Technical background
CDMA 1x and EV-DO are two standards that CDMA2000 produced successively in the course of its evolution. Both CDMA 1x and EV-DO networks can provide packet data service, but the packet data capability of an EV-DO network far exceeds that of a CDMA 1x network. Therefore, where CDMA 1x and EV-DO networks are actually deployed, the CDMA 1x network mainly provides voice service and the EV-DO network mainly provides rich packet data services.
Because the CDMA 1x standard appeared earlier than the EV-DO standard, CDMA 1x networks appeared earlier than EV-DO networks, and CDMA 1x networks already had a large number of users when EV-DO networks appeared. Since an EV-DO network can provide rich packet data services, existing CDMA 1x users should also be able to enjoy these services once an EV-DO network is available.
Because separating the terminal from the card has many advantages, in some countries and regions the CDMA 1x mobile terminal is separate from the subscriber card (UIM) that identifies the user. For every CDMA 1x user the UIM card has become a scarce resource; if the original UIM card had to be replaced in order to use the services an EV-DO network provides, every CDMA 1x user would suffer considerable loss and inconvenience. To reduce that loss and inconvenience to a minimum, the best approach is to allow the UIM card that an existing CDMA 1x user uses for the CDMA 1x network to access both the CDMA 1x network and the EV-DO network.
To allow a user to access both the CDMA 1x and the EV-DO network with a single UIM card, a dual-mode mobile terminal was developed that can access both the CDMA 1x network and the EV-DO network. However, when a user accesses the EV-DO network with a dual-mode mobile terminal and a UIM card intended for the CDMA 1x network, the EV-DO network cannot successfully authenticate the user's access, because the UIM card lacks the functions and the information related to EV-DO network access authentication. To make this problem clearer, the access authentication processes of the CDMA 1x and EV-DO networks are briefly described below.
Before a user can access a CDMA 1x or EV-DO network, the network first performs access authentication on the user to verify the authenticity of the user's identity. The CDMA 1x network and the EV-DO network use different messages and signaling procedures to realize access authentication, but they share a similar challenge-response mechanism: the network side sends the user a random number to be used for authentication; the user uses this random number together with pre-stored subscription authentication data (such as the user's shared secret data (SSD), International Mobile Subscriber Identity (IMSI) and user identity module identifier (UIMID)) to produce an authentication result with the corresponding authentication algorithm, and returns this authentication result to the network side. After receiving the user's authentication result, the network side uses the same user's subscription authentication data and the random number it sent to the user to produce its own authentication result with the same authentication algorithm, and then checks whether the two authentication results are equal. If they are equal, the user is a legitimate user and is allowed to access the network; otherwise access is refused. Usually, on the user side, access authentication is performed in the user's UIM card, which holds the corresponding authentication algorithm module and stores its own subscription authentication data in advance. On the network side, access authentication for the CDMA 1x network is performed in the home location register/authentication center (HLR/AC), which holds the authentication algorithm used for CDMA 1x network access authentication and stores the subscription authentication data of the users registered in the CDMA 1x network, while access authentication for the EV-DO network is performed in the access network authentication, authorization and accounting server (AN-AAA), which holds the authentication algorithm used for EV-DO network access authentication and stores the subscription authentication data of the users registered in the EV-DO network.
Because the EV-DO network uses an authentication algorithm different from that of the CDMA 1x network (for example, CDMA 1x network access authentication uses the CAVE authentication algorithm, while EV-DO network access authentication uses the MD5 authentication algorithm), and because the AN-AAA of the EV-DO network stores only the subscription authentication data of the EV-DO users registered in that network and not the subscription authentication data of the CDMA 1x users registered in the CDMA 1x network, the EV-DO network cannot successfully perform access authentication on a CDMA 1x user unless a change is made to the CDMA 1x user's UIM card or to the EV-DO network.
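The challenge-response mechanism described above, as an added illustration that is not part of the patent text. It uses HMAC-SHA256 keyed with the SSD as a stand-in for the real CAVE algorithm (an assumption: the actual algorithm and its field layout are not reproduced here) and constructed sample subscription data. The `network_verify` function also shows the point made in the last paragraph: a server that holds no record for a subscriber, as the EV-DO AN-AAA holds none for CDMA 1x users, has nothing to compute against and cannot verify the response.

```python
import hashlib
import hmac
import secrets

# Constructed sample subscription authentication data for one subscriber (not real values).
SUBSCRIBER = {
    "imsi": "460030912345678",
    "uimid": "A1B2C3D4",
    "ssd": bytes.fromhex("00112233445566778899aabbccddeeff"),
}


def auth_result(rand: bytes, ssd: bytes, imsi: str, uimid: str) -> bytes:
    """Authentication result from the challenge and the subscription data.

    Stand-in for the CAVE algorithm (assumption): HMAC-SHA256 keyed with the SSD
    over RAND || IMSI || UIMID.  Only the structure matters: identical inputs on
    the card side and the network side must give identical results.
    """
    message = rand + imsi.encode() + uimid.encode()
    return hmac.new(ssd, message, hashlib.sha256).digest()


def network_challenge() -> bytes:
    """Network side: a fresh random number for this authentication attempt."""
    return secrets.token_bytes(4)


def uim_respond(rand: bytes, card: dict) -> bytes:
    """UIM card side: compute the result from RAND and the card's stored data."""
    return auth_result(rand, card["ssd"], card["imsi"], card["uimid"])


def network_verify(rand: bytes, response: bytes, registry: dict, imsi: str) -> bool:
    """Network side: recompute the result from the stored record and compare.

    Without a stored record for this IMSI nothing can be recomputed, so the
    user cannot be authenticated at all.  The comparison is constant-time.
    """
    record = registry.get(imsi)
    if record is None:
        return False
    expected = auth_result(rand, record["ssd"], record["imsi"], record["uimid"])
    return hmac.compare_digest(expected, response)


def run_exchange(registry: dict, card: dict) -> bool:
    """One complete challenge-response round between network and card."""
    rand = network_challenge()
    response = uim_respond(rand, card)
    return network_verify(rand, response, registry, card["imsi"])


if __name__ == "__main__":
    registered = {SUBSCRIBER["imsi"]: SUBSCRIBER}
    print("registered subscriber:", run_exchange(registered, SUBSCRIBER))
    print("server without a record:", run_exchange({}, SUBSCRIBER))
```

A card whose SSD differs from the network's stored SSD fails in the same way as an unknown subscriber, which is why the SSD the network holds must match the one on the card.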
Summary of the invention
The purpose of the present invention is to provide an access authentication method and device for an EV-DO network with which the EV-DO network can perform access authentication on CDMA 1x users without any change to the CDMA 1x user's UIM card and with only a small amount of change to the EV-DO network.
To achieve the object of the invention, an access authentication method according to the invention, executed in the access network authentication, authorization and accounting server (AN-AAA) of an EV-DO network, comprises the steps of:
(a) storing the subscription authentication data of the CDMA 1x users registered in this EV-DO network, these subscription authentication data comprising at least the user's International Mobile Subscriber Identity (IMSI), shared secret data (SSD) and user identity module identifier (UIMID);
(b) receiving a message sent by the access network (AN) of this EV-DO network requesting access authentication of a CDMA 1x user registered in this network, the request message comprising at least a random number and this user's authentication result based on that random number;
(c) according to the request message, searching the stored subscription authentication data of CDMA 1x users for this user's subscription authentication data;
(d) using the random number contained in the request message and the retrieved subscription authentication data of this user, producing a network-side authentication result based on the authentication algorithm used for CDMA 1x user access authentication;
(e) judging whether the network-side authentication result equals this user's authentication result contained in the request message;
(f) if the judgment shows that the two authentication results are equal, sending a message to the access network permitting this user to access the EV-DO network.
To achieve the object of the invention, an access network authentication, authorization and accounting server (AN-AAA) of an EV-DO network according to the invention comprises:
A memory cell, used to store the subscription authentication data of the CDMA 1x users registered in this EV-DO network, these subscription authentication data comprising at least the user's International Mobile Subscriber Identity (IMSI), shared secret data (SSD) and user identity module identifier (UIMID);
A receiving element, used to receive a message sent by the access network (AN) of this EV-DO network requesting access authentication of a CDMA 1x user registered in this network, the request message comprising at least a random number and this user's authentication result based on that random number;
A subscription authentication data capture unit, used, according to the request message, to search the stored subscription authentication data of CDMA 1x users for this user's subscription authentication data;
An authenticating unit, used to produce a network-side authentication result from the random number contained in the request message and the retrieved subscription authentication data of this user, based on the authentication algorithm used for CDMA 1x user access authentication;
An authenticating result judging unit, used to judge whether the network-side authentication result equals this user's authentication result contained in the request message;
A transmitting element, used, when the judgment shows that the two authentication results are equal, to send a message to the access network permitting this user to access the EV-DO network.
Detailed Description Of The Invention
In the present invention, to enable the EV-DO network to perform access authentication on CDMA 1x users, the following settings are made in the EV-DO network:
First, an authentication algorithm module for CDMA 1x user access authentication is added to the AN-AAA of the EV-DO network. For convenience of description, the present invention assumes that the authentication algorithm used for CDMA 1x user access authentication is the CAVE authentication algorithm, so a CAVE authentication algorithm module is added to the AN-AAA;
Second, the CDMA 1x users who wish to access the EV-DO network are registered in the EV-DO network, and the subscription authentication data of each CDMA 1x user registered in the EV-DO network are stored in the AN-AAA; these subscription authentication data comprise at least the International Mobile Subscriber Identity (IMSI), shared secret data (SSD) and user identity module identifier (UIMID). At the same time, each CDMA 1x user registered in the EV-DO network is allocated an access status word, a failed authentication counter and an authentication success counter. The access status word indicates whether the registered CDMA 1x user has ever accessed the EV-DO network, and its initial state is set to "has not accessed the EV-DO network"; the failed authentication counter records the number of times the registered CDMA 1x user has failed access authentication in the EV-DO network; and the authentication success counter records the number of times the registered CDMA 1x user has succeeded in access authentication based on the current shared secret data (SSD).
Based on the above settings of the EV-DO network, the access authentication method for an EV-DO network of the present invention is described in detail below with reference to Fig. 1, taking the access authentication of a CDMA 1x user registered in the EV-DO network (hereinafter abbreviated as CDMA 1x/EV-DO user U1) as an example.
As shown in Fig. 1, the dual-mode mobile terminal (AT) 10 holding the UIM card of CDMA 1x/EV-DO user U1 establishes an EV-DO session with the access network (AN) 20 of the EV-DO network (S10).
The dual-mode mobile terminal 10 initiates PPP and LCP negotiation with the access network 20 for the access authentication of CDMA 1x/EV-DO user U1 (S20).
The access network 20 generates a random number for CDMA 1x/EV-DO user U1 and sends this random number to the dual-mode mobile terminal 10 in a challenge message (S30).
After receiving the challenge message sent by the access network 20, the dual-mode mobile terminal 10 sends the random number contained in this challenge message, which the access network 20 generated for CDMA 1x/EV-DO user U1, to the UIM card of CDMA 1x/EV-DO user U1. The UIM card uses the received random number and the pre-stored subscription authentication data of CDMA 1x/EV-DO user U1, that is, the International Mobile Subscriber Identity (IMSI), shared secret data (SSD) and user identity module identifier (UIMID) of user U1, to produce an authentication result based on its built-in CAVE authentication algorithm, and sends this authentication result to the dual-mode mobile terminal 10. The dual-mode mobile terminal 10 then sends the authentication result of CDMA 1x/EV-DO user U1 to the access network 20 in a challenge response message (S40).
After the access network 20 receives the challenge response message sent by the dual-mode mobile terminal 10, it constructs an access authentication request message from the authentication result of CDMA 1x/EV-DO user U1 contained in the challenge response message and the random number it previously generated for CDMA 1x/EV-DO user U1, and sends this access authentication request message to the AN-AAA 30 (S50).
After the AN-AAA 30 receives the access authentication request message sent by the access network 20, it first checks the access status word of CDMA 1x/EV-DO user U1 to judge whether CDMA 1x/EV-DO user U1 has accessed the EV-DO network before (S70).
1. CDMA 1x/EV-DO user U1 accesses the EV-DO network for the first time
If the judgment shows that CDMA 1x/EV-DO user U1 is accessing the EV-DO network for the first time, the AN-AAA 30 forms an authentication request message from the random number generated by the access network 20 for CDMA 1x/EV-DO user U1 and the authentication result of CDMA 1x/EV-DO user U1, both contained in the received access authentication request message, and sends this authentication request message to the corresponding home location register/authentication center (HLR/AC) 40 in the CDMA 1x network (S80); step S150 is then executed.
2. CDMA 1x/EV-DO user U1 has accessed the EV-DO network before
If the judgment shows that CDMA 1x/EV-DO user U1 has accessed the EV-DO network before, the AN-AAA 30 checks the failed authentication counter of CDMA 1x/EV-DO user U1 to judge whether the number of failed authentications of CDMA 1x/EV-DO user U1 has reached a predetermined threshold (S90).
If the judgment shows that the number of failed authentications of CDMA 1x/EV-DO user U1 has reached the predetermined threshold, step S230 is executed, that is, a message refusing network access to CDMA 1x/EV-DO user U1 is sent to the access network 20.
If the judgment shows that the number of failed authentications of CDMA 1x/EV-DO user U1 has not reached the predetermined threshold, the AN-AAA 30 checks the authentication success counter of CDMA 1x/EV-DO user U1 to judge whether the number of successful access authentications of CDMA 1x/EV-DO user U1 based on the current shared secret data (SSD) has reached a predetermined threshold (S100).
2.1 The shared secret data usage counter has reached the predetermined threshold
If the judgment shows that the number of successful access authentications of CDMA 1x/EV-DO user U1 based on the current shared secret data (SSD) has reached the predetermined threshold, step S80 is executed, that is, the AN-AAA 30 forms an authentication request message from the random number generated by the access network 20 for CDMA 1x/EV-DO user U1 and the authentication result of CDMA 1x/EV-DO user U1, both contained in the received access authentication request message, and sends this authentication request message to the home location register/authentication center (HLR/AC) 40 of CDMA 1x/EV-DO user U1 in the CDMA 1x network.
2.2 The shared secret data usage counter has not reached the predetermined threshold
If the judgment shows that the number of successful access authentications of CDMA 1x/EV-DO user U1 based on the current shared secret data (SSD) has not reached the predetermined threshold, the AN-AAA 30 searches the stored subscription authentication data of the CDMA 1x users registered in the EV-DO network for the subscription authentication data of CDMA 1x/EV-DO user U1 (S110). The AN-AAA 30 then uses the random number generated by the access network 20 for CDMA 1x/EV-DO user U1 and the retrieved subscription authentication data of CDMA 1x/EV-DO user U1 to produce a network-side authentication result based on the CAVE authentication algorithm (S120), and compares this network-side authentication result with the authentication result of CDMA 1x/EV-DO user U1 contained in the received access authentication request message (S130).
If the comparison shows that the two authentication results are equal, the AN-AAA 30 judges that the access authentication of CDMA 1x/EV-DO user U1 has succeeded, increments the shared secret data usage counter of CDMA 1x/EV-DO user U1 by 1 (S140), and then executes step S220, that is, sends a message permitting network access to CDMA 1x/EV-DO user U1 to the access network 20.
If the comparison shows that the two authentication results are unequal, step S80 is executed, that is, the AN-AAA 30 forms an authentication request message from the random number generated by the access network 20 for CDMA 1x/EV-DO user U1 and the authentication result of CDMA 1x/EV-DO user U1, both contained in the received access authentication request message, and sends this authentication request message to the corresponding home location register/authentication center (HLR/AC) 40 in the CDMA 1x network.
When the home location register/authentication center (HLR/AC) 40 of the CDMA 1x network receives the authentication request message sent by the AN-AAA 30, it first searches the stored subscription authentication data of CDMA 1x users for the subscription authentication data of CDMA 1x/EV-DO user U1, which comprise at least the International Mobile Subscriber Identity (IMSI), shared secret data (SSD) and user identity module identifier (UIMID) of user U1 (S150). It then uses the random number generated by the access network 20 for CDMA 1x/EV-DO user U1 contained in the authentication request message and the retrieved subscription authentication data of user U1 to produce an authentication result based on the CAVE authentication algorithm (S160), and compares this authentication result with the authentication result of CDMA 1x/EV-DO user U1 contained in the authentication request message (S170). If the comparison shows that the two authentication results are equal, the HLR/AC 40 constructs an authentication success message based on the shared secret data (SSD) contained in the retrieved subscription authentication data of user U1 and sends this authentication success message to the AN-AAA 30 (S180); if the comparison shows that the two authentication results are unequal, it sends an authentication failure message to the AN-AAA 30 (S190).
The AN-AAA 30 receives the message sent by the HLR/AC 40. If the received message is an authentication success message, the AN-AAA 30 stores the shared secret data (SSD) contained in the authentication success message as the shared secret data (SSD) of CDMA 1x/EV-DO user U1 and initializes the authentication success counter of CDMA 1x/EV-DO user U1 to 0 (S200); at the same time it judges whether the access status of CDMA 1x/EV-DO user U1 is "has not accessed the EV-DO network" and, if so, sets the access status to "has accessed the EV-DO network"; it then sends a message permitting network access to CDMA 1x/EV-DO user U1 to the access network 20 (S220). If the received message is an authentication failure message, the AN-AAA 30 increments the failed authentication counter of CDMA 1x/EV-DO user U1 by 1 (S210) and then sends a message refusing network access to CDMA 1x/EV-DO user U1 to the access network 20 (S230).
The access network 20 receives the message sent by the AN-AAA 30. If the received message permits network access to CDMA 1x/EV-DO user U1, the access network 20 sends a CHAP authentication success message to the dual-mode mobile terminal 10 (S240); if the received message refuses network access to CDMA 1x/EV-DO user U1, the access network 20 sends a CHAP authentication failure message to the dual-mode mobile terminal 10 (S250).
The dual-mode mobile terminal 10 receives the message sent by the access network 20 and forwards it to the UIM card of CDMA 1x/EV-DO user U1. The UIM card of CDMA 1x/EV-DO user U1 receives the message from the dual-mode mobile terminal 10; if the message is a CHAP authentication failure message, the EV-DO network is not accessed (S260); if the message is a CHAP authentication success message, the EV-DO network is accessed (S270).
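The AN-AAA decision logic of steps (a) to (f) in the summary and of steps S70 to S230 in the detailed description above, as an added example that is not part of the patent text. HMAC-SHA256 keyed with the SSD stands in for the CAVE algorithm (an assumption), the two threshold values are assumptions because the text leaves them unspecified, the HLR/AC is simulated in-process, and the subscriber data are constructed sample values. The class holds the access status word and both counters per user and shows every path that falls back to the HLR/AC (first access, SSD usage threshold reached, local mismatch) and the one path that refuses without consulting it (failure threshold reached).

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Threshold values are assumptions for this example; the page does not state them.
FAIL_THRESHOLD = 3       # S90: failed authentications after which the user is refused outright
SSD_USE_THRESHOLD = 5    # S100: local successes on one SSD before re-checking with the HLR/AC


def auth_result(rand: bytes, ssd: bytes, imsi: str, uimid: str) -> bytes:
    """Stand-in for the CAVE authentication algorithm (assumption): HMAC-SHA256
    keyed with the SSD over RAND || IMSI || UIMID.  The UIM card, the AN-AAA and
    the HLR/AC all run the same function, as they all run CAVE in the page."""
    return hmac.new(ssd, rand + imsi.encode() + uimid.encode(), hashlib.sha256).digest()


@dataclass
class Subscriber:
    """Per-user state the AN-AAA keeps for a registered CDMA 1x user."""
    imsi: str
    uimid: str
    ssd: bytes
    has_accessed: bool = False   # access status word, initially "has not accessed"
    fail_count: int = 0          # failed authentication counter
    success_count: int = 0       # authentication success counter for the current SSD


class HlrAc:
    """Simulated CDMA 1x HLR/AC (steps S150 to S190) holding authoritative data."""

    def __init__(self, records: Dict[str, dict]) -> None:
        self.records = records
        self.requests = 0  # how often the AN-AAA fell back to the HLR/AC

    def authenticate(self, imsi: str, rand: bytes, result: bytes) -> Optional[bytes]:
        """Return the user's SSD on success (the success message carries the SSD,
        S180) or None to stand for the authentication failure message (S190)."""
        self.requests += 1
        rec = self.records.get(imsi)
        if rec is None:
            return None
        expected = auth_result(rand, rec["ssd"], rec["imsi"], rec["uimid"])
        return rec["ssd"] if hmac.compare_digest(expected, result) else None


class AnAaa:
    """Decision logic of the EV-DO AN-AAA for a CDMA 1x user (steps S70 to S230)."""

    def __init__(self, subscribers, hlr: HlrAc) -> None:
        self.subscribers = {s.imsi: s for s in subscribers}
        self.hlr = hlr

    def handle_request(self, imsi: str, rand: bytes, result: bytes) -> str:
        sub = self.subscribers.get(imsi)
        if sub is None:                                # not registered for EV-DO at all
            return "REJECT"
        if not sub.has_accessed:                       # S70: first access -> S80
            return self._via_hlr(sub, rand, result)
        if sub.fail_count >= FAIL_THRESHOLD:           # S90 -> S230
            return "REJECT"
        if sub.success_count >= SSD_USE_THRESHOLD:     # S100 -> S80
            return self._via_hlr(sub, rand, result)
        expected = auth_result(rand, sub.ssd, sub.imsi, sub.uimid)   # S110, S120
        if hmac.compare_digest(expected, result):                     # S130
            sub.success_count += 1                                    # S140
            return "ACCEPT"                                           # S220
        return self._via_hlr(sub, rand, result)                       # mismatch -> S80

    def _via_hlr(self, sub: Subscriber, rand: bytes, result: bytes) -> str:
        ssd = self.hlr.authenticate(sub.imsi, rand, result)
        if ssd is not None:                            # authentication success message
            sub.ssd = ssd                              # S200: adopt the HLR/AC's SSD,
            sub.success_count = 0                      #       restart the success counter,
            sub.has_accessed = True                    #       mark the user as accessed
            return "ACCEPT"                            # S220
        sub.fail_count += 1                            # S210
        return "REJECT"                                # S230


# Constructed sample data for one subscriber (not real values).
USER_U1 = {"imsi": "460030912345678", "uimid": "A1B2C3D4",
           "ssd": bytes.fromhex("00112233445566778899aabbccddeeff")}


def new_server():
    """Fresh HLR/AC and AN-AAA knowing only user U1; all three returned for inspection."""
    hlr = HlrAc({USER_U1["imsi"]: USER_U1})
    sub = Subscriber(USER_U1["imsi"], USER_U1["uimid"], USER_U1["ssd"])
    return AnAaa([sub], hlr), sub, hlr


def uim_response(rand: bytes, ssd: bytes = USER_U1["ssd"]) -> bytes:
    """What U1's UIM card returns for a challenge; a wrong ssd simulates a bad card."""
    return auth_result(rand, ssd, USER_U1["imsi"], USER_U1["uimid"])


if __name__ == "__main__":
    server, sub, hlr = new_server()
    rand = b"\x01\x02\x03\x04"
    print(server.handle_request(USER_U1["imsi"], rand, uim_response(rand)))            # via HLR/AC
    print(server.handle_request(USER_U1["imsi"], rand, uim_response(rand)))            # local check
    print(server.handle_request(USER_U1["imsi"], rand, uim_response(rand, bytes(16))))  # refused
```

Two points a practitioner would check against this logic: the page describes no reset of the failed authentication counter, so once it reaches the threshold the user stays refused until an operator intervenes, and the code mirrors that; and because a local mismatch is retried at the HLR/AC rather than counted directly, the failure counter only advances on an authoritative failure.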
The above access authentication method for an EV-DO network according to the present invention can be realized in software, in hardware, or in a combination of software and hardware.
According to an embodiment of the present invention, the hardware composition of an AN-AAA of an EV-DO network that performs access authentication on CDMA 1x users registered in the EV-DO network may be as shown in Fig. 2, where components identical to those of a conventional communication network are not shown.
As shown in Fig. 2, the AN-AAA 30 comprises:
A memory cell 301, used to store the subscription authentication data of the CDMA 1x users registered in the EV-DO network, these subscription authentication data comprising at least the user's International Mobile Subscriber Identity (IMSI), shared secret data (SSD) and user identity module identifier (UIMID);
A plurality of failed authentication counters 303, each corresponding to one CDMA 1x user registered in the EV-DO network and used to count the number of times that CDMA 1x user has failed access authentication in the EV-DO network;
A plurality of authentication success counters 305, each corresponding to one CDMA 1x user registered in the EV-DO network and used to count the number of times that CDMA 1x user has succeeded in access authentication based on the shared secret data currently in use;
A receiving element 307, used to receive a message sent by the access network (AN) 20 of the EV-DO network requesting access authentication of CDMA 1x user U1 registered in this network, the request message comprising at least a random number and user U1's authentication result based on that random number;
A counting judging unit 309, used to check the authentication success counter and the failed authentication counter of user U1 to judge whether the number of successful access authentications of user U1 based on the shared secret data currently in use, or the number of failed authentications of user U1, has reached the predetermined threshold;
A subscription authentication data capture unit 311, used, when the judgment finds that neither the authentication success counter nor the failed authentication counter of user U1 has reached its predetermined threshold, to search the stored subscription authentication data of CDMA 1x users for the subscription authentication data of user U1;
An authenticating unit 313, used to produce a network-side authentication result from the random number contained in the request message and the retrieved subscription authentication data of user U1, based on the authentication algorithm used for CDMA 1x user access authentication;
An authenticating result judging unit 315, used to judge whether the network-side authentication result equals the authentication result of user U1 contained in the request message;
A transmitting element 317, used, when the judgment shows that the two authentication results are equal, to send a message to the access network 20 permitting user U1 to access the EV-DO network;
The authentication success counter 305 of user U1, used, when the judgment shows that the two authentication results are equal, to count one more successful access authentication of user U1 based on the shared secret data currently in use.
The AN-AAA 30 further comprises: the transmitting element 317, used, when the authenticating result judging unit 315 finds that the network-side authentication result is not equal to the authentication result of user U1, or when the counting judging unit 309 finds that the authentication success counter or the failed authentication counter of user U1 has reached its predetermined threshold, to send to the home location register/authentication center (HLR/AC) 40 of user U1 in the CDMA 1x network an authentication message requesting authentication of user U1, this authentication message comprising at least the random number contained in the request message and user U1's authentication result based on that random number; and the receiving element 307, used to receive the message sent by the HLR/AC 40 indicating whether the authentication of user U1 succeeded;
If the receiving element 307 receives a message indicating that the authentication of user U1 succeeded, which message comprises a shared secret data (SSD), then: the memory cell 301 stores the shared secret data contained in that message as the shared secret data of user U1; the authentication success counter 305 of user U1 initializes its count value to 0 after the memory cell 301 has stored that shared secret data as the shared secret data of user U1; and the transmitting element 317 sends a message to the access network 20 permitting user U1 to access the EV-DO network;
If the receiving element 307 receives a message indicating that the authentication of user U1 failed, then: the failed authentication counter 303 of user U1 counts one more authentication failure of user U1; and the transmitting element 317 sends a message to the access network 20 refusing user U1 access to the EV-DO network.
Beneficial effect
From the above detailed description of embodiments of the present invention with reference to the accompanying drawings, it can be seen that, because the access authentication method and device for an EV-DO network proposed in the present invention add to the AN-AAA of the EV-DO network the authentication algorithm used to perform access authentication on CDMA 1x users, and also store the subscription authentication data of each CDMA 1x user registered in the EV-DO network, the EV-DO network can perform access authentication on the CDMA 1x users registered in this network.
In addition, since the access authentication method and device for an EV-DO network proposed in the present invention make no change to the CDMA 1x user's UIM card, they cause the user no inconvenience or loss; and since only a small amount of change is made to the AN-AAA in the EV-DO network, the cost of the improvement is very low.
Those skilled in the art will appreciate that various improvements may be made to the access authentication method and device for an EV-DO network disclosed in the present invention without departing from the content of the invention. Therefore, the protection scope of the present invention should be determined by the content of the appended claims.