[go: up one dir, main page]

CN101841814B - Terminal authentication method and system - Google Patents

Terminal authentication method and system Download PDF

Info

Publication number
CN101841814B
CN101841814B CN201010145176.8A CN201010145176A CN101841814B CN 101841814 B CN101841814 B CN 101841814B CN 201010145176 A CN201010145176 A CN 201010145176A CN 101841814 B CN101841814 B CN 101841814B
Authority
CN
China
Prior art keywords
authentication
terminal
user
personal information
authentication data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201010145176.8A
Other languages
Chinese (zh)
Other versions
CN101841814A (en
Inventor
王斌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing ZTE New Software Co Ltd
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ZTE Corp filed Critical ZTE Corp
Priority to CN201010145176.8A priority Critical patent/CN101841814B/en
Priority to PCT/CN2010/075640 priority patent/WO2011124051A1/en
Publication of CN101841814A publication Critical patent/CN101841814A/en
Application granted granted Critical
Publication of CN101841814B publication Critical patent/CN101841814B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/069Authentication using certificates or pre-shared keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/082Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying multi-factor authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention discloses a terminal authentication method and terminal authentication system. In the method, an authentication server performs primary authentication of a terminal according to first authentication data sent by the terminal, wherein the first authentication data is generated according to the user characteristic information of the terminal; the authentication server performs secondary authentication of the terminal according to second authentication data sent by the terminal, wherein the second authentication data is generated according to an authentication secret key, a terminal parameter and a network parameter; and when both the primary authentication and the secondary authentication are successful, the authentication server determines that the terminal authentication is successful. When the technical scheme of the invention is adopted, the safety of the use of the network of the user is improved, the protection of the individual privacy of the user is improved, and the legal right and interests of an operator are protected.

Description

终端鉴权方法及系统Terminal authentication method and system

技术领域 technical field

本发明涉及移动通信领域,具体而言,涉及一种终端鉴权方法及系统。The present invention relates to the field of mobile communication, in particular to a terminal authentication method and system.

背景技术 Background technique

随着移动通讯技术的飞速发展和普及,通讯技术的安全性越来越成为人们关注的热点话题。通讯的安全性,对保护终端用户的个人隐私及利益不受侵害至关重要,目前主要采用以下方法加强终端用户的安全性:With the rapid development and popularization of mobile communication technology, the security of communication technology has increasingly become a hot topic of concern. The security of communication is very important to protect the personal privacy and interests of end users from infringement. At present, the following methods are mainly used to enhance the security of end users:

一、终端和移动通信系统交互的信令和数据(语音,短信等)通过特定的安全算法进行加密,防止明文传送被监听。1. The signaling and data (voice, short message, etc.) exchanged between the terminal and the mobile communication system are encrypted by a specific security algorithm to prevent plaintext transmission from being monitored.

二、采用国际移动台识别码IMSI(International Mobile StationIdentity)或者电子序列号ESN(Electronic Serial Number)作为移动台的标识。2. Use IMSI (International Mobile Station Identity) or ESN (Electronic Serial Number) as the identification of the mobile station.

三、引入了终端鉴权机制。鉴权通常的过程是基站在前向信道给移动台发送一个随机数,移动台根据收到的随机数和自己存储的与鉴权相关的保密数据以及标识码(例如ESN、IMSI等),以及特定预制的网络参数(如CDAM系统中的Key,或者GSM系统中的Ki)通过鉴权算法计算出一个鉴权结果,并把这个鉴权结果由反向信道发给基站。鉴权中心AC(Authentication Centre)根据存储的移动台保密数据,用相同的方法计算出鉴权结果,并对上述两个鉴权结果进行比较,确定终端鉴权是否成功。鉴权实际上是一种基于保密数据的算法,只要保密数据不被泄漏,即使盗用者获取了移动台的标识,也无法计算出正确的鉴权结果,从而无法接入网络。3. The terminal authentication mechanism is introduced. The usual process of authentication is that the base station sends a random number to the mobile station on the forward channel. Specific prefabricated network parameters (such as Key in the CDAM system, or Ki in the GSM system) calculate an authentication result through the authentication algorithm, and send the authentication result to the base station through the reverse channel. The authentication center AC (Authentication Center) uses the same method to calculate the authentication result based on the stored mobile station confidential data, and compares the above two authentication results to determine whether the terminal authentication is successful. Authentication is actually an algorithm based on confidential data. As long as the confidential data is not leaked, even if the pirate obtains the identity of the mobile station, he cannot calculate the correct authentication result and cannot access the network.

为了方便用户,运营商通常采用机卡分离方案,把一些特定的网络参数固化到用户身份识别卡(例如SIM卡)中或在终端销售前固化到终端的非易失存储单元中,这样用户在使用网络的时,只要用户身份识别卡中的参数合法,终端就可以正常使用系统服务。用户身份识别卡的安全性,也是通过特定的加密算法来保护的,卡本身的安全算法也不断的在升级更新。For the convenience of users, operators usually use the machine-card separation scheme to fix some specific network parameters into the user identification card (such as SIM card) or into the non-volatile storage unit of the terminal before the terminal is sold, so that the user can When using the network, as long as the parameters in the user identification card are valid, the terminal can use the system services normally. The security of the user identification card is also protected by a specific encryption algorithm, and the security algorithm of the card itself is constantly being updated.

但是,目前市场上已经出现了很多复制盗卡的工具,通过这类工具,可以很简单的实现,破解SIM卡并把卡中的数据完整的复制到另外一张卡上。所有的参数都会被复制,包括了鉴权算法以及语音加密所需要的所有重要参数。这样如果用户的SIM卡不小心遗失或者被人窃取,个人的隐私及利益(非法窃取用户话费)就可能被侵犯。如果用户获取了这种工具,自己随意的复制卡,比如一卡多号功能(目前移动有这种功能的卡,但要收取额外的费用),或者将一个卡复制成多张卡,也给运营商的管理和利益带来危害。However, many tools for duplicating stolen cards have appeared on the market at present. Through such tools, it can be easily realized to crack the SIM card and completely copy the data in the card to another card. All parameters will be copied, including authentication algorithms and all important parameters required for voice encryption. If the user's SIM card is accidentally lost or stolen, personal privacy and interests (illegally stealing the user's phone bill) may be violated. If the user obtains this tool, he can copy the card at will, such as the function of one card with multiple numbers (currently mobile cards with this function, but an additional fee will be charged), or copy a card into multiple cards, and also give Harm to the management and interests of the operator.

综上所述,现有的终端鉴权机制不足以保证终端用户使用网路的安全性以及运营商的合法权益和利益。To sum up, the existing terminal authentication mechanism is not enough to guarantee the security of terminal users using the network and the legitimate rights and interests of operators.

发明内容 Contents of the invention

本发明的主要目的在于提供一种终端鉴权方法及系统,以至少解决现有的终端鉴权机制不足以保证终端用户使用网路的安全性以及运营商的合法权益和利益的问题。The main purpose of the present invention is to provide a terminal authentication method and system to at least solve the problem that the existing terminal authentication mechanism is not enough to ensure the security of the terminal user using the network and the legal rights and interests of the operator.

根据本发明的一个方面,提供了一种终端鉴权方法,包括:鉴权服务器根据终端发送的第一鉴权数据对终端进行第一鉴权,其中,第一鉴权数据根据终端的用户特征信息生成;鉴权服务器根据终端发送的第二鉴权数据进行第二鉴权,其中,第二鉴权数据根据鉴权密钥、终端参数以及网络参数生成;在第一鉴权及第二鉴权均成功的情况下,鉴权服务器确定终端鉴权成功。According to one aspect of the present invention, a terminal authentication method is provided, including: the authentication server performs first authentication on the terminal according to the first authentication data sent by the terminal, wherein the first authentication data is based on the user characteristics of the terminal information generation; the authentication server performs second authentication according to the second authentication data sent by the terminal, wherein the second authentication data is generated according to the authentication key, terminal parameters and network parameters; If all authorizations are successful, the authentication server determines that the terminal authentication is successful.

根据本发明的另一方面,提供了一种终端鉴权系统,包括:终端以及鉴权服务器,其中,终端,包括:第一鉴权数据模块,用于生成第一鉴权数据,并向鉴权服务器发送第一鉴权数据,其中,第一鉴权数据根据终端的用户特征信息生成;第二鉴权数据模块,用于生成第二鉴权数据,并向鉴权服务器发送第二鉴权数据,其中,第二鉴权数据根据鉴权密钥、终端参数以及网络参数生成;鉴权服务器,包括第一鉴权模块,用于根据第一鉴权数据对终端进行第一鉴权,并输出第一鉴权结果;第二鉴权模块,用于在第一鉴权成功的情况下,根据第二鉴权数据进行第二鉴权,并输出第二鉴权结果;鉴权成功判断模块,分别与第一鉴权模块和第二鉴权模块连接,用于判断输入的第一鉴权结果和第二鉴权结果,在第一鉴权结果和第二鉴权结果均成功的情况下,确定终端的鉴权成功。According to another aspect of the present invention, a terminal authentication system is provided, including: a terminal and an authentication server, wherein, the terminal includes: a first authentication data module, configured to generate first authentication data, and send to the authentication The authorization server sends the first authentication data, wherein the first authentication data is generated according to the user characteristic information of the terminal; the second authentication data module is used to generate the second authentication data, and send the second authentication data to the authentication server data, wherein the second authentication data is generated according to the authentication key, terminal parameters, and network parameters; the authentication server includes a first authentication module, configured to perform first authentication on the terminal according to the first authentication data, and Output the first authentication result; the second authentication module is used to perform the second authentication according to the second authentication data when the first authentication is successful, and output the second authentication result; the authentication success judging module , respectively connected to the first authentication module and the second authentication module, for judging the input first authentication result and the second authentication result, in the case that both the first authentication result and the second authentication result are successful , to determine that the authentication of the terminal is successful.

通过本发明提供的技术方案,移动终端在正常使用网络业务时,比如在进行注册,呼叫,短信,数据业务等操作,在现有的鉴权机制上,增加一个用户特征信息鉴权,对终端的两次进行鉴权,并且两次鉴权均成功的情况下,鉴权服务器才能确定该终端的鉴权成功,从而增强了用户使用网络的安全性,也增强了对用户个人隐私的保护,并且可以保护运营商的合法权益和利益。Through the technical solution provided by the present invention, when the mobile terminal normally uses network services, such as registering, calling, short messages, data services and other operations, a user characteristic information authentication is added to the existing authentication mechanism, and the terminal Only when authentication is performed twice, and both authentications are successful, the authentication server can determine that the authentication of the terminal is successful, thereby enhancing the security of the user's use of the network and also enhancing the protection of the user's personal privacy. And can protect the legitimate rights and interests of operators.

附图说明 Description of drawings

此处所说明的附图用来提供对本发明的进一步理解,构成本申请的一部分,本发明的示意性实施例及其说明用于解释本发明,并不构成对本发明的不当限定。在附图中:The accompanying drawings described here are used to provide a further understanding of the present invention and constitute a part of the application. The schematic embodiments of the present invention and their descriptions are used to explain the present invention and do not constitute improper limitations to the present invention. In the attached picture:

图1是根据本发明实施例的用于终端鉴权的移动通信网路系统结构示意图;FIG. 1 is a schematic structural diagram of a mobile communication network system for terminal authentication according to an embodiment of the present invention;

图2是根据本发明实施例的终端鉴权方法流程图;FIG. 2 is a flow chart of a terminal authentication method according to an embodiment of the present invention;

图3是根据本发明实施例的第一鉴权流程图;Fig. 3 is a first authentication flowchart according to an embodiment of the present invention;

图4是根据本发明实施例的采用加密的第一鉴权数据对所述终端进行第一鉴权的流程图;FIG. 4 is a flow chart of performing first authentication on the terminal using encrypted first authentication data according to an embodiment of the present invention;

图5是根据本发明实施例一的终端鉴权的流程图;FIG. 5 is a flow chart of terminal authentication according to Embodiment 1 of the present invention;

图6是根据本发明实施例二的终端鉴权流程图;FIG. 6 is a flow chart of terminal authentication according to Embodiment 2 of the present invention;

图7是根据本发明实施例的终端鉴权系统的结构示意图;FIG. 7 is a schematic structural diagram of a terminal authentication system according to an embodiment of the present invention;

图8是根据本发明实施例的第一鉴权数据模块的结构示意图;Fig. 8 is a schematic structural diagram of a first authentication data module according to an embodiment of the present invention;

图9A是根据本发明实施例的第一鉴权模块的结构示意图;Fig. 9A is a schematic structural diagram of a first authentication module according to an embodiment of the present invention;

图9B是根据本发明实施例的优选第一鉴权模块的结构示意图。Fig. 9B is a schematic structural diagram of a preferred first authentication module according to an embodiment of the present invention.

具体实施方式 Detailed ways

下文中将参考附图并结合实施例来详细说明本发明。需要说明的是,在不冲突的情况下,本申请中的实施例及实施例中的特征可以相互组合。Hereinafter, the present invention will be described in detail with reference to the drawings and examples. It should be noted that, in the case of no conflict, the embodiments in the present application and the features in the embodiments can be combined with each other.

图1是根据本发明实施例的用于终端鉴权的移动通信网路系统结构示意图,如图1所示,该网络系统中包括,终端10、基站20以及鉴权服务器30,在对终端进行鉴权过程中,终端10通过基站20向鉴权服务器发送第一鉴权数据和第二鉴权数据,鉴权服务器接收到上述两个鉴权数据后,分别进行两次鉴权,在两次鉴权均成功的情况下,允许用户使用当前业务,需要说明的是,上述移动通信网络可以是目前任意一种移动通信网络,例如GSM、CDMA、WCDMA或TD-SCDMA。FIG. 1 is a schematic structural diagram of a mobile communication network system for terminal authentication according to an embodiment of the present invention. As shown in FIG. 1 , the network system includes a terminal 10, a base station 20, and an authentication server 30. During the authentication process, the terminal 10 sends the first authentication data and the second authentication data to the authentication server through the base station 20. After the authentication server receives the above two authentication data, it performs two authentications respectively. If the authentication is successful, the user is allowed to use the current service. It should be noted that the mobile communication network mentioned above can be any current mobile communication network, such as GSM, CDMA, WCDMA or TD-SCDMA.

根据本发明实施例,提供了一种终端鉴权方法。图2是根据本发明实施例的终端鉴权方法流程图,如图2所示,该方法包括:According to an embodiment of the present invention, a terminal authentication method is provided. FIG. 2 is a flow chart of a terminal authentication method according to an embodiment of the present invention. As shown in FIG. 2, the method includes:

步骤S202、鉴权服务器根据终端发送的第一鉴权数据对终端进行第一鉴权,其中,第一鉴权数据根据终端的用户特征信息生成;Step S202, the authentication server performs first authentication on the terminal according to the first authentication data sent by the terminal, wherein the first authentication data is generated according to the user characteristic information of the terminal;

步骤S204、鉴权服务器根据终端发送的第二鉴权数据进行第二鉴权,其中,第二鉴权数据根据鉴权密钥、终端参数以及网络参数生成;Step S204, the authentication server performs second authentication according to the second authentication data sent by the terminal, wherein the second authentication data is generated according to the authentication key, terminal parameters and network parameters;

步骤S206、在第一鉴权及第二鉴权均成功的情况下,鉴权服务器确定终端鉴权成功。Step S206, in the case that both the first authentication and the second authentication are successful, the authentication server determines that the terminal authentication is successful.

如前文所述,现有的终端鉴权机制,对终端进行鉴权的重要参数是由运营商固化在用户标识卡中,或在终端前销售固化在终端内的,一旦用户不慎遗失用户标识卡或终端,非法用户就可以破解用户标识卡或终端中的鉴权数据,盗用用户的卡或终端。As mentioned above, in the existing terminal authentication mechanism, important parameters for terminal authentication are fixed in the user ID card by the operator, or fixed in the terminal before the terminal sales, once the user accidentally loses the user ID card or terminal, illegal users can crack the authentication data in the user identification card or terminal, and embezzle the user's card or terminal.

本发明着重考虑由于用户标识卡或终端的鉴权数据被破解,可能带来的安全性问题,对终端鉴权机制进行了改进。增加对用户预先设置的用户特征信息的验证。即鉴权服务器利用第一鉴权数据对终端进行用户特征信息的鉴权,鉴权服务器利用第二鉴权数据,采用现有的鉴权机制对终端进行密钥鉴权。采用上述两次鉴权,即使非法用户获得了破解了用户标识卡或终端,也无法使用复制的用户标识卡或破解的终端进行正常的网络服务。The invention emphatically considers possible security problems caused by cracking authentication data of a user identification card or a terminal, and improves the terminal authentication mechanism. Increase the verification of user characteristic information preset by the user. That is, the authentication server uses the first authentication data to authenticate the user characteristic information of the terminal, and the authentication server uses the second authentication data to authenticate the key of the terminal using an existing authentication mechanism. With the above two authentications, even if an illegal user obtains and cracks a user identification card or a terminal, he cannot use the duplicated user identification card or the cracked terminal to perform normal network services.

在具体实施过程中,上述步骤S202与步骤S204之间不存在执行的先后顺序,只要保证上述第一鉴权和第二鉴权均得到执行,即可根据两次鉴权结果确定终端是否鉴权成功,如果上述两次鉴权中的任一项失败,则该终端的鉴权失败。运营商可以根据业务的特点或需求,选择先执行第一鉴权,第一鉴权成功再触发第二鉴权;也可以选择先执行第二鉴权,第二鉴权成功再触发第一鉴权;也可以选择第一鉴权和第二鉴权并发执行。In the specific implementation process, there is no sequence of execution between the above step S202 and step S204, as long as the above first authentication and the second authentication are guaranteed to be executed, it can be determined whether the terminal is authenticated according to the two authentication results If any one of the above two authentications fails, the authentication of the terminal fails. Operators can choose to perform the first authentication first, and then trigger the second authentication after the first authentication is successful according to the characteristics or needs of the service; they can also choose to perform the second authentication first, and then trigger the first authentication after the second authentication is successful. Authorization; You can also choose to execute the first authentication and the second authentication concurrently.

同样,终端在发送第一鉴权数据和第二鉴权数据也不存在先后顺序,根据运营商的业务特点或协定,终端可以先发送第一鉴权数据,也可以先发送第二鉴权数据,也可以以同一个数据包同时发送第一鉴权数据和第二鉴权数据。Similarly, there is no order in which the terminal sends the first authentication data and the second authentication data. According to the service characteristics or agreement of the operator, the terminal can send the first authentication data first, or the second authentication data first. , the first authentication data and the second authentication data may also be sent simultaneously in the same data packet.

在具体的实施过程中,在网络注册,通话,短信,数据业务的时候,都可能涉及终端鉴,上述第一鉴权可以但不限于在以下情况执行:一、每次网络鉴权的时候都需要执行;二、可以根据通信网络的设置,进行优化控制,随机或者按指定的要求在需要验证的时候进行,这样可以减少验证次数过多,带来的系统开销。In the specific implementation process, terminal authentication may be involved in network registration, calls, short messages, and data services. The above-mentioned first authentication can be performed but not limited to the following situations: 1. It needs to be executed; 2. According to the setting of the communication network, optimization control can be carried out, and it can be carried out randomly or according to the specified requirements when verification is required, which can reduce the system overhead caused by too many verification times.

采用本发明实施例提供的上述终端鉴权方法,在集成了现有的鉴权机制的基础上,增加了对用户预先设定的用户特征信息进行鉴权,使得终端用户也成为终端鉴权的一个决定因素,从而保护了用户的合法权益和利益,增强了用户终端的安全性。Using the above-mentioned terminal authentication method provided by the embodiment of the present invention, on the basis of integrating the existing authentication mechanism, adding the authentication of the user characteristic information preset by the user, so that the terminal user also becomes the terminal authentication A decisive factor, thereby protecting the legitimate rights and interests of users and enhancing the security of user terminals.

优选地,用户特征信息包括:用户预先设置的个人信息以及用户的标识信息。Preferably, the user characteristic information includes: personal information preset by the user and identification information of the user.

在具体实施过程中,用户可以根据个人喜好预先设置个人信息,例如将个人信息设置成证件号码、姓名、生日或其他字符序列。用户的标识信息,可以选择终端上标识卡的标识信息(例如ICCID、UMID或用户的电话号码),也可以选择终端的标识信息(例如IMSI或ESN)或者,为了更加安全,用户的标识信息既包括标识卡的标识信息,也包括终端的标识信息,标识卡的标识信息或终端的标识信息可以方便地利用现有资源设定用户的标识信息。In the specific implementation process, users can preset personal information according to personal preferences, for example, personal information can be set as certificate number, name, birthday or other character sequences. The user's identification information can be selected from the identification information of the identification card on the terminal (such as ICCID, UMID, or the user's phone number), or the terminal's identification information (such as IMSI or ESN) or, for greater security, the user's identification information. The identification information of the identification card includes the identification information of the terminal, and the identification information of the identification card or the identification information of the terminal can conveniently use existing resources to set the identification information of the user.

通过在用户特征信息中设置个人信息以及用户的标识信息,相当于设置了用户的标识信息和个人信息的绑定关系,方便鉴权服务器在接收到第一鉴权数据之后,根据其中的用户标识信息到数据库中获取与该用户标识信息对应的预先存储鉴权数据,通过对上述两个鉴权数据的比较判定用户特征信息的合法性。By setting the personal information and the user's identification information in the user characteristic information, it is equivalent to setting the binding relationship between the user's identification information and personal information, so that after receiving the first authentication data, the authentication server can The information is stored in the database to obtain the pre-stored authentication data corresponding to the user identification information, and the legitimacy of the user characteristic information is determined by comparing the above two authentication data.

图3是根据本发明实施例的第一鉴权流程图,优选地,如图3所示,鉴权服务器根据终端发送的第一鉴权数据对所述终端进行第一鉴权包括:Fig. 3 is a flow chart of the first authentication according to an embodiment of the present invention. Preferably, as shown in Fig. 3, the authentication server performing the first authentication on the terminal according to the first authentication data sent by the terminal includes:

步骤S302、接收来自终端的第一鉴权数据;Step S302, receiving first authentication data from the terminal;

步骤S304、获取用户的标识信息,获取个人信息作为第一个人信息;Step S304, obtaining the identification information of the user, obtaining personal information as the first personal information;

步骤S306、在鉴权服务器的数据库中获取与标识信息对应的第二个人信息;Step S306, acquiring second personal information corresponding to the identification information in the database of the authentication server;

步骤S308、比较第一个人信息和第二个人信息,如果相同,则第一鉴权成功,否则,第一鉴权失败。Step S308, comparing the first personal information and the second personal information, if they are the same, the first authentication is successful; otherwise, the first authentication fails.

采用上述流程进行第一鉴权,判断终端发送的第一个人信息和鉴权服务器保存的对应于同一用户标识的第二个人信息是否相同,就可一确定当前终端的用户是否合法。如果非法用户了复制的用户标识卡,但由于缺少正确的个人信息,导致无法通过第一鉴权,从而保证合法用户的个人权益和利益。The first authentication is carried out by using the above process, and it is judged whether the first personal information sent by the terminal is the same as the second personal information corresponding to the same user ID saved by the authentication server, so as to determine whether the current terminal user is legal. If the illegal user has copied the user identification card, but due to the lack of correct personal information, the first authentication cannot be passed, thereby ensuring the personal rights and interests of the legal user.

优选地,可以通过以下方式生成第一鉴权数据:采用预定的加密规则,对用户预先设置的个人信息以及用户的标识信息进行加密生成所述第一鉴权数据。Preferably, the first authentication data may be generated in the following manner: using a predetermined encryption rule, encrypting the personal information preset by the user and the user's identification information to generate the first authentication data.

由于第一鉴权数据在传输过程中,也可能被非法用户获得,如果以明文的方式传输第一鉴权数据将存在很大的安全隐患,因此,在具体的实施过程中,可以对用户预先设置的个人信息以及用户的标识信息进行加密处理生成第一鉴权数据。运营商和终端制造商可以协定具体的加密规则,或者更安全的方法,在具体的业务过程中,由终端与鉴权服务器协商具体的加密规则。因此,通过对加密方式获得第一鉴权数据,进一步保证了用户使用终端的安全性。Since the first authentication data may also be obtained by illegal users during the transmission process, if the first authentication data is transmitted in plain text, there will be a great security risk. Therefore, in the specific implementation process, users can pre-authorize The set personal information and the user's identification information are encrypted to generate the first authentication data. Operators and terminal manufacturers can agree on specific encryption rules, or in a more secure method, the terminal negotiates specific encryption rules with the authentication server during a specific business process. Therefore, by obtaining the first authentication data in an encrypted manner, the security of the user using the terminal is further ensured.

如果第一鉴权数据采用加密方式生成,则鉴权服务器进行第一鉴权的流程会有所不同,图4是根据本发明实施例的采用加密的第一鉴权数据对所述终端进行第一鉴权的流程图,优选地,如图4所示,该流程包括:If the first authentication data is generated in an encrypted manner, the flow of the authentication server performing the first authentication will be different. FIG. A flowchart of authentication, preferably, as shown in Figure 4, the process includes:

步骤S402、接收来自终端的第一鉴权数据;Step S402, receiving first authentication data from the terminal;

步骤S404、根据预定的解密规则解析第一鉴权数据,获取用户的标识信息以及个人信息,并将获取的个人信息作为第一个人信息;Step S404, analyzing the first authentication data according to a predetermined decryption rule, obtaining the identification information and personal information of the user, and using the obtained personal information as the first personal information;

步骤S406、在鉴权服务器的数据库中获取与用户的标识信息对应的第二个人信息;Step S406, acquiring second personal information corresponding to the user's identification information from the database of the authentication server;

步骤S408、比较第一个人信息和第二个人信息,如果相同,则第一鉴权成功,否则,第一鉴权失败。Step S408, comparing the first personal information with the second personal information, if they are the same, the first authentication is successful; otherwise, the first authentication fails.

在具体的实施过程中,解密规则与上述加密规则对应,一起由运营商和终端制造商协定,或者由终端与鉴权服务器协商。通过对加密、解密方式传输用户特征信息,进一步保证了用户使用终端的安全性。In a specific implementation process, the decryption rules correspond to the above encryption rules, and are agreed upon by the operator and the terminal manufacturer, or negotiated between the terminal and the authentication server. By encrypting and decrypting the transmission of user characteristic information, the security of the user's terminal is further ensured.

优选地,在鉴权服务器进行第一鉴权之前,方法还包括:鉴权服务器获取并存储上述终端的用户个人信息以及用户标识信息。Preferably, before the authentication server performs the first authentication, the method further includes: the authentication server acquires and stores user personal information and user identification information of the above-mentioned terminal.

为实现上述第一鉴权,鉴权服务器必须在进行终端鉴权之前预先建立用户特征信息数据库,在该数据库中保存注册用户的个人信息,并且存储的用户个人信息与用户标识一一绑定。In order to realize the above-mentioned first authentication, the authentication server must pre-establish a user characteristic information database before performing terminal authentication, store the personal information of the registered user in the database, and bind the stored user personal information with the user ID one by one.

在具体的实施过程中,需要用户向运营商上报用户特征信息,上报方式有多种,例如可以但不限于在终端入网时,提交用户特征信息。或者登陆运营商网站,录入用户特征信息,一旦信息录入网络侧系统,用户的个人信息就和用户使用的用户标识卡或终端实现一一对应的绑定,只要判断用户标识信息和用户信息不是绑定的关系,就认为用户非法。In the specific implementation process, the user needs to report the user characteristic information to the operator. There are many ways to report, for example, but not limited to submitting the user characteristic information when the terminal is connected to the network. Or log in to the operator's website and enter user characteristic information. Once the information is entered into the network side system, the user's personal information will be bound one-to-one with the user identification card or terminal used by the user. As long as it is judged that the user identification information and user information are not bound If there is no certain relationship, the user is considered illegal.

在具体的实施过程中,用户也可以通过特定的方式更新用户特征信息,例如,以短信的方式、登录运营商网站或直接通过运营商营业网点进行更改。In the specific implementation process, the user can also update the user characteristic information in a specific way, for example, by text message, logging in to the operator's website, or directly changing it through the operator's business outlet.

鉴权服务器在终端鉴权之前获取并维护用户提供的用户特征信息,是进行第一鉴权的前提,只有鉴权服务器保存了正确的个人信息与用户标识信息的绑定关系,第一鉴权才可以顺利实施。The authentication server obtains and maintains the user characteristic information provided by the user before the terminal authentication, which is the premise of the first authentication. Only the authentication server saves the correct binding relationship between personal information and user identification information, and the first authentication to be successfully implemented.

优选地,所述用户的标识信息包括至少以下之一:所述终端的智能卡的标识信息、所述终端的标识信息。Preferably, the identification information of the user includes at least one of the following: identification information of the smart card of the terminal, and identification information of the terminal.

用户的标识信息,可以选择终端上标识卡的标识信息(例如ICCID、UMID或用户的电话号码),也可以选择终端的标识信息(例如IMSI或ESN)或者,为了更加安全,用户的标识信息既包括标识卡的标识信息,也包括终端的标识信息,标识卡的标识信息或终端的标识信息可以方便地利用现有资源设定用户的标识信息。The user's identification information can be selected from the identification information of the identification card on the terminal (such as ICCID, UMID, or the user's phone number), or the terminal's identification information (such as IMSI or ESN) or, for greater security, the user's identification information. The identification information of the identification card includes the identification information of the terminal, and the identification information of the identification card or the identification information of the terminal can conveniently use existing resources to set the identification information of the user.

优选地,用户预先设置的个人信息可以存储于终端的内存或与终端连接的其他存储介质上。由于用户个人信息不存储在终端的标识卡(例如SIM卡)上,因此,即使标识卡遗失,用户个人信息也不会泄露。Preferably, the personal information preset by the user can be stored in the internal memory of the terminal or on other storage media connected to the terminal. Since the user's personal information is not stored on the identification card (such as the SIM card) of the terminal, even if the identification card is lost, the user's personal information will not be leaked.

优选地,终端可以通过短消息或通信信令将第一鉴权数据发送至鉴权服务器。Preferably, the terminal can send the first authentication data to the authentication server through a short message or communication signaling.

在具体的实施过程中,无论采用哪种方式发送第一鉴权数据,鉴权服务器均可以接收并进行第一鉴权操作,多样的发送方式,使得终端鉴权更加灵活,方便运营商实施。In a specific implementation process, no matter which method is used to send the first authentication data, the authentication server can receive and perform the first authentication operation. Various sending methods make terminal authentication more flexible and convenient for operators to implement.

下面结合其他实施例对上述终端鉴权方法进行详细介绍。The above terminal authentication method will be described in detail below in combination with other embodiments.

实施例一Embodiment one

在本实施例中,选择鉴权服务器先执行第一鉴权,第一鉴权成功的情况下,触发第二鉴权。图5是根据本发明实施例一的终端鉴权流程图,如图5所示,该流程包括:In this embodiment, the authentication server is selected to first perform the first authentication, and if the first authentication succeeds, the second authentication is triggered. FIG. 5 is a flow chart of terminal authentication according to Embodiment 1 of the present invention. As shown in FIG. 5, the process includes:

步骤S501、终端开机。Step S501, the terminal is turned on.

步骤S502、终端使用通信网络业务(网络注册,语音,短信,数据等)。Step S502, the terminal uses communication network services (network registration, voice, short message, data, etc.).

步骤S503、根据返回的系统消息,终端判断确认是否要进行第一鉴权。Step S503, according to the returned system message, the terminal determines whether to perform the first authentication.

步骤S504、如果网络要求终端进行第一鉴权,终端根据用户预置的个人信息包括终端的信息,卡的信息并结合特定的加密算法,生成第一鉴权数据,并执行步骤S505;否则,执行步骤S510。Step S504, if the network requires the terminal to perform the first authentication, the terminal generates the first authentication data according to the personal information preset by the user including terminal information and card information combined with a specific encryption algorithm, and executes step S505; otherwise, Execute step S510.

步骤S505、终端发送第一鉴权数据给鉴权服务器。Step S505, the terminal sends the first authentication data to the authentication server.

步骤S506、鉴权服务器接收终端反馈的第一鉴权数据,解析出用户个人信息和用户标识信息,并根据终端上报的用户个人信息,与数据库中存储的个人信息比较,生成第一鉴权结果。Step S506, the authentication server receives the first authentication data fed back by the terminal, parses out the user's personal information and user identification information, and compares the user's personal information reported by the terminal with the personal information stored in the database to generate a first authentication result .

步骤S507、鉴权服务器下发第一鉴权结果给终端。Step S507, the authentication server delivers the first authentication result to the terminal.

步骤S508、终端判断第一鉴权结果,如果失败,执行步骤S509,否则,执行步骤510。Step S508, the terminal judges the first authentication result, if it fails, executes step S509, otherwise, executes step 510.

步骤S509、终端提示用户禁止使用网络服务,结束本次操作过程。In step S509, the terminal prompts the user to prohibit the use of network services, and ends this operation process.

步骤S510、终端发送第二鉴权数据,鉴权服务器执行第二鉴权操作,如果第二鉴权成功,用户正常使用网络业务,否则,提示用户禁止使用网络业务。Step S510, the terminal sends the second authentication data, and the authentication server executes the second authentication operation. If the second authentication is successful, the user uses the network service normally, otherwise, prompts the user to prohibit the use of the network service.

实施例二Embodiment two

在本实施例中,选择鉴权服务器先执行第二鉴权,第二鉴权成功的情况下,触发第一鉴权。图6是根据本发明实施例二的终端鉴权流程图,如图6所示,该流程包括:In this embodiment, the authentication server is selected to perform the second authentication first, and if the second authentication succeeds, the first authentication is triggered. FIG. 6 is a flow chart of terminal authentication according to Embodiment 2 of the present invention. As shown in FIG. 6, the process includes:

步骤S601、终端开机。Step S601, the terminal is turned on.

步骤S602、终端使用通信网络业务(网络注册,语音,短信,数据等)。Step S602, the terminal uses communication network services (network registration, voice, short message, data, etc.).

步骤S603、终端发送第二鉴权数据,鉴权服务器执行第二鉴权操作,如果第二鉴权成功,执行步骤S604,否则,提示用户禁止使用网络业务。Step S603, the terminal sends the second authentication data, and the authentication server executes the second authentication operation, if the second authentication is successful, executes the step S604, otherwise, prompts the user to prohibit using the network service.

步骤S604、根据返回的系统消息,终端判断确认是否要进行第一鉴权。Step S604, according to the returned system message, the terminal determines whether to perform the first authentication.

步骤S605、如果网络要求终端进行第一鉴权,终端根据用户预置的个人信息包括终端的信息,卡的信息并结合特定的加密算法,生成第一鉴权数据;如果不需要进行第一鉴权,则终端鉴权成功,用户正常使用网络业务。Step S605, if the network requires the terminal to perform the first authentication, the terminal generates the first authentication data according to the personal information preset by the user including terminal information, card information and a specific encryption algorithm; if the first authentication is not required authorization, the terminal authentication is successful, and the user can use the network service normally.

步骤S606、终端发送第一鉴权数据给鉴权服务器。Step S606, the terminal sends the first authentication data to the authentication server.

步骤S607、鉴权服务器接收终端反馈的第一鉴权数据,解析出用户个人信息和用户标识信息,并根据终端上报的用户个人信息,与数据库中存储的个人信息比较,生成第一鉴权结果。Step S607, the authentication server receives the first authentication data fed back by the terminal, parses out the user's personal information and user identification information, and compares the user's personal information reported by the terminal with the personal information stored in the database to generate a first authentication result .

步骤S608、鉴权服务器下发第一鉴权结果给终端。Step S608, the authentication server delivers the first authentication result to the terminal.

步骤S609、终端判断第一鉴权结果,如果失败,终端提示用户禁止使用网络服务,结束本次操作过程,否则,终端鉴权通过,用户正常使用网络服务。Step S609, the terminal judges the result of the first authentication, if it fails, the terminal prompts the user to prohibit using the network service, and ends this operation process; otherwise, the terminal passes the authentication, and the user normally uses the network service.

根据本发明实施例,还提供了一种终端鉴权系统,图7是根据本发明实施例的终端鉴权系统的结构示意图,如图7所示,该系统包括:终端71,鉴权服务器72。According to an embodiment of the present invention, a terminal authentication system is also provided. FIG. 7 is a schematic structural diagram of a terminal authentication system according to an embodiment of the present invention. As shown in FIG. 7, the system includes: a terminal 71, an authentication server 72 .

其中,终端71包括:第一鉴权数据模块711、第二鉴权数据模块712。第一鉴权数据模块711,用于生成第一鉴权数据,并向鉴权服务器72发送第一鉴权数据,其中,第一鉴权数据根据终端的用户特征信息生成。第二鉴权数据模块711,用于生成第二鉴权数据,并向鉴权服务器72发送第二鉴权数据,其中,第二鉴权数据根据鉴权密钥、终端参数以及网络参数生成。Wherein, the terminal 71 includes: a first authentication data module 711 and a second authentication data module 712 . The first authentication data module 711 is configured to generate first authentication data and send the first authentication data to the authentication server 72, wherein the first authentication data is generated according to the user characteristic information of the terminal. The second authentication data module 711 is configured to generate second authentication data and send the second authentication data to the authentication server 72, wherein the second authentication data is generated according to the authentication key, terminal parameters and network parameters.

鉴权服务器72包括:第一鉴权模块721、第二鉴权模块722、鉴权成功判断模块723。第一鉴权模块721,用于根据第一鉴权数据对终端进行第一鉴权,并输出第一鉴权结果;第二鉴权模块722,用于在第一鉴权成功的情况下,根据第二鉴权数据进行第二鉴权,并输出第二鉴权结果;鉴权成功判断模块723,分别与第一鉴权模块721和第二鉴权模块722连接,用于判断输入的第一鉴权结果和第二鉴权结果,在第一鉴权结果和第二鉴权结果均成功的情况下,确定终端71的鉴权成功。The authentication server 72 includes: a first authentication module 721 , a second authentication module 722 , and an authentication success judging module 723 . The first authentication module 721 is configured to perform a first authentication on the terminal according to the first authentication data, and output a first authentication result; the second authentication module 722 is configured to, when the first authentication is successful, Carry out the second authentication according to the second authentication data, and output the second authentication result; the authentication success judging module 723 is connected with the first authentication module 721 and the second authentication module 722 respectively, and is used to judge the inputted first authentication module 723 An authentication result and a second authentication result. If both the first authentication result and the second authentication result are successful, it is determined that the authentication of the terminal 71 is successful.

图8是根据本发明实施例的第一鉴权数据模块的结构示意图,优选地,如图8所示,第一鉴权数据模块711包括:存储子模块801、生成子模块802以及发送子模块803,其中,存储子模块801,用于存储用户预先设置的个人信息以及用户的标识信息;生成子模块802,与存储子模块801连接,用于获取个人信息以及用户的标识信息生成第一鉴权数据;发送子模块803,与生成子模块802连接,用于获取第一鉴权数据并发送至鉴权服务器72。Fig. 8 is a schematic structural diagram of the first authentication data module according to an embodiment of the present invention. Preferably, as shown in Fig. 8, the first authentication data module 711 includes: a storage submodule 801, a generation submodule 802 and a sending submodule 803, wherein the storage sub-module 801 is used to store the personal information preset by the user and the user's identification information; the generation sub-module 802 is connected to the storage sub-module 801 and is used to obtain the personal information and the user's identification information to generate the first authentication authorization data; the sending sub-module 803 is connected with the generating sub-module 802 for obtaining the first authentication data and sending it to the authentication server 72.

图9A是根据本发明实施例的第一鉴权模块的结构示意图,优选地,如图9A所示,第一鉴权模块721包括:数据存储子模块901、接收子模块902、第一获取子模块903、第二获取子模块904以及比较子模块905。数据存储模块901,用于存储用户提供的个人信息;接收子模块902,用于接收第一鉴权数据;第一获取子模块903,与接收子模块902连接,用于获取第一鉴权数据的用户的标识信息,并输出至第二获取子模块904,以及获取第一鉴权数据的个人信息作为第一个人信息输出至比较子模块905;第二获取子模块904,分别与数据存储模块901、第一获取子模块903和比较子模块905连接,用于在数据存储模块901中获取与输入的用户的标识信息对应的个人信息作为第二个人信息,并输出至比较子模块905;比较子模块905,分别与第一获取子模块903和第二获取子模块904连接,用于比较输入的第一个人信息和第二个人信息,并生成第一鉴权结果。9A is a schematic structural diagram of the first authentication module according to an embodiment of the present invention. Preferably, as shown in FIG. 9A, the first authentication module 721 includes: a data storage submodule 901, a receiving submodule 902, a first acquisition submodule module 903 , a second acquisition submodule 904 and a comparison submodule 905 . The data storage module 901 is used to store the personal information provided by the user; the receiving submodule 902 is used to receive the first authentication data; the first obtaining submodule 903 is connected to the receiving submodule 902 and is used to obtain the first authentication data The identification information of the user, and output to the second acquisition sub-module 904, and the personal information obtained from the first authentication data is output to the comparison sub-module 905 as the first personal information; the second acquisition sub-module 904, respectively, with the data storage The module 901, the first acquisition submodule 903 and the comparison submodule 905 are connected to acquire the personal information corresponding to the input user identification information in the data storage module 901 as the second personal information, and output it to the comparison submodule 905; The comparison submodule 905 is connected to the first acquisition submodule 903 and the second acquisition submodule 904 respectively, and is used to compare the input first personal information and second personal information, and generate a first authentication result.

优选地,如图9B所示,如果第一鉴权数据采用预定的加密规则加密生成,则第一鉴权模块721还包括:解析子模块906,与接收子模块902和第一获取子模块903连接,用于解析接收子模块902接收的第一鉴权数据,并将解析后的第一鉴权数据输出至第一获取子模块903。Preferably, as shown in FIG. 9B, if the first authentication data is encrypted and generated using a predetermined encryption rule, the first authentication module 721 further includes: a parsing submodule 906, and a receiving submodule 902 and a first obtaining submodule 903 The connection is used for parsing the first authentication data received by the receiving submodule 902 and outputting the parsed first authentication data to the first obtaining submodule 903 .

综上所述,本发明提供的技术方案,采用双重鉴权机制,在继承了现有的鉴权方法的基础上,增加了对用户自己设置的用户特征信息的鉴权操作,不仅增强了用户使用网络的安全性,也增强了对用户个人隐私的保护,并且可以保护运营商的合法权益和利益。In summary, the technical solution provided by the present invention adopts a double authentication mechanism, and on the basis of inheriting the existing authentication method, adds an authentication operation to the user characteristic information set by the user himself, which not only enhances the The security of using the network also enhances the protection of users' personal privacy, and can protect the legitimate rights and interests of operators.

显然,本领域的技术人员应该明白,上述的本发明的各模块或各步骤可以用通用的计算装置来实现,它们可以集中在单个的计算装置上,或者分布在多个计算装置所组成的网络上,可选地,它们可以用计算装置可执行的程序代码来实现,从而,可以将它们存储在存储装置中由计算装置来执行,并且在某些情况下,可以以不同于此处的顺序执行所示出或描述的步骤,或者将它们分别制作成各个集成电路模块,或者将它们中的多个模块或步骤制作成单个集成电路模块来实现。这样,本发明不限制于任何特定的硬件和软件结合。Obviously, those skilled in the art should understand that each module or each step of the above-mentioned present invention can be realized by a general-purpose computing device, and they can be concentrated on a single computing device, or distributed in a network formed by multiple computing devices Alternatively, they may be implemented in program code executable by a computing device so that they may be stored in a storage device to be executed by a computing device, and in some cases in an order different from that shown here The steps shown or described are carried out, or they are separately fabricated into individual integrated circuit modules, or multiple modules or steps among them are fabricated into a single integrated circuit module for implementation. As such, the present invention is not limited to any specific combination of hardware and software.

以上所述仅为本发明的优选实施例而已,并不用于限制本发明,对于本领域的技术人员来说,本发明可以有各种更改和变化。凡在本发明的精神和原则之内,所作的任何修改、等同替换、改进等,均应包含在本发明的保护范围之内。The above descriptions are only preferred embodiments of the present invention, and are not intended to limit the present invention. For those skilled in the art, the present invention may have various modifications and changes. Any modifications, equivalent replacements, improvements, etc. made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.

Claims (14)

1.一种终端鉴权方法,其特征在于,包括:1. A terminal authentication method, characterized in that, comprising: 鉴权服务器根据终端发送的第一鉴权数据对所述终端进行第一鉴权,其中,所述第一鉴权数据根据所述终端的用户特征信息生成;The authentication server performs first authentication on the terminal according to the first authentication data sent by the terminal, where the first authentication data is generated according to the user characteristic information of the terminal; 所述鉴权服务器根据所述终端发送的第二鉴权数据进行第二鉴权,其中,所述第二鉴权数据根据鉴权密钥、终端参数以及网络参数生成;The authentication server performs second authentication according to the second authentication data sent by the terminal, wherein the second authentication data is generated according to an authentication key, terminal parameters, and network parameters; 在所述第一鉴权及所述第二鉴权均成功的情况下,所述鉴权服务器确定所述终端鉴权成功。If both the first authentication and the second authentication are successful, the authentication server determines that the authentication of the terminal is successful. 2.根据权利要求1所述的方法,其特在在于,所述用户特征信息包括:用户预先设置的个人信息以及用户的标识信息。2. The method according to claim 1, wherein the user characteristic information includes: personal information preset by the user and identification information of the user. 3.根据权利要求2所述的方法,其特征在于,鉴权服务器根据终端发送的第一鉴权数据对所述终端进行第一鉴权包括:3. The method according to claim 2, wherein the authentication server performing the first authentication on the terminal according to the first authentication data sent by the terminal comprises: 接收来自所述终端的第一鉴权数据;receiving first authentication data from the terminal; 获取所述用户的标识信息,获取所述个人信息作为第一个人信息;Obtain the identification information of the user, and obtain the personal information as the first personal information; 在所述鉴权服务器的数据库中获取与所述标识信息对应的第二个人信息;Obtain second personal information corresponding to the identification information from the database of the authentication server; 比较所述第一个人信息和所述第二个人信息,如果相同,则第一鉴权成功,否则,第一鉴权失败。Comparing the first personal information and the second personal information, if they are the same, the first authentication is successful; otherwise, the first authentication fails. 4.根据权利要求2所述的方法,其特征在于,通过以下方式生成所述第一鉴权数据:采用预定的加密规则,对所述用户预先设置的个人信息以及用户的标识信息进行加密生成所述第一鉴权数据。4. The method according to claim 2, characterized in that the first authentication data is generated in the following manner: using a predetermined encryption rule, encrypting the personal information preset by the user and the user's identification information The first authentication data. 5.根据权利要求4所述的方法,其特征在于,鉴权服务器根据终端发送的第一鉴权数据对所述终端进行第一鉴权包括:5. The method according to claim 4, wherein the authentication server performing the first authentication on the terminal according to the first authentication data sent by the terminal comprises: 接收来自所述终端的第一鉴权数据;receiving first authentication data from the terminal; 根据预定的解密规则解析所述第一鉴权数据,获取所述用户的标识信息以及所述个人信息,并将获取的所述个人信息作为第一个人信息;Analyzing the first authentication data according to a predetermined decryption rule, obtaining the identification information of the user and the personal information, and using the obtained personal information as the first personal information; 在所述鉴权服务器中获取与所述用户的标识信息对应的第二个人信息;Obtain second personal information corresponding to the user's identification information in the authentication server; 比较所述第一个人信息和所述第二个人信息,如果相同,则第一鉴权成功,否则,第一鉴权失败。Comparing the first personal information and the second personal information, if they are the same, the first authentication is successful; otherwise, the first authentication fails. 6.根据权利要求3或5所述的方法,其特征在于,在所述鉴权服务器进行所述第一鉴权之前,所述方法还包括:所述鉴权服务器获取并存储所述终端的用户个人信息以及用户标识信息。6. The method according to claim 3 or 5, wherein before the authentication server performs the first authentication, the method further comprises: the authentication server acquires and stores the terminal's User personal information and user identification information. 7.根据权利要求2至5任一项所述的方法,其特征在于,所述用户的标识信息包括至少以下之一:所述终端的标识卡的标识信息、所述终端的标识信息。7. The method according to any one of claims 2 to 5, wherein the identification information of the user includes at least one of the following: identification information of an identification card of the terminal, and identification information of the terminal. 8.根据权利要求2至5任一项所述的方法,其特征在于,所述用户预先设置的个人信息存储于所述终端的内存或与所述终端连接的其他存储介质上。8. The method according to any one of claims 2 to 5, wherein the personal information preset by the user is stored in the internal memory of the terminal or on other storage media connected to the terminal. 9.根据权利要求1至5任一项所述的方法,其特征在于,所述终端通过短消息或通信信令将第一鉴权数据发送至所述鉴权服务器。9. The method according to any one of claims 1 to 5, wherein the terminal sends the first authentication data to the authentication server through a short message or communication signaling. 10.一种终端鉴权系统,其特征在于,包括:10. A terminal authentication system, comprising: 终端,包括:terminal, including: 第一鉴权数据模块,用于生成第一鉴权数据,并向鉴权服务器发送所述第一鉴权数据,其中,所述第一鉴权数据根据所述终端的用户特征信息生成;A first authentication data module, configured to generate first authentication data, and send the first authentication data to an authentication server, where the first authentication data is generated according to user characteristic information of the terminal; 第二鉴权数据模块,用于生成第二鉴权数据,并向鉴权服务器发送所述第二鉴权数据,其中,所述第二鉴权数据根据鉴权密钥、终端参数以及网络参数生成;The second authentication data module is configured to generate second authentication data and send the second authentication data to the authentication server, wherein the second authentication data is based on the authentication key, terminal parameters and network parameters generate; 所述鉴权服务器,包括The authentication server includes 第一鉴权模块,用于根据所述第一鉴权数据对所述终端进行第一鉴权,并输出第一鉴权结果;A first authentication module, configured to perform a first authentication on the terminal according to the first authentication data, and output a first authentication result; 第二鉴权模块,用于在所述第一鉴权成功的情况下,根据所述第二鉴权数据进行第二鉴权,并输出第二鉴权结果;A second authentication module, configured to perform a second authentication according to the second authentication data and output a second authentication result if the first authentication is successful; 鉴权成功判断模块,分别与所述第一鉴权模块和所述第二鉴权模块连接,用于判断输入的所述第一鉴权结果和所述第二鉴权结果,在所述第一鉴权结果和第二鉴权结果均成功的情况下,确定所述终端的鉴权成功。The authentication success judging module is connected to the first authentication module and the second authentication module respectively, and is used to judge the input first authentication result and the second authentication result, in the second If both the first authentication result and the second authentication result are successful, it is determined that the authentication of the terminal is successful. 11.根据权利要求10所述的系统,其特征在于,所述第一鉴权数据模块包括:11. The system according to claim 10, wherein the first authentication data module comprises: 存储子模块,用于存储用户预先设置的个人信息以及用户的标识信息;The storage sub-module is used to store the personal information preset by the user and the identification information of the user; 生成子模块,与所述存储子模块连接,用于获取所述个人信息以及用户的标识信息生成第一鉴权数据;A generating submodule, connected to the storage submodule, is used to obtain the personal information and the user's identification information to generate first authentication data; 发送子模块,与所述生成子模块连接,用于获取第一鉴权数据并发送至所述鉴权服务器。The sending submodule is connected with the generating submodule, and is used to obtain the first authentication data and send it to the authentication server. 12.根据权利要求10所述的系统,其特征在于,所述第一鉴权模块包括:12. The system according to claim 10, wherein the first authentication module comprises: 数据存储子模块,用于存储用户提供的个人信息;The data storage sub-module is used to store the personal information provided by the user; 接收子模块,用于接收所述第一鉴权数据;a receiving submodule, configured to receive the first authentication data; 第一获取子模块,与所述接收子模块连接,用于获取所述第一鉴权数据的用户的标识信息,并输出至第二获取子模块,以及获取所述第一鉴权数据的个人信息作为第一个人信息输出至比较子模块;The first acquisition submodule is connected with the receiving submodule, and is used to acquire the identification information of the user of the first authentication data, and output it to the second acquisition submodule, and the individual who acquires the first authentication data The information is output to the comparison sub-module as the first personal information; 所述第二获取子模块,分别与所述数据存储子模块、所述第一获取子模块以及所述比较子模块连接,用于在所述数据存储子模块中获取与输入的所述用户的标识信息对应的个人信息作为第二个人信息,并输出至所述比较子模块;The second acquisition submodule is respectively connected to the data storage submodule, the first acquisition submodule, and the comparison submodule, and is used to acquire and input the user's information in the data storage submodule. The personal information corresponding to the identification information is used as the second personal information, and is output to the comparison sub-module; 所述比较子模块,分别与所述第一获取子模块和所述第二获取子模块连接,用于比较输入的所述第一个人信息和所述第二个人信息,并生成所述第一鉴权结果。The comparison submodule is connected to the first acquisition submodule and the second acquisition submodule respectively, and is used to compare the input first personal information and the second personal information, and generate the first personal information. 1. Authentication result. 13.根据权利要求12所述的系统,其特征在于,如果所述第一鉴权数据采用预定的加密规则加密生成,则所述第一鉴权模块还包括:解析子模块,与所述接收子模块和第一获取子模块连接,用于解析所述接收子模块接收的所述第一鉴权数据,并将解析后的第一鉴权数据输出至所述第一获取子模块。13. The system according to claim 12, wherein if the first authentication data is encrypted and generated using a predetermined encryption rule, the first authentication module further includes: a parsing submodule, which is connected with the receiving The sub-module is connected to the first obtaining sub-module, and is used for analyzing the first authentication data received by the receiving sub-module, and outputting the parsed first authentication data to the first obtaining sub-module. 14.根据权利要求11至13任一项所述的系统,其特征在于,所述用户的标识信息包括至少以下之一:所述终端的智能卡的标识信息、所述终端的标识信息。14. The system according to any one of claims 11 to 13, wherein the identification information of the user includes at least one of the following: identification information of the smart card of the terminal, and identification information of the terminal.
CN201010145176.8A 2010-04-06 2010-04-06 Terminal authentication method and system Active CN101841814B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201010145176.8A CN101841814B (en) 2010-04-06 2010-04-06 Terminal authentication method and system
PCT/CN2010/075640 WO2011124051A1 (en) 2010-04-06 2010-08-02 Method and system for terminal authentication

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201010145176.8A CN101841814B (en) 2010-04-06 2010-04-06 Terminal authentication method and system

Publications (2)

Publication Number Publication Date
CN101841814A CN101841814A (en) 2010-09-22
CN101841814B true CN101841814B (en) 2014-07-02

Family

ID=42744856

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010145176.8A Active CN101841814B (en) 2010-04-06 2010-04-06 Terminal authentication method and system

Country Status (2)

Country Link
CN (1) CN101841814B (en)
WO (1) WO2011124051A1 (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102469451B (en) * 2010-11-16 2015-06-17 深圳市雄帝科技股份有限公司 Method and system for phone card real-name authentication
CN102158863B (en) * 2011-02-18 2016-04-13 惠州Tcl移动通信有限公司 Based on the mobile terminal authentication system and method for JAVA, server and terminal
CN102158856B (en) * 2011-02-21 2015-06-17 惠州Tcl移动通信有限公司 Mobile terminal identification code authentication system and method, server and terminal
CN104378203B (en) * 2013-08-15 2018-04-27 腾讯科技(深圳)有限公司 Information authentication method, apparatus and terminal
CN105873059A (en) * 2016-06-08 2016-08-17 中国南方电网有限责任公司电网技术研究中心 Joint identity authentication method and system for power distribution communication wireless private network
CN106897631B (en) * 2017-02-03 2020-01-17 Oppo广东移动通信有限公司 Data processing method, device and system
CN108616511B (en) * 2018-04-03 2021-02-05 深圳市宝尔爱迪科技有限公司 Communication method of terminal equipment with encryption system and third-party application installation method
CN116203442A (en) * 2021-11-30 2023-06-02 北京小米移动软件有限公司 Battery authentication method and device of terminal, electronic equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1620165A (en) * 2003-11-21 2005-05-25 华为技术有限公司 Identification method of mobile terminal user legalness
CN1684411A (en) * 2004-04-13 2005-10-19 华为技术有限公司 Method for verifying user's legitimate of mobile terminal
CN101521886A (en) * 2009-01-21 2009-09-02 北京握奇数据系统有限公司 Method and device for authenticating terminal and telecommunication smart card

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2006011989A (en) * 2004-06-28 2006-01-12 Ntt Docomo Inc Authentication method, terminal device, repeater, and authentication server
CN101656958B (en) * 2009-08-13 2012-07-25 北京握奇数据系统有限公司 Telecommunication intelligent card in Code Division Multiple Access (CDMA) network and authentication method thereof

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1620165A (en) * 2003-11-21 2005-05-25 华为技术有限公司 Identification method of mobile terminal user legalness
CN1684411A (en) * 2004-04-13 2005-10-19 华为技术有限公司 Method for verifying user's legitimate of mobile terminal
CN101521886A (en) * 2009-01-21 2009-09-02 北京握奇数据系统有限公司 Method and device for authenticating terminal and telecommunication smart card

Also Published As

Publication number Publication date
CN101841814A (en) 2010-09-22
WO2011124051A1 (en) 2011-10-13

Similar Documents

Publication Publication Date Title
CN101841814B (en) Terminal authentication method and system
KR102018971B1 (en) Method for enabling network access device to access wireless network access point, network access device, application server and non-volatile computer readable storage medium
JP5579938B2 (en) Authentication of access terminal identification information in roaming networks
JP4263384B2 (en) Improved method for authentication of user subscription identification module
US7953391B2 (en) Method for inclusive authentication and management of service provider, terminal and user identity module, and system and terminal device using the method
US7142891B2 (en) Device bound flashing/booting for cloning prevention
CN102413224B (en) Methods, systems and equipment for binding and running security digital card
CN102036242B (en) Access authentication method and system in mobile communication network
CN100444545C (en) Use the public key pair in the terminal equipment to allow network operators and business partners to authenticate and authorize telecom users
US20050188219A1 (en) Method and a system for communication between a terminal and at least one communication equipment
JP2004326796A (en) Method for securing terminal and application, communication terminal and identification module in method of executing application requiring high degree of security protection function
EP2879421B1 (en) Terminal identity verification and service authentication method, system, and terminal
TWI632798B (en) Server, mobile terminal, and network real-name authentication system and method
JP2014524073A (en) Service access authentication method and system
CN101990201B (en) Method, system and device for generating general bootstrapping architecture (GBA) secret key
CN101926188A (en) Security Policy Distribution to Communication Terminals
WO2009094886A1 (en) Method for locking the application program
CN1910531B (en) Method and system for key control of data resources and related network
CN110929231A (en) Digital asset authorization method and device and server
CN105187369B (en) A kind of data access method and device
CN100499453C (en) Method of the authentication at client end
CN104901967A (en) Registration method for trusted device
CN110337100A (en) Block chain-based method, terminal and system for adding secondary cards for No. 1 multi-card business
WO2011144129A2 (en) Machine-card interlocking method, user identity model card and terminal
CN105245526B (en) Call the method and apparatus of SIM card application

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20200818

Address after: 210012 Nanjing, Yuhuatai District, South Street, Bauhinia Road, No. 68

Patentee after: Nanjing Zhongxing Software Co.,Ltd.

Address before: 518057 Nanshan District science and technology, Guangdong Province, South Road, No. 55, No.

Patentee before: ZTE Corp.