CN101631309B - Method, device and system for authenticating terminal based on home base station network - Google Patents
Publication number: CN101631309B (application CN200810040806.8A)
Authority: CN (China)
Legal status: Expired - Fee Related
Classification: Mobile Radio Communication Systems
Abstract
The invention discloses a method, device and system for authenticating a terminal based on a home base station network. The method includes: generating a random number; sending the random number to the terminal through a home base station access point; receiving a request sent by the terminal that carries an authentication response parameter and the random number; checking whether the random number carried in the request is the same as the random number that was sent to the terminal and, if it is, sending an authentication request message to the location register or authentication center to start the terminal authentication procedure. Corresponding devices and systems are also disclosed. In the invention the random number needed for terminal authentication is generated by a network-side entity whose security is assured, which prevents an attacker from using the home base station access point to attack the authentication and so from obtaining the corresponding communication content.
Description
Technical field
The present invention relates to the field of network communication technology, and in particular to a method, device and system for authenticating a terminal based on a home base station network.
Background
A home base station is a small cellular base station, also called a Femto Cell or Home NodeB, and is a leading-edge technology in the 3G field. The Femto Cell lets mobile users in a residence connect to the 3G network over a wired broadband network and obtain enhanced mobile voice, video and data services; it connects seamlessly to the operator's existing macrocell base stations, makes full use of the user's existing broadband access, and ultimately delivers Fixed Mobile Convergence (FMC) services. With 3G home base stations a large share of mobile traffic is absorbed by indoor Femto Cells, which greatly reduces the number of macrocells the operator needs, saves considerable equipment investment and maintenance cost, and also improves indoor coverage, raises indoor broadband access rates and reduces delay, meeting the user's needs for various multimedia applications.
Figure 1 shows the structure of a Femto Cell network, which includes a mobile station / access terminal (MS / AT), an access point, a security gateway, the macro network, the macro network base station controller (BSC) and macro base stations. The Femto Cell access point and the Femto Cell security gateway are network entities; the Femto Cell takes over functions of the base station, BSC and so on in the original macro network. The Femto Cell reaches the core network of the macro network over a wired network such as an asymmetric digital subscriber line (ADSL) or cable modem (CM). Because data and signaling then cross an insecure network, for example the ordinary IP network, the Femto Cell security gateway entity is added for security and a secure tunnel is established between the Femto Cell access point and the Femto Cell security gateway to protect data and signaling. The Femto Cell access point can support access by different kinds of terminals, such as 3G terminals and legacy wireless terminals; to support access by Code Division Multiple Access (CDMA) 2000 1x mobile stations, the Femto Cell access point must provide the various functions of the CDMA2000 1x network, including access authentication.
Figure 2 shows the authentication flow of the CDMA2000 1x circuit domain in the prior art. It includes the following steps:
1. The BSC broadcasts the random number (RAND) it has generated to the MS on the control channel.
2. The MS computes the authentication response parameter (AUTHR) from the shared key, the RAND and other parameters, and sends an origination message to the BSC.
3. The BSC sends a service request message to the mobile switching center (MSC); the message carries the RAND and the AUTHR.
4. The MSC finds that the message contains the RAND and the AUTHR and therefore sends an authentication request message containing the RAND and the AUTHR to the home location register or authentication center (HLR/AC).
5. Using the RAND it received, the HLR/AC computes AUTHR by the same method the MS used. If the result equals the AUTHR received from the MSC, authentication succeeds, meaning that the MS holds the valid shared key. The HLR/AC returns an authentication success message to the MSC carrying the encryption keys for air-interface signaling and voice, namely the signaling message encryption key (SMEKEY) and the private long code mask (PLCM).
6. On receiving the authentication success message, the MSC sends an air-interface resource assignment message carrying the SMEKEY and PLCM to the BSC.
7. The BSC stores the SMEKEY and PLCM and sends a channel assignment message to the MS, that is, it allocates air-interface resources. The MS and the BSC establish the air-interface connection; subsequent signaling is protected with the SMEKEY and voice with the PLCM.
In the Femto Cell network the Femto Cell access point performs the function of the CDMA2000 1x BSC, so it has to generate the random number RAND and deliver it to the MS so that the MS can carry out the subsequent authentication procedure. In the course of making the present invention, however, the inventors found at least the following problem in the prior art: having the Femto Cell access point generate RAND carries a security risk, because the Femto Cell access point sits in a home or office where it is easy to attack or to misuse by a malicious user. For example, suppose an attacker records the RAND and AUTHR from an earlier authentication of some MS, together with the packets of that MS's communication with the network. The attacker then modifies the program of the Femto Cell access point, or breaks into it, and makes it send an authentication message carrying the previously recorded RAND and AUTHR. The network side verifies it, finds that the AUTHR value is correct, generates the corresponding signaling and voice keys and sends them to the Femto Cell access point. Since those signaling and voice keys are the same as the earlier ones, the Femto Cell access point can use them to decrypt the stored packets and so learn the content of the earlier communication. If the content of the MS's communication was confidential or very sensitive, this is very damaging to both the user and the other party.
Summary of the invention
Embodiments of the present invention provide a method, device and system for authenticating a terminal based on a home base station network, which prevent an attacker from using a Femto Cell access point to attack the authentication and so from obtaining the corresponding communication content.
An embodiment of the present invention provides a method for authenticating a terminal based on a home base station network, including: generating a random number; sending the random number to the terminal through a home base station access point; receiving a request sent by the terminal that carries an authentication response parameter and the random number; when a check shows that the random number carried in the request is identical to the random number sent to the terminal, sending an authentication request message to the location register or authentication center, which computes the authentication response parameter and compares it with the one carried in the received authentication request message; when they are the same, authentication succeeds.
An embodiment of the present invention also provides a home base station network device, including: a generating unit for generating a random number; a first sending unit for sending the random number to a terminal through a home base station access point; a receiving unit for receiving a request sent by the terminal that carries an authentication response parameter and the random number; a checking unit for checking whether the random number carried in the request is the same as the random number sent to the home base station access point and, if so, notifying a second sending unit; and the second sending unit, for sending an authentication request to the location register or authentication center.
An embodiment of the present invention also provides a system for authenticating a terminal based on a home base station network, including: an entity that generates a random number, a terminal, a home base station access point, and a home location register or authentication center. The entity that generates the random number generates it and sends it to the home base station access point; the home base station access point broadcasts the random number to the terminal; the terminal sends a request carrying an authentication response parameter and the random number; the entity that generates the random number receives the request, checks whether the random number carried in it is the same as the random number it sent to the home base station access point and, if so, sends an authentication request to the location register or authentication center; the location register or authentication center computes the authentication response parameter and compares it with the one carried in the received authentication request message, and when they are the same authentication succeeds.
In the above technical solutions the random number needed for terminal authentication is generated by a network-side entity whose security is assured; that entity sends the random number to the Femto Cell access point, checks whether the random number carried in the service request is the same as the one it sent, and only if it is does it start the terminal access procedure. Because the random number is not generated by the Femto Cell access point its security is assured, an attacker is prevented from using the Femto Cell access point to attack the authentication, and so from obtaining the corresponding communication content.
Description of the drawings
Figure 1 is a structural diagram of the Femto Cell network;
Figure 2 is the authentication flowchart of the CDMA2000 1x circuit domain in the prior art;
Figure 3 is a flowchart of the method of the first embodiment of the present invention;
Figure 4 is a flowchart of the method of the second embodiment of the present invention;
Figure 5 is a flowchart of the method of the third embodiment of the present invention;
Figure 6 is a flowchart of the method of the fourth embodiment of the present invention;
Figure 7 is a flowchart of the method of the fifth embodiment of the present invention;
Figures 8a and 8b are schematic diagrams of authentication access devices according to embodiments of the present invention;
Figure 9 is a structural diagram of the network terminal authentication access system of an embodiment of the present invention;
Figure 10 is a structural diagram of the first embodiment of the system of the present invention;
Figure 11 is a structural diagram of the second embodiment of the system of the present invention;
Figure 12 is a structural diagram of the third embodiment of the system of the present invention;
Figure 13 is a structural diagram of the fourth embodiment of the system of the present invention.
Detailed description
First, the method by which embodiments of the present invention authenticate a terminal based on a home base station network is described. It includes:
generating a random number; sending the random number to the terminal through a home base station access point; receiving a request sent by the terminal that carries an authentication response parameter and the random number; when a check shows that the random number carried in the request is identical to the random number sent to the terminal, sending an authentication request message to the location register or authentication center, which computes the authentication response parameter and compares it with the one carried in the received authentication request message; when they are the same, authentication succeeds.
Embodiments of the present invention are described in detail below with reference to the drawings.
Embodiment one:
See Figure 3, a flowchart of the method of the first embodiment of the present invention.
In the network structure of this embodiment the external interface of the Femto Cell access point is the BSC-MSC interface, that is, the A1/A1p interface, and the terminal is an MS. In this embodiment the random number RAND is generated by the Femto Cell security gateway, and the method requires an extension of the Internet Key Exchange (IKE) messages.
101. To protect the Femto network signaling and user data exchanged between the Femto Cell access point and the Femto Cell security gateway, the Femto Cell access point first negotiates an IPsec security association (SA) with the Femto Cell security gateway using the IKE protocol, and the SA is used to protect signaling and user data.
102. The Femto Cell access point requests the random number RAND from the Femto Cell security gateway in an IKE message.
103. The Femto Cell security gateway generates RAND and sends it, together with the lifetime of the RAND, to the Femto Cell access point in an IKE message.
104. The Femto Cell access point broadcasts the RAND to the MS.
105. The MS sends a CDMA2000 1x circuit-domain origination message to the Femto Cell access point. The origination message contains the RAND and the AUTHR computed from the RAND, the MS's equipment identifier and its subscriber identity.
106. On receiving the origination message, the Femto Cell access point sends a service request message carrying the RAND and AUTHR to the MSC. The service request message travels inside the IPsec tunnel established between the Femto Cell access point and the Femto Cell security gateway.
107. The Femto Cell security gateway receives the service request message and checks whether the RAND it carries is the same as the RAND sent to the Femto Cell access point in step 103. If it is, proceed to step 108; otherwise discard the service request message.
108. The Femto Cell security gateway sends the service request message to the MSC.
109. The MSC checks whether the service request message contains the RAND and AUTHR; if it does, it sends an authentication request message to the HLR/AC.
110. From the authentication request it received, the HLR/AC looks up the shared key of the corresponding MS, computes the network-side AUTHR and checks whether it equals the received AUTHR. If so, authentication passes; the HLR/AC goes on to compute the keys needed on the air interface, namely SMEKEY and PLCM, and sends an authentication response message containing these keys to the MSC.
111. After receiving the authentication response message, the MSC sends an assignment message containing the SMEKEY and PLCM to the access point, forwarded via the Femto Cell security gateway, instructing the Femto Cell access point to allocate air-interface resources to the MS.
112. The Femto Cell security gateway forwards the assignment message to the Femto Cell access point.
113. The Femto Cell access point stores the SMEKEY and PLCM from the assignment message, sends the assignment message to the MS and allocates air-interface resources to it.
The IKE message in this embodiment is preferably an IKE Informational exchange message; other types of IKE message may of course be chosen to implement the method.
Instead of the Femto Cell security gateway sending the lifetime of the RAND to the Femto Cell access point in step 103, the Femto Cell security gateway may periodically send a new RAND to the Femto Cell access point. The effect is the same: the RAND is time-limited and valid only within a certain period. This effectively secures terminal access and prevents a malicious attacker who has captured a RAND from passing authentication and accessing the network.
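The following is an added example, written for this page and not code from the patent, that puts the replay attack of the background section and the network-side RAND check of embodiment one side by side in Python. HMAC-SHA256 stands in for the CAVE computation of AUTHR and for the real SMEKEY/PLCM derivation, the MIN, ESN and shared secret data (SSD) values are constructed, and the class and function names are the example's own. The RAND registry is keyed by the FAP ID, which is what embodiment three adds at the MSC, and the retry after a rejected request follows embodiment two.

```python
import hashlib
import hmac
import secrets

# Constructed subscriber record for the example (not real credentials).
MIN_ID = b"4155550100"                                   # mobile identification number
ESN = bytes.fromhex("a1b2c3d4")                          # electronic serial number
SSD = bytes.fromhex("00112233445566778899aabbccddeeff")  # shared secret data


def compute_authr(ssd, rand, esn, min_id):
    """AUTHR stand-in: keyed hash over RAND, ESN and MIN. The real network uses
    CAVE; HMAC-SHA256 is an assumption that keeps the example self-contained."""
    mac = hmac.new(ssd, b"AUTHR" + rand + esn + min_id, hashlib.sha256).digest()
    return mac[:3]  # the real AUTHR is 18 bits; three bytes is close enough here


def derive_air_keys(ssd, rand):
    """SMEKEY and PLCM depend only on the shared secret and RAND, which is why a
    replayed RAND hands back the same keys. Stand-in derivation, not the 1x one."""
    smekey = hmac.new(ssd, b"SMEKEY" + rand, hashlib.sha256).digest()[:8]
    plcm = hmac.new(ssd, b"PLCM" + rand, hashlib.sha256).digest()[:6]
    return smekey, plcm


class HlrAc:
    """HLR/AC: recomputes AUTHR from the subscriber's SSD (steps 5 and 110)."""

    def __init__(self, subscribers):
        self.subscribers = subscribers  # MIN -> (ESN, SSD)

    def authenticate(self, min_id, rand, authr):
        esn, ssd = self.subscribers[min_id]
        if not hmac.compare_digest(compute_authr(ssd, rand, esn, min_id), authr):
            return None
        return derive_air_keys(ssd, rand)  # (SMEKEY, PLCM) for this RAND


class MobileStation:
    def __init__(self, min_id, esn, ssd):
        self.min_id, self.esn, self.ssd = min_id, esn, ssd

    def originate(self, rand):
        """Origination message carrying RAND and AUTHR (steps 2 and 105)."""
        authr = compute_authr(self.ssd, rand, self.esn, self.min_id)
        return {"min": self.min_id, "rand": rand, "authr": authr}


class SecurityGateway:
    """Network-side RAND issuer and checker (embodiment one, steps 103 and 107).
    Entries are keyed by FAP ID, as the MSC does with the FAP ID in embodiment three."""

    def __init__(self, hlr, lifetime_s, clock):
        self.hlr, self.lifetime_s, self.clock = hlr, lifetime_s, clock
        self.issued = {}  # fap_id -> (rand, expiry time)

    def issue_rand(self, fap_id):
        rand = secrets.token_bytes(4)  # 32-bit RAND generated on the network side
        self.issued[fap_id] = (rand, self.clock() + self.lifetime_s)
        return rand

    def service_request(self, fap_id, req):
        entry = self.issued.get(fap_id)
        if entry is None or entry[0] != req["rand"] or self.clock() > entry[1]:
            return None  # step 107: RAND unknown, expired or issued to another FAP
        return self.hlr.authenticate(req["min"], req["rand"], req["authr"])


def prior_art_replay():
    """Background-section attack: the FAP picked RAND itself and the HLR/AC keeps
    no record of it, so a recorded (RAND, AUTHR) pair replayed later from a
    compromised FAP returns the SMEKEY/PLCM that protected the recorded traffic."""
    hlr = HlrAc({MIN_ID: (ESN, SSD)})
    ms = MobileStation(MIN_ID, ESN, SSD)
    recorded = ms.originate(secrets.token_bytes(4))  # RAND chosen by the FAP
    keys_then = hlr.authenticate(recorded["min"], recorded["rand"], recorded["authr"])
    keys_replay = hlr.authenticate(recorded["min"], recorded["rand"], recorded["authr"])
    return keys_then is not None and keys_then == keys_replay


def patented_flow():
    """Embodiment one with a gateway-issued, time-limited RAND. Returns whether a
    fresh request passes, whether a foreign-FAP, FAP-chosen and expired RAND are
    each dropped, and whether a retry with a re-issued RAND passes."""
    now = [1000.0]  # injectable clock so the lifetime check is deterministic
    gw = SecurityGateway(HlrAc({MIN_ID: (ESN, SSD)}), 60.0, lambda: now[0])
    ms = MobileStation(MIN_ID, ESN, SSD)
    rand = gw.issue_rand("FAP-0001")                     # steps 102-103 over IKE
    req = ms.originate(rand)                             # steps 104-105
    fresh_ok = gw.service_request("FAP-0001", req) is not None
    foreign_dropped = gw.service_request("FAP-0002", req) is None
    own = ms.originate(bytes.fromhex("deadbeef"))        # recorded under a FAP-chosen RAND
    chosen_dropped = gw.service_request("FAP-0001", own) is None
    now[0] += 61.0                                       # RAND lifetime has elapsed
    stale_dropped = gw.service_request("FAP-0001", req) is None
    retry = ms.originate(gw.issue_rand("FAP-0001"))      # embodiment two: updated RAND
    retry_ok = gw.service_request("FAP-0001", retry) is not None
    return fresh_ok, foreign_dropped, chosen_dropped, stale_dropped, retry_ok
```

Calling prior_art_replay() returns True: with no record of which RAND the network issued, the HLR/AC accepts the replayed (RAND, AUTHR) pair and hands back the same keys. patented_flow() returns five True values: the fresh request passes, while a request from another FAP, a request built on a RAND the FAP chose itself and a request presented after the lifetime has elapsed are all dropped before they reach the HLR/AC, and a retry with a re-issued RAND passes. Note that RAND is a global challenge broadcast to every MS under the access point, so the gateway checks it per FAP rather than per request; the lifetime is therefore what bounds the window in which a recorded origination can be replayed, and within that window the access point already holds the session keys legitimately.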
Embodiment two:
See Figure 4, a flowchart of the method of the second embodiment of the present invention.
Embodiment two is the processing flow when the check in step 107 of embodiment one finds that the RAND values differ. Steps 201-206 are the same as steps 101-106 of embodiment one and are not repeated here; only the subsequent processing is described, as follows:
207. The Femto Cell security gateway sends an updated RAND to the Femto Cell access point in the IKE message.
208. After receiving the RAND, the Femto Cell access point broadcasts it to the MS. The MS can resend the origination message using the updated RAND; the procedure from there is the same as in embodiment one.
The IKE message in this embodiment is preferably an IKE Informational exchange message; other types of IKE message may of course be chosen to implement the method.
Embodiment three:
See Figure 5, a flowchart of the method of the third embodiment of the present invention.
As in embodiment one, the external interface of the Femto Cell access point in the network structure of this embodiment is the BSC-MSC interface, that is, the A1/A1p interface, and the terminal is the MS. Unlike embodiment one, in this embodiment the random number RAND is generated by the MSC, and the method requires an extension of A1/A1p.
Step 301 is the same as step 101 of embodiment one and is not repeated here.
302. The Femto Cell access point requests the random number RAND from the MSC in an A1/A1p message, which carries the identifier of the Femto Cell access point (FAP ID, Femto Access Point Identifier).
303. The MSC generates RAND and sends it, together with the lifetime of the RAND, to the Femto Cell access point in an A1/A1p message.
Steps 304-305 are the same as steps 104-105 of embodiment one and are not repeated here.
306. On receiving the origination message, the Femto Cell access point sends a service request message carrying the RAND, AUTHR and FAP ID to the MSC. The service request message travels inside the IPsec tunnel established between the Femto Cell access point and the Femto Cell security gateway.
307. The Femto Cell security gateway sends the service request message to the MSC.
308. The MSC receives the service request message and finds that it contains RAND, AUTHR and FAP ID, so it checks whether the RAND is the same as the RAND it sent to that Femto Cell access point in step 303. If it is, processing continues; otherwise the service request message is discarded.
309. The MSC sends an authentication request message to the HLR/AC.
Steps 310-313 are the same as steps 110-113 of embodiment one and are not repeated here.
The A1/A1p messages in this embodiment need not carry the FAP ID; including it lets the MSC identify the access point more reliably, because the MSC generates a different random number for each access point.
Embodiment four:
See Figure 6, a flowchart of the method of the fourth embodiment of the present invention.
Unlike embodiment one, in the network structure of this embodiment the Femto Cell access point acts as a client of an IP Multimedia Subsystem (IMS) network and its external interface uses Session Initiation Protocol (SIP) signaling; a signaling conversion entity is added to the network to convert between CDMA2000 1x Mobile Application Part (MAP) signaling and SIP signaling. As in embodiment one, the terminal in this embodiment is the MS, and the random number RAND is generated by the Femto Cell security gateway.
Step 401 is the same as step 101 of embodiment one and is not repeated here.
402. The Femto Cell access point accesses the IMS network as an IMS client, that is, it performs IMS registration: the Femto Cell access point registers with the Serving Call Session Control Function (S-CSCF).
403. The Femto Cell access point requests the random number RAND from the Femto Cell security gateway in an IKE message.
404. The Femto Cell security gateway generates RAND and sends it, together with the lifetime of the RAND, to the Femto Cell access point in an IKE message.
405. The Femto Cell access point broadcasts the RAND to the MS.
406. The MS sends a CDMA2000 1x circuit-domain origination message to the Femto Cell access point. The origination message contains the RAND and the AUTHR computed from the RAND, the MS's equipment identifier and its subscriber identity.
407. The Femto Cell access point converts the origination message into a SIP message and sends the SIP message to the IMS network; the SIP message travels inside the IPsec tunnel established between the Femto Cell access point and the Femto Cell security gateway.
408. The Femto Cell security gateway decrypts the received SIP message and checks whether the RAND in the SIP message is the same as the RAND sent to the Femto Cell access point in step 404. If it is, step 409 is performed; otherwise the message is discarded.
409. The Femto Cell security gateway forwards the SIP message, which is routed to the signaling conversion entity.
410. The signaling conversion entity converts the received SIP message into CDMA2000 1x MAP signaling containing the RAND and AUTHR, and sends an authentication request message to the HLR/AC.
411. From the authentication request message it received, the HLR/AC looks up the shared key of the corresponding MS, computes the network-side AUTHR and checks whether it equals the received AUTHR. If so, authentication passes; the HLR/AC goes on to compute the keys needed on the air interface, namely SMEKEY and PLCM, and sends an authentication response message containing these keys to the signaling conversion entity.
412. After receiving the authentication response message, the signaling conversion entity sends a SIP message containing the SMEKEY and PLCM to the access point, forwarded by the security gateway, instructing the Femto Cell access point to allocate air-interface resources to the MS.
413. The Femto Cell security gateway forwards the SIP signaling to the Femto Cell access point.
414. The Femto Cell access point stores the SMEKEY and PLCM from the SIP signaling, sends the assignment signaling to the MS and allocates air-interface resources to it.
The IKE message in this embodiment is preferably an IKE Informational exchange message; other types of IKE message may of course be chosen to implement the method.
Embodiment five:
Referring to FIG. 7, a flowchart of the method according to the fifth embodiment of the present invention.
This embodiment has the same network structure as Embodiment 4: the Femto Cell access point acts as a client of the IMS network, its external interface uses SIP signaling, and a signaling conversion entity is added to the network to convert between CDMA2000 1x MAP signaling and SIP signaling; the terminal is the MS. The difference from Embodiment 4 is that in this embodiment the random number RAND is generated by the signaling conversion entity.
Steps 501-502 are the same as steps 401-402 of Embodiment 4 and are not repeated here.
503. The Femto Cell access point requests the random number RAND from the signaling conversion entity via a SIP message.
504. The signaling conversion entity generates the RAND and sends it, together with its lifetime, to the Femto Cell access point via a SIP message.
Steps 505-507 are the same as steps 405-407 of Embodiment 4 and are not repeated here.
508. The Femto Cell security gateway decrypts the received SIP message and forwards it; the SIP message is routed to the signaling conversion entity.
509. The signaling conversion entity checks whether the RAND in the SIP message is the same as the RAND sent to the Femto Cell access point in step 4; if so, it proceeds to step 510, otherwise it discards the message.
Steps 510-514 are the same as steps 410-414 of Embodiment 4 and are not repeated here.
Note that in the methods of Embodiments 3 to 5, when authentication fails the subsequent handling is similar to that of Embodiment 2: an updated RAND is sent, and the terminal resends the origination message using the new RAND.
Note also that in Embodiments 1 to 5 the lifetime of the random number is sent to the Femto Cell access point, so the random number is time-limited and valid only for a period; this secures terminal access. Alternatively, the RAND may be sent periodically to the Femto Cell access point, which has the same effect: the RAND is time-limited and valid only within a certain period. This effectively secures terminal access and prevents a malicious attacker in the middle from stealing the RAND and passing authentication to access the network. The entity generating the random number may send it after the Femto Cell access point has requested it, in which case the request may also carry the FAP ID, or it may send it to the Femto Cell access point unsolicited.
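As an added illustration (not part of the patent or any vendor's implementation), the following Python models the network-side check of steps 408/509 together with the lifetime rule above: a RAND issuer keyed by FAP ID, the HLR/AC recomputation of AUTHR, and the discard-and-reissue path taken on a mismatch. The CAVE-based AUTHR and SMEKEY/PLCM derivations are replaced by HMAC stand-ins, and the FAP/MS identifiers and keys are constructed sample values.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

@dataclass
class IssuedRand:
    rand: bytes        # 32-bit RAND, the CDMA2000 1x challenge size
    issued_at: float
    lifetime: float    # seconds; sent to the FAP together with the RAND

class RandIssuer:
    """Network-side RAND owner: security gateway, MSC or signaling
    conversion entity, depending on the embodiment."""

    def __init__(self, lifetime: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.lifetime = lifetime
        self.clock = clock
        self.issued: Dict[str, IssuedRand] = {}   # FAP ID -> current RAND

    def issue(self, fap_id: str) -> IssuedRand:
        """Generate a fresh RAND for one access point (steps 403/504)."""
        rec = IssuedRand(os.urandom(4), self.clock(), self.lifetime)
        self.issued[fap_id] = rec
        return rec

    def check(self, fap_id: str, carried_rand: bytes) -> bool:
        """Steps 408/509: the carried RAND must equal the one sent to this
        FAP, and that RAND must still be within its lifetime."""
        rec = self.issued.get(fap_id)
        if rec is None or self.clock() - rec.issued_at > rec.lifetime:
            return False
        return hmac.compare_digest(rec.rand, carried_rand)

def compute_authr(shared_key: bytes, rand: bytes) -> bytes:
    """Stand-in for the MS/AC AUTHR computation.  CDMA2000 uses CAVE;
    truncated HMAC-SHA-256 is an assumption so the example runs without it."""
    return hmac.new(shared_key, b"AUTHR" + rand, hashlib.sha256).digest()[:3]

class HlrAc:
    """HLR/AC: holds each MS's shared key and recomputes AUTHR (step 411)."""

    def __init__(self, keys: Dict[str, bytes]) -> None:
        self.keys = keys

    def authenticate(self, ms_id: str, rand: bytes,
                     authr: bytes) -> Optional[Tuple[bytes, bytes]]:
        key = self.keys.get(ms_id)
        if key is None or not hmac.compare_digest(compute_authr(key, rand), authr):
            return None
        # SMEKEY/PLCM stand-ins derived from the same key and RAND; the real
        # CDMA2000 derivation is not reproduced here.
        material = hmac.new(key, b"AIR" + rand, hashlib.sha256).digest()
        return material[:8], material[8:16]

def handle_request(issuer: RandIssuer, hlr: HlrAc, fap_id: str, ms_id: str,
                   carried_rand: bytes, authr: bytes) -> str:
    """RAND check first, HLR/AC check second.  On a RAND mismatch the request
    is discarded and a new RAND is issued to the FAP (Embodiment 2 recovery)."""
    if not issuer.check(fap_id, carried_rand):
        issuer.issue(fap_id)
        return "discarded: RAND mismatch or expired, new RAND sent to FAP"
    if hlr.authenticate(ms_id, carried_rand, authr) is None:
        return "authentication failed at HLR/AC"
    return "authenticated: SMEKEY/PLCM returned to FAP"

def demo(arrival_time: float, carried_rand: Optional[bytes] = None,
         ms_key: bytes = b"k" * 16, hlr_key: bytes = b"k" * 16) -> str:
    """One origination against a controllable clock.  `carried_rand`, if set,
    replaces the RAND the network issued (a FAP substituting its own
    challenge); the keys are constructed sample values."""
    clock = [0.0]
    issuer = RandIssuer(lifetime=60.0, clock=lambda: clock[0])
    hlr = HlrAc({"ms-1": hlr_key})
    rand = issuer.issue("fap-1").rand      # sent to FAP, broadcast to the MS
    authr = compute_authr(ms_key, rand)    # MS answers the challenge
    clock[0] = arrival_time                # when the service request arrives
    return handle_request(issuer, hlr, "fap-1", "ms-1",
                          rand if carried_rand is None else carried_rand, authr)
```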
An embodiment of the present invention provides a Femto Cell network terminal access device; see FIG. 8a, a schematic diagram of the authentication access device of an embodiment of the present invention.
A generating unit 801 generates the time-limited RAND needed for terminal authentication;
A first sending unit 802 sends the RAND and its lifetime to the Femto Cell access point, which broadcasts the RAND to the terminal; the terminal may be a mobile station or an access terminal. The Femto Cell access point first requests the RAND from the first sending unit 802.
A receiving unit 803 receives the service request information sent by the terminal, which carries the authentication response parameter and the RAND;
A checking unit 804 checks whether the RAND carried in the service request information is the same as the RAND sent to the Femto Cell access point; if so, authentication passes;
A second sending unit 805 sends the service request information to the location register or authentication center.
When the checking unit 804 finds that the RAND carried in the service request information differs from the RAND sent to the Femto Cell access point, the device further includes a discarding unit 806 (FIG. 8b) that discards the service request information. This prevents an attacker from accessing the Femto Cell network and stealing communication content.
The present invention also provides a Femto network terminal access system. Referring to FIG. 9, a structural diagram of the network terminal access system of an embodiment of the present invention, it includes an entity 901 that generates the random number, a home location register/authentication center HLR/AC 902, a Femto Cell access point 903 and a terminal 904.
The Femto Cell access point 903 requests the RAND from the RAND-generating entity 901;
The random-number-generating entity 901 generates the RAND and sends it, with its lifetime, to the Femto Cell access point 903;
The Femto Cell access point 903 broadcasts the RAND to the terminal 904;
The terminal 904 sends service request information carrying the authentication response parameter and the RAND to the random-number-generating entity 901;
The random-number-generating entity 901 checks whether the RAND carried in the service request information is the same as the RAND it sent to the Femto Cell access point; if so, authentication passes and it sends the service request information to the location register or authentication center 902;
The location register or authentication center 902 starts the terminal access procedure.
The present invention provides a Femto network terminal access system that, according to which entity generates the random number, is divided into three embodiments: the RAND is generated by the Femto Cell security gateway, by the MSC, or by the signaling conversion entity.
First system embodiment:
The Femto Cell security gateway generates the RAND, and the system also includes an MSC. Referring to FIG. 10, a structural diagram of the first system embodiment of the present invention, it includes a Femto Cell security gateway 1001, an MS 1002, a Femto Cell access point 1003, an HLR/AC 1004 and an MSC 1005.
The Femto Cell access point 1003 requests the RAND from the Femto Cell security gateway 1001;
The Femto Cell security gateway 1001 generates the RAND and sends it, with its lifetime, to the Femto Cell access point 1003;
The Femto Cell access point 1003 broadcasts the RAND to the MS 1002;
The MS 1002 sends service request information carrying the authentication response parameter and the RAND to the Femto Cell security gateway 1001;
The security gateway 1001 checks whether the RAND carried in the service request information is the same as the RAND sent to the Femto Cell access point 1003; if so, authentication passes and it sends the service request information to the HLR/AC 1004;
The HLR/AC 1004 starts the terminal access procedure.
In the above system, the external interface of the Femto Cell access point is the BSC-MSC interface.
Second system embodiment:
Unlike the first system embodiment, the MSC generates the random number. Referring to FIG. 11, a structural diagram of the second system embodiment of the present invention, it includes a Femto Cell security gateway 1101, an MS 1102, a Femto Cell access point 1103, an HLR/AC 1104 and an MSC 1105.
The functions of the parts are the same as in the first system embodiment and are not repeated here; the difference is that the MSC generates the random number, so it is the MSC that finally checks whether the RAND is the same as the one originally sent.
Third system embodiment:
In this embodiment the Femto Cell access point acts as a client of the IMS network and the Femto Cell security gateway generates the random number. Referring to FIG. 12, a structural diagram of the third system embodiment of the present invention, it includes a Femto Cell security gateway 1201, an MS 1202, a Femto Cell access point 1203, a signaling conversion entity 1204, an HLR/AC 1205 and an S-CSCF 1206.
The Femto Cell access point 1203, as an IMS client, must first register with the S-CSCF 1206 in order to access the IMS network.
The Femto Cell access point 1203 requests the RAND from the Femto Cell security gateway 1201.
The Femto Cell security gateway 1201 generates the RAND and sends it, with its lifetime, to the Femto Cell access point 1203.
The Femto Cell access point 1203 sends the RAND to the MS 1202.
The MS 1202 sends a paging response to the Femto Cell access point 1203, which converts the paging response into a SIP message and sends it to the Femto Cell security gateway 1201.
The Femto Cell security gateway 1201 checks whether the RAND carried in the SIP message is the same as the one sent to the Femto Cell access point 1203; if so, it forwards the SIP message, which is routed to the signaling conversion entity 1204.
The signaling conversion entity 1204 sends an authentication request message to the HLR/AC 1205.
The HLR/AC 1205 checks whether the authentication response parameter carried in the authentication request message is correct; if so, it sends an authentication response message to the signaling conversion entity 1204.
The signaling conversion entity 1204 sends a SIP message to the Femto Cell access point 1203 through the Femto Cell security gateway 1201, instructing the Femto Cell access point 1203 to allocate air interface resources to the MS. The signaling conversion entity may be integrated with the home location register.
Fourth system embodiment:
This embodiment differs from the third system embodiment in that the random number is generated by the signaling conversion entity. Referring to FIG. 13, a structural diagram of the fourth system embodiment of the present invention, it includes a Femto Cell security gateway 1301, an MS 1302, a Femto Cell access point 1303, a signaling conversion entity 1304, an HLR/AC 1305 and an S-CSCF 1306.
In this embodiment the signaling conversion entity 1304 generates the random number, so it is the signaling conversion entity 1304 that checks whether the random number in the SIP message is the same as the one sent to the Femto Cell access point 1303; the other parts are the same as in the third embodiment and are not repeated here.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be implemented by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, may include the contents of the foregoing communication method embodiments. The storage medium referred to here may be, for example, ROM/RAM, a magnetic disk or an optical disc.
In summary, in the method for authenticating a terminal based on a home base station network provided by the embodiments of the present invention, the random number needed for terminal authentication is generated by a network-side entity whose security is assured; that entity sends the random number to the Femto Cell access point and checks whether the random number carried in the service request information is the same as the one it sent, and if so the terminal access procedure is started. Because the random number is not generated by the Femto Cell access point, security is assured: an attacker cannot use the Femto Cell access point to attack the authentication, and so cannot obtain the corresponding communication content.
Those of ordinary skill in the art will understand that all or part of the steps of the methods of the above embodiments may be implemented by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, includes the following steps: generating a random number; sending the random number to the terminal through the home base station access point; receiving the request sent by the terminal that carries the authentication response parameter and the random number; when the random number carried in the request is found to be consistent with the random number sent to the terminal, sending an authentication request message to the location register or authentication center, computing the authentication response parameter and comparing it with the one carried in the received authentication request message; when they are the same, authentication succeeds.
Claims (11)
- 1. A method for authenticating a terminal based on a home base station network, characterized in that it comprises: generating a random number; sending the random number to a terminal through a home base station access point; receiving a request sent by the terminal that carries an authentication response parameter and the random number; when the random number carried in the request is found to be consistent with the random number sent to the terminal, sending an authentication request message to a location register or authentication center, computing the authentication response parameter and comparing it with the authentication response parameter carried in the received authentication request message, authentication succeeding when they are identical; wherein the entity generating the random number is a mobile switching center and the random number is sent to the home base station access point in an interoperability standard A1 or A1p interface message; or the entity generating the random number is the home base station network security gateway and the random number is sent to the home base station access point in an Internet Key Exchange message; or the entity generating the random number is a signaling conversion entity and the random number is sent to the home base station access point in a Session Initiation Protocol message.
- 2. The method according to claim 1, characterized in that the computing of the authentication response parameter and its comparison with the authentication response parameter carried in the received authentication request message are performed by the location register or authentication center.
- 3. The method according to claim 1, characterized in that it further comprises: when the random number carried in the request is found not to be identical to the random number sent to the terminal, discarding the request and resending the random number to the home base station access point.
- 4. The method according to claim 1, characterized in that the external interface of the home base station access point is the interface between a base station controller and a mobile switching center.
- 5. The method according to claim 1, characterized in that the home base station access point acts as a client of an IP Multimedia Subsystem network and its external interface uses Session Initiation Protocol messages.
- 6. The method according to claim 1, characterized in that it further comprises sending the lifetime of the random number to the home base station access point.
- 7. The method according to claim 1, characterized in that the random number is sent to the home base station access point either unsolicited or after a request from the home base station access point is received.
- 8. The method according to claim 7, characterized in that the random number request sent by the home base station access point comprises the identity of the home base station access point.
- 9. A home base station network device, characterized in that the device is located in the home base station network security gateway, a mobile switching center or a signaling conversion entity, and comprises: a generating unit for generating a random number; a first sending unit for sending the random number to a terminal through a home base station access point; a receiving unit for receiving a request sent by the terminal that carries an authentication response parameter and the random number; a checking unit for checking whether the random number carried in the request is identical to the random number sent to the home base station access point and, if so, notifying a second sending unit; and the second sending unit, for sending an authentication request to the location register or authentication center.
- 10. The device according to claim 9, characterized in that it further comprises a discarding unit which, when the random number carried in the request is found to differ from the random number sent to the home base station access point, discards the service request information.
- 11. A system for authenticating a terminal based on a home base station network, characterized in that it comprises: an entity that generates a random number, a terminal, a home base station access point, and a home location register or authentication center; wherein the random-number-generating entity is used to generate the random number and send it to the home base station access point; the home base station access point is used to broadcast the random number to the terminal; the terminal is used to send a request carrying an authentication response parameter and the random number; the random-number-generating entity receives the request, checks whether the random number it carries is identical to the random number sent to the home base station access point and, if so, sends an authentication request to the location register or authentication center; the location register or authentication center is used to compute the authentication response parameter, authentication succeeding when it is identical to the authentication response parameter carried in the received authentication request message; when the random-number-generating entity is the home base station network security gateway, the system further comprises a mobile switching center for instructing the access point, during the terminal access procedure, to allocate air interface resources to the terminal; or, when the random-number-generating entity is a mobile switching center, the system further comprises a home base station network security gateway for forwarding the service request information to the mobile switching center; or, when the random-number-generating entity is a signaling conversion entity, the system further comprises an entity that provides terminal registration, for providing the terminal with the service of registering to the network.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200810040806.8A CN101631309B (en) | 2008-07-17 | 2008-07-17 | Method, device and system for authenticating terminal based on home base station network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101631309A CN101631309A (en) | 2010-01-20 |
CN101631309B true CN101631309B (en) | 2013-03-20 |
Families Citing this family (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8813195B2 (en) | 2010-03-09 | 2014-08-19 | Alcatel Lucent | Method and apparatus for authenticating a user equipment |
CN101854629B (en) * | 2010-05-21 | 2013-02-27 | 西安电子科技大学 | Method for user terminal access authentication and re-authentication in home base station system |
CN102546540B (en) * | 2010-12-17 | 2015-02-11 | 北京中创智信科技有限公司 | Data processing method |
CN102571337A (en) * | 2010-12-17 | 2012-07-11 | 北京中创智信科技有限公司 | Data processing method |
CN102612078A (en) * | 2011-01-25 | 2012-07-25 | 电信科学技术研究院 | Wireless access system and device and data transmission method |
CN103096398B (en) | 2011-11-08 | 2016-08-03 | 华为技术有限公司 | A kind of method and apparatus of network switching |
CN103945383B (en) * | 2014-04-22 | 2018-03-23 | 福建三元达网络技术有限公司 | A kind of method of Home eNodeB management user equipment access |
CN104468314A (en) * | 2014-12-09 | 2015-03-25 | 北京歌华有线数字媒体有限公司 | 4G base station network system |
WO2019000171A1 (en) * | 2017-06-26 | 2019-01-03 | Zte Corporation | Methods and computing device for authenticating a user equipment via a home network |
CN110048988B (en) * | 2018-01-15 | 2021-03-23 | 华为技术有限公司 | Message sending method and device |
CN118714521A (en) * | 2023-03-27 | 2024-09-27 | 华为技术有限公司 | Message processing method and device |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1561136A (en) * | 2004-02-18 | 2005-01-05 | UT斯达康通讯有限公司 | PHS mobile phone network discriminating method |
CN1568037A (en) * | 2003-06-10 | 2005-01-19 | 华为技术有限公司 | Authentication method for user of global mobile communication system when roaming to CDMA network |
CN1835626A (en) * | 2005-03-15 | 2006-09-20 | 北京信威通信技术股份有限公司 | Power authentication system and method of SCDMA communicating system |
CN101026889A (en) * | 2007-04-05 | 2007-08-29 | 华为技术有限公司 | Method, system and base station for locking illegal copy mobile terminal |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | | Granted publication date: 20130320 |