[go: up one dir, main page]

CN101267663B - Method, system and device for user authentication - Google Patents

Method, system and device for user authentication Download PDF

Info

Publication number
CN101267663B
CN101267663B CN2007100882100A CN200710088210A CN101267663B CN 101267663 B CN101267663 B CN 101267663B CN 2007100882100 A CN2007100882100 A CN 2007100882100A CN 200710088210 A CN200710088210 A CN 200710088210A CN 101267663 B CN101267663 B CN 101267663B
Authority
CN
China
Prior art keywords
core network
network element
request
shared information
subscriber equipment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN2007100882100A
Other languages
Chinese (zh)
Other versions
CN101267663A (en
Inventor
王晓芸
陈璟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to CN2007100882100A priority Critical patent/CN101267663B/en
Publication of CN101267663A publication Critical patent/CN101267663A/en
Application granted granted Critical
Publication of CN101267663B publication Critical patent/CN101267663B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a method for user identity validating, comprising that, A, a user equipment identifying a user equipment identity by using user information containing a unidirectional transformed cell during requesting, and sends the request, wherein, the unidirectional transformed cell is obtained by transformation of sharing information of the user equipment and an interact-interacted core network element; B, the interact-interacted core network element validating the user equipment identity based on the unidirectional transformed cell in the request. In addition, the invention also discloses a system and device for user identity validating. By the unidirectional transformation characteristic, spiteful users can not obtain the transformation rule of the sharing information unidirectional transformed cell, and can not a next sent validated value from an acquired current unidirectional transformed cell, thereby preventing DoS attack of the spiteful users to the core network, and increasing the communication safety.

Description

一种用户身份验证的方法、系统及装置Method, system and device for user authentication

技术领域 technical field

本发明涉及移动通信技术,尤其涉及一种用户身份验证的方法、系统及装置。The present invention relates to mobile communication technology, in particular to a method, system and device for user identity verification.

背景技术 Background technique

在移动通信网络中,为了实现用户的身份保密,通常不直接使用用户的国际移动用户识别码(IMSI,International Mobile Subscriber Identity),而采用分配临时身份标识的方法标识用户身份。In a mobile communication network, in order to keep the user's identity confidential, the user's International Mobile Subscriber Identity (IMSI, International Mobile Subscriber Identity) is usually not directly used, but the method of assigning a temporary identity to identify the user's identity.

例如:在全球移动通信系统(GSM)中,为实现用户的身份保密,GSM系统为用户设备分配了临时身份标识号(TMSI,Temporary Mobile SubscriberIdentity)。具体实现时,拜访位置寄存器(VLR,Visitor Location Register)对进入其访问区的每个用户,都会分配一个TMSI,TMSI存储于VLR的数据库中,用户设备只要使用TMSI和位置区域标识即可标识自己的身份。For example: in the Global System for Mobile Communications (GSM), in order to keep the user's identity confidential, the GSM system assigns a Temporary Mobile Subscriber Identity (TMSI) to the user equipment. During specific implementation, the visitor location register (VLR, Visitor Location Register) will assign a TMSI to each user entering its visit area, and the TMSI is stored in the database of the VLR, and the user equipment can identify itself by using the TMSI and the location area identifier identity of.

同样,在通用移动通信系统(UMTS)中,为了实现用户的身份保密,UMTS为电路域的用户分配了TMSI,为分组域的用户分配了分组域临时身份标识号(P-TMSI),分别与位置区域标识和路由区域标识一起使用来标识用户设备的身份。此外,在无线演进网络中,为了实现对于现有网络的后向兼容性,演进中的网络结构也同样采用了分配P-TMSI的方法来实现用户的身份保密。Similarly, in the Universal Mobile Telecommunications System (UMTS), in order to keep the identity of users confidential, UMTS assigns TMSI to users in the circuit domain, and assigns a temporary identity number (P-TMSI) in the packet domain to users in the packet domain. The location area identifier and the routing area identifier are used together to identify the identity of the user equipment. In addition, in the wireless evolving network, in order to achieve backward compatibility with the existing network, the evolving network structure also adopts the method of allocating P-TMSI to realize user identity confidentiality.

可见,在移动通信网络中,为了避免使用IMSI,提供用户使用已经分配的TMSI或P-TMSI来标识自己的身份。同时为了防止DoS等的攻击,使用TMSI或P-TMSI的签名来保证TMSI或P-TMSI的真实性。It can be seen that in a mobile communication network, in order to avoid using IMSI, users are provided to identify their own identities by using the assigned TMSI or P-TMSI. At the same time, in order to prevent attacks such as DoS, the signature of TMSI or P-TMSI is used to ensure the authenticity of TMSI or P-TMSI.

下面以UMTS分组域的情况为例,对利用P-TMSI的签名来保证TMSI真实性的流程进行详细描述。如图1所示,图1为现有技术中进行身份标识及验证的流程图。该流程包括如下步骤:Taking the case of the UMTS packet domain as an example, the process of using the signature of the P-TMSI to ensure the authenticity of the TMSI will be described in detail below. As shown in FIG. 1 , FIG. 1 is a flowchart of identity identification and verification in the prior art. The process includes the following steps:

步骤101,用户设备向当前希望交互的新服务GPRS支持节点(SGSN,Service GPRS Supporting node)发送请求,该请求中包含P-TMSI,P-TMSI签名(Signature),老路由区标识(RAI,Routing Area Identity)。Step 101, the user equipment sends a request to the new service GPRS support node (SGSN, Service GPRS Supporting node) that currently wishes to interact, and the request includes P-TMSI, P-TMSI signature (Signature), old routing area identification (RAI, Routing Area Identity).

步骤102,新SGSN根据P-TMSI和老RAI可找到原先分配P-TMSI的老SGSN,并向老SGSN发出用户设备的身份请求,该身份请求中包括P-TMSI,P-TMSI签名。Step 102, the new SGSN can find out the old SGSN that originally allocated the P-TMSI according to the P-TMSI and the old RAI, and sends the identity request of the user equipment to the old SGSN, and the identity request includes the P-TMSI and the P-TMSI signature.

步骤103,老SGSN根据P-TMSI及P-TMSI签名确认用户身份后,将存有的用户设备的原始信息,如IMSI,认证向量组等,发给新SGSN。Step 103: After confirming the user identity according to the P-TMSI and the P-TMSI signature, the old SGSN sends the stored original information of the user equipment, such as IMSI, authentication vector group, etc., to the new SGSN.

步骤104,新SGSN收到老SGSN发送的信息,取出其中一个认证向量组,并连同一对随机数发送给用户设备。Step 104, the new SGSN receives the information sent by the old SGSN, takes out one of the authentication vector groups, and sends it to the user equipment together with a pair of random numbers.

步骤105,用户设备收到随机数和认证向量后,使用自己的密钥计算认证向量,如果正确,则计算出认证响应发回给新SGSN。Step 105, after receiving the random number and the authentication vector, the user equipment uses its own key to calculate the authentication vector, and if it is correct, calculates the authentication response and sends it back to the new SGSN.

至此完成了用户设备与当前希望交互的新SGSN之间的认证过程。从上述流程可见,如果没有合法的P-TMSI签名,则恶意用户设备可以附带上从网络上窃听到的或者按照生成规则伪造的P-TMSI以及老RAI发送伪造的请求,导致核心网络资源一直被占用,直到步骤105,恶意用户设备无法计算出合法的认证响应为止。现有技术中,P-TMSI签名在一次明文传送后,会被重分配,并且加密传输给用户设备,因此恶意用户设备在无法得到合法P-TMSI签名的情况下,核心网络可以在步骤102后识别出伪造的请求。So far, the authentication process between the user equipment and the new SGSN that currently wants to interact is completed. It can be seen from the above process that if there is no legal P-TMSI signature, the malicious user equipment can attach the P-TMSI that is eavesdropped on the network or forged according to the generation rules and the old RAI to send a forged request, resulting in core network resources being blocked all the time. Occupy, until step 105, the malicious user equipment cannot calculate a legitimate authentication response. In the prior art, the P-TMSI signature will be redistributed after a clear text transmission, and encrypted transmission to the user equipment, so when the malicious user equipment cannot obtain the legal P-TMSI signature, the core network can A forged request is identified.

但实际应用中,在用户去附着和周期性路由更新时,P-TMSI和P-TMSI签名被明文传送后,并不进行重分配。此时,恶意用户在窃听用户设备的请求后,就得到了合法的P-TMSI和P-TMSI签名,并据此可发起拒绝服务(DoS,Denial of Service)攻击,该DoS攻击一直到步骤105才会被识别出来。如果图1所示流程中的认证过程可选,则该攻击会在更后面的本地认证过程中才被识别出来,导致核心网络资源被长时间占用,加大DoS攻击的危害性。However, in practical applications, when the user is deattached and the periodic route is updated, the P-TMSI and the P-TMSI signature are not redistributed after being transmitted in plain text. At this point, the malicious user obtains the legal P-TMSI and P-TMSI signature after eavesdropping on the request of the user equipment, and can initiate a denial of service (DoS, Denial of Service) attack accordingly, and the DoS attack reaches step 105 will be identified. If the authentication process in the process shown in Figure 1 is optional, the attack will be identified later in the local authentication process, resulting in long-term occupation of core network resources and increasing the harm of DoS attacks.

发明内容 Contents of the invention

有鉴于此,本发明实施例中一方面提供一种用户身份验证的方法;另一方面提供一种用户身份验证的系统及装置,以增强通信安全性。In view of this, on the one hand, the embodiments of the present invention provide a method for user identity verification; on the other hand, they provide a system and device for user identity verification, so as to enhance communication security.

本发明实施例中所提供的用户身份验证的方法,包括:The method for user identity verification provided in the embodiment of the present invention includes:

A、用户设备在请求中,利用包含单向变换信元的用户信息标识用户设备身份,将所述请求发送出去,其中,所述单向变换信元是由用户设备与前次交互的核心网网元的共享信息变换得到的;A. In the request, the user equipment uses the user information containing the one-way transformation information element to identify the identity of the user equipment, and sends the request, wherein the one-way transformation information element is the core network that the user equipment interacted with the previous time. It is obtained by transforming the shared information of network elements;

B、前次交互的核心网网元根据所述请求中的所述单向变换信元,对用户设备的身份进行合法性验证。B. The network element of the core network of the previous interaction performs legality verification on the identity of the user equipment according to the one-way transformation information element in the request.

本发明实施例中所提供的用户身份验证的系统,包括:用户设备和老核心网网元,其中,The user identity verification system provided in the embodiment of the present invention includes: user equipment and old core network elements, wherein,

用户设备,用于发起请求时,在请求中利用包含单向变换信元的用户信息标识用户设备身份,将所述请求发送出去,其中,所述单向变换信元是由用户设备与前次交互的核心网网元的共享信息变换得到的;The user equipment is configured to, when initiating a request, identify the identity of the user equipment by using the user information including the one-way transformation information element in the request, and send the request, wherein the one-way transformation information element is obtained from the user equipment and the previous time It is obtained by transforming the shared information of the interacting core network elements;

老核心网网元,用于根据自身与用户设备的共享信息,及请求中的所述单向变换信元对用户设备的身份进行合法性验证。The network element of the old core network is used to verify the legality of the identity of the user equipment according to the shared information between itself and the user equipment, and the one-way conversion information element in the request.

本发明实施例中所提供的用户设备,包括:第一共享信息单向变换模块和请求发送模块,其中,The user equipment provided in the embodiment of the present invention includes: a first shared information one-way transformation module and a request sending module, wherein,

第一共享信息单向变换模块,用于根据所在用户设备与核心网网元的共享信息,得到所述共享信息的单向变换信元,将所述共享信息的单向变换信元提供给请求发送模块;The first shared information one-way transformation module is used to obtain the one-way transformation information element of the shared information according to the shared information between the user equipment and the network element of the core network, and provide the one-way transformation information element of the shared information to the request sending module;

请求发送模块,用于发起请求时,在请求中利用包含第一共享信息单向变换模块提供的所述共享信息的单向变换信元的用户信息标识用户设备身份,将所述请求发送出去。The request sending module is configured to, when initiating a request, use the user information in the one-way transformation information element containing the shared information provided by the first shared information one-way transformation module to identify the identity of the user equipment in the request, and send the request.

本发明实施例中所提供的核心网网元,包括:第二共享信息单向变换模块和验证模块,其中,The core network element provided in the embodiment of the present invention includes: a second shared information unidirectional conversion module and a verification module, wherein,

第二共享信息单向变换模块,用于根据所在核心网网元与用户设备的共享信息,得到所述共享信息的单向变换信元,将所述共享信息的单向变换信元提供给验证模块;The second shared information one-way transformation module is used to obtain the one-way transformation information element of the shared information according to the shared information between the network element of the core network and the user equipment, and provide the one-way transformation information element of the shared information to the verification module;

验证模块,用于根据第二共享信息单向变换模块提供的所述共享信息的单向变换信元,及请求中的所述共享信息的单向变换信元对用户设备的身份进行合法性验证。A verification module, configured to verify the legitimacy of the identity of the user equipment according to the one-way conversion information element of the shared information provided by the second shared information one-way conversion module and the one-way conversion information element of the shared information in the request .

上述方案中,用户设备在请求中,利用包含用户设备与前次交互的核心网网元的共享信息的单向变换信元的用户信息标识用户设备身份,将所述请求发送出去;核心网网元根据所述请求中的所述共享信息的单向变换信元,对用户设备的身份进行合法性验证。可见,本发明实施例利用单向变换信元的单向变换性,使恶意用户无法得到下一个发送的合法值,从而防止了恶意用户对核心网络进行的DoS攻击等,增强了通信的安全性。In the above solution, in the request, the user equipment uses the user information of the one-way conversion information element containing the shared information of the core network element that the user equipment interacted with last time to identify the identity of the user equipment, and sends the request; the core network The element performs legality verification on the identity of the user equipment according to the one-way transformation information element of the shared information in the request. It can be seen that the embodiment of the present invention utilizes the one-way transformability of the one-way transform cell, so that malicious users cannot obtain the legal value to be sent next, thereby preventing malicious users from performing DoS attacks on the core network, etc., and enhancing the security of communication .

附图说明 Description of drawings

图1为现有技术中进行身份标识及验证的流程图;Fig. 1 is the flowchart of identity identification and verification in the prior art;

图2为本发明实施例中用户身份验证的方法的示例性流程图;Fig. 2 is an exemplary flowchart of a method for user identity verification in an embodiment of the present invention;

图3为现有技术中单向哈希链的示意图;FIG. 3 is a schematic diagram of a one-way hash chain in the prior art;

图4为本发明实施例中用户身份验证的系统的示例性结构图;Fig. 4 is an exemplary structural diagram of a system for user identity verification in an embodiment of the present invention;

图5为图4所示系统中用户设备的一种结构示意图;FIG. 5 is a schematic structural diagram of a user equipment in the system shown in FIG. 4;

图6为图4所示系统中核心网网元的一种结构示意图;FIG. 6 is a schematic structural diagram of a core network element in the system shown in FIG. 4;

图7为本发明应用实施例一中用户身份验证的流程图;FIG. 7 is a flow chart of user identity verification in Application Embodiment 1 of the present invention;

图8为本发明应用实施例二中用户身份验证的流程图;FIG. 8 is a flow chart of user identity verification in Application Embodiment 2 of the present invention;

图9为本发明应用实施例三中用户身份验证的流程图;FIG. 9 is a flow chart of user identity verification in Application Embodiment 3 of the present invention;

图10为本发明应用实施例四中用户身份验证的流程图;FIG. 10 is a flow chart of user identity verification in Application Embodiment 4 of the present invention;

图11为本发明应用实施例五中用户身份验证的流程图。Fig. 11 is a flow chart of user identity verification in the fifth application embodiment of the present invention.

具体实施方式 Detailed ways

参见图2,图2为本发明实施例中用户身份验证的方法的示例性流程图。如图2所示,该流程包括如下步骤:Referring to FIG. 2 , FIG. 2 is an exemplary flowchart of a method for user identity verification in an embodiment of the present invention. As shown in Figure 2, the process includes the following steps:

步骤201,用户设备在请求中,利用包含用户设备与前次交互的核心网网元的共享信息的单向变换信元的用户信息标识用户设备身份,将上述请求发送出去。Step 201: In the request, the user equipment uses the user information of the one-way transformation information element including the shared information of the core network element that the user equipment interacted with last time to identify the identity of the user equipment, and sends the request.

本步骤中,用户设备可以向当前希望交互的新核心网网元发送请求,也可以向前次交互的核心网网元发送请求。当用户设备向当前希望交互的新核心网网元发送请求时,步骤201中的前次交互的核心网网元为老核心网网元;当用户设备向前次交互的核心网网元,即老核心网网元发送请求时,步骤201中的前次交互的核心网网元为该老核心网网元。In this step, the user equipment may send a request to the new core network element that currently wants to interact, or may send a request to the previous core network element to interact with. When the user equipment sends a request to the new core network element that currently wishes to interact, the previous core network element in step 201 is the old core network element; when the user equipment interacts with the previous core network element, that is When the old core network element sends the request, the previous core network element interacted with in step 201 is the old core network element.

其中,用户设备与前次交互的核心网网元的共享信息的单向变换信元,即为由用户设备与前次交互的核心网网元的共享信息变换得到的单向变换信元。用户信息中除了包含该单向变换信元以外,还可以包含用户设备的临时身份标识、区域标识等,且根据应用场景,临时身份标识和区域标识可以为:TMSI和位置区域标识;也可以为:P-TMSI和路由区域标识。且区域标识为前次交互的核心网网元的区域标识。Wherein, the one-way conversion information element of the shared information between the user equipment and the previously interacted core network element is the one-way converted information element obtained by converting the shared information between the user equipment and the previous interacted core network element. In addition to the one-way conversion information element, the user information may also include the temporary identity and area identifier of the user equipment, and according to the application scenario, the temporary identity and area identifier may be: TMSI and location area identifier; : P-TMSI and routing area identifier. And the area identifier is the area identifier of the network element of the core network that interacted last time.

步骤202,前次交互的核心网网元根据上述请求中的共享信息的单向变换信元,对用户设备的身份进行合法性验证。In step 202, the network element of the core network interacted with last time performs legality verification on the identity of the user equipment according to the one-way conversion information element of the shared information in the above request.

当用户设备向当前希望交互的新核心网网元发送请求时,本步骤之前进一步包括:新核心网网元根据请求中的用户信息,如临时身份标识和区域标识,找到老核心网网元,将包含所述用户设备与老核心网网元的共享信息的单向变换信元的用户认证信息发送给老核心网网元,如将临时身份标识和用户设备与老核心网网元的共享信息的单向变换信元发送给老核心网网元。本步骤中,老核心网网元根据自身与用户设备的共享信息,及接收的所述共享信息的单向变换信元对用户设备的身份进行合法性验证。When the user equipment sends a request to the new core network element currently wishing to interact, this step further includes: the new core network element finds the old core network element according to the user information in the request, such as a temporary identity identifier and an area identifier, Send the user authentication information of the one-way transformation information element containing the shared information between the user equipment and the old core network element to the old core network element, such as the temporary identity and the shared information between the user equipment and the old core network element The one-way transformed cells are sent to the old core network elements. In this step, the network element of the old core network performs legality verification on the identity of the user equipment according to the shared information between itself and the user equipment, and the received one-way transformation information element of the shared information.

进一步地,老核心网网元对用户设备的身份验证通过时,可将包括用户设备国际移动用户识别码IMSI、用户设备与老核心网网元的共享信息在内的原始信息发送给新核心网网元。Further, when the identity verification of the user equipment by the network element of the old core network is passed, the original information including the International Mobile Subscriber Identity (IMSI) of the user equipment and the shared information between the user equipment and the network element of the old core network can be sent to the new core network. network element.

用户设备向前次交互的核心网网元发送请求时,本步骤具体为:该前次交互的核心网网元根据自身与用户设备的共享信息,及请求中的所述共享信息的单向变换信元对用户设备的身份进行合法性验证。When the user equipment sends a request to the previous interaction of the core network element, this step is specifically: the previous interaction of the core network element according to the shared information between itself and the user equipment, and the one-way conversion of the shared information in the request The cell performs legality verification on the identity of the user equipment.

其中,用户设备与核心网网元的共享信息可以有不限定的多种,比如:共享信息可以是各移动通信网络中分配的临时身份标识签名,并且临时身份标识签名通过加密发送给用户设备。或者,共享信息也可以是用户设备与核心网网元共享的加密密钥,或者完整性密钥等。Among them, the shared information between the user equipment and the core network elements may be of various kinds without limitation. For example, the shared information may be a temporary identity signature assigned in each mobile communication network, and the temporary identity signature is sent to the user equipment through encryption. Alternatively, the shared information may also be an encryption key shared by the user equipment and a network element of the core network, or an integrity key or the like.

其中,对共享信息的单向变换也可以有不限定的多种,比如单向哈希链变换,加密变换等。Among them, there may be unlimited types of one-way transformations for shared information, such as one-way hash chain transformations, encryption transformations, and the like.

如图3所示,图3为现有技术中单向哈希链的示意图。图3中,单向哈希链S0、S1、S2、......、St-1、St,是按图中所示从St逐个反向利用单向哈希函数而生成的,但使用时,从S0开始正向使用。由于单向哈希函数的特性,从S0不能推出S1、S2、......St,同理,从S1不能推出S2、S3、......St等,因此恶意用户不能猜测下一个发送的合法值,只有拥有St的用户才能生成下一个发送的合法项。As shown in FIG. 3 , FIG. 3 is a schematic diagram of a one-way hash chain in the prior art. In Figure 3, the one-way hash chains S0, S1, S2, ..., St-1, St are generated from St one by one in the reverse direction using the one-way hash function as shown in the figure, but When using, use it forward from S0. Due to the characteristics of the one-way hash function, S1, S2, ... St cannot be derived from S0. Similarly, S2, S3, ... St, etc. cannot be derived from S1, so malicious users cannot guess The next legal value to send, only the user who owns St can generate the next legal item to send.

进行加密变换时,可以使用密钥(key)对共享信息和加密序列号进行加密。其中,加密序列号可以是同步序列标识(SYN,Syncronize sequencenumber),如[共享信息|SYN]key,,[]key表示对括号内的值使用key进行加密,其中SYN为当前所用的加密序列号,每次加密所用的序列号都是不同的,并且用户设备每次都将序列号发送给核心网网元,以便核心网能够认证加密值是否正确。此外,加密序列号还可以是其它的值。另外,加密变换现有技术中也可以有其它的变换方法,此处不再赘述。When encryption transformation is performed, the shared information and the encrypted serial number can be encrypted using a key (key). Among them, the encrypted sequence number can be a synchronization sequence number (SYN, Syncronize sequencenumber), such as [shared information | SYN] key , [] key means to encrypt the value in the brackets using a key, where SYN is the currently used encryption sequence number , the serial number used for each encryption is different, and the user equipment sends the serial number to the network element of the core network each time, so that the core network can verify whether the encrypted value is correct. In addition, the encrypted serial number can also be other values. In addition, there may also be other transformation methods in the prior art for encryption transformation, which will not be repeated here.

上述方法流程可应用于GSM网络中;也可应用于UMTS网络中,包括UMTS网络的电路域以及分组域中;还可应用于无线演变网络中;此外,还可应用于所有采用类似原理的网络中。The above method flow can be applied in GSM network; it can also be applied in UMTS network, including circuit domain and packet domain of UMTS network; it can also be applied in wireless evolution network; in addition, it can also be applied to all networks using similar principles middle.

以上对本发明实施例中用户身份验证的方法进行了详细描述,下面再对本发明实施例中用户身份验证的系统进行详细描述。The method for user identity verification in the embodiment of the present invention has been described in detail above, and the system for user identity verification in the embodiment of the present invention will be described in detail below.

参见图4,图4为本发明实施例中用户身份验证的系统的示例性结构图。如图4中实线部分所示,该系统包括:用户设备和老核心网网元。Referring to FIG. 4, FIG. 4 is an exemplary structural diagram of a system for user identity verification in an embodiment of the present invention. As shown by the solid line in Figure 4, the system includes: user equipment and old core network elements.

其中,用户设备,用于发起请求时,在请求中利用包含用户设备与老核心网网元的共享信息的单向变换信元的用户信息标识用户设备身份,将所述请求发送出去。其中,用户设备与老核心网网元的共享信息的单向变换信元,即为由用户设备与前次交互的核心网网元的共享信息变换得到的单向变换信元。该变换可以为单向哈希链变换,也可以为加密变换等。Wherein, when the user equipment is used to initiate a request, the user information of the one-way conversion information element including the shared information of the user equipment and the old core network element is used in the request to identify the identity of the user equipment, and the request is sent out. Wherein, the one-way conversion information element of the shared information between the user equipment and the old core network element is the one-way conversion information element obtained by converting the shared information between the user equipment and the previously interacted core network element. The transformation can be a one-way hash chain transformation, or an encryption transformation, etc.

其中,用户信息中除了包含用户设备与前次交互的核心网网元的共享信息的单向变换信元以外,还可以包含用户设备的临时身份标识、区域标识等,且根据应用场景,临时身份标识和区域标识可以为:TMSI和位置区域标识;也可以为:P-TMSI和路由区域标识。且区域标识为前次交互的核心网网元的区域标识。Among them, in addition to the one-way conversion information element that contains the shared information between the user equipment and the core network element that interacted with the previous time, the user information may also include the temporary identity and area identifier of the user equipment, and according to the application scenario, the temporary identity The identifier and the area identifier can be: TMSI and location area identifier; also can be: P-TMSI and routing area identifier. And the area identifier is the area identifier of the network element of the core network that interacted last time.

老核心网网元,用于根据自身与用户设备的共享信息,及请求中的所述共享信息的单向变换信元对用户设备的身份进行合法性验证。The network element of the old core network is used to verify the legality of the identity of the user equipment according to the shared information between itself and the user equipment, and the one-way conversion information element of the shared information in the request.

此外,如图4中虚线部分所示,该系统还可以进一步包括:新核心网网元,用于根据来自用户设备的请求中的用户信息,如临时身份标识和区域标识,找到老核心网网元,将包含所述用户设备与老核心网网元的共享信息的单向变换信元的用户认证信息发送给老核心网网元,如将临时身份标识和用户设备与老核心网网元的共享信息的单向变换信元发送给老核心网网元。In addition, as shown in the dotted line in Figure 4, the system may further include: a new core network element, configured to find the old core network network element according to the user information in the request from the user equipment, such as a temporary identity identifier and an area identifier. element, and send the user authentication information of the one-way transformation information element containing the shared information between the user equipment and the old core network element to the old core network element, such as the temporary identity and the user equipment and the old core network element The one-way transformation cell of the shared information is sent to the old core network element.

其中,该系统可以为:GSM网络中的系统;也可以为:UMTS网络电路域中的系统,或者分组域中的系统;还可以为:无线演进网络中的系统以及具有类似原理的网络中的系统等。Wherein, the system may be: a system in the GSM network; it may also be: a system in the circuit domain of the UMTS network, or a system in the packet domain; it may also be: a system in the wireless evolution network and a network with similar principles system etc.

具体实现时,用户设备可以有多种实现形式,下面仅列举一种进行详细说明。如图5所示,图5为用户设备的一种结构示意图。包括:第一共享信息单向变换模块和请求发送模块。During specific implementation, the user equipment may have multiple implementation forms, and only one is listed below for detailed description. As shown in FIG. 5 , FIG. 5 is a schematic structural diagram of a user equipment. It includes: a first shared information one-way conversion module and a request sending module.

其中,第一共享信息单向变换模块,用于根据所在用户设备与核心网网元的共享信息,得到所述共享信息的单向变换信元,将所述共享信息的单向变换信元提供给请求发送模块。Wherein, the first shared information one-way transformation module is configured to obtain the one-way transformation information element of the shared information according to the shared information between the user equipment and the network element of the core network, and provide the one-way transformation information element of the shared information Send module to request.

请求发送模块,用于发起请求时,在请求中利用包含第一共享信息单向变换模块提供的所述共享信息的单向变换信元的用户信息标识用户设备身份,将所述请求发送出去。The request sending module is configured to, when initiating a request, use the user information in the one-way transformation information element containing the shared information provided by the first shared information one-way transformation module to identify the identity of the user equipment in the request, and send the request.

其中,用户信息中除了包含用户设备与前次交互的核心网网元的共享信息的单向变换信元以外,还可以包含用户设备的临时身份标识、区域标识等,且根据应用场景,临时身份标识和区域标识可以为:TMSI和位置区域标识;也可以为:P-TMSI和路由区域标识。且区域标识为前次交互的核心网网元的区域标识。Among them, in addition to the one-way conversion information element that contains the shared information between the user equipment and the core network element that interacted with the previous time, the user information may also include the temporary identity and area identifier of the user equipment, and according to the application scenario, the temporary identity The identifier and the area identifier can be: TMSI and location area identifier; also can be: P-TMSI and routing area identifier. And the area identifier is the area identifier of the network element of the core network that interacted last time.

具体实现时,核心网网元也可以有多种实现形式,下面同样仅列举一种进行详细说明。如图6所示,图6为核心网网元的一种结构示意图。包括:第二共享信息单向变换模块和验证模块。During specific implementation, the network elements of the core network may also have multiple implementation forms, and only one of them will be listed below for detailed description. As shown in FIG. 6, FIG. 6 is a schematic structural diagram of a core network element. It includes: a second shared information one-way transformation module and a verification module.

其中,第二共享信息单向变换模块,用于根据所在核心网网元与用户设备的共享信息,得到所述共享信息的单向变换信元,将所述共享信息的单向变换信元提供给验证模块。Wherein, the second shared information one-way transformation module is configured to obtain the one-way transformation information element of the shared information according to the shared information between the network element of the core network and the user equipment, and provide the one-way transformation information element of the shared information to the verification module.

验证模块,用于根据第二共享信息单向变换模块提供的所述共享信息的单向变换信元,及请求中的所述共享信息的单向变换信元对用户设备的身份进行合法性验证。A verification module, configured to verify the legitimacy of the identity of the user equipment according to the one-way conversion information element of the shared information provided by the second shared information one-way conversion module and the one-way conversion information element of the shared information in the request .

为使本发明实施例的目的、技术方案和优点更加清楚明白,下面结合具体应用实施例和附图,对本发明实施例中的方法及系统进一步详细说明。为描述简便,以下应用实施例中均以用户信息包括:用户设备的临时身份标识、区域标识和用户设备与前次交互的核心网网元的共享信息的单向变换信元的情况为例,并且均以用户认证信息包括:用户设备的临时身份标识和用户设备与前次交互的核心网网元的共享信息的单向变换信元的情况为例。In order to make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the methods and systems in the embodiments of the present invention will be further described in detail below in combination with specific application examples and accompanying drawings. For simplicity of description, in the following application embodiments, the case where the user information includes: the temporary identity of the user equipment, the area identifier, and the one-way conversion information element of the shared information between the user equipment and the core network element that interacted with the previous time is taken as an example, And all take the case that the user authentication information includes: the temporary identity of the user equipment and the one-way conversion information element of the shared information between the user equipment and the network element of the core network that interacted with the previous time as an example.

应用实施例一:Application example one:

本应用实施例中,以UMTS分组域为例进行说明,且用户设备发起服务请求的是UMTS分组域的服务GPRS支持节点(SGSN),即核心网网元为SGSN。假设该实施例中的系统包括:用户设备(UE)、新SGSN和老SGSN,并假设UE与老SGSN交互后,向一个新SGSN发起请求。In this application embodiment, the UMTS packet domain is taken as an example for illustration, and the user equipment initiates the service request from the Serving GPRS Support Node (SGSN) of the UMTS packet domain, that is, the core network element is the SGSN. It is assumed that the system in this embodiment includes: a user equipment (UE), a new SGSN and an old SGSN, and it is assumed that the UE initiates a request to a new SGSN after interacting with the old SGSN.

参见图7,图7为本发明应用实施例一中用户身份验证的流程图。如图7所示,该流程包括如下步骤:Referring to FIG. 7, FIG. 7 is a flow chart of user identity verification in Application Embodiment 1 of the present invention. As shown in Figure 7, the process includes the following steps:

步骤701,用户设备向当前希望交互的新SGSN发送请求,该请求中包含P-TMSI,A’,老RAI。其中A’是用户设备与老SGSN共享的信息A单向变换后的信元。Step 701, the user equipment sends a request to the new SGSN that currently wants to interact, and the request includes P-TMSI, A', and old RAI. Among them, A' is the information element after one-way transformation of the information A shared by the user equipment and the old SGSN.

其中,A可以为:临时身份标识签名,或加密密钥,或完整密钥。其中,临时身份标识签名可以为TMSI,也可以为P-TMSI等。Among them, A can be: a temporary identity signature, or an encryption key, or a complete key. Wherein, the temporary identity signature may be TMSI, or P-TMSI, etc.

步骤702,新SGSN根据P-TMSI和老RAI能找到原先共享有信息A的老SGSN,并向该老SGSN发出用户设备的身份请求,该身份请求中包括P-TMSI和A’。Step 702, the new SGSN can find the old SGSN that originally shared the information A according to the P-TMSI and the old RAI, and sends the identity request of the user equipment to the old SGSN, and the identity request includes P-TMSI and A'.

步骤703,老SGSN因为存有共享的信息A,因此能验证A’的合法性,从而可以认证该用户设备是否是真实的。若验证通过,则老的SGSN可将用户设备原先的信息,如IMSI,认证向量组以及用户设备与老SGSN共享的信息A等,发给新SGSN。Step 703, because the old SGSN has shared information A, it can verify the legitimacy of A', so as to verify whether the user equipment is authentic. If the verification is passed, the old SGSN can send the original information of the user equipment, such as IMSI, authentication vector group, and information A shared between the user equipment and the old SGSN, to the new SGSN.

可见,以上过程通过步骤701至步骤703三个步骤,便可完成对用户设备的认证过程。It can be seen that the above process passes through three steps from step 701 to step 703 to complete the authentication process of the user equipment.

上述流程中,如果新SGSN不重新分配P-TMSI,也不更改用户设备与老SGSN共享的信息A,则下次用户设备再向该新SGSN发送请求时,将使用共享信息A再次变换后的信元A”来认证自己,依次类推。如果用户设备使用A”来认证自己后,又再次向另一新SGSN发送请求,则此时,用户设备同样会再使用进一步单向变换后的A”’来认证自己。因为这些变换都是单向变换,所以恶意用户既不能从A’推出A,也不能从A’推出A”等,因此这种机制不但能保证对用户设备的认证,同时也防止了恶意终端对核心网络进行的DoS攻击。In the above process, if the new SGSN does not reallocate the P-TMSI and does not change the information A shared by the user equipment and the old SGSN, then the next time the user equipment sends a request to the new SGSN, it will use the changed shared information A A" to authenticate itself, and so on. If the user equipment uses A" to authenticate itself, and then sends a request to another new SGSN again, at this time, the user equipment will also use A" after further unidirectional transformation ' to authenticate themselves. Because these transformations are one-way transformations, malicious users can neither launch A from A', nor launch A from A', etc. Therefore, this mechanism can not only guarantee the authentication of user equipment, but also DoS attacks on the core network by malicious terminals are prevented.

应用实施例二:Application example two:

本应用实施例中,仍以UMTS分组域为例进行说明,且UMTS分组域中的核心网网元为SGSN。假设该实施例中的系统包括:UE和老SGSN,并假设单向变换采用的是单向哈希链,UE和老SGSN共享的信息为P-TMSI签名,即图3中的St为P-TMSI签名。In this application embodiment, the UMTS packet domain is still taken as an example for illustration, and the network element of the core network in the UMTS packet domain is the SGSN. Assume that the system in this embodiment includes: UE and old SGSN, and assume that the one-way transformation adopts a one-way hash chain, and the information shared by UE and old SGSN is P-TMSI signature, that is, S t in Figure 3 is P - TMSI signature.

参见图8,图8为本发明应用实施例二中用户身份验证的流程图。如图8所示,该流程包括如下步骤:Referring to FIG. 8 , FIG. 8 is a flow chart of user identity verification in Application Embodiment 2 of the present invention. As shown in Figure 8, the process includes the following steps:

步骤801,用户设备向当前希望交互的老SGSN发送请求,该请求中包含P-TMSI,[P-TMSI签名]m,m和老RAI。其中数值m表明[P-TMSI签名]m是P-TMSI签名构成的单向哈希链的第m+1项。Step 801, the user equipment sends a request to the old SGSN that currently wants to interact, and the request includes P-TMSI, [P-TMSI signature] m , m and the old RAI. The value m indicates that [P-TMSI signature] m is the m+1th item of the one-way hash chain formed by the P-TMSI signature.

步骤802,由于老SGSN有P-TMSI签名,因此能验证[P-TMSI签名]m的合法性,从而可以认证该用户设备是否是真实的。Step 802, since the old SGSN has a P-TMSI signature, it can verify the legitimacy of [P-TMSI signature] m , thereby verifying whether the user equipment is authentic.

之后,如果P-TMSI不重新分配,下次用户设备使用的是[P-TMSI签名]m+1,即P-TMSI签名构成的单向哈希链的第m+2项,根据单向哈希函数链的特性,只有知道P-TMSI签名的用户才能得到[P-TMSI签名]m+1,因此这种机制能保证对用户设备的认证,同时因为从[P-TMSI签名]m推不出[P-TMSI签名]m+1,所以恶意终端对核心网络进行的DoS攻击可以在步骤802中就被识破。After that, if the P-TMSI is not redistributed, the next time the user equipment uses [P-TMSI signature] m+1 , that is, the m+2th item of the one-way hash chain formed by the P-TMSI signature, according to the one-way hash The characteristic of the Greek function chain, only the user who knows the P-TMSI signature can get [P-TMSI signature] m+1 , so this mechanism can guarantee the authentication of the user equipment, and because the [P-TMSI signature] m cannot be pushed [P-TMSI signature] m+1 is generated, so the DoS attack on the core network by the malicious terminal can be detected in step 802.

应用实施例三:Application Example Three:

本应用实施例中,以无线演进网络为例进行说明,且用户设备发起服务请求的是无线演进网络的移动性管理实体(MME),假设该实施例中的系统包括:UE、老MME和新MME,并假设UE和老SGSN共享的信息为P-TMSI签名,对P-TMSI签名的单向变换采用单向哈希链,即图3中的St为P-TMSI签名。In this application embodiment, the wireless evolved network is taken as an example for illustration, and the user equipment initiates the service request from the mobility management entity (MME) of the wireless evolved network. It is assumed that the system in this embodiment includes: UE, old MME and new MME assumes that the information shared by the UE and the old SGSN is the P-TMSI signature, and the one-way transformation of the P-TMSI signature uses a one-way hash chain, that is, S t in Figure 3 is the P-TMSI signature.

其中MME是无线演进网络的一个逻辑功能实体,负责控制面的移动性管理,包括用户上下文和移动状态管理,分配用户临时身份标识、安全功能等。本实施例中,假设UE与老MME交互后,向一个新MME发起请求。The MME is a logical functional entity of the wireless evolved network, which is responsible for the mobility management of the control plane, including user context and mobility state management, allocation of user temporary identities, and security functions. In this embodiment, it is assumed that the UE initiates a request to a new MME after interacting with the old MME.

参见图9,图9为本发明应用实施例三中用户身份验证的流程图。如图9所示,该流程包括如下步骤:Referring to FIG. 9, FIG. 9 is a flow chart of user identity verification in Application Embodiment 3 of the present invention. As shown in Figure 9, the process includes the following steps:

步骤901,用户设备向当前希望交互的新MME发送请求,该请求中包含P-TMSI,[P-TMSI签名]0,0,老RAI。其中数值0表明[P-TMSI Signature]0是P-TMSI签名生成的单向哈希链的第一项。Step 901, the user equipment sends a request to the new MME that currently wants to interact, and the request includes P-TMSI, [P-TMSI signature] 0, 0, old RAI. The value 0 indicates that [P-TMSI Signature] 0 is the first item of the one-way hash chain generated by the P-TMSI signature.

步骤902,新MME根据P-TMSI和老RAI能找到原先分配P-TMSI和P-TMSI签名的老MME,并向老MME发出用户设备的身份请求,该身份请求中包括P-TMSI和[P-TMSI签名]0,0。Step 902, the new MME can find the old MME that originally assigned P-TMSI and P-TMSI signature according to the P-TMSI and the old RAI, and sends the identity request of the user equipment to the old MME, the identity request includes P-TMSI and [P -TMSI-Signature] 0 , 0.

步骤903,老MME因为存有P-TMSI签名,因此能验证[P-TMSI签名]0的合法性,从而可以认证该用户设备是否是真实的。若验证通过,则老MME可将用户设备原先的信息,如IMSI,认证向量组,P-TMSI签名等,发给新MME。In step 903, the old MME can verify the legitimacy of [P-TMSI signature] 0 because it has the P-TMSI signature, so as to verify whether the user equipment is authentic. If the verification is passed, the old MME can send the original information of the user equipment, such as IMSI, authentication vector set, P-TMSI signature, etc., to the new MME.

上述流程中,如果新MME不重新分配P-TMSI,也不更改用户设备与老MME共享的信息P-TMSI签名,则下次用户设备再向该新MME发送请求时,将使用共享信息再次变换后的信元[P-TMSI签名]1,1来认证自己,依次类推。如果用户设备使用[P-TMSI签名]1,1来认证自己后,又再次向另一新MME发送请求,则此时,用户设备同样会再使用进一步单向变换后的[P-TMSI签名]2,2来认证自己。In the above process, if the new MME does not reallocate the P-TMSI and does not change the information P-TMSI signature shared by the user equipment and the old MME, then the next time the user equipment sends a request to the new MME, it will use the shared information to change again. The following cell [P-TMSI signature] 1 , 1 to authenticate itself, and so on. If the user equipment uses [P-TMSI signature] 1 , 1 to authenticate itself, and then sends a request to another new MME again, then at this time, the user equipment will also use the further one-way transformed [P-TMSI signature] 2 , 2 to authenticate yourself.

应用实施例二和应用实施例三中的系统中的用户设备在具体实现时,可与图5所示用户设备的组成、连接关系及功能的描述一致。另外上述两个应用实施例中的用户设备中的第一共享信息单向变换模块可具体为:第一单向哈希链变换模块,用于对用户设备与核心网网元的共享信息进行单向哈希链变换,得到该共享信息的单向变换信元,将所得到的单向变换信元提供给请求发送模块。The user equipment in the system in the second application embodiment and the third application embodiment may be implemented in accordance with the composition, connection relationship and function description of the user equipment shown in FIG. 5 . In addition, the first shared information one-way conversion module in the user equipment in the above two application embodiments may specifically be: a first one-way hash chain conversion module, which is used to perform one-way conversion of the shared information between the user equipment and the core network element Transform to the hash chain to obtain the one-way transformed information element of the shared information, and provide the obtained one-way transformed information element to the request sending module.

老核心网网元在具体实现时,可与图6所示老核心网网元的组成、连接关系及功能的描述一致。另外上述两个应用实施例中的老核心网网元中的第二共享信息单向变换模块可具体为:第二单向哈希链变换模块,用于对核心网网元与用户设备的共享信息进行单向哈希链变换,得到该共享信息的单向变换信元,将所得到的单向变换信元提供给验证模块。When the network element of the old core network is specifically implemented, it may be consistent with the description of the composition, connection relationship and function of the network element of the old core network shown in FIG. 6 . In addition, the second shared information one-way conversion module in the old core network network element in the above two application embodiments may specifically be: the second one-way hash chain conversion module, which is used to share the core network network element and the user equipment The information is transformed into a one-way hash chain to obtain a one-way transformed information element of the shared information, and the obtained one-way transformed information element is provided to the verification module.

应用实施例四:Application example four:

本应用实施例中,仍以无线演进网络为例进行说明,且核心网网元为MME,假设该实施例中的系统包括:UE、老MME、新MME和归属地用户服务器(HSS),并假设UE和老MME共享的信息为P-TMSI签名,对P-TMSI签名的单向变换采用对P-TMSI签名及当前加密序列号SYN加密来完成,其加密密钥为UE与HSS之间共享的密钥A,或密钥A的变换值。其中,每次加密时,SYN的取值均不同,并且UE每次都将SYN的取值发送给MME。其中A的变换值可以是A经过变换之后的值。In this application embodiment, the wireless evolved network is still taken as an example for illustration, and the network element of the core network is an MME. It is assumed that the system in this embodiment includes: UE, old MME, new MME, and Home Subscriber Server (HSS), and Assuming that the information shared by UE and old MME is P-TMSI signature, the one-way transformation of P-TMSI signature is completed by encrypting P-TMSI signature and current encryption serial number SYN, and the encryption key is shared between UE and HSS The key A, or the transformed value of key A. Wherein, the value of the SYN is different each time of encryption, and the UE sends the value of the SYN to the MME each time. The transformed value of A may be a transformed value of A.

参见图10,图10为本发明应用实施例四中用户身份验证的流程图。如图10所示,该流程包括如下步骤:Referring to FIG. 10 , FIG. 10 is a flow chart of user identity verification in Application Embodiment 4 of the present invention. As shown in Figure 10, the process includes the following steps:

步骤1001,用户设备向当前希望交互的新MME发送请求,该请求中包含P-TMSI,[P-TMSI签名|SYN]A,1,老RAI。其中数值1表明序列号为1,[P-TMSI签名|SYN]A是P-TMSI签名使用A进行加密变换的第一项。Step 1001, the user equipment sends a request to the new MME that currently wants to interact, and the request includes P-TMSI, [P-TMSI signature|SYN] A , 1, old RAI. The value 1 indicates that the serial number is 1, and [P-TMSI signature|SYN] A is the first item of P-TMSI signature using A for encryption transformation.

步骤1002,新MME根据P-TMSI和老RAI能找到原先分配P-TMSI和P-TMSI签名的老MME,并向老MME发出用户设备的身份请求,该身份请求中包括P-TMSI和[P-TMSI签名|SYN]AStep 1002, the new MME can find the old MME that originally assigned the P-TMSI and P-TMSI signature according to the P-TMSI and the old RAI, and sends an identity request of the user equipment to the old MME, the identity request includes P-TMSI and [P -TMSI-Signature|SYN] A.

步骤1003,老MME不能解开[P-TMSI签名|SYN]A,因为A是UE与HSS之间的共享密钥,所以老MME发[P-TMSI签名|SYN]A给HSS。HSS因为存有密钥A,因此能解密并验证[P-TMSI签名|SYN]A的合法性,从而可以认证该用户设备是否是真实的。Step 1003, the old MME cannot unlock [P-TMSI signature | SYN] A , because A is the shared key between UE and HSS, so the old MME sends [P-TMSI signature | SYN] A to HSS. Because the HSS stores the key A, it can decrypt and verify the legitimacy of [P-TMSI signature|SYN] A , so as to verify whether the user equipment is authentic.

步骤1004,HSS发信息给老MME,告知该用户设备是真实的。则验证通过,老的MME可将用户原先的信息,如IMSI,认证向量组以及用户设备与老MME共享的信息P-TMSI签名等,发给新MME。Step 1004, the HSS sends a message to the old MME, informing that the UE is authentic. If the verification is passed, the old MME can send the original information of the user, such as IMSI, authentication vector group and information P-TMSI signature shared by the user equipment and the old MME, to the new MME.

应用实施例五:Application embodiment five:

本应用实施例中,仍以无线演进网络为例进行说明,且核心网网元为MME,假设该实施例中的系统包括:UE,老MME、新MME,并假设UE和老MME共享的信息为P-TMSI签名,对P-TMSI签名的单向变换采用对P-TMSI签名及当前加密序列号Xi加密来完成。其加密密钥为上一次与老MME交互的加密密钥或完整性密钥A。其中,每次加密时,Xi的取值均不同,并且UE每次都将Xi的取值发送给MME。In this application embodiment, the wireless evolved network is still used as an example for illustration, and the network element of the core network is an MME. It is assumed that the system in this embodiment includes: UE, old MME, and new MME, and it is assumed that the information shared by UE and old MME To sign the P-TMSI, the one-way transformation of the P-TMSI signature is completed by encrypting the P-TMSI signature and the current encrypted serial number Xi. Its encryption key is the encryption key or integrity key A last interacted with the old MME. In each encryption, the value of Xi is different, and the UE sends the value of Xi to the MME each time.

参见图11,图11为本发明应用实施例五中用户身份验证的流程图。如图11所示,该流程包括如下步骤:Referring to FIG. 11 , FIG. 11 is a flow chart of user identity verification in the fifth application embodiment of the present invention. As shown in Figure 11, the process includes the following steps:

步骤1101,用户设备向当前希望交互的新MME发送请求,该请求中包含P-TMSI,[P-TMSI签名|Xi]A,1,老RAI。其中数值1表明序列号为1,[P-TMSI签名|Xi]A是P-TMSI签名使用A进行加密变换的第一项。Step 1101, the user equipment sends a request to the new MME that currently wants to interact, and the request includes P-TMSI, [P-TMSI signature|Xi] A , 1, old RAI. The value 1 indicates that the serial number is 1, and [P-TMSI signature|Xi] A is the first item of the P-TMSI signature using A for encryption transformation.

步骤1102,新MME根据P-TMSI和老RAI能找到原先分配P-TMSI和P-TMSI签名的老MME,并向老MME发出用户设备的身份请求,该身份请求中包括P-TMSI和[P-TMSI签名|Xi]AStep 1102, according to the P-TMSI and the old RAI, the new MME can find the old MME that originally assigned the P-TMSI and P-TMSI signature, and send an identity request of the user equipment to the old MME, the identity request includes P-TMSI and [P - TMSI Signature |Xi] A.

步骤1103,老MME可以解开[P-TMSI签名|Xi]A,并验证用户设备是否是真实的,因为A是UE上一次与老MME交互的加密密钥或完整性密钥。验证通过后,老的MME可将用户原先的信息,如IMSI,认证向量组以及用户设备与老MME共享的信息P-TMSI签名等,发给新MME。Step 1103, the old MME can unlock [P-TMSI signature|Xi] A and verify whether the user equipment is authentic, because A is the encryption key or integrity key that the UE interacted with the old MME last time. After passing the verification, the old MME can send the original information of the user, such as IMSI, authentication vector group, and information P-TMSI signature shared by the user equipment and the old MME, to the new MME.

应用实施例四和应用实施例五中的系统中的用户设备在具体实现时,可与图5所示用户设备的组成、连接关系及功能的描述一致。另外上述两个应用实施例中的用户设备中的第一共享信息单向变换模块可具体为:第一单向加密变换模块,用于对用户设备与核心网网元的共享信息进行单向加密变换,得到该共享信息的单向变换信元,将所得到的单向变换信元提供给请求发送模块。The user equipment in the system in the application embodiment 4 and the application embodiment 5 may be implemented in accordance with the composition, connection relationship and function description of the user equipment shown in FIG. 5 . In addition, the first shared information one-way transformation module in the user equipment in the above two application embodiments may specifically be: a first one-way encryption transformation module, which is used to perform one-way encryption on the shared information between the user equipment and the core network element Transform, obtain the one-way transformed information element of the shared information, and provide the obtained one-way transformed information element to the request sending module.

老核心网网元在具体实现时,可与图6所示老核心网网元的组成、连接关系及功能的描述一致。另外上述两个应用实施例中的老核心网网元中的第二共享信息单向变换模块可具体为:第二单向加密变换模块,用于对核心网网元与用户设备的共享信息进行单向加密变换,得到该共享信息的单向变换信元,将所得到的单向变换信元提供给验证模块。When the network element of the old core network is specifically implemented, it may be consistent with the description of the composition, connection relationship and function of the network element of the old core network shown in FIG. 6 . In addition, the second shared information one-way transformation module in the old core network network element in the above two application embodiments may specifically be: a second one-way encryption transformation module, which is used to perform shared information between the core network network element and the user equipment The one-way encryption transformation is used to obtain the one-way transformation information element of the shared information, and the obtained one-way transformation information element is provided to the verification module.

上述应用实施例二至应用实施例五中,为描述简便,均以UE和老SGSN共享的信息为P-TMSI签名,即图3中的St为P-TMSI签名的情况为例进行的描述,对于UE和老SGSN共享的信息为加密密钥,或完整密钥,即图3中的St为加密密钥,或完整密钥的情况,上述四个应用实施例同样适用,只需在上述四个应用实施例中将P-TMSI签名相应地改为加密密钥,或完整密钥即可。In the above application embodiment 2 to application embodiment 5, for the sake of simplicity of description, the information shared by the UE and the old SGSN is the P-TMSI signature, that is, St in Figure 3 is the case of the P-TMSI signature as an example. For the information shared by the UE and the old SGSN is an encryption key, or a complete key, that is, St in Figure 3 is an encryption key, or a complete key, the above four application embodiments are also applicable, only in the above four In an application embodiment, the P-TMSI signature can be changed to an encryption key or a complete key accordingly.

从上述各实施例中可见,通过利用单向变换信元的单向变换性,使恶意用户无法获取共享信息单向变换信元的变换规律,因此不能从窃取的当前单向变换信元推知下一个单向变换信元及共享信息本身,即无法得到下一个发送的合法值,从而防止了恶意用户对核心网络进行的DoS攻击等,增强了通信的安全性。It can be seen from the above embodiments that by utilizing the one-way transformability of the one-way transform cell, the malicious user cannot obtain the transform rule of the shared information one-way transform cell, so the following information cannot be deduced from the stolen current one-way transform cell. A one-way transformation cell and the shared information itself cannot get the legal value to be sent next, thereby preventing malicious users from DoS attacks on the core network, etc., and enhancing communication security.

以上所述的具体实施例,对本发明的目的、技术方案和有益效果进行了进一步详细说明,所应理解的是,以上所述仅为本发明的较佳实施例而已,并非用于限定本发明的保护范围,凡在本发明的精神和原则之内,所作的任何修改、等同替换、改进等,均应包含在本发明的保护范围之内。The specific embodiments described above have further described the purpose, technical solutions and beneficial effects of the present invention in detail. It should be understood that the above descriptions are only preferred embodiments of the present invention and are not intended to limit the present invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.

Claims (17)

1. the method for a subscriber authentication is characterized in that, this method comprises:
A, subscriber equipment are in request; Utilization comprises the user profile identifying user equipment identities of monotonic transformation cell; Described request is sent, and wherein, said monotonic transformation cell is to be obtained by the subscriber equipment and the shared information conversion of mutual core network element last time;
B, last time mutual core network element carry out legitimate verification according to the said monotonic transformation cell in the described request to the identity of subscriber equipment.
2. the method for claim 1 is characterized in that, request described in the steps A is: the request that subscriber equipment sends to the mutual new core network element of current hope; Said last time mutual core network element is: old core network element;
Further comprise before the said step B: new core network element finds old core network element according to the said user profile in the described request, and the user authentication information that will comprise said subscriber equipment and the monotonic transformation cell of the shared information of old core network element sends to old core network element.
3. the method for claim 1 is characterized in that, request described in the steps A is: the request that subscriber equipment sends to last time mutual core network element;
Said step B is specially: this last time mutual core network element is according to the shared information of self and subscriber equipment, and the monotonic transformation cell of the said shared information in the request carries out legitimate verification to the identity of subscriber equipment.
4. like each described method in the claim 1 to 3, it is characterized in that said core network element is: Serving GPRS Support Node SGSN; Perhaps mobile management entity MME.
5. like each described method in the claim 1 to 3, it is characterized in that said user profile also comprises: temporary identity identification number TMSI and location area;
Perhaps also comprise: packet domain temporary identity identification number P-TMSI and Tracking Area Identifier.
6. like each described method in the claim 1 to 3, it is characterized in that said subscriber equipment with the shared information of mutual core network element last time is: temporary identity sign signature, or encryption key, or complete key.
7. like each described method in the claim 1 to 3, it is characterized in that said being transformed to: the one-way hash function chain transformaiton; Perhaps be: enciphering transformation.
8. method as claimed in claim 7 is characterized in that, if the said enciphering transformation that is transformed to, then said enciphering transformation is specially: utilize key K ey that said shared information and ciphering sequence number are encrypted.
9. method as claimed in claim 8 is characterized in that, said Key is: subscriber equipment and last time mutual mutual encryption key or the Integrity Key of core network element;
Perhaps be: the subscriber equipment that core network element obtains from ownership place client server HSS and the transformed value of HSS cipher key shared or key.
10. the system of a subscriber authentication is characterized in that, this system comprises: subscriber equipment and old core network element, wherein,
Subscriber equipment; When being used for initiation request, in request, utilize the user profile identifying user equipment identities that comprises the monotonic transformation cell, described request is sent; Wherein, said monotonic transformation cell is to be obtained by the subscriber equipment and the shared information conversion of mutual core network element last time;
Old core network element is used for the shared information according to self and subscriber equipment, and the said monotonic transformation cell in the described request carries out legitimate verification to the identity of subscriber equipment.
11. system as claimed in claim 10; It is characterized in that; This system further comprises: new core network element; Be used for finding old core network element according to the said user profile from the request of subscriber equipment, the user authentication information that will comprise said subscriber equipment and the monotonic transformation cell of the shared information of old core network element sends to old core network element.
12., it is characterized in that said system is: the system in the GSM network like claim 10 or 11 described systems; Perhaps be: the system in the UMTS lattice network territory; Perhaps be: the system in the UMTS network packet territory; Perhaps be: the system in the wireless evolution network.
13. a subscriber equipment is characterized in that, this subscriber equipment comprises: first shares information monotonic transformation module and request sending module, wherein,
First shares information monotonic transformation module, is used for the shared information according to place subscriber equipment and core network element, obtains the monotonic transformation cell of said shared information, and the monotonic transformation cell of said shared information is offered request sending module;
Request sending module, when being used for initiation request, in request, utilize comprise first share the monotonic transformation cell of the said shared information that information monotonic transformation module provides user profile identifying user equipment identities, described request is sent.
14. subscriber equipment as claimed in claim 13; It is characterized in that; Said first shares information monotonic transformation module is: the first one-way hash chain conversion module; Be used for the shared information of subscriber equipment and core network element is carried out the one-way hash function chain transformaiton, obtain the monotonic transformation cell of this shared information, resulting monotonic transformation cell is offered request sending module;
Perhaps be: the first One-Way Encryption conversion module, be used for the shared information of core network element and subscriber equipment is carried out the One-Way Encryption conversion, obtain the monotonic transformation cell of this shared information, resulting monotonic transformation cell is offered request sending module.
15. a core network element is characterized in that, this core network element comprises: second shares information monotonic transformation module and authentication module, wherein,
Second shares information monotonic transformation module, is used for the shared information according to place core network element and subscriber equipment, obtains the monotonic transformation cell of said shared information, and the monotonic transformation cell of said shared information is offered authentication module;
Authentication module be used for the monotonic transformation cell of sharing the said shared information that information monotonic transformation module provides according to second, and the monotonic transformation cell of the said shared information in the request carries out legitimate verification to the identity of subscriber equipment.
16. core network element as claimed in claim 15; It is characterized in that; Said second shares information monotonic transformation module is: the second one-way hash chain conversion module; Be used for the shared information of subscriber equipment and core network element is carried out the one-way hash function chain transformaiton, obtain the monotonic transformation cell of this shared information, resulting monotonic transformation cell is offered authentication module;
Perhaps be: the second One-Way Encryption conversion module, be used for the shared information of core network element and subscriber equipment is carried out the One-Way Encryption conversion, obtain the monotonic transformation cell of this shared information, resulting monotonic transformation cell is offered authentication module.
17., it is characterized in that this core network element is SGSN like claim 15 or 16 described core network elements, or be MME.
CN2007100882100A 2007-03-15 2007-03-15 Method, system and device for user authentication Expired - Fee Related CN101267663B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2007100882100A CN101267663B (en) 2007-03-15 2007-03-15 Method, system and device for user authentication

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2007100882100A CN101267663B (en) 2007-03-15 2007-03-15 Method, system and device for user authentication

Publications (2)

Publication Number Publication Date
CN101267663A CN101267663A (en) 2008-09-17
CN101267663B true CN101267663B (en) 2012-02-22

Family

ID=39989719

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2007100882100A Expired - Fee Related CN101267663B (en) 2007-03-15 2007-03-15 Method, system and device for user authentication

Country Status (1)

Country Link
CN (1) CN101267663B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101931662B (en) * 2010-08-30 2015-05-13 清华大学 Method and system for conflicted address detection and address resolution/address unreachable detection
CN108985765A (en) * 2018-08-13 2018-12-11 中国联合网络通信集团有限公司 Enterprise user information processing method, equipment and storage medium
CN110248334B (en) * 2019-06-25 2021-03-26 西南交通大学 LTE-R vehicle-ground communication non-access stratum authentication method
CN116664393B (en) * 2023-07-05 2024-02-27 北京大学 Face data bleaching method, device, computing equipment and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1614923A (en) * 2003-11-07 2005-05-11 华为技术有限公司 Method for distributing session affairs identifier
CN1694570A (en) * 2005-06-17 2005-11-09 中兴通讯股份有限公司 Method for setting safety channel between mobile user and application server

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1614923A (en) * 2003-11-07 2005-05-11 华为技术有限公司 Method for distributing session affairs identifier
CN1694570A (en) * 2005-06-17 2005-11-09 中兴通讯股份有限公司 Method for setting safety channel between mobile user and application server

Also Published As

Publication number Publication date
CN101267663A (en) 2008-09-17

Similar Documents

Publication Publication Date Title
US11757635B2 (en) Client authentication and access token ownership validation
US8352739B2 (en) Two-factor authenticated key exchange method and authentication method using the same, and recording medium storing program including the same
JP5118048B2 (en) Method and apparatus for establishing a security association
CN1977514B (en) Authenticating users
CN101969638B (en) Method for protecting international mobile subscriber identity (IMSI) in mobile communication
US20060059344A1 (en) Service authentication
CN1929371B (en) Method for negotiating key share between user and peripheral apparatus
US20160365982A1 (en) System and method for secure end-to-end messaging system
CN101039181B (en) Method for preventing service function entity of general authentication framework from attack
CN108964897B (en) Identity authentication system and method based on group communication
CN108964896B (en) Kerberos identity authentication system and method based on group key pool
Patel et al. Vehiclechain: Blockchain-based vehicular data transmission scheme for smart city
CN109525565B (en) Defense method and system for short message interception attack
WO2013034187A1 (en) Secure communication
US11582201B1 (en) Establishing and maintaining trusted relationship between secure network devices in secure peer-to-peer data network based on obtaining secure device identity containers
Dua et al. Replay attack prevention in Kerberos authentication protocol using triple password
Ren et al. PEACE: A novel privacy-enhanced yet accountable security framework for metropolitan wireless mesh networks
CN114339735B (en) Method for authenticating anonymous access of world integrated network based on NTRU
CN105075175A (en) Method and device for establishing session key
He et al. An accountable, privacy-preserving, and efficient authentication framework for wireless access networks
CN101192927B (en) Authorization based on identity confidentiality and multiple authentication method
Kumar et al. Blockchain-enabled secure communication for unmanned aerial vehicle (UAV) networks
CN108964895B (en) User-to-User identity authentication system and method based on group key pool and improved Kerberos
CN100499453C (en) Method of the authentication at client end
CN101267663B (en) Method, system and device for user authentication

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20080917

Assignee: APPLE Inc.

Assignor: HUAWEI TECHNOLOGIES Co.,Ltd.

Contract record no.: 2015990000755

Denomination of invention: A method, system and device for user identity validation

Granted publication date: 20120222

License type: Common License

Record date: 20150827

LICC Enforcement, change and cancellation of record of contracts on the licence for exploitation of a patent or utility model
CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120222