
CN102918878B - File transmitting method and device - Google Patents


Info

Publication number
CN102918878B
Authority
CN
China
Prior art keywords
user
equipment
imsi
binding relationship
user equipment
Prior art date
Legal status
Active
Application number
CN201180001436.7A
Other languages
Chinese (zh)
Other versions
CN102918878A (en)
Inventor
毕军
王优
张伟
胡虹雨
王旸旸
Current Assignee
Tsinghua University
Huawei Technologies Co Ltd
Original Assignee
Tsinghua University
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Tsinghua University, Huawei Technologies Co Ltd
Publication of CN102918878A
Application granted
Publication of CN102918878B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 8/00 Network data management
    • H04W 8/02 Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks
    • H04W 8/08 Mobility data transfer
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/062 Pre-authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Databases & Information Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

Embodiments of the present invention provide a message sending method and device in the field of communications. The method includes: receiving an authentication request from a first user equipment; according to the first user identifier, sending a user binding authentication request to the home subscriber server (HSS) of the first user, so that the HSS of the first user judges, according to the stored binding relationships between IMSIs and user identifiers, whether the binding relationship between the IMSI of the first user equipment and the first user identifier is legal; when the HSS of the first user determines that the binding relationship between the IMSI of the first user equipment and the first user identifier is legal, downloading that binding relationship from the HSS of the first user; and, after the first user equipment has established communication with a second user equipment, when a message is received from the first user equipment, sending to the second user equipment the messages that conform to the downloaded binding relationship. The invention prevents user identifiers from being forged during data transmission and improves the security of data transmission.

Description

Message sending method and device

Technical field

The present invention relates to the field of communications, and in particular to a message sending method and device.

Background

With the emergence of a large number of mobile devices on the Internet, it has become common for a single user to own multiple devices. To address the Internet's problems with mobility, multi-homing and security, a scheme separating user identifier from address, UIP (User Identifier Protocol), has been proposed. The UIP architecture divides the network into multiple domains and introduces two global-scope services: a mapping service from user identifier to address, and a data encapsulation/decapsulation service at the domain egress routers. Under UIP, every access user is assigned a unique user identifier; the two communicating parties establish a connection using their respective user identifiers, obtain the peer's address by querying the mapping service, and transmit data packets through encapsulation/decapsulation at the domain egress routers. This scheme removes the limitation of current Internet communication being tied to addresses or devices, and can solve the problems of mobility, multi-homing and single-user-multiple-devices described above.

In the process of implementing the present invention, the inventors found that the prior art has at least the following problems:

In the prior art, UIP deployed in an LTE (Long Term Evolution) architecture cannot prevent forgery of user identifiers during communication. Because the network does not authenticate the user identifier, an attacker can freely send messages carrying a forged user identifier to impersonate another identity, and mount network attacks on that basis, with serious consequences; security is therefore low.

Summary of the invention

To improve the security of data transmission, embodiments of the present invention provide a message sending method and device. The technical solutions are as follows:

A message sending method, comprising:

receiving an authentication request from a first user equipment, the authentication request carrying the International Mobile Subscriber Identity (IMSI) of the first user equipment and a first user identifier, the first user identifier identifying the first user who uses the first user equipment;

according to the first user identifier, sending a user binding authentication request to the home subscriber server (HSS) of the first user, so that the HSS of the first user judges, according to the stored binding relationships between IMSIs and user identifiers, whether the binding relationship between the IMSI of the first user equipment and the first user identifier is legal; the user binding authentication request carrying the IMSI of the user equipment and the first user identifier;

when the HSS of the first user determines that the binding relationship between the IMSI of the first user equipment and the first user identifier is legal, downloading the binding relationship between the IMSI of the first user equipment and the first user identifier from the HSS of the first user, and, after the first user equipment has established communication with a second user equipment according to the LTE architecture, when a message is received from the first user equipment, sending to the second user equipment the messages that conform to the downloaded binding relationship.

A message sending method, comprising:

receiving a user binding authentication request from an MME, the authentication request carrying the IMSI of the first user equipment and the first user identifier;

judging, according to the locally stored binding relationships between IMSIs and user identifiers, whether the binding relationship between the IMSI of the first user equipment and the first user identifier is legal;

if so, downloading the binding relationship between the IMSI of the first user equipment and the first user identifier to the MME, so that after the first user equipment has established communication with a second user equipment according to the LTE architecture, when the MME receives a message from the first user equipment it sends to the second user equipment the messages that conform to the downloaded binding relationship.

A network-side device, comprising:

a receiving module, configured to receive an authentication request from a first user equipment, the authentication request carrying the International Mobile Subscriber Identity (IMSI) of the first user equipment and a first user identifier, the first user identifier identifying the first user who uses the first user equipment;

a user binding authentication request sending module, configured to send, according to the first user identifier, a user binding authentication request to the home subscriber server (HSS) of the first user, so that the HSS of the first user judges, according to the stored binding relationships between IMSIs and user identifiers, whether the binding relationship between the IMSI of the first user equipment and the first user identifier is legal; the user binding authentication request carrying the IMSI of the user equipment and the first user identifier;

a download module, configured to download the binding relationship between the IMSI of the first user equipment and the first user identifier from the HSS of the first user when the HSS of the first user determines that this binding relationship is legal;

a communication establishment module, configured to establish communication between the first user equipment and a second user equipment according to the LTE architecture;

a message processing module, configured to send, after the first user equipment has established communication with the second user equipment, the messages received from the first user equipment that conform to the downloaded binding relationship to the second user equipment.

A network-side server, comprising:

a receiving module, configured to receive a user binding authentication request from an MME, the authentication request carrying the IMSI of the first user equipment and the first user identifier;

a judging module, configured to judge, according to the locally stored binding relationships between IMSIs and user identifiers, whether the binding relationship between the IMSI of the first user equipment and the first user identifier is legal;

a download module, configured to, if the judging module finds that the binding relationship between the IMSI of the first user equipment and the first user identifier is legal, download that binding relationship to the MME, so that after the first user equipment has established communication with a second user equipment according to the LTE architecture, when the MME receives a message from the first user equipment it sends to the second user equipment the messages that conform to the downloaded binding relationship.

The beneficial effects of the technical solutions provided by the embodiments of the present invention are:

By performing binding authentication of a user equipment against the pre-stored binding relationship between user equipment and user, and, when that binding relationship is authenticated as legal, using it to check the legality of messages and sending only messages that conform to the binding relationship to the destination device, forgery of user identifiers during data transmission is prevented and the security of data transmission is improved.

Brief description of the drawings

Fig. 1 is a flowchart of a message sending method provided in Embodiment 1 of the present invention;

Fig. 2 is a flowchart of a message sending method provided in Embodiment 1 of the present invention;

Fig. 3 is a flowchart of a message sending method provided in Embodiment 1 of the present invention;

Fig. 4 is a schematic structural diagram of a network-side device provided by an embodiment of the present invention;

Fig. 5 is a schematic structural diagram of a network-side device provided by an embodiment of the present invention;

Fig. 6 is a schematic structural diagram of a network-side device provided by an embodiment of the present invention;

Fig. 7 is a schematic structural diagram of a network-side device provided by an embodiment of the present invention;

Fig. 8 is a schematic structural diagram of a network-side server provided by an embodiment of the present invention;

Fig. 9 is a schematic structural diagram of a network-side server provided by an embodiment of the present invention;

Fig. 10 is a schematic structural diagram of a network-side server provided by an embodiment of the present invention.

Detailed description

To make the objectives, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.

Fig. 1a is a flowchart of a message sending method provided by an embodiment of the present invention. Referring to Fig. 1b, the LTE network includes: a first user equipment IMSIA1 currently used by a first user UIDA, a second user equipment IMSIB1 currently used by a second user UIDB, an MME (Mobility Management Entity)/SGW (Serving Gateway), the HSS of the first user and the HSS of the second user. The executing entity of this embodiment is the MME. Referring to Fig. 1, the method includes:

101. Receive an authentication request from the first user equipment, the authentication request carrying the IMSI (International Mobile Subscriber Identity) of the first user equipment and a first user identifier, the first user identifier identifying the first user who uses the first user equipment;

In this embodiment, every user in the network is assigned a globally unique user identifier, called a UID (User Identifier), to identify the user. Every UIP-capable user equipment stores the identifier of its user, i.e. the user's UID. The UID may be written into the SIM card of the user equipment in advance, or the user may configure it into the user equipment manually. The present invention uses the IMSI (International Mobile Subscriber Identity) of the mobile communication network to identify the user equipment. A user equipment may be a mobile terminal in the network, an entity with communication capability, and so on. The LTE network of this embodiment includes: a first user equipment currently used by a first user, a second user equipment currently used by a second user, and an MME acting as relay. Before step 101, communication between the first user equipment and the second user equipment has already been established. To improve the security of message sending and prevent forgery of user identifiers during data transmission, the first user equipment must be authenticated by the MME; this process differs from the conventional authentication process of the prior art in that the authentication request sent by the first user equipment also carries the first user identifier.

102. According to the first user identifier, send a user binding authentication request to the HSS (Home Subscriber Server) of the first user, so that the HSS of the first user judges, according to the stored binding relationships between IMSIs and user identifiers, whether the binding relationship between the IMSI of the first user equipment and the first user identifier is legal; the user binding authentication request carries the IMSI of the user equipment and the first user identifier;

Under the LTE architecture, each user corresponds to one HSS; the user's HSS may be the HSS to which one of the devices owned by that user belongs.

In this embodiment, the MME looks up, according to the first user identifier, the HSS corresponding to that identifier and thereby obtains the HSS of the first user. The HSS of the first user stores the binding relationships between user identifiers (UIDs) and IMSIs. A single user may be bound to multiple user equipments at the same time, i.e. one UID may correspond to multiple IMSIs. The binding relationship is static and may be established offline. Preferably, the embodiment of the present invention uses a user binding table to store the binding relationships between UIDs and the IMSIs of user equipments; see Table 1, which is an example of a user binding table in which UIDA corresponds to multiple devices, shown in Table 1 as UIDA corresponding to IMSIA1, IMSIB1 and so on.

Table 1

It should be noted that the HSS also maintains a mapping relationship from each user to the user equipment currently used by that user, i.e. a mapping from UID to IMSI. A single user may be mapped to multiple devices at the same time, i.e. one UID may correspond to multiple IMSIs. Further, this mapping may be updated dynamically when the user switches the user equipment in use.

Preferably, the embodiment of the present invention uses a user mapping table to store the mapping from UID to the IMSI of the user equipment currently in use; see Table 2, which is an example of a user mapping table in which UIDA corresponds to one device and UIDB corresponds to multiple devices, shown in Table 1 as UIDB corresponding to IMSIB1 and IMSIB2.

Table 2

103. When the HSS of the first user determines that the binding relationship between the IMSI of the first user equipment and the first user identifier is legal, download the binding relationship between the IMSI of the first user equipment and the first user identifier from the HSS of the first user, and, after the first user equipment has established communication with the second user equipment, when a message is received from the first user equipment, send to the second user equipment the messages that conform to the downloaded binding relationship.

The method provided by this embodiment performs binding authentication of the user equipment against the pre-stored binding relationship between user equipment and user, and, when that binding relationship is authenticated as legal, uses it to check the legality of messages, sending only messages that conform to the binding relationship to the destination device. This prevents forgery of user identifiers during data transmission and improves the security of data transmission.

Fig. 2 is a flowchart of a message sending method provided by an embodiment of the present invention. The interacting entities of this embodiment are the first user equipment currently used by the first user, the HSS of the first user, the second user equipment currently used by the second user, the HSS of the second user, and the source-side MME. Referring to Fig. 2, this embodiment includes:

201. The first user equipment sends an authentication request to the source-side MME, the authentication request carrying the International Mobile Subscriber Identity (IMSI) of the first user equipment and a first user identifier, the first user identifier identifying the first user who uses the first user equipment;

In the embodiment of the present invention, the authentication of the user equipment differs from the EPS-AKA protocol in that the first user identifier is added to the authentication request, and the MME uses the first user identifier together with the IMSI of the first user equipment to perform binding authentication of the first user equipment. In the sending process, a new field may be added to the authentication request message and the UID and IMSI placed in that new field; alternatively, the UID and IMSI may be uploaded implicitly, for example by uploading certain specified characters from which the HSS computes the final IMSI and UID with a preset algorithm.

202. The MME receives the authentication request from the first user equipment; the authentication request carries the International Mobile Subscriber Identity (IMSI) of the first user equipment and the first user identifier, the first user identifier identifying the first user who uses the first user equipment;

203. According to the first user identifier, the MME sends a user binding authentication request to the home subscriber server (HSS) of the first user; the user binding authentication request carries the IMSI of the user equipment and the first user identifier;

Those skilled in the art will appreciate that the user identifier, and the mapping from that user identifier to its HSS, are stored locally.

204. The HSS of the first user receives the user binding authentication request and judges, according to the stored binding relationships between IMSIs and user identifiers, whether the binding relationship between the IMSI of the first user equipment and the first user identifier is legal;

In this embodiment, the HSS has the function of storing user binding relationships and user mapping relationships. Each HSS stores, for the users that belong to it, a static user binding table containing the binding relationships between users and user equipments, and also stores and correctly maintains a user mapping table containing the mapping relationships between users and the user equipments they are currently using.

205. The HSS of the first user returns the judgement result to the MME;

In this embodiment, if the binding is legal an authentication success message is returned; otherwise an authentication failure message is returned and the authentication process ends;

206. When the judgement result is that the binding relationship is legal, the MME downloads the binding relationship between the IMSI of the first user equipment and the first user identifier from the HSS of the first user;

207. The MME continues with the subsequent steps of the EPC-AKA authentication protocol, i.e. it requests authentication data from the HSS of the user equipment and completes the challenge-response and key agreement with the user equipment;

The embodiment of the present invention adds a user binding authentication process to this authentication flow; the authentication is completed among the user equipment, the local MME, the user's HSS and the HSS of the device the user is currently using.

In this embodiment, compared with the LTE architecture, during user binding authentication the user equipment carries the user's UID in the authentication request message; when the MME receives the authentication request it sends a user binding authentication message to the user's HSS; the user's HSS looks up its local user binding table by the user's UID, judges the binding relationship between the received UID and IMSI, and returns the judgement result to the MME; when the judgement result is that the binding relationship is legal, the MME/SGW at the user's location downloads the binding relationship.

The authentication process of steps 201 to 207 may be performed when the first user equipment attaches to the network; it only needs to be performed before the first user equipment initiates communication, and the embodiment of the present invention does not specifically limit this.

208. The first user equipment initiates a communication request, the communication request carrying the first user identifier and a second user identifier;

In this embodiment, the source is the first user equipment and the destination is the second user equipment; those skilled in the art will appreciate that the communication request also includes a source port identifier and a destination port identifier.

209. The source-side MME receives the communication request and obtains, according to the second user identifier, the second user equipment currently used by the second user;

It should be noted that because the first user equipment has already been authenticated as legal by the source-side MME, the source-side MME allows the first user equipment to establish communication with the second user equipment when it receives the communication request.

Specifically, step 209 includes: the source-side MME receives the communication request and, according to the second user identifier in the communication request, initiates a mapping query to the HSS of the second user; the HSS of the second user obtains, from the stored user mapping table, the IMSI of the user equipment currently used by the second user and returns it to the source-side MME. The user mapping table here is the user mapping relationship described in step 102, which is not repeated in this embodiment. For example, the MME initiates a mapping query to the HSS of user UIDC; the HSS finds from Table 2 that the user equipment corresponding to UIDC is IMSIC1, and returns IMSIC1 to the first user equipment.

210. Communication is established between the first user equipment and the second user equipment;

Those skilled in the art will appreciate that communication is established according to the communication flow of the LTE architecture itself.

Compared with the LTE architecture, this communication flow establishes the communication connection using the UIDs of the source user equipment and the destination user equipment as identifiers, and adds the function of the MME initiating a mapping query according to the UID of the destination user equipment and obtaining the IMSI of the corresponding user equipment.

When the MME receives a message from the first user equipment, step 211 is performed;

211、当MME接收到来自该第一用户设备的报文时,MME将符合下载的绑定关系的报文发送给第二用户设备;211. When the MME receives the packet from the first user equipment, the MME sends the packet conforming to the downloaded binding relationship to the second user equipment;

具体地,当MME接收到来自该第一用户设备的报文时,根据该下载的绑定关系检查该报文,当该报文中包含的IMSI和用户标识的绑定关系符合该下载的绑定关系时,将该报文发送给第二用户设备;该报文中包含的IMSI和用户标识的绑定关系不符合该下载的绑定关系时,丢弃该报文。Specifically, when the MME receives a message from the first user equipment, it checks the message according to the downloaded binding relationship, and when the binding relationship between the IMSI and the user identifier contained in the message conforms to the downloaded binding relationship When determining the relationship, the message is sent to the second user equipment; when the binding relationship between the IMSI and the user ID contained in the message does not conform to the downloaded binding relationship, the message is discarded.

若用户绑定认证成功,则用户所在地MME/SGW能够从用户HSS获得的相应的绑定关系。在后续的数据传输过程中,由于用户通信的报文中同时包含UID与IMSI信息,用户所在地MME/SGW就可以据此检查用户报文中UID与IMSI对应关系的合法性,防止用户标识伪造的发生。若用户使用伪造的UID发送数据,相应的报文将被检测为不合法并丢弃。If the user binding authentication succeeds, the MME/SGW where the user is located can obtain the corresponding binding relationship from the user HSS. In the subsequent data transmission process, since the user's communication message contains both UID and IMSI information, the MME/SGW at the user's location can check the validity of the corresponding relationship between the UID and IMSI in the user message to prevent user identity forgery occur. If the user sends data with a forged UID, the corresponding packet will be detected as illegal and discarded.

在数据层面,LTE本身的EPS-AKA协议能够产生相应的密钥来保护用户数据通信的完整性与保密性,并实现设备和用户标识符的隐私保密;本发明提供的方法能够同时防范设备和用户标识的伪造。由于部署在LTE架构中的UIP在控制层面安全性较低,即UIP所维护的从用户标识到其设备的映射表的安全性难以保证,在控制层面,UIP需要保证用户到其当前所使用设备映射关系的正确性,即用户HSS所存储的用户映射表的正确性。当用户设备通过了用户绑定认证后,本发明还包括用户映射更新的流程,该流程在用户设备、本地MME和用户HSS之间完成,如图3所示:At the data level, the EPS-AKA protocol of LTE itself can generate corresponding keys to protect the integrity and confidentiality of user data communication, and realize the privacy and confidentiality of equipment and user identifiers; the method provided by the invention can simultaneously prevent equipment and Forgery of User IDs. Due to the low security of UIP deployed in the LTE architecture at the control plane, that is, the security of the mapping table maintained by UIP from user identification to its equipment is difficult to guarantee. At the control plane, UIP needs to ensure The correctness of the mapping relationship, that is, the correctness of the user mapping table stored in the user HSS. After the user equipment has passed the user binding authentication, the present invention also includes a user mapping update process, which is completed between the user equipment, the local MME and the user HSS, as shown in Figure 3:

301、当第一用户从第一用户设备切换到第三用户设备时,第三用户设备向本地MME发送映射更新请求,该映射更新请求携带第一用户标识和第三用户设备的IMSI;该第三用户设备为该第一用户当前使用的用户设备;301. When the first user switches from the first user equipment to the third user equipment, the third user equipment sends a mapping update request to the local MME, where the mapping update request carries the first user identifier and the IMSI of the third user equipment; the first user equipment The third user equipment is the user equipment currently used by the first user;

302、当接收到该第一用户的映射更新请求时,检查该第一映射标识和该第三用户设备的IMSI的绑定关系是否合法;如果是,执行步骤303;302. When receiving the mapping update request of the first user, check whether the binding relationship between the first mapping identifier and the IMSI of the third user equipment is legal; if yes, perform step 303;

在本实施例中,该映射更新请求携带第一用户标识和第三用户设备的IMSI;该第三用户设备为该第一用户当前使用的用户设备;In this embodiment, the mapping update request carries the first user identifier and the IMSI of the third user equipment; the third user equipment is the user equipment currently used by the first user;

303、MME/SGW将该映射更新请求转发至该第一用户的HSS,使得该第一用户的HSS根据该映射更新请求对保存的用户映射关系进行更新。303. The MME/SGW forwards the mapping update request to the HSS of the first user, so that the HSS of the first user updates the stored user mapping relationship according to the mapping update request.

本实施例中所述的更新是指将HSS中保存的映射关系修改为用户和用户当前使用的用户设备之间的映射关系。用户的HSS更新映射关系后,向MME返回确认消息,MME接收到确认消息后,向第三用户设备返回确认更新消息。相对于LTE架构,用户映射更新的过程中用户设备在用户切换到该用户设备时发送映射更新请求,MME根据该映射更新请求触发报文合法性检查,在合法的情况下进一步向用户HSS转发映射更新请求,由用户HSS识别映射更新请求,并更新本地的用户映射表,返回成功的消息。The updating described in this embodiment refers to modifying the mapping relationship stored in the HSS to the mapping relationship between the user and the user equipment currently used by the user. After updating the mapping relationship, the HSS of the user returns a confirmation message to the MME, and after receiving the confirmation message, the MME returns a confirmation update message to the third user equipment. Compared with the LTE architecture, during the user mapping update process, the user equipment sends a mapping update request when the user switches to the user equipment, and the MME triggers a packet validity check according to the mapping update request, and further forwards the mapping to the user HSS if it is legal. Update request, the user HSS identifies the mapping update request, updates the local user mapping table, and returns a successful message.

The method of this embodiment performs binding authentication of the user equipment according to the pre-stored binding relationship between user equipment and user and, when that binding is authenticated as legal, uses it to check the legality of packets, sending to the destination device only packets that conform to the binding relationship. This prevents user identifier forgery during data transmission and improves its security. Further, by adding a user mapping update procedure after binding authentication has passed, the correctness of the mapping from a user to the device currently in use is ensured, strengthening the security of the UIP scheme on both the data plane and the control plane.
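The flows of steps 201 to 211 (binding authentication, download of the legal binding to the MME, mapping query, packet check) and of steps 301 to 303 (mapping update) can be modelled as a small state machine. The following is an added illustration written for this page, not the patent's or the applicants' code. The HSS and MME classes, the user identifiers UID_A and UID_C, and the IMSI values are all constructed; the patent text does not say how the MME performs the legality check of step 302, so this model assumes it is a binding query to the user's HSS.

```python
# Added illustration (not the patent's code): a toy model of the UIP
# binding-authentication, packet-check, mapping-query and mapping-update
# flows. All identifiers (UID_A, IMSI_A1, ...) are constructed sample values.
from dataclasses import dataclass, field


@dataclass
class HSS:
    """Home subscriber server: binding table plus user mapping table."""
    # (user_id, imsi) pairs the operator has pre-provisioned as legal
    bindings: set = field(default_factory=set)
    # user mapping table: user_id -> IMSI of the device currently in use
    mapping: dict = field(default_factory=dict)

    def check_binding(self, user_id: str, imsi: str) -> bool:
        """User binding authentication: is this (UID, IMSI) pair legal?"""
        return (user_id, imsi) in self.bindings

    def mapping_query(self, user_id: str):
        """Return the IMSI the user currently uses, or None (step 209)."""
        return self.mapping.get(user_id)

    def mapping_update(self, user_id: str, imsi: str) -> bool:
        """Step 303: only a legal binding may become the current mapping."""
        if not self.check_binding(user_id, imsi):
            return False
        self.mapping[user_id] = imsi
        return True


class MME:
    """Mobility management entity holding the bindings it downloaded."""

    def __init__(self, home_hss: dict):
        self.home_hss = home_hss          # user_id -> that user's HSS
        self.downloaded = set()           # legal (user_id, imsi) pairs

    def authenticate(self, user_id: str, imsi: str) -> bool:
        """Steps 201-206: ask the home HSS, then download the legal binding."""
        hss = self.home_hss.get(user_id)
        if hss is None or not hss.check_binding(user_id, imsi):
            return False
        self.downloaded.add((user_id, imsi))
        return True

    def resolve_peer(self, src_user_id: str, dst_user_id: str):
        """Steps 207-209: only an authenticated caller may open a channel;
        the callee's current device is resolved through its HSS mapping."""
        if not any(u == src_user_id for u, _ in self.downloaded):
            return None
        hss = self.home_hss.get(dst_user_id)
        return hss.mapping_query(dst_user_id) if hss else None

    def forward(self, packet: dict) -> bool:
        """Step 211: forward only packets whose (UID, IMSI) pair matches a
        downloaded binding; a forged UID is dropped. True means forwarded."""
        return (packet["user_id"], packet["imsi"]) in self.downloaded

    def mapping_update(self, user_id: str, imsi: str) -> bool:
        """Steps 301-303. Assumption: the MME's legality check of step 302
        is a binding query to the user's HSS (the text does not say)."""
        hss = self.home_hss.get(user_id)
        if hss is None or not hss.check_binding(user_id, imsi):
            return False
        ok = hss.mapping_update(user_id, imsi)
        if ok:
            self.downloaded.add((user_id, imsi))  # new device is legal here now
        return ok


def demo() -> dict:
    """Walk a constructed scenario and return each decision taken."""
    hss = HSS(bindings={("UID_A", "IMSI_A1"), ("UID_A", "IMSI_A2"),
                        ("UID_C", "IMSI_C1")},
              mapping={"UID_A": "IMSI_A1", "UID_C": "IMSI_C1"})
    mme = MME(home_hss={"UID_A": hss, "UID_C": hss})
    r = {}
    r["auth_legal"] = mme.authenticate("UID_A", "IMSI_A1")      # True
    r["auth_forged"] = mme.authenticate("UID_C", "IMSI_A1")     # False
    r["auth_peer"] = mme.authenticate("UID_C", "IMSI_C1")       # True
    r["peer"] = mme.resolve_peer("UID_A", "UID_C")              # IMSI_C1
    r["fwd_legal"] = mme.forward({"user_id": "UID_A", "imsi": "IMSI_A1",
                                  "dst": "UID_C", "payload": b"hello"})
    r["fwd_forged_uid"] = mme.forward({"user_id": "UID_C", "imsi": "IMSI_A1",
                                       "dst": "UID_A", "payload": b"hello"})
    r["update_legal"] = mme.mapping_update("UID_A", "IMSI_A2")   # True
    r["update_unbound"] = mme.mapping_update("UID_A", "IMSI_X9")  # False
    r["peer_after_update"] = mme.resolve_peer("UID_C", "UID_A")  # IMSI_A2
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The packet with a forged UID is dropped even though its IMSI belongs to an authenticated device, which is the data-plane check the text describes; the mapping update to an IMSI that was never bound to the user is refused, which is the control-plane correctness the UIP has to guarantee.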

Figure 4 is a schematic structural diagram of a network side device provided by an embodiment of the present invention. Referring to Figure 4, the network side device comprises:

a receiving module 401, configured to receive an authentication request from a first user equipment, the authentication request carrying the International Mobile Subscriber Identity (IMSI) of the first user equipment and a first user identifier, the first user identifier identifying the first user who uses the first user equipment;

a user binding authentication request sending module 402, configured to send, according to the first user identifier, a user binding authentication request to the Home Subscriber Server (HSS) of the first user, so that the HSS of the first user judges, according to the stored binding relationships between IMSIs and user identifiers, whether the binding between the IMSI of the first user equipment and the first user identifier is legal; the user binding authentication request carries the IMSI of the user equipment and the first user identifier;

a downloading module 403, configured to download, from the HSS of the first user, the binding relationship between the IMSI of the first user equipment and the first user identifier when the HSS of the first user determines that this binding is legal;

a communication establishment module 404, configured to establish communication between the first user equipment and a second user equipment;

a packet processing module 405, configured to, after communication has been established between the first user equipment and the second user equipment, send to the second user equipment those packets received from the first user equipment that conform to the downloaded binding relationship.

Referring to Figure 5, the packet processing module 405 specifically comprises:

a checking unit 405a, configured to check a packet received from the first user equipment against the downloaded binding relationship;

a first processing unit 405b, configured to send the packet to the second user equipment when the binding between the IMSI and the user identifier contained in the packet conforms to the downloaded binding relationship;

a second processing unit 405c, configured to discard the packet when the binding between the IMSI and the user identifier contained in the packet does not conform to the downloaded binding relationship.

Referring to Figure 6, the communication establishment module 404 comprises:

a receiving unit 404a, configured to receive a communication request from the first user equipment, the communication request carrying the first user identifier and a second user identifier;

an acquiring unit 404b, configured to acquire, according to the second user identifier, the second user equipment currently used by the second user, so that a communication channel is established between the first user equipment and the second user equipment.

The acquiring unit 404b is specifically configured to initiate a mapping query to the HSS of the second user, so that the HSS of the second user returns, according to the stored user mapping relationship, the second user equipment currently used by the second user.

Referring to Figure 7, the network side device further comprises:

a checking module 406, configured to, when a mapping update request of the first user is received, the request carrying the first user identifier and the IMSI of a third user equipment, the third user equipment being the user equipment currently used by the first user, check whether the binding relationship between the first mapping identifier and the IMSI of the third user equipment is legal and,

if so, trigger a forwarding module 407 that forwards the mapping update request to the HSS of the first user, so that the HSS of the first user updates the stored user mapping relationship according to the request.

The network side device provided by this embodiment performs binding authentication of the user equipment according to the pre-stored binding relationship between user equipment and user and, when that binding is authenticated as legal, uses it to check the legality of packets, sending to the destination device only packets that conform to the binding relationship. This prevents user identifier forgery during data transmission and improves its security.

Figure 8 is a schematic structural diagram of a network side server provided by an embodiment of the present invention. Referring to Figure 8, the network side server comprises:

a receiving module 801, configured to receive a user binding authentication request from the MME, the request carrying the IMSI of the first user equipment and the first user identifier;

a judging module 802, configured to judge, according to the locally stored binding relationships between IMSIs and user identifiers, whether the binding between the IMSI of the first user equipment and the first user identifier is legal;

a downloading module 803, configured to, if the judging module finds the binding between the IMSI of the first user equipment and the first user identifier legal, download that binding relationship to the MME, so that after communication is established between the first user equipment and a second user equipment, the MME, on receiving packets from the first user equipment, sends to the second user equipment those packets that conform to the downloaded binding relationship.

Referring to Figure 9, the network side server further comprises:

a query module 804, configured to, during establishment of the communication channel, when a mapping query initiated by the MME is received, obtain from the stored user mapping relationship the second user equipment currently used by the second user and return it to the MME.

Referring to Figure 10, the network side server further comprises:

an update module 805, configured to update the locally stored user mapping relationship according to a mapping update request forwarded by the MME.

The network side server provided by this embodiment performs binding authentication of the user equipment according to the pre-stored binding relationship between user equipment and user and, when that binding is authenticated as legal, downloads it to the network side device, so that the network side device checks packets for legality against the binding relationship and sends to the destination device only packets that conform to it. This prevents user identifier forgery during data transmission and improves its security.

The embodiments of the present invention may be implemented in software, and the corresponding program may be stored in a readable storage medium such as a computer's hard disk, cache or optical disc.

The foregoing describes only preferred embodiments of the present invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (16)

1. A file transmitting method, characterized by comprising:
receiving an authentication request from a first user equipment, the authentication request carrying an International Mobile Subscriber Identity (IMSI) of the first user equipment and a first user identifier, the first user identifier identifying the first user who uses the first user equipment;
sending, according to the first user identifier, a user binding authentication request to a Home Subscriber Server (HSS) of the first user, so that the HSS of the first user judges, according to the stored binding relationships between IMSIs and user identifiers, whether the binding relationship between the IMSI of the first user equipment and the first user identifier is legal; the user binding authentication request carries the IMSI of the first user equipment and the first user identifier;
when the HSS of the first user determines that the binding relationship between the IMSI of the first user equipment and the first user identifier is legal, downloading the binding relationship between the IMSI of the first user equipment and the first user identifier from the HSS of the first user, and, after the first user equipment and a second user equipment have established communication according to the Long Term Evolution (LTE) architecture, when a message is received from the first user equipment, sending the message conforming to the downloaded binding relationship to the second user equipment.
2. The method according to claim 1, characterized in that sending the message conforming to the downloaded binding relationship to the second user equipment when a message is received from the first user equipment specifically comprises:
when a message is received from the first user equipment, checking the message according to the downloaded binding relationship, and, when the binding relationship between the IMSI and the user identifier contained in the message conforms to the downloaded binding relationship, sending the message to the second user equipment;
when the binding relationship between the IMSI and the user identifier contained in the message does not conform to the downloaded binding relationship, discarding the message.
3. The method according to claim 1, characterized in that establishing communication with the second user equipment specifically comprises:
receiving a communication request from the first user equipment, the communication request carrying the first user identifier and a second user identifier;
acquiring, according to the second user identifier, the second user equipment being used by the second user, so that a communication channel is established between the first user equipment and the second user equipment.
4. The method according to claim 3, characterized in that acquiring the second user equipment being used by the second user specifically comprises:
initiating a mapping query to the HSS of the second user, so that the HSS of the second user returns, according to the stored user mapping relationship, the second user equipment being used by the second user.
5. The method according to claim 1, characterized in that the method further comprises:
when a mapping update request of the first user is received, checking whether the binding relationship between the first mapping identifier and the IMSI of a third user equipment is legal and, if so, forwarding the mapping update request to the HSS of the first user, so that the HSS of the first user updates the stored user mapping relationship according to the mapping update request; the mapping update request carries the first user identifier and the IMSI of the third user equipment; the third user equipment is the user equipment currently used by the first user.
6. A file transmitting method, characterized by comprising:
receiving a user binding authentication request from an MME; the user binding authentication request carries the IMSI of a first user equipment and a first user identifier;
judging, according to the locally stored binding relationships between IMSIs and user identifiers, whether the binding relationship between the IMSI of the first user equipment and the first user identifier is legal;
if so, downloading the binding relationship between the IMSI of the first user equipment and the first user identifier to the MME, so that after the first user equipment and a second user equipment have established communication according to the Long Term Evolution (LTE) architecture, when the MME receives a message from the first user equipment, the message conforming to the downloaded binding relationship is sent to the second user equipment.
7. The method according to claim 6, characterized in that, before receiving the user binding authentication request from the MME, the method further comprises:
during establishment of the communication channel, when a mapping query initiated by the MME is received, obtaining, according to the stored user mapping relationship, the second user equipment being used by the second user, and returning the second user equipment to the MME.
8. The method according to claim 6, characterized in that the method further comprises:
when a mapping update request forwarded by the MME is received, updating the locally stored user mapping relationship according to the mapping update request.
9. A network device, characterized by comprising:
a receiver module, configured to receive an authentication request from a first user equipment, the authentication request carrying an International Mobile Subscriber Identity (IMSI) of the first user equipment and a first user identifier, the first user identifier identifying the first user who uses the first user equipment;
a user binding authentication request sending module, configured to send, according to the first user identifier, a user binding authentication request to a Home Subscriber Server (HSS) of the first user, so that the HSS of the first user judges, according to the stored binding relationships between IMSIs and user identifiers, whether the binding relationship between the IMSI of the first user equipment and the first user identifier is legal; the user binding authentication request carries the IMSI of the first user equipment and the first user identifier;
a download module, configured to download the binding relationship between the IMSI of the first user equipment and the first user identifier from the HSS of the first user when the HSS of the first user determines that the binding relationship is legal;
a communication building module, configured to establish communication between the first user equipment and a second user equipment according to the Long Term Evolution (LTE) architecture;
a message processing module, configured to, after the first user equipment and the second user equipment have established communication, send the message conforming to the downloaded binding relationship to the second user equipment when a message is received from the first user equipment.
10. The network device according to claim 9, characterized in that the message processing module specifically comprises:
an inspection unit, configured to check a message received from the first user equipment according to the downloaded binding relationship;
a first processing unit, configured to send the message to the second user equipment when the binding relationship between the IMSI and the user identifier contained in the message conforms to the downloaded binding relationship;
a second processing unit, configured to discard the message when the binding relationship between the IMSI and the user identifier contained in the message does not conform to the downloaded binding relationship.
11. The network device according to claim 9, characterized in that the communication building module comprises:
a receiving element, configured to receive a communication request from the first user equipment, the communication request carrying the first user identifier and a second user identifier;
an acquiring unit, configured to acquire, according to the second user identifier, the second user equipment being used by the second user, so that a communication channel is established between the first user equipment and the second user equipment.
12. The network device according to claim 11, characterized in that the acquiring unit is specifically configured to initiate a mapping query to the HSS of the second user, so that the HSS of the second user returns, according to the stored user mapping relationship, the second user equipment being used by the second user.
13. The network device according to claim 9, characterized in that the network device further comprises:
a checking module, configured to, when a mapping update request of the first user is received, check whether the binding relationship between the first mapping identifier and the IMSI of a third user equipment is legal and, if so, trigger a forwarding module configured to forward the mapping update request to the HSS of the first user, so that the HSS of the first user updates the stored user mapping relationship according to the mapping update request; the mapping update request carries the first user identifier and the IMSI of the third user equipment; the third user equipment is the user equipment currently used by the first user.
14. A network side server, characterized by comprising:
a receiver module, configured to receive a user binding authentication request from an MME; the user binding authentication request carries the IMSI of a first user equipment and a first user identifier;
a judging module, configured to judge, according to the locally stored binding relationships between IMSIs and user identifiers, whether the binding relationship between the IMSI of the first user equipment and the first user identifier is legal;
a download module, configured to, if the judging module finds that the binding relationship between the IMSI of the first user equipment and the first user identifier is legal, download the binding relationship between the IMSI of the first user equipment and the first user identifier to the MME, so that after the first user equipment and a second user equipment have established communication according to the Long Term Evolution (LTE) architecture, when the MME receives a message from the first user equipment, the message conforming to the downloaded binding relationship is sent to the second user equipment.
15. The network side server according to claim 14, characterized in that the network side server further comprises:
a query module, configured to, during establishment of the communication channel, when a mapping query initiated by the MME is received, obtain, according to the stored user mapping relationship, the second user equipment being used by the second user, and return the second user equipment to the MME.
16. The network side server according to claim 14, characterized in that the network side server further comprises:
an update module, configured to update the locally stored user mapping relationship according to a mapping update request forwarded by the MME when that request is received.
CN201180001436.7A 2011-05-31 2011-05-31 File transmitting method and device Active CN102918878B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2011/075041 WO2011157142A2 (en) 2011-05-31 2011-05-31 Method and apparatus for message transmission

Publications (2)

Publication Number Publication Date
CN102918878A CN102918878A (en) 2013-02-06
CN102918878B true CN102918878B (en) 2016-03-09

Family

ID=45348623

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201180001436.7A Active CN102918878B (en) 2011-05-31 2011-05-31 File transmitting method and device

Country Status (2)

Country Link
CN (1) CN102918878B (en)
WO (1) WO2011157142A2 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6349328B2 (en) 2013-01-09 2018-06-27 エバーニム インコーポレイテッドEvernym, Inc. Access controlled interaction system and method
CN107911814B (en) * 2017-11-24 2020-08-25 中国科学院信息工程研究所 HSS (home subscriber server) -enhanced user identity information protection method and system
CN111143351B (en) * 2019-11-27 2023-03-21 中国联合网络通信集团有限公司 IMSI data management method and equipment
WO2025013069A1 (en) * 2023-07-11 2025-01-16 Jio Platforms Limited Method and system for synchronizing an international mobile subscriber identifier (imsi) thread binding

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101695164A (en) * 2009-09-28 2010-04-14 华为技术有限公司 Verification method, device and system for controlling resource access
CN101784044A (en) * 2009-01-21 2010-07-21 华为技术有限公司 Address checking method and device and network system
CN102045688A (en) * 2009-10-15 2011-05-04 中兴通讯股份有限公司 Detection method and device of illegal use of user equipment

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101022672B (en) * 2007-02-16 2010-05-26 华为技术有限公司 Method and system for checking legitimacy of mobile users
CN101374050B (en) * 2008-10-23 2011-04-06 普天信息技术研究院有限公司 Apparatus, system and method for implementing identification authentication
CN102075909B (en) * 2009-11-23 2014-01-01 中兴通讯股份有限公司 Checking method and device of binding relationship of IMSI and IMEI
CN101820432A (en) * 2010-05-12 2010-09-01 中兴通讯股份有限公司 Safety control method and device of stateless address configuration

Also Published As

Publication number Publication date
WO2011157142A3 (en) 2012-04-26
CN102918878A (en) 2013-02-06
WO2011157142A2 (en) 2011-12-22

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant