processing when the MS attaches to the network.
Fig. 5 is the message interaction flowchart of the authentication processing when the MS performs a communication operation.
Detailed Description
The present invention is described in detail below with reference to the accompanying drawings and specific embodiments.
The present invention uses the existing base station challenge procedure to realize authentication of the network by the mobile station (MS), so as to remain compatible with existing communication protocols as far as possible and facilitate practical application of the scheme.
According to the present invention, existing CDMA terminals need to be modified: specifically, the terminal must be able to initiate the base station challenge procedure independently on both the control channel and the traffic channel, and it must be able to configure the various data needed for network authentication. Existing base stations must be able to receive and process an independent base station challenge message. No modification of the existing HLR/AC is required.
The overall flow of the present invention is described below with reference to Fig. 1.
In step 101, the MS generates a random number RANDB and uses RANDB together with the SSD parameters it holds to generate the authentication result MS_AUTHR.
Here the MS may generate RANDB with its own random number generator, or it may use the authentication random number broadcast by the mobile network as RANDB. The SSD parameters are stored on the MS during the SSD update procedure; that processing is well known to those skilled in the art and is not detailed here. The MS may use the CAVE algorithm to derive MS_AUTHR from RANDB and the SSD parameters, that is, MS_AUTHR is the result of a CAVE computation over RANDB and the SSD parameters.
In step 102, the MS initiates the base station challenge procedure, sending a base station challenge request message to the MSC/VLR via the base station; the request message carries RANDB.
In step 103, the MSC/VLR obtains the authentication result AC_AUTHR computed from RANDB and the SSD parameters stored on the network side, and sends it to the MS in a base station challenge response message. Naturally, AC_AUTHR here is likewise a CAVE computation over RANDB and the network-side SSD parameters.
In step 104, the MS compares the authentication result AC_AUTHR received from the MSC/VLR with its own authentication result MS_AUTHR; if they are identical, the MS judges the network legitimate in step 105, otherwise it judges the network illegitimate in step 106.
In this way, by having the MS actively initiate the base station challenge procedure, authentication of the network by the MS is realized.
Of course, in the present invention MS_AUTHR need not be computed from the random number and the SSD parameters in step 101; instead the MS may compute it in step 104, after receiving AC_AUTHR from the MSC/VLR, with the same effect. The same applies to the specific embodiments below and is not repeated there.
In addition, the judgement made by the MS in the present invention may be performed by the MS program itself generating the random number, generating the authentication result and making the comparison, or by the UIM card inside the MS doing so. In the latter case, both the random number the UIM card sends to the MSC/VLR and the authentication result it receives from the MSC/VLR are passed transparently through the MS program.
Once the MS has judged the network legitimate, it may use the network normally for calls, short messages and other operations. Once the MS has judged the network illegitimate, it may simply switch itself off to avoid being harmed by the illegitimate network.
In step 103 above, if the MSC/VLR shares the SSD data, the MSC/VLR computes AC_AUTHR directly from RANDB and the SSD parameters it holds; the detailed flow is shown in Fig. 2. If the MSC/VLR does not share the SSD data, the MSC/VLR passes the base station challenge request message through to the HLR/AC, the HLR/AC generates AC_AUTHR, and the MSC/VLR passes the AC_AUTHR from the HLR/AC through to the MS; the detailed flow is shown in Fig. 3.
Fig. 2 shows the authentication flow according to the first embodiment of the present invention, in which the MSC/VLR shares the SSD data. As shown in Fig. 2, in step 201 the MS generates a random number RANDB and uses RANDB together with the SSD parameters it holds to generate the authentication result MS_AUTHR by a CAVE computation.
In step 202, the MS initiates the base station challenge procedure, sending a base station challenge request message to the MSC/VLR via the base station; the request message carries RANDB.
In step 203, after receiving the base station challenge request message from the MS, the MSC/VLR uses the RANDB carried in that message and the SSD data it holds to obtain the authentication result AC_AUTHR by the same CAVE computation.
In step 204, the MSC/VLR sends the AC_AUTHR it computed to the MS in a base station challenge response message.
In step 205, the MS compares the authentication result AC_AUTHR received from the MSC/VLR with its own authentication result MS_AUTHR; if they are identical, the MS judges the network legitimate in step 206, otherwise it judges the network illegitimate in step 207.
Fig. 3 shows the authentication flow according to the second embodiment of the present invention, in which the MSC/VLR does not share the SSD data, that is, the MSC/VLR does not hold the SSD data for the MS. As shown in Fig. 3, in step 301 the MS generates a random number RANDB and uses RANDB together with the SSD parameters it holds to generate the authentication result MS_AUTHR by a CAVE computation.
In step 302, the MS initiates the base station challenge procedure, sending a base station challenge request message to the MSC/VLR via the base station; the request message carries RANDB.
In step 303, after receiving the base station challenge request message from the MS, the MSC/VLR passes the message through to the HLR/AC.
In step 304, the HLR/AC uses the RANDB carried in the message and the SSD data it holds to obtain the authentication result AC_AUTHR by the same CAVE computation.
In step 305, the HLR/AC sends AC_AUTHR to the MSC/VLR in a base station challenge response message.
In step 306, the MSC/VLR passes the base station challenge response message from the HLR/AC through to the MS.
In step 307, the MS compares the authentication result AC_AUTHR received from the MSC/VLR with its own authentication result MS_AUTHR; if they are identical, the MS judges the network legitimate in step 308, otherwise it judges the network illegitimate in step 309.
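The exchange of both embodiments, simulated end to end, as an added example that is not part of the patent or of any CDMA implementation. The MS, MSC/VLR and HLR/AC are plain Python objects; `MscVlr` answers the challenge itself when it holds the shared SSD (Fig. 2) and otherwise passes it through to `HlrAc` (Fig. 3). The CAVE computation is replaced by an HMAC-SHA256 keyed with SSD, which is an assumption of this example, not the patent's algorithm. The `RogueBaseStation` and `ReplayingBaseStation` doubles are constructed to show what the check gives a defender: a network that never learned SSD cannot answer, and a recorded answer only passes when RANDB is reused, which is why the example generates RANDB from the MS's own generator rather than from a value the network broadcast.

```python
import hashlib
import hmac
import os
from typing import Optional


def auth_result(ssd: bytes, randb: bytes) -> bytes:
    """Stand-in for the CAVE computation over (RANDB, SSD) in steps 101/103.
    HMAC-SHA256 is an assumption of this example; real CAVE output differs."""
    return hmac.new(ssd, randb, hashlib.sha256).digest()


class HlrAc:
    """HLR/AC: always holds the subscriber's SSD (steps 304-305)."""
    def __init__(self, ssd: bytes) -> None:
        self.ssd = ssd

    def base_station_challenge(self, randb: bytes) -> bytes:
        return auth_result(self.ssd, randb)


class MscVlr:
    """MSC/VLR. With shared SSD it answers itself (Fig. 2, steps 203-204);
    without it, the request is passed through to the HLR/AC (Fig. 3, 303-306)."""
    def __init__(self, hlr: HlrAc, shared_ssd: Optional[bytes] = None) -> None:
        self.hlr = hlr
        self.shared_ssd = shared_ssd

    def base_station_challenge(self, randb: bytes) -> bytes:
        if self.shared_ssd is not None:
            return auth_result(self.shared_ssd, randb)
        return self.hlr.base_station_challenge(randb)


class RogueBaseStation:
    """Constructed double for the fake base station of the background section:
    it never learned SSD, so it can only answer with a guessed key."""
    def base_station_challenge(self, randb: bytes) -> bytes:
        return auth_result(b"guessed-ssd", randb)


class ReplayingBaseStation:
    """Constructed double that has observed one legitimate (RANDB, AC_AUTHR)
    pair and returns that AC_AUTHR to every challenge."""
    def __init__(self, observed_authr: bytes) -> None:
        self.observed_authr = observed_authr

    def base_station_challenge(self, randb: bytes) -> bytes:
        return self.observed_authr


class MobileStation:
    def __init__(self, ssd: bytes) -> None:
        self.ssd = ssd

    def authenticate_network(self, network, randb: Optional[bytes] = None) -> bool:
        # Step 101: fresh challenge from the MS's own generator (8 bytes here;
        # the width is this example's choice, not the patent's).
        if randb is None:
            randb = os.urandom(8)
        ms_authr = auth_result(self.ssd, randb)
        # Steps 102-103: request out, response back through the MSC/VLR.
        ac_authr = network.base_station_challenge(randb)
        # Step 104: constant-time comparison of the two results.
        return hmac.compare_digest(ms_authr, ac_authr)


# Constructed sample data: one subscriber's SSD, provisioned on MS and HLR/AC.
SSD = bytes.fromhex("00112233445566778899aabbccddeeff")
HLR = HlrAc(SSD)
MS = MobileStation(SSD)


def demo() -> dict:
    """Run the exchange against each kind of network and report the verdicts."""
    observed_randb = b"\xde\xad\xbe\xef\x00\x01\x02\x03"   # constructed
    observed_authr = MscVlr(HLR).base_station_challenge(observed_randb)
    replayer = ReplayingBaseStation(observed_authr)
    return {
        "shared_ssd": MS.authenticate_network(MscVlr(HLR, shared_ssd=SSD)),
        "via_hlr": MS.authenticate_network(MscVlr(HLR)),
        "rogue": MS.authenticate_network(RogueBaseStation()),
        # Reused RANDB lets a recorded answer pass; a fresh one does not.
        "replay_reused_randb": MS.authenticate_network(replayer, randb=observed_randb),
        "replay_fresh_randb": MS.authenticate_network(replayer),
    }


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `True` for both legitimate paths and `False` for the rogue network; the two replay entries differ only in whether RANDB was reused, which is the practical argument for step 101 drawing RANDB from the terminal's own generator.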
In practice, the terminal may initiate authentication of the network when the MS attaches to the network, or it may authenticate the network before the MS originates a call, receives a call, or sends or receives a short message. Both cases are described in detail below.
Fig. 4 is the message flow for authentication of the network by the terminal when the MS attaches to the network; it is assumed here that the MSC/VLR does not share the SSD data. As shown in Fig. 4, in step 401 the MS, after powering on, sends a location update request to the MSC/VLR.
In step 402, the MSC/VLR sends a location update request to the HLR/AC.
In step 403, the HLR/AC performs the location update and returns a location update response message to the MSC/VLR.
In step 404, the MSC/VLR returns a location update accept message to the MS.
Steps 401 to 404 above are the same as the existing location update operation; through them the MS's location registration and the network's authentication of the MS are completed.
Then, in step 405, after receiving the location registration response indicating that location registration succeeded, the MS generates a random number RANDB, uses RANDB together with the SSD parameters it holds to generate the authentication result MS_AUTHR by a CAVE computation, and then sends a base station challenge request message carrying RANDB to the MSC/VLR.
In step 406, after receiving the base station challenge request message from the MS, the MSC/VLR passes the message through to the HLR/AC.
In step 407, the HLR/AC uses the RANDB carried in the message and the SSD data it holds to obtain the authentication result AC_AUTHR by the same CAVE computation, and then sends AC_AUTHR to the MSC/VLR in a base station challenge response message.
In step 408, the MSC/VLR passes the base station challenge response message from the HLR/AC through to the MS.
In step 409, the MS compares the authentication result AC_AUTHR received from the MSC/VLR with its own authentication result MS_AUTHR; if they are identical, the MS judges the network legitimate, otherwise it judges the network illegitimate.
Fig. 5 is the message flow for authentication of the network by the terminal when the MS originates a call, receives a call, or sends or receives a short message; again it is assumed that the MSC/VLR does not share the SSD data. As shown in Fig. 5, in step 501, when the MS originates a call, receives a call, or sends or receives a short message, it first generates a random number RANDB, uses RANDB together with the SSD parameters it holds to generate the authentication result MS_AUTHR by a CAVE computation, and then sends a base station challenge request carrying RANDB to the MSC/VLR.
Here, "originating a call" refers to the point before the MS originates the call, "receiving a call" to the point after the MS has received the page for the incoming call, "sending a short message" to the point before the MS sends the short message, and "receiving a short message" to the point after the page has been received. Moreover, originating and receiving calls here covers not only voice service but also data service.
In step 502, after receiving the base station challenge request message from the MS, the MSC/VLR passes the message through to the HLR/AC.
In step 503, the HLR/AC uses the RANDB carried in the message and the SSD data it holds to obtain the authentication result AC_AUTHR by the same CAVE computation, and then sends AC_AUTHR to the MSC/VLR in a base station challenge response message.
In step 504, the MSC/VLR passes the base station challenge response message from the HLR/AC through to the MS.
In step 505, the MS compares the authentication result AC_AUTHR received from the MSC/VLR with its own authentication result MS_AUTHR; if they are identical, the MS judges the network legitimate and continues with the subsequent call origination, call termination or short message procedure; otherwise it judges the network illegitimate and does not carry out the subsequent procedure.
In the present invention, if the network is judged illegitimate, the verification may be repeated: the MS regenerates MS_AUTHR and initiates the base station challenge procedure towards the network side again. A repetition count may of course be configured; for example, if the network still cannot be authenticated after three repetitions, it is judged illegitimate and no further authentication is attempted.
After the network has finally been judged illegitimate, the MS may power off, or it may disconnect the call, restart the MS, and so on. Other operations, such as raising an alarm, may of course also be performed; the present invention places no restriction on this.
In addition, network authentication can be configured on the MS. For example, whether to authenticate the network at all can be set. After powering on and completing location registration, the MS first reads the configured value to determine whether network authentication is enabled; if so, it performs the processing of the present invention, otherwise it simply performs the prior-art processing.
Besides whether to authenticate the network at all, it is also possible to set whether network authentication is allowed at network access, when originating a call, when receiving a call, and when sending or receiving short messages. The maximum number of network authentication failures can also be set, as can the further action taken after network authentication fails, such as powering off, restarting or disconnecting the call. All of these settings can be provided by the MS program and displayed on the MS screen, and the user can select the displayed options with the keypad to add, delete or modify the settings in the MS.
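The retry limit and the per-event enable flags of the preceding paragraphs, as an added policy example that is not part of the patent. The settings record, its field names and the event names are this example's own; the challenge itself is abstracted as a callable `attempt` returning whether AC_AUTHR matched MS_AUTHR, and `scripted_attempts` is a constructed stand-in for it. The caller proceeds with the call or short message only when the outcome is `"legal"` or `"skipped"`; any other outcome is the configured failure action (power off, restart, disconnect, alarm).

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class NetworkAuthSettings:
    """Hypothetical per-terminal settings record; names are this example's."""
    enabled: bool = True          # authenticate the network at all
    on_access: bool = True        # at network access / location registration
    on_mo_call: bool = True       # when originating a call
    on_mt_call: bool = True       # when receiving a call
    on_sms: bool = True           # when sending or receiving a short message
    max_failures: int = 3         # repetitions before the network is judged illegitimate
    on_failure: str = "power_off"  # or "restart", "disconnect", "alarm"


# Maps an event to the settings flag that gates authentication for it.
_EVENT_FLAG = {
    "access": "on_access",
    "mo_call": "on_mo_call",
    "mt_call": "on_mt_call",
    "sms": "on_sms",
}


def run_network_auth(settings: NetworkAuthSettings, event: str,
                     attempt: Callable[[], bool]) -> Tuple[str, int]:
    """Drive one network-authentication decision for `event`.

    `attempt` performs a single MS-initiated base station challenge and
    returns True when AC_AUTHR matched MS_AUTHR. Returns (outcome, attempts)
    where outcome is "skipped", "legal" or the configured failure action.
    """
    if event not in _EVENT_FLAG:
        raise ValueError(f"unknown event {event!r}")
    if not settings.enabled or not getattr(settings, _EVENT_FLAG[event]):
        return "skipped", 0
    # Each failed challenge is retried with a fresh challenge until the limit.
    for n in range(1, settings.max_failures + 1):
        if attempt():
            return "legal", n
    return settings.on_failure, settings.max_failures


def scripted_attempts(results: List[bool]) -> Callable[[], bool]:
    """Constructed stand-in for the real challenge: yields the given verdicts
    in order, so the policy can be exercised without a network."""
    queue = list(results)
    return lambda: queue.pop(0)


if __name__ == "__main__":
    flaky = scripted_attempts([False, False, True])
    print(run_network_auth(NetworkAuthSettings(), "mo_call", flaky))        # ('legal', 3)
    rogue = scripted_attempts([False, False, False])
    print(run_network_auth(NetworkAuthSettings(), "sms", rogue))            # ('power_off', 3)
```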
Besides initiating network authentication in the situations shown in Fig. 4 and Fig. 5, it can also be configured to be initiated by the user. The user actively initiates network authentication at any time via the screen, and the MS can feed the authentication result back to the user on the screen.
It will be understood that the above merely illustrates the spirit of the present invention and does not limit it.
Claims (11)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB2006101505367A CN100466803C (en) | 2005-01-28 | 2005-01-28 | A method for realizing terminal-to-network authentication in a code division multiple access network |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB2006101505367A CN100466803C (en) | 2005-01-28 | 2005-01-28 | A method for realizing terminal-to-network authentication in a code division multiple access network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1812620A CN1812620A (en) | 2006-08-02 |
CN100466803C true CN100466803C (en) | 2009-03-04 |
Family
ID=36845219
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNB2006101505367A Expired - Fee Related CN100466803C (en) | 2005-01-28 | 2005-01-28 | A method for realizing terminal-to-network authentication in a code division multiple access network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN100466803C (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105792194B (en) * | 2016-04-25 | 2019-06-28 | 中国联合网络通信集团有限公司 | Authentication method, authentication device, the network equipment, the Verification System of base station legitimacy |
CN106028331B (en) * | 2016-07-11 | 2020-03-10 | 华为技术有限公司 | Method and equipment for identifying pseudo base station |
CN106211169A (en) * | 2016-07-28 | 2016-12-07 | 努比亚技术有限公司 | Pseudo-base station identification device and method |
CN108076460B (en) * | 2016-11-15 | 2021-07-30 | 中国移动通信有限公司研究院 | A method and terminal for authentication |
CN109769250B (en) * | 2017-11-09 | 2022-03-29 | 中国电信股份有限公司 | Method, terminal and system for identifying pseudo base station |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1311608A (en) * | 2000-03-01 | 2001-09-05 | 于强敏 | Method for realizing telephone set/card separation on CDMA mobile communication net |
US20030114155A1 (en) * | 2001-12-14 | 2003-06-19 | Nikhil Jain | Method and system for GSM mobile station roaming to IS-41 |
CN1549526A (en) * | 2003-05-16 | 2004-11-24 | 华为技术有限公司 | Method for realizing radio local area network authentication |
- 2005-01-28: CN application CNB2006101505367A filed (granted as CN100466803C); status: Expired - Fee Related
Also Published As
Publication number | Publication date |
---|---|
CN1812620A (en) | 2006-08-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106028331B (en) | Method and equipment for identifying pseudo base station | |
US7565142B2 (en) | Method and apparatus for secure immediate wireless access in a telecommunications network | |
CN1767430B (en) | Authentication method | |
US20070293192A9 (en) | Identification of a terminal to a server | |
CN112291064B (en) | Authentication system, registration and authentication method, device, storage medium and electronic equipment | |
KR20130089651A (en) | Authentication of access terminal identities in roaming networks | |
CN110944319B (en) | 5G communication identity verification method, equipment and storage medium | |
CN105101167A (en) | Data service transmission method and user terminal | |
WO2013185709A1 (en) | Call authentication method, device, and system | |
CN111050324B (en) | 5G terminal equipment access method, equipment and storage medium | |
KR20160143333A (en) | Method for Double Certification by using Double Channel | |
Patel | Weaknesses of North American wireless authentication protocol | |
US8229398B2 (en) | GSM authentication in a CDMA network | |
CN111314919A (en) | Enhanced 5G authentication method for protecting user identity privacy at authentication server | |
CN100466803C (en) | A method for realizing terminal-to-network authentication in a code division multiple access network | |
CN108174380A (en) | Method for accessing network equipment, terminal equipment, and network equipment | |
CN1317903C (en) | Method for sharing mobile terminal by multi-user | |
CN101431754B (en) | Method for preventing clone terminal access | |
Lee et al. | An efficient authentication protocol for mobile communications | |
CN102014388B (en) | Method and system for determining legal terminal | |
KR100292289B1 (en) | System that prevents use after copying information of authentication terminal by using non-authentication terminal | |
CN102036246B (en) | Call historical count (abbreviated as count) updating method and device | |
CN1747384A (en) | Authenticated key set | |
CN110557745A (en) | System and method for managing locking of user equipment | |
CN118828492A (en) | Authentication method, related equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | ||
Granted publication date: 20090304 Termination date: 20130128 |