CN100396156C - Synchronous SQN processing method - Google Patents
- Publication number: CN100396156C (application CN200510036223A)
- Authority: CN (China)
- Prior art keywords: authentication, terminal, msc, vlr, hlr
- Legal status: Active (an assumed status given by Google Patents, not a legal conclusion)
- Classification area: Mobile Radio Communication Systems
Abstract
The present invention provides a synchronous SQN processing method, in particular a method by which the MSC/VLR processes the synchronous processing result message returned by the HLR/AUC. After receiving the synchronous processing result message sent by the HLR/AUC, the MSC/VLR performs the corresponding processing operation according to the different content information carried in that message. The method lets a terminal pass information to the HLR/AUC conveniently and safely, with the HLR/AUC giving different feedback to the MSC/VLR after processing that information. In particular, the terminal can pass valid information to the HLR/AUC before it has established a connection with the network, for example during the authentication procedure, and the HLR/AUC gives the corresponding feedback to the MSC/VLR.
Description
Technical field
The present invention relates to communication security technology, and specifically to a method for processing a synchronous SQN.
Background technology
In the authentication procedure of the existing third-generation (3G) mobile communication system, the mobile terminal stores the International Mobile Subscriber Identity IMSI, the authentication key KI and a sequence number SQNMS, and the HLR/AUC stores, for that terminal, the corresponding IMSI, KI and sequence number SQNHE; these are used for mutual authentication between the terminal and the network.
The existing 3G authentication procedure is mainly as follows. The HLR/AUC generates a random number RAND and derives the expected response XRES, the cipher key CK and the integrity key IK from RAND and KI; it derives MAC-A from RAND, the sequence number SQNHE, the key KI and the authentication management field AMF, and obtains the authentication token AUTN (Authentication Token) from MAC-A, SQNHE, AK and AMF. RAND, XRES, CK, IK and AUTN form an authentication quintuple (five-tuple), which is sent to the MSC/VLR and stored there. In practice the HLR/AUC generates one or more quintuples in response to a request from the MSC/VLR and sends them to it. During authentication the MSC/VLR sends the RAND and AUTN of the corresponding quintuple to the terminal, and the terminal verifies the consistency of AUTN with the KI it holds. If the consistency check fails, the terminal returns an authentication failure message to the MSC/VLR. If it passes, the terminal judges whether SQNHE lies within the acceptable range: if it does, the terminal concludes that network authentication has passed, returns the authentication response it computes to the MSC/VLR and updates SQNMS from the SQNHE in AUTN, and the MSC/VLR judges the legitimacy of the terminal by comparing the response returned by the terminal with the XRES in the corresponding quintuple. If SQNHE is judged to be outside the acceptable range, the terminal generates a resynchronisation token AUTS (Resynchronisation Token) from SQNMS and returns a resynchronisation request or synchronisation failure (Synchronisation failure) message to the MSC/VLR with the generated AUTS attached, that is, the message contains AUTS. When the MSC/VLR receives the resynchronisation token AUTS, it sends AUTS and the RAND of the corresponding quintuple to the HLR/AUC, which judges the legitimacy of AUTS from the stored KI and the received RAND. If AUTS is illegitimate, the HLR/AUC returns an AUTS-illegitimate indication to the MSC/VLR; if it is legitimate, the HLR/AUC updates SQNHE from the SQNMS in AUTS, generates a new authentication quintuple and sends it to the MSC/VLR, which deletes the corresponding old quintuple and uses the new one to authenticate the terminal again.
The terminal judges whether SQNHE is acceptable by checking whether its own SQNMS and the SQNHE in AUTN satisfy a predetermined condition. This condition may be that the difference between SQNHE and SQNMS lies within a preset range, for example whether (SQNHE-SQNMS) is greater than 0, or whether (SQNHE-SQNMS) is greater than 0 and less than 256. If the difference between SQNHE and SQNMS lies within the preset range, SQNHE is judged acceptable; otherwise it is judged unacceptable.
For the details of the 3G authentication procedure, refer to the 3GPP standard; to keep the focus on the present invention, they are not described in detail here.
Therefore, in the existing 3G authentication procedure, SQNMS is mainly used to judge whether the SQNHE in AUTN is up to date, or whether SQNHE lies within the acceptable range, and is used when updating SQNHE; and the synchronous SQN procedure is mainly used to convey the real SQNMS to the HLR/AUC.
In practice, subscriber cards are cloned, which not only causes losses to legitimate users but also affects the operator's quality of service. It was later found that cloning of a legitimate user's card can be prevented or detected by continually updating the card's key KI. Specifically, the terminal generates a random number, computes a new KI from the random number and the old KI, and sends a key update command containing that random number to the HLR/AUC; on receiving the key update command, the HLR/AUC performs the same computation and derives the new KI from the random number and the old KI. The terminal and the network then both use the new KI at the next authentication. It is not hard to see that this key update process has the following problem: after the key update, if unused authentication quintuples remain in the MSC/VLR, how does the HLR/AUC make the MSC/VLR discard these old quintuples and send it new ones? Solving this requires adding a corresponding protocol between the HLR/AUC and the MSC/VLR.
There is also a case in which the terminal may need to convey information about the terminal equipment's capabilities to the network when it connects, for example whether it supports GPS positioning or whether it is a GSM/WCDMA dual-mode handset.
There is also a case in which the terminal implements an anti-theft function by escrowing a key in the HLR/AUC: when the user sets or cancels the anti-theft function, a corresponding notification message must be sent to the HLR/AUC. In such anti-theft methods based on key escrow in the HLR/AUC there is also a KI replacement scheme, in which the terminal's security key replaces the subscriber card's KI for mutual authentication with the network side; in that case, when the HLR/AUC generates authentication tuples, it uses the corresponding terminal security key in place of the subscriber card key to generate the authentication quintuple. In this process the terminal not only has to convey the set-anti-theft and cancel-anti-theft commands to the HLR/AUC; when the anti-theft function is set, the HLR/AUC also has to send the authentication quintuples generated from the security key to the MSC/VLR and make it delete the old authentication tuples, and likewise, when the anti-theft function is cancelled, the HLR/AUC has to send the authentication quintuples generated from KI to the MSC/VLR and make it delete the old tuples. Implementing these functions clearly requires adding a terminal-to-HLR/AUC protocol and an HLR/AUC-to-MSC/VLR protocol.
There is also a case in which the terminal implements a network-lock function by escrowing a key in the HLR/AUC. When the terminal is used for the first time it must tell the network that it is a network-locked handset and request that the network use the terminal's key in place of the subscriber card's KI for authentication. In this case the terminal conveys the network-lock handset information to the HLR/AUC, which on receiving it obtains the initial key of the corresponding terminal, generates new authentication tuples from that initial key and sends them to the MSC/VLR, which then authenticates with the new tuples. This process also requires adding a handset-to-HLR/AUC protocol and an HLR/AUC-to-MSC/VLR protocol.
In all of the above cases, adding protocols causes extensive changes to the HLR/AUC and MSC/VLR, so the implementation cost is high. In addition, when the above terminals send commands to the HLR/AUC, there is the risk of a message replay attack in which a fake terminal impersonates the terminal towards the HLR/AUC. How to conveniently solve the transfer of information from the terminal to the HLR/AUC and from the HLR/AUC to the MSC/VLR, without adding to the existing communication protocols, signalling resources and operating cost, is a problem worth solving.
Summary of the invention
In view of this, the technical problem the present invention addresses is to provide a synchronous SQN processing method by which a terminal can conveniently and safely pass information to the HLR/AUC and the HLR/AUC, after processing that information, can give different feedback to the MSC/VLR; in particular, before the terminal has established a connection with the network, for example during the authentication procedure, the terminal passes valid information to the HLR/AUC and the HLR/AUC gives corresponding feedback to the MSC/VLR.
The technical solution provided by the invention for the above problem is a synchronous SQN processing method in which, when the MSC/VLR authenticates the terminal, it sends the corresponding authentication parameters from the authentication quintuple received from the HLR/AUC to the terminal in an authentication request message, and the terminal authenticates the network using its own key KI and authentication sequence number SQNMS; the method comprises the following steps:
a. After the terminal has authenticated the network, the terminal substitutes an agreed special value for SQNMS to generate a resynchronisation token AUTS, and sends a resynchronisation request command to the network with the resynchronisation token AUTS attached;
b. The network-side HLR/AUC receives the resynchronisation request command and judges whether AUTS is legitimate. If it is illegitimate, the HLR/AUC returns a synchronous processing result message containing illegitimate-synchronisation information to the MSC/VLR. If it is legitimate, the HLR/AUC judges whether the SQNMS in AUTS is the agreed special value: if so, it performs the operation corresponding to that special value and returns a synchronous processing result message containing special synchronisation information to the MSC/VLR; otherwise it updates SQNHE from SQNMS, regenerates the authentication tuple, and returns a synchronous processing result message containing the new authentication tuple and re-authentication-required information to the MSC/VLR;
c. After receiving the synchronous processing result message sent by the HLR/AUC, the MSC/VLR performs the corresponding processing operation according to the different content information carried in that message.
According to a preferred embodiment of the invention, before the MSC/VLR authenticates the terminal, the terminal first sends the network side a command or request that triggers the authentication procedure; this command or request may be a location update request or a service request.
The authentication quintuple comprises the random number RAND, expected response XRES, cipher key CK, integrity key IK and authentication token AUTN; the authentication token AUTN comprises the authentication sequence number SQNHE, the authentication management field AMF and the message authentication code MAC-A; and the corresponding authentication parameters comprise the random number RAND and the authentication token AUTN.
Preferably, in step a, after the terminal has authenticated the network, it further updates its own SQNMS from the SQNHE in AUTN.
Preferably, the terminal authenticating the network means that the terminal performs a consistency check on the received AUTN using its own key KI and the received RAND and the check passes, and that it judges from its own SQNMS that the SQNHE in AUTN lies within the acceptable range.
Preferably, step a further comprises: when the terminal's consistency check of the received AUTN using its own key KI and the received RAND passes but it judges from its own SQNMS that the SQNHE in AUTN does not lie within the acceptable range, the terminal generates the resynchronisation token AUTS directly from SQNMS and sends a resynchronisation request command to the network with the resynchronisation token AUTS attached.
Preferably, in step a, the terminal generating the resynchronisation token AUTS directly from SQNMS means that the terminal computes the resynchronisation token AUTS directly from its own SQNMS and key KI, the received RAND and the AMF in AUTN.
Preferably, in step a, the terminal substituting the agreed special value for SQNMS to generate the resynchronisation token AUTS means that the terminal computes the resynchronisation token AUTS from the agreed special value in place of SQNMS, together with its own key KI, the received RAND and the AMF in AUTN.
Preferably, in step b, the HLR/AUC updates SQNHE from SQNMS when it judges that the resynchronisation token AUTS is legitimate and the SQNMS in the resynchronisation token AUTS is not the agreed special value.
Preferably, the special synchronous processing information may indicate one or more of the following: that the terminal authentication has passed; the newly generated authentication tuple; whether the new authentication tuple is to be used for authentication; the synchronisation type information indicated by the special value; and whether the terminal needs to be authenticated again.
Preferably, step c further comprises: after receiving the synchronous processing result message sent by the HLR/AUC, the MSC/VLR judges whether the message contains illegitimate-synchronisation information; if so, it ends the processing flow. Otherwise, the MSC/VLR judges whether the message contains new authentication tuple information. If it does, the MSC/VLR deletes the old authentication tuples and further judges whether the message contains re-authentication-required information: if re-authentication is required, it initiates authentication of the terminal again with the new authentication tuple; otherwise it stores the new authentication tuple for subsequent authentication, judges that the terminal authentication has passed and processes accordingly. If the message does not contain new authentication tuple information, the MSC/VLR directly judges that the terminal authentication has passed and processes accordingly according to the special synchronous processing information the message contains.
Preferably, the re-authentication-required information is carried to the MSC/VLR by extending the synchronous processing result message, carrying an authentication tuple, that the HLR/AUC returns to the MSC/VLR.
Preferably, the corresponding special synchronous processing information is carried to the MSC/VLR by extending the illegitimate-synchronisation processing result message that the HLR/AUC returns to the MSC/VLR.
Preferably, the corresponding special synchronous processing information may be synchronisation used by the terminal and HLR/AUC to negotiate an anti-theft key and set the anti-theft function, synchronisation used by the terminal and HLR/AUC to negotiate cancellation of the anti-theft function, or synchronisation used by the terminal to convey specific information to the HLR/AUC, where the specific information may be: that the terminal is a GSM/WCDMA dual-mode terminal, that the terminal supports GPS positioning, that the terminal supports automatic transfer of calls to the fixed network, or the result of a special operation that the terminal returns to the HLR/AUC.
Preferably, the agreed special value means an agreed value within a certain range, or one or more agreed specific values.
Preferably, performing the agreed content may be one or more of: performing a key update, performing an authentication algorithm update, performing anti-theft verification, cancelling anti-theft verification, obtaining related information and returning special operation result information.
Another technical solution provided by the invention for the above problem is a method by which the MSC/VLR processes the synchronous processing result message returned by the HLR/AUC, comprising: after receiving the synchronous processing result message sent by the HLR/AUC, the MSC/VLR judges whether the message contains illegitimate-synchronisation information; if so, it ends the processing flow. Otherwise, the MSC/VLR judges whether the message contains new authentication tuple information. If it does, the MSC/VLR deletes the old authentication tuples and judges whether the message contains re-authentication-required information: if re-authentication is required, it initiates authentication of the terminal again with the new authentication tuple; otherwise it stores the new authentication tuple for subsequent authentication, judges that the terminal authentication has passed and processes accordingly. If the message does not contain new authentication tuple information, the MSC/VLR directly judges that the terminal authentication has passed and processes accordingly according to the special synchronous processing information the message contains.
Preferably, the re-authentication-required information is carried to the MSC/VLR by extending the synchronous processing result message, carrying an authentication tuple, that the HLR/AUC returns to the MSC/VLR.
Preferably, the corresponding special synchronous processing information is carried to the MSC/VLR by extending the illegitimate-synchronisation processing result message that the HLR/AUC returns to the MSC/VLR.
Description of drawings
Fig. 1 is a flow chart of a specific embodiment of the present invention.
Fig. 2 is a flow chart of the first embodiment of the specific embodiments of the present invention.
Fig. 3 is a flow chart of the second embodiment of the specific embodiments of the present invention.
Embodiment
The synchronous SQN processing method of the present invention divides the SQN value space so that the synchronous processing flow can be used both for the terminal to upload a special command to the network and, after the HLR/AUC has performed the corresponding operation, for adaptive feedback to the MSC/VLR; specific functions are accomplished through the uploaded special command and the adaptive feedback to the MSC/VLR, for example the terminal conveying key update information to the HLR/AUC and the MSC/VLR handling the corresponding authentication tuples. This scheme guarantees the integrity of the flow from the terminal to the HLR/AUC and from the HLR/AUC to the MSC/VLR.
When the terminal needs to convey specific information to the network side, for example that the authentication key needs to be updated, it can use the existing authentication procedure and extend the synchronous processing flow within it: even when the terminal's authentication of the network side has passed, that is, the terminal's consistency check of AUTN with its stored KI has passed and the SQNHE in AUTN lies within the acceptable range, the terminal still generates a resynchronisation token and sends a resynchronisation request command, and uses the SQNMS in the resynchronisation token AUTS attached to that command to convey the specific information, for example a key update, to the HLR/AUC. In the present invention, after the terminal has authenticated the network side, it substitutes an agreed special value for SQNMS, for example generating the resynchronisation token AUTS with the value 128 in place of SQNMS, and sends a resynchronisation request command to the network side with this token attached. When the HLR/AUC receives the resynchronisation request command it judges whether AUTS is legitimate; if not, it returns a synchronous processing result message containing illegitimate-synchronisation information to the MSC/VLR. If AUTS is judged legitimate, the HLR/AUC judges whether the SQNMS in AUTS is the agreed special value 128: if so, it performs the agreed content, that is, an operation such as a key update, generates a new authentication tuple and sends it to the MSC/VLR; otherwise it proceeds by the normal synchronisation processing flow, that is, it updates SQNHE from SQNMS and performs the subsequent processing. Correspondingly, after receiving the synchronous processing result message from the HLR/AUC, the MSC/VLR judges from the different results whether the terminal authentication has passed, whether the synchronisation is legitimate, whether a new authentication tuple has been obtained, whether the terminal needs to be authenticated again, and so on. The method of the invention makes full use of the existing authentication parameters to convey information to the HLR/AUC conveniently; the HLR/AUC processes the information and gives different feedback to the MSC/VLR, and the MSC/VLR processes each kind of feedback accordingly. Besides enriching the function of the synchronous processing flow, the method improves the security and integrity of the information the terminal conveys to the network side, because the HLR/AUC verifies the legitimacy of AUTS when handling the resynchronisation request command.
The synchronous SQN flow provided by the invention is not only used for the terminal to convey key update messages to the HLR/AUC; it can also convey the terminal's capability support to the HLR/AUC, such as whether the terminal supports GPS positioning or whether it supports the Bluetooth automatic call transfer function, and so on.
The specific embodiments of the present invention are described in detail below with reference to the accompanying drawings:
Refer to Fig. 1, which is a flow chart of a specific embodiment of the invention.
In step 101, the terminal initiates a location update request to the network side.
This step may also be a service request to the network side; in practice it may be any message sent by the terminal that causes the network side to authenticate the terminal.
The authentication tuple may comprise the random number RAND, expected response XRES, cipher key CK, integrity key IK and authentication token AUTN (Authentication Token).
The corresponding authentication parameters comprise RAND and AUTN.
When generating the authentication tuple, the HLR/AUC computes XRES, CK and IK from the random number RAND produced by its random number generator and the key KI it holds, and generates AUTN from RAND, KI, the sequence number SQNHE and the authentication management field AMF.
The authentication token AUTN is 16 bytes long and contains: 1) SQNHE^AK, that is, SQNHE encrypted with AK, where the sequence number SQNHE and the anonymity key AK are each 6 bytes long; SQNHE denotes the SQN kept on the network side, as distinct from the SQNMS kept in the terminal. When SQNHE needs to be encrypted, the HLR/AUC derives AK from RAND and KI and XORs SQNHE with AK, thereby encrypting SQNHE; when SQNHE does not need to be encrypted, AK=0. 2) The authentication management field AMF, 2 bytes long. 3) The message authentication code MAC-A, 8 bytes long; MAC-A verifies the data integrity of RAND, SQNHE and AMF and is used by the terminal to authenticate the HLR/AUC. The HLR/AUC computes the MAC-A in AUTN from RAND, SQNHE, KI and AMF.
In this way RAND, AUTN, XRES, CK and IK form the authentication quintuple.
After generating the authentication quintuple, the HLR/AUC sends the corresponding International Mobile Subscriber Identity IMSI and the authentication quintuple RAND, CK, IK, XRES and AUTN to the MSC/VLR. The MSC/VLR is circuit-domain equipment; in a packet-domain network the corresponding equipment may be the SGSN. During authentication, the network-side MSC/VLR sends the random number RAND and authentication token AUTN from the authentication tuple received from the HLR/AUC to the terminal MS.
The resynchronisation token AUTS contains: 1) SQNMS^AK, that is, SQNMS encrypted with AK, where the sequence number SQNMS and the anonymity key AK are each 6 bytes long; SQNMS denotes the SQN kept on the terminal side, as distinct from the SQNHE kept on the network side. When SQNMS needs to be encrypted, the terminal derives AK from RAND and KI and XORs SQNMS with AK, thereby encrypting SQNMS; when SQNMS does not need to be encrypted, AK=0. 2) The message authentication code MAC-S, 8 bytes long; MAC-S verifies the data integrity of RAND and SQNMS and is also used by the HLR/AUC to authenticate the terminal, that is, to verify the legitimacy of AUTS. In general, the terminal computes MAC-S from its own SQNMS and KI, the received RAND, AMF and so on, and then generates the resynchronisation token AUTS from SQNMS, AK and MAC-S.
Specifically, the terminal computes MAC-A from the received RAND, the key KI it holds, and the SQNHE and AMF in the received AUTN, using the same algorithm the HLR/AUC uses to compute the MAC-A in AUTN, and then performs the consistency check, that is, it compares the MAC-A it computed with the MAC-A in the received AUTN, for example for equality. If they are inconsistent, the terminal returns an authentication failure message to the MSC/VLR. If they are consistent, the terminal further judges whether SQNHE lies within the acceptable range: if so, the terminal concludes that the authentication of the network side has passed. If SQNHE is judged not to lie within the acceptable range, the terminal generates the resynchronisation token AUTS from SQNMS, that is, it computes MAC-S from SQNMS, KI, the received RAND, AMF and so on, then generates the resynchronisation token AUTS from SQNMS, AK and MAC-S, that is, it encrypts SQNMS with AK and combines the ciphertext with MAC-S to produce AUTS. After generating AUTS, the terminal returns a resynchronisation request command or a synchronisation failure (Synchronisation failure) message to the network-side MSC/VLR with the generated resynchronisation token AUTS attached.
After the terminal has authenticated the network side, it substitutes the agreed special value for SQNMS and computes MAC-S from it together with its own KI, the received RAND, AMF and so on, then generates the resynchronisation token AUTS from the special value, AK and MAC-S in place of SQNMS, that is, it encrypts the special value with AK and combines the ciphertext with MAC-S to produce AUTS. After generating AUTS, the terminal sends a resynchronisation request command to the network side with the resynchronisation token AUTS attached, or sends a synchronisation failure message containing AUTS to the network side.
For the specific process of generating AUTS and the algorithms used, refer to the relevant 3GPP specifications; they are not repeated here.
Parsing SQNMS means: when SQNMS has been encrypted, the HLR/AUC first computes AK from KI and RAND and decrypts the SQNMS plaintext from AUTS with AK; when SQNMS is in plaintext mode, that is, AK is set to 0, the HLR/AUC obtains the SQNMS plaintext directly from AUTS. Refer to the relevant 3GPP specifications.
For example, the special synchronisation information may be used to negotiate synchronisation for anti-theft verification, telling the MSC/VLR that the terminal's synchronisation was not caused by an inconsistency between SQNMS and SQNHE but by the terminal needing to convey to the network side the corresponding information for negotiating anti-theft verification.
In step 110, after MSC/VLR judges terminal authentication is passed through, can further create user profile, the relevant treatment flow process receive Authentication Response with MSC/VLR and judge Authentication Response that terminal produces and the authentication five-tuple of this authentication of correspondence in the Expected Response subsequent treatment unanimity of carrying out when consistent.
Can further include the information that whether needs again terminal to be carried out authentication in the Synchronous Processing results messages.This information can be expressed in several ways: whether for example, can classify to the Synchronous Processing results messages, using classification code to distinguish needs again terminal to be carried out authentication; Whether also can expand a cell in message expresses and needs again terminal to be carried out authentication.When not comprising new authentication tuple in the special synchronization message of all situations, also be, only have in the synchronous flow process that causes because of SQNHE is asynchronous with SQNMS, HLR/AUC sends to when new authentication tuple is just arranged in the Synchronous Processing object information of MSC/VLR, MSC/VLR can learn that needs re-authenticate according to new authentication tuple, therefore, can not need in the Synchronous Processing results messages, to comprise especially and whether need the information that re-authenticates, in other words, in this case, new authentication tuple itself has just implied the information that need re-authenticate.
Certainly, for when having comprised illegal synchronizing information in the Synchronous Processing results messages, just do not have in this message to comprise that needs have not carried out the information of authentication to terminal again.
In the middle of the reality, can also when not needing again terminal to be carried out authentication, in message, comprise the information that does not need terminal is carried out authentication; And when needs carry out authentication to terminal again, in message, do not comprise the information that does not need terminal is carried out authentication, rather than in message, comprise the information that to carry out authentication to terminal.Otherwise, can also when needs carry out authentication to terminal again, in message, comprise the information that need carry out authentication to terminal; And when not needing again terminal to be carried out authentication, in message, do not comprise the information that to carry out authentication to terminal, rather than in message, comprise the information that does not need terminal is carried out authentication.
The terminal and HLR/AUC agree in advance that when HLR/AUC, after receiving the terminal's resynchronization request, finds SQNMS to be an agreed particular value, it carries out the agreed content corresponding to that value, i.e. performs the corresponding operation. The agreed content may be a key update, an authentication algorithm update, enabling anti-theft verification, cancelling anti-theft verification, and so on.
In step 105 above and the steps after it, the step in which HLR/AUC judges the legitimacy of AUTS after receiving the resynchronization request may also be placed after the step of judging whether SQNMS in the resynchronization token AUTS is the agreed particular value. Specifically:
One: after HLR/AUC receives the resynchronization request and judges SQNMS to be the agreed particular value, it first computes MAC-S from RAND, KI, SQNMS and AMF with an algorithm consistent with the terminal's, then compares it with the MAC-S in the received AUTS; if they agree, AUTS is judged legal, otherwise illegal. When HLR/AUC judges AUTS illegal, it returns a synchronization processing result message to MSC/VLR carrying synchronization failure information. When HLR/AUC judges AUTS legal, it carries out the agreed content and then returns a synchronization processing result message to MSC/VLR carrying special synchronization information.
Two: after HLR/AUC receives the resynchronization request and judges SQNMS not to be the agreed particular value, it processes according to the normal synchronization flow: when AUTS is judged legal, it updates SQNHE according to SQNMS, generates a new authentication tuple and returns a synchronization processing result message to MSC/VLR carrying the new authentication tuple and re-authentication information; when AUTS is judged illegal, it returns a synchronization processing result message to MSC/VLR carrying illegal synchronization information.
After MSC/VLR receives the synchronization processing result message, it still performs the corresponding handling described in step 110 above. For the normal synchronization flow, refer to the 3GPP standard.
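As an added example (not the patent's own code) of the HLR/AUC handling just described and of the MSC/VLR dispatch on the result message, the following Python simulation runs three resynchronization requests: an agreed particular value, an ordinary out-of-step SQNMS, and a tampered AUTS. The 3GPP functions f1* and f5* are replaced by keyed SHA-256 stand-ins, and the message dictionaries and the modelled tuple contents are this example's own assumptions.

```python
"""Simulation of the resynchronization handling described above.

Added example; not code from the patent. The 3GPP functions f1* (MAC-S)
and f5* (AK) are stood in for by keyed SHA-256 truncations, which is an
assumption of this example, not the page's algorithm.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Agreed particular SQNMS values from the embodiments and the agreed content
# HLR/AUC carries out on recognizing each one.
AGREED_CONTENT = {
    128: "update_ki",                  # first embodiment
    1023: "negotiate_antitheft_key",   # second embodiment
    63: "negotiate_lock_net_auth",     # third embodiment
}


def mac_s(ki: bytes, rand: bytes, sqn_ms: int, amf: bytes) -> bytes:
    """Stand-in for f1*: 64-bit MAC over SQNMS||RAND||AMF keyed with KI."""
    msg = sqn_ms.to_bytes(6, "big") + rand + amf
    return hmac.new(ki, msg, hashlib.sha256).digest()[:8]


def ak_star(ki: bytes, rand: bytes) -> int:
    """Stand-in for f5*: 48-bit anonymity key that conceals SQNMS in AUTS."""
    digest = hmac.new(ki, b"AK*" + rand, hashlib.sha256).digest()
    return int.from_bytes(digest[:6], "big")


def build_auts(ki: bytes, rand: bytes, sqn_ms: int, amf: bytes) -> bytes:
    """Terminal side: AUTS = (SQNMS xor AK*) || MAC-S (3GPP TS 33.102 layout)."""
    masked = sqn_ms ^ ak_star(ki, rand)
    return masked.to_bytes(6, "big") + mac_s(ki, rand, sqn_ms, amf)


@dataclass
class HlrAuc:
    ki: bytes
    sqn_he: int
    performed: list = field(default_factory=list)  # agreed content carried out

    def new_tuple(self) -> dict:
        # Only RAND and SQNHE are modelled; XRES/CK/IK/AUTN are omitted here.
        return {"rand": os.urandom(16), "sqn_he": self.sqn_he}

    def handle_resync(self, rand: bytes, amf: bytes, auts: bytes) -> dict:
        """Returns the synchronization processing result message for MSC/VLR."""
        # Recover SQNMS in clear: derive AK from RAND and KI and undo the XOR.
        sqn_ms = int.from_bytes(auts[:6], "big") ^ ak_star(self.ki, rand)
        # Legitimacy check: recompute MAC-S and compare with the MAC-S in AUTS.
        if not hmac.compare_digest(mac_s(self.ki, rand, sqn_ms, amf), auts[6:]):
            return {"type": "illegal_sync"}
        content = AGREED_CONTENT.get(sqn_ms)
        if content is not None:
            # Particular value: carry out the agreed content, leave SQNHE alone,
            # and return special synchronization info without a new tuple.
            self.performed.append(content)
            return {"type": "special_sync", "content": content}
        # Normal synchronization: adopt SQNMS, regenerate a tuple, require re-auth.
        self.sqn_he = sqn_ms
        return {"type": "new_tuple", "tuple": self.new_tuple(), "reauth": True}


@dataclass
class MscVlr:
    tuples: list = field(default_factory=list)

    def handle_sync_result(self, msg: dict) -> str:
        """Dispatch on the content of the synchronization processing result message."""
        if msg["type"] == "illegal_sync":
            return "auth_failed"
        if "tuple" in msg:
            # A new tuple by itself implies that re-authentication is needed.
            self.tuples.append(msg["tuple"])
            return "reauthenticate"
        return "auth_passed"  # special synchronization info without a new tuple


def run_scenarios() -> list:
    """Three resync requests for one constructed subscriber: agreed value,
    ordinary out-of-step SQNMS, and a tampered AUTS."""
    ki, rand, amf = bytes(range(16)), bytes(16), b"\x80\x00"  # constructed values
    hlr, msc = HlrAuc(ki=ki, sqn_he=5), MscVlr()
    outcomes = []
    for sqn_ms, tamper in ((128, False), (1000, False), (1000, True)):
        auts = bytearray(build_auts(ki, rand, sqn_ms, amf))
        if tamper:
            auts[-1] ^= 0x01  # flip a MAC-S bit: AUTS must now be judged illegal
        result = hlr.handle_resync(rand, amf, bytes(auts))
        outcomes.append((result["type"], msc.handle_sync_result(result), hlr.sqn_he))
    return outcomes


if __name__ == "__main__":
    for row in run_scenarios():
        print(row)
```

Note that the special-synchronization branch models the general flow of claim 1, where the result message carries no new tuple; the second and third embodiments additionally regenerate tuples, which would route through the "new_tuple" branch.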
To better illustrate the idea and significance of the present invention, it is described in detail below through several specific embodiments.
Refer to Fig. 2, which shows the first embodiment of the invention: the flow of performing a KI update with the synchronization processing method of the invention. In this embodiment the terminal and HLR/AUC negotiate a KI update. Here the agreed particular value 128 represents updating the authentication key, and the agreed content corresponding to this value, i.e. what the network side carries out on recognizing it, is "generate a new KI and perform authentication according to the new KI".
Step 201: the terminal initiates a location update request to the network.
This step may also be a service request to the network side. In practice it may be any message sent by the terminal that causes the network side to authenticate the terminal.
Step 202: after the network-side MSC/VLR receives the request, it authenticates the terminal by sending it an authentication request carrying the authentication parameters RAND and AUTN from the current authentication five-tuple corresponding to the terminal.
Specifically, HLR/AUC generates the random number RAND with a random number generator, and computes the expected response XRES, cipher key CK and integrity key IK from RAND and the authentication key KI. It computes the message authentication code MAC-A from RAND, the sequence number SQNHE, KI and AMF, then forms the authentication token AUTN from MAC-A, SQNHE, the anonymity key AK and the authentication management field AMF. When SQNHE needs to be concealed, HLR/AUC derives AK from RAND and KI and XORs SQNHE with AK; when SQNHE need not be concealed, AK = 0.
HLR/AUC then sends the five-tuple formed by RAND, AUTN, XRES, CK and IK, together with the corresponding IMSI, to MSC/VLR. HLR/AUC sends the generated authentication tuples to MSC/VLR after receiving MSC/VLR's request for authentication five-tuples. For further details see the relevant 3GPP protocol provisions; being known technology, they are not repeated here.
During authentication, MSC/VLR sends the terminal an authentication request and at the same time sends it the authentication parameters RAND and AUTN from the five-tuple.
Step 203: when the terminal receives the authentication request, it first performs a consistency check on the received RAND and AUTN with the KI it holds, i.e. it verifies AUTN with its own KI and the received RAND. If the check passes, step 205 is executed; otherwise step 204.
Specifically, when the terminal receives RAND and AUTN from MSC/VLR, it generates MAC-A from its own KI, the received RAND, and SQNHE and AMF from the received AUTN, using an algorithm consistent with the one HLR/AUC uses to compute MAC-A in AUTN; it then compares the MAC-A it generated with the MAC-A in AUTN. If they are equal, the consistency check of RAND and AUTN passes; otherwise it fails.
Step 204: the terminal returns "authentication failed" to the network, and this KI-update negotiation flow ends.
Step 208: when the network-side MSC/VLR receives the synchronization failure message sent by the terminal, it sends AUTS from the message together with RAND from the corresponding five-tuple to HLR/AUC. Step 209 is then executed.
In practice, when the network-side MSC/VLR receives the synchronization failure message sent by the terminal, it requests a new authentication tuple from HLR/AUC; the request message carries the AUTS received from the terminal and RAND from the corresponding authentication five-tuple.
Note that if SQNMS in AUTS is concealed with AK, HLR/AUC can derive AK from RAND and KI to decrypt the concealed SQNMS and obtain SQNMS in clear. As this is specified in the 3GPP protocol, it is not described in detail here.
In this embodiment, the information indicating to MSC/VLR whether the terminal needs to be authenticated again is carried by an extended information element; for specific handling see the provisions of the relevant 3GPP authentication protocol.
Step 213: send a synchronization processing result message to MSC/VLR carrying illegal synchronization information. Step 214 is then executed.
Step 216: initiate re-authentication of the terminal with the new authentication tuple, then end the flow.
Step 217: judge that the terminal has passed authentication, then end the flow.
When MSC/VLR judges that the terminal has passed authentication, it may carry out subsequent processing; for example, in an authentication flow triggered by a location update request, MSC/VLR checks whether the subscriber profile has been created and, if not, requests the subscriber's subscription information from HLR/AUC, and so on. This processing is the same as the subsequent processing MSC/VLR performs when it receives the authentication response and judges that the response generated by the terminal agrees with the expected response in the authentication five-tuple used for this authentication.
Of course, in this embodiment, when HLR/AUC receives the resynchronization request sent by MSC/VLR, it may also first judge whether SQNMS in AUTS is the agreed particular value and judge the legitimacy of AUTS afterwards.
Refer to Fig. 3, which shows the second embodiment of the invention: the flow of enabling the terminal anti-theft function, in the terminal anti-theft method with the key escrowed in HLR/AUC, realized with the synchronous SQN processing method of the invention. In this embodiment the terminal and HLR/AUC negotiate the anti-theft key. Here the agreed particular value 1023 indicates that the terminal needs to negotiate an anti-theft key with HLR/AUC and enable anti-theft verification; the agreed content corresponding to this value, i.e. what the network side carries out on recognizing the value 1023, is "generate the anti-theft key, and when the terminal requests authentication with the network, generate authentication information according to this anti-theft key and return it to the terminal".
For the anti-theft method with the key escrowed in HLR/AUC, refer to patent application PCT/CN2004/001325.
Step 301: the terminal initiates a location update request to the network.
Step 302: after the network-side MSC/VLR receives the request, it authenticates the terminal by sending it an authentication request carrying the authentication parameters RAND and AUTN from the current authentication five-tuple corresponding to the terminal.
Step 303: when the terminal receives the authentication request, it first performs a consistency check on the received RAND and AUTN with the KI it holds, i.e. it verifies AUTN with its own KI and the received RAND. If the check passes, step 305 is executed; otherwise step 304.
Step 304: the terminal returns "authentication failed" to the network, and this negotiation flow ends.
Step 308: when the network-side MSC/VLR receives the synchronization failure message sent by the terminal, it sends AUTS from the message together with RAND from the corresponding five-tuple to HLR/AUC.
In practice, when the network-side MSC/VLR receives the synchronization failure message sent by the terminal, it requests a new authentication tuple from HLR/AUC; the request message carries the AUTS received from the terminal and RAND from the corresponding authentication five-tuple.
In this embodiment, HLR/AUC indicates to MSC/VLR through an extended information element that the synchronization flow was caused by anti-theft key negotiation; for specific handling see the provisions of the relevant 3GPP authentication protocol.
In practice, the need to authenticate the terminal again can be indicated to MSC/VLR simply by delivering a new authentication tuple.
Step 313: send a synchronization processing result message to MSC/VLR carrying illegal synchronization information. Step 314 is then executed.
When MSC/VLR judges that the terminal has passed authentication, it may carry out subsequent processing; for example, in an authentication flow triggered by a location update request, MSC/VLR checks whether the subscriber profile has been created and, if not, requests the subscriber's subscription information from HLR/AUC, and so on. This processing is the same as the subsequent processing MSC/VLR performs when it receives the authentication response and judges that the response generated by the terminal agrees with the expected response in the authentication five-tuple used for this authentication.
In the network-locking method in which the key is escrowed long-term at the lock-net center LC and temporarily at HLR/AUC, a security key SKey is set in the mobile terminal; the network-side lock-net center LC stores the correspondence between the mobile terminal identification and the preset security key SKey together with the corresponding IMSI matching code, the invention using the terminal's International Mobile Equipment Identity IMEI as the mobile terminal identification. After the mobile terminal is powered on, if it judges that it supports network locking and its authentication of the network with the security key fails, it needs to negotiate with the network-side HLR/AUC to use the security key SKey instead of the authentication key KI to generate authentication tuples for mutual authentication between terminal and network side. After the terminal and network side complete this negotiation, the terminal obtains, through the authentication flow with the network side, an electronic key generated from the security key SKey, namely the authentication parameters RAND and AUTN sent to the terminal when MSC/VLR authenticates it; by judging the legitimacy of this electronic key the terminal decides whether the mobile terminal is being used legitimately, thereby meeting the operator's requirement to lock rented handsets to its network. Here, when the mobile terminal carries out the above negotiation with HLR/AUC, if HLR/AUC finds no SKey for this terminal in the subscriber's subscription data, it obtains the SKey of this terminal from the lock-net center LC according to the terminal's IMEI and the subscriber's IMSI, and stores this SKey to use in place of KI when generating authentication five-tuples; that is, SKey substitutes for KI in generating authentication tuples for authentication between terminal and network. In this way, by restricting each [IMEI, SKey] pair in LC with an IMSI matching code, which subscriber cards this mobile terminal may use to access the network is restricted, thus achieving the purpose of locking the mobile terminal to the network.
Refer to Fig. 4, which shows the third embodiment of the invention. It shows the terminal and network side negotiating lock-net authentication through the synchronization processing flow of the invention, i.e. negotiating to use the security key SKey in place of the authentication key KI to generate authentication tuples for mutual authentication between mobile terminal and network, thereby achieving the network locking described above. In this embodiment the terminal and HLR/AUC negotiate lock-net authentication, i.e. HLR/AUC uses the security key SKey instead of KI to generate authentication tuples for mutual authentication between terminal and network side. Here the agreed particular value 63 represents this negotiation request; the agreed content corresponding to this value, i.e. what the network-side HLR/AUC carries out on recognizing this value while handling the resynchronization message, is to obtain the security key SKey corresponding to the mobile terminal, use this SKey instead of KI to generate authentication five-tuples, and at the same time instruct MSC/VLR to authenticate the terminal again with the new authentication tuple.
Before the flow is carried out, the security key SKey and a lock-net authentication sequence number LCSQNMS are first set in the mobile terminal; the initial value of LCSQNMS may be 1 or a random number. The network-side lock-net center LC stores, for this terminal's IMEI, the corresponding security key SKey, an IMSI matching code and a lock-net authentication sequence number LCSQNLC, whose initial value may be 1 or a random number. HLR/AUC stores the terminal's IMEI in the subscription data of the subscriber and sets LCSQNHE. The IMEI may be stored in the subscriber's subscription data when the user rents the handset and completes the subscription formalities, or the terminal may send its IMEI to HLR/AUC after power-on by short message or a USSD operation for storage.
The processing flow is as follows:
Step 401: after the terminal is powered on, it initiates a location update request to the network.
Step 402: after the network-side MSC/VLR receives the request, it authenticates the terminal by sending it an authentication request carrying the authentication parameters RAND and AUTN from the current authentication five-tuple corresponding to the terminal.
Step 403: when the terminal receives the authentication request, it judges whether it supports network locking. The terminal can do this by having a lock-net flag, indicating whether the network is locked, set in advance and judging from this flag. If network locking is not supported, step 404 is executed; otherwise step 405.
Specifically, when the terminal receives RAND and AUTN from MSC/VLR, it generates MAC-A from its own SKey, the received RAND, and SQNHE and AMF from the received AUTN, using an algorithm consistent with the one HLR/AUC uses to compute MAC-A in AUTN; it then compares the MAC-A it generated with the MAC-A in AUTN. If they are equal, the consistency check of RAND and AUTN passes; otherwise it fails.
The terminal authentication state means: HLR/AUC generates authentication tuples using SKey instead of KI and LCSQNHE instead of SQNHE, and when the terminal authenticates the network it uses SKey to judge the consistency of RAND and AUTN and LCSQNMS to judge whether SQNHE in AUTN is within the acceptable range.
Step 406: end this lock-net authentication negotiation flow and process according to the terminal authentication flow, i.e. the terminal's normal authentication flow. That is, the terminal judges from LCSQNMS whether SQNHE in AUTN is within the acceptable range; if so, it judges that authentication of the network has passed and enters the normal working state, i.e. after judging that network authentication has passed the terminal updates the stored LCSQNMS according to SQNHE, generates the authentication response, cipher key and integrity key from SKey, and returns the authentication response to the network; the network judges from the returned response whether the terminal passes authentication and thus whether it may access the network normally. If the terminal judges from LCSQNMS that SQNHE in AUTN is not within the acceptable range, it judges synchronization failure, i.e. SQNHE and LCSQNMS are out of step, and the terminal directly generates the resynchronization token AUTS from SKey and LCSQNMS and sends the network a resynchronization request enclosing this AUTS. Specifically, the terminal computes MAC-S from its own SKey, LCSQNMS, the received RAND and AMF, etc., generates AUTS from LCSQNMS, AK and MAC-S, then sends the network side a resynchronization request enclosing this AUTS, i.e. sends MSC/VLR a synchronization failure message carrying AUTS. Through this resynchronization request HLR/AUC updates LCSQNHE according to LCSQNMS. HLR/AUC can tell from being in the terminal authentication state that the purpose of the synchronization is to update LCSQNHE rather than SQNHE.
Specifically, when the terminal receives RAND and AUTN from MSC/VLR, it generates MAC-A from its own KI, the received RAND, and SQNHE and AMF from the received AUTN, using an algorithm consistent with the one HLR/AUC uses to compute MAC-A in AUTN; it then compares the MAC-A it generated with the MAC-A in AUTN. If they are equal, the consistency check of RAND and AUTN passes; otherwise it fails.
The card authentication state means that HLR/AUC generates authentication tuples using KI and SQNHE, and when the terminal authenticates the network it uses KI to judge the consistency of RAND and AUTN and SQNMS to judge whether SQNHE in AUTN is within the acceptable range.
Step 409: the terminal returns "authentication failed" to the network, and this negotiation flow ends.
Step 413: when the network-side MSC/VLR receives the synchronization failure message sent by the terminal, it sends AUTS from the message together with RAND from the corresponding five-tuple to HLR/AUC. Step 414 is then executed.
In practice, when the network-side MSC/VLR receives the synchronization failure message sent by the terminal, it requests a new authentication tuple from HLR/AUC; the request message carries the AUTS received from the terminal and RAND from the corresponding authentication five-tuple.
Step 420: return IMSI matching judgement information to HLR/AUC; that is, LC judges whether the IMSI of this subscriber matches the IMSI matching code obtained. If not, it returns information to HLR/AUC that obtaining SKey is not allowed; otherwise it returns the obtained SKey and LCSQNLC to HLR/AUC. Step 421 is then executed.
Step 421: after HLR/AUC obtains the message returned by LC, it judges whether LC obtained SKey. When LC could not obtain SKey, HLR/AUC returns a synchronization processing result message to MSC/VLR carrying information that the terminal's SKey could not be obtained, then executes step 425; when LC did not allow SKey to be obtained, it returns a synchronization processing result message to MSC/VLR carrying information that obtaining the terminal's SKey is not allowed, then executes step 425; when it judges that the message carries the obtained SKey and LCSQNLC, it stores this SKey according to the subscriber's IMSI and updates LCSQNHE according to LCSQNLC, or in other words stores this SKey in the subscriber's subscription data and sets the corresponding LCSQNHE to LCSQNLC, then executes step 422.
In this embodiment, HLR/AUC can deliver the various synchronization processing result messages to MSC/VLR by extending the original protocol messages. For example, for the case where a new authentication tuple must be returned to MSC/VLR, by extending the original protocol message for successful synchronization, i.e. the message by which HLR/AUC, on judging AUTS legal, generates a new authentication tuple and sends it to MSC/VLR; for the case where no new authentication tuple information needs to be sent to MSC/VLR, by extending the original protocol message for synchronization failure, i.e. the message by which HLR/AUC, on judging AUTS illegal, sends MSC/VLR the information that the synchronization message is invalid. For specific handling see the provisions of the relevant 3GPP authentication protocol.
Step 423: send a synchronization processing result message to MSC/VLR carrying illegal synchronization information, then execute step 426.
Step 425: MSC/VLR judges that the terminal is legitimate and ends this lock-net negotiation flow. When MSC/VLR judges that the message carries information that the terminal's SKey could not be obtained, it judges that the terminal has passed authentication; when it judges that the message carries information that obtaining the terminal's SKey is not allowed, it also judges that the terminal has passed authentication. Of course, MSC/VLR can additionally handle these two cases differently, for instance by returning different cause values to the terminal for the terminal to display to the user, which gives a more user-friendly interface.
When MSC/VLR judges that the terminal has passed authentication, it obtains the subscriber profile from HLR/AUC and inserts it. In this case the terminal cannot authenticate the network, because it cannot obtain the relevant authentication information from MSC/VLR; the terminal will shut down automatically after a preset period, or enter an abnormal working state and prompt the user that the terminal is being used illegitimately, thus achieving the network locking purpose.
Considering the above embodiments together, since various synchronization processing flows may need to be supported by HLR/AUC and MSC/VLR at the same time, MSC/VLR needs to take all possible special synchronization flows into account when handling the synchronization processing result message sent by HLR/AUC. Refer to Fig. 5, which shows the flow in which MSC/VLR of the invention, taking all possible special synchronization flows into account, handles the synchronization processing result message sent by HLR/AUC:
Step 505: store the new authentication tuple for use in the next authentication.
Step 506: judge that the terminal has passed authentication and handle accordingly.
The method of the invention can be used not only to convey to the network side the request information for negotiating a key update and the information that the terminal needs to negotiate an anti-theft key with HLR/AUC and enable the anti-theft authentication function, but also to convey to HLR/AUC request information for negotiating an authentication algorithm update, information on whether the terminal performs anti-theft verification or cancels anti-theft verification, and of course information on whether the terminal is a GSM/WCDMA dual-mode terminal, etc.
For a key update initiated by HLR/AUC, the terminal can use the method of the invention to return to HLR/AUC information on whether the key update operation succeeded. In that case the information HLR/AUC delivers to MSC/VLR is special synchronization information; since HLR/AUC regenerates the authentication tuples because of this synchronization flow, MSC/VLR judges from this message that the terminal has passed authentication and creates the subscriber profile.
In the above embodiments it is agreed that SQNMS = 63 indicates that the terminal negotiates with HLR/AUC to enable lock-net authentication, i.e. HLR/AUC uses the security key SKey instead of KI to generate authentication tuples for mutual authentication between terminal and network side; SQNMS = 128 indicates that the terminal conveys to HLR/AUC a request to update the authentication key; and SQNMS = 1023 indicates that the terminal needs to negotiate an anti-theft key with HLR/AUC and enable the anti-theft authentication function. In practice it can further be agreed that SQNMS = 1024 indicates that the terminal needs to negotiate cancelling anti-theft verification with HLR/AUC, SQNMS = 15 indicates that the terminal conveys to HLR/AUC that it is a lock-net handset, SQNMS = 16 indicates that the terminal conveys to HLR/AUC a request to negotiate an authentication algorithm update, SQNMS = 17 indicates that the terminal conveys to HLR/AUC that it is a GSM/WCDMA dual-mode terminal, and so on.
The MSC/VLR above is circuit-domain equipment; for a packet-domain network the equipment corresponding to MSC/VLR is the SGSN, so the invention applies equally to the packet domain.
In each of the above embodiments, the terminal and HLR/AUC may generate the new authentication key with a mature digest algorithm; suitable digest algorithms can be found in the book "Applied Cryptography" or in relevant algorithm papers and reports. Of course, the new key may also be generated with the algorithms mentioned in the 3GPP protocol for deriving the cipher key CK or integrity key IK from the random number RAND and the authentication key KI.
In each of the above embodiments, the terminal's consistency check of AUTN, its judgement of whether SQNHE is within the acceptable range, HLR/AUC's verification of AUTS legitimacy, HLR/AUC's update of SQNHE when generating authentication tuples, the algorithms for generating authentication tuples and for generating AUTS, and so on, can be found in the relevant 3GPP protocols; being known technology, they are not repeated here.
It should be understood that the above are only preferred embodiments of the invention and are not intended to limit it; any modifications, equivalent substitutions, improvements, etc. made within the spirit and principles of the invention shall be included within the scope of protection of the invention.
Claims (19)
1. the processing method of a synchronous SQN, MSC/VLR is when carrying out authentication to terminal, the corresponding authentication parameter that is received from the authentication five-tuple of HLR/AUC is sent to terminal by authentication request message, the KI KI and the sequence number of authentification SQNMS of terminal basis oneself carry out authentication to network, it is characterized in that, said method comprising the steps of:
A. after terminal was passed through network authentication, terminal replaced SQNMS to produce sync mark AUTS again with the particular value of agreement, and network is sent synchronous request command again and encloses the described AUTS of sync mark again;
B. network side HLR/AUC receives described synchronous request command again, and described HLR/AUC judges whether described AUTS is legal, if illegal, then returns the Synchronous Processing results messages that comprises illegal synchronizing information to MSC/VLR; If it is legal, then HLR/AUC judges whether the SQNMS among the described AUTS is the particular value of described agreement, if, then carry out the operation of described particular value correspondence, and return the Synchronous Processing object information that comprises special synchronizing information to MSC/VLR, otherwise, SQNHE upgraded according to SQNMS, and produce the authentication tuple again, return the Synchronous Processing object information that comprises new authentication tuple and need re-authenticate information to MSC/VLR;
After c.MSC/VLR receives the Synchronous Processing results messages of HLR/AUC transmission, according to the different content information and executing corresponding process operations that comprises in the Synchronous Processing results messages.
2. The method according to claim 1, characterized in that, before the MSC/VLR authenticates the terminal, the method further comprises: the terminal sends the network side an order or request that can trigger the authentication procedure, the order or request being a location update request or a service request.
3. The method according to claim 1, characterized in that the authentication quintuplet comprises: the random number RAND, the expected response XRES, the cipher key CK, the integrity key IK and the authentication token AUTN; the authentication token AUTN comprises the authentication sequence number SQNHE, the authentication management field AMF and the message authentication code MAC-A; and the corresponding authentication parameters comprise the random number RAND and the authentication token AUTN.
4. The method according to claim 3, characterized in that, in step a, after the terminal has passed network authentication, the method further comprises the terminal updating its own SQNMS according to the SQNHE in the AUTN.
5. The method according to claim 3, characterized in that the terminal passing network authentication means: the terminal performs a consistency check on the received AUTN according to its own authentication key KI and the received RAND and the check passes, and the terminal judges, according to its own SQNMS, that the SQNHE in the AUTN is within the acceptable range.
6. The method according to claim 5, characterized in that step a further comprises: when the terminal's consistency check on the received AUTN, performed according to its own authentication key KI and the received RAND, passes, but the terminal judges according to its own SQNMS that the SQNHE in the AUTN is not within the acceptable range, the terminal directly generates the re-synchronization token AUTS according to SQNMS and sends the network a re-synchronization request command carrying the re-synchronization token AUTS.
7. The method according to claim 6, characterized in that, in step a, the terminal directly generating the re-synchronization token AUTS according to SQNMS means: the terminal directly computes and generates the re-synchronization token AUTS according to its own SQNMS and authentication key KI, the received RAND, and the AMF in the AUTN.
8. The method according to claim 3, characterized in that, in step a, the terminal generating the re-synchronization token AUTS with the agreed particular value in place of SQNMS means: the terminal computes and generates the re-synchronization token AUTS according to its own authentication key KI, the received RAND and the AMF in the AUTN, using the agreed particular value in place of SQNMS.
9. The method according to claim 3, characterized in that, in step b, the HLR/AUC updates SQNHE according to SQNMS when it judges that the re-synchronization token AUTS is legal and that the SQNMS in the re-synchronization token AUTS is not the agreed particular value.
10. The method according to claim 3, characterized in that the special synchronization processing information may be used to indicate one or more of the following: that terminal authentication has passed, a newly generated authentication tuple, whether the new authentication tuple is to be used for authentication, the synchronization type information indicated by the particular value, and whether the terminal needs to be re-authenticated.
11. The method according to claim 3, characterized in that step c further comprises: after receiving the synchronization processing result message sent by the HLR/AUC, the MSC/VLR judges whether the message contains illegal-synchronization information; if so, it ends the processing flow. Otherwise, the MSC/VLR judges whether the message contains new authentication tuple information: if it does, the MSC/VLR deletes the old authentication tuple and further judges whether the message contains re-authentication-required information; if re-authentication is required, it initiates authentication to the terminal again with the new authentication tuple, otherwise it stores the new authentication tuple for subsequent authentication, judges that terminal authentication has passed and processes accordingly. If the message does not contain new authentication tuple information, the MSC/VLR directly judges that terminal authentication has passed and processes accordingly according to the special synchronization processing information contained in the message.
12. The method according to claim 11, characterized in that the re-authentication-required information is carried to the MSC/VLR by extending the synchronization processing result message carrying an authentication tuple that the HLR/AUC returns to the MSC/VLR.
13. The method according to claim 11, characterized in that the corresponding special synchronization processing information is carried to the MSC/VLR by extending the illegal-synchronization processing result message that the HLR/AUC returns to the MSC/VLR.
14. The method according to claim 11, characterized in that the corresponding special synchronization processing information may be used for the terminal to synchronously negotiate an anti-theft key with the HLR/AUC and set the anti-theft function, may be used for the terminal to synchronously negotiate cancellation of the anti-theft function with the HLR/AUC, or may be used for the terminal to synchronously transfer specific information to the HLR/AUC, the specific information being: that the terminal is a GSM/WCDMA dual-mode terminal, that the terminal supports the GPS positioning function, that the terminal supports automatically transferring calls to the fixed network, or that the terminal returns special-operation execution result information to the HLR/AUC.
15. The method according to claim 1, characterized in that the agreed particular value means a value within an agreed range, or one or more agreed specific values.
16. The method according to claim 1, characterized in that the agreed content that is executed may be one or more of: performing a key update, performing an authentication algorithm update, performing anti-theft verification, cancelling anti-theft verification, and obtaining relevant information and returning special-operation execution result information.
17. A method for an MSC/VLR to process a synchronization processing result message returned by an HLR/AUC, characterized in that, after receiving the synchronization processing result message sent by the HLR/AUC, the MSC/VLR judges whether the message contains illegal-synchronization information; if so, it ends the processing flow. Otherwise, the MSC/VLR judges whether the message contains new authentication tuple information: if it does, the MSC/VLR deletes the old authentication tuple and judges whether the message contains re-authentication-required information; if re-authentication is required, it initiates authentication to the terminal again with the new authentication tuple, otherwise it stores the new authentication tuple for subsequent authentication, judges that terminal authentication has passed and processes accordingly. If the message does not contain new authentication tuple information, the MSC/VLR directly judges that terminal authentication has passed and processes accordingly according to the special synchronization processing information contained in the message.
18. The method according to claim 17, characterized in that the re-authentication-required information is carried to the MSC/VLR by extending the synchronization processing result message carrying an authentication tuple that the HLR/AUC returns to the MSC/VLR.
19. The method according to claim 17, characterized in that the corresponding special synchronization processing information is carried to the MSC/VLR by extending the illegal-synchronization processing result message that the HLR/AUC returns to the MSC/VLR.
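To make the decision flow of steps a to c and claims 11 and 17 concrete, the following is an added Python simulation of the three-party exchange (terminal, HLR/AUC, MSC/VLR); it is not code from the patent or from any operator's implementation. HMAC-SHA256 stands in for the 3GPP f1*/f5* functions, and the message field names, the "particular values" and their mapped operations, the AMF value, the key KI and the RAND are all constructed assumptions. The MAC-S check on the HLR/AUC side is what turns a forged or corrupted AUTS into the "illegal synchronization" outcome, and the special value deliberately leaves SQNHE unchanged, as claim 9 requires.

```python
"""Simulated SQN re-synchronization exchange: terminal -> HLR/AUC -> MSC/VLR."""
import hashlib
import hmac
from dataclasses import dataclass, field

SQN_LEN = 6                      # 48-bit sequence number
AMF = b"\x00\x00"                # authentication management field (constructed value)

# Agreed "particular values" the terminal may place in AUTS instead of its real
# SQNMS, mapped to the operation the HLR/AUC performs (constructed; claim 16
# names key update and anti-theft verification among the possible operations).
SPECIAL_VALUES = {
    bytes.fromhex("ffffffffff01"): "key_update",
    bytes.fromhex("ffffffffff02"): "anti_theft_verify",
}


def f1_star(ki: bytes, rand: bytes, sqn: bytes, amf: bytes) -> bytes:
    """Stand-in for f1*: 64-bit re-synchronization MAC-S over SQN || RAND || AMF."""
    return hmac.new(ki, sqn + rand + amf, hashlib.sha256).digest()[:8]


def f5_star(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for f5*: anonymity key AK that conceals the SQN inside AUTS."""
    return hmac.new(ki, b"AK" + rand, hashlib.sha256).digest()[:SQN_LEN]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_auts(ki: bytes, rand: bytes, sqn_ms: bytes) -> bytes:
    """Terminal side (step a, claims 7 and 8): AUTS = (SQN xor AK) || MAC-S.
    sqn_ms is either the terminal's real SQNMS or an agreed particular value."""
    return xor(sqn_ms, f5_star(ki, rand)) + f1_star(ki, rand, sqn_ms, AMF)


@dataclass
class HlrAuc:
    ki: bytes
    sqn_he: bytes

    def process_resync(self, rand: bytes, auts: bytes) -> dict:
        """HLR/AUC side (step b). Returns the synchronization processing result message."""
        sqn_ms = xor(auts[:SQN_LEN], f5_star(self.ki, rand))
        expected = f1_star(self.ki, rand, sqn_ms, AMF)
        if not hmac.compare_digest(expected, auts[SQN_LEN:]):
            return {"illegal_sync": True}                  # AUTS failed the MAC-S check
        if sqn_ms in SPECIAL_VALUES:                       # agreed particular value
            # Carry out the agreed operation; SQNHE is left untouched (claim 9).
            return {"auth_passed": True, "special_sync": SPECIAL_VALUES[sqn_ms]}
        self.sqn_he = sqn_ms                               # genuine re-sync: adopt SQNMS
        return {"new_tuple": self.new_tuple(), "reauth_required": True}

    def new_tuple(self) -> dict:
        """Minimal authentication tuple: a fresh RAND plus the SQNHE it was built from."""
        rand = hashlib.sha256(b"RAND" + self.sqn_he).digest()[:16]
        return {"rand": rand, "sqn_he": self.sqn_he}


@dataclass
class MscVlr:
    tuples: list = field(default_factory=list)

    def process_result(self, msg: dict) -> str:
        """MSC/VLR side (step c, claims 11 and 17). Returns the action taken."""
        if msg.get("illegal_sync"):
            return "abort"                                 # end the processing flow
        if "new_tuple" in msg:
            self.tuples.clear()                            # delete the old tuple(s)
            self.tuples.append(msg["new_tuple"])
            if msg.get("reauth_required"):
                return "reauthenticate"                    # run authentication again
            return "authenticated"                         # keep the tuple for later use
        # No new tuple: authentication passed; act on the special sync information.
        return "authenticated:" + msg.get("special_sync", "none")


def run_resync(sqn_ms: bytes, tamper: bool = False) -> tuple:
    """Drive one exchange end to end with constructed keys; returns (action, SQNHE)."""
    ki = bytes(range(16))                                  # constructed 128-bit KI
    rand = hashlib.sha256(b"challenge").digest()[:16]      # constructed 128-bit RAND
    hlr = HlrAuc(ki=ki, sqn_he=bytes.fromhex("000000001000"))
    msc = MscVlr(tuples=[{"rand": rand, "sqn_he": hlr.sqn_he}])
    auts = build_auts(ki, rand, sqn_ms)
    if tamper:                                             # corrupt one bit of MAC-S
        auts = auts[:-1] + bytes([auts[-1] ^ 0x01])
    msg = hlr.process_resync(rand, auts)
    return msc.process_result(msg), hlr.sqn_he


if __name__ == "__main__":
    print(run_resync(bytes.fromhex("000000000020")))                # genuine re-sync
    print(run_resync(bytes.fromhex("ffffffffff01")))                # special value
    print(run_resync(bytes.fromhex("000000000020"), tamper=True))   # corrupted AUTS
```

The three calls at the bottom exercise the three branches of step b: a genuine re-synchronization ends in "reauthenticate" with SQNHE replaced by SQNMS, the special value ends in "authenticated:key_update" with SQNHE unchanged, and a corrupted AUTS ends in "abort" because the MAC-S no longer verifies.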
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB2005100362234A CN100396156C (en) | 2005-07-26 | 2005-07-26 | Synchronous SQN processing method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1859709A CN1859709A (en) | 2006-11-08 |
CN100396156C true CN100396156C (en) | 2008-06-18 |
Family
ID=37298560
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNB2005100362234A Active CN100396156C (en) | 2005-07-26 | 2005-07-26 | Synchronous SQN processing method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN100396156C (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101466096B (en) * | 2007-12-17 | 2010-07-21 | 大唐移动通信设备有限公司 | Method and system for triggering synchronous failure of authentication process |
CN101729513B (en) * | 2008-10-27 | 2014-02-19 | 华为数字技术(成都)有限公司 | Network authentication method and device |
CN102056132B (en) * | 2009-11-10 | 2013-06-05 | ***通信集团公司 | Method, system and device for authenticating user cards roaming among different networks |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1430400A (en) * | 2002-01-01 | 2003-07-16 | 哈尔滨万博信息技术有限公司 | Identity identification method specially used in mobile phone networking insertion service |
WO2004019640A1 (en) * | 2002-08-16 | 2004-03-04 | Siemens Aktiengesellschaft | Method for identifying a communications terminal |
EP1414259A1 (en) * | 2002-10-21 | 2004-04-28 | Swisscom Mobile AG | Method for detecting a duplicated identification module |
2005-07-26: application CNB2005100362234A filed in CN, granted as CN100396156C, status Active.
Non-Patent Citations (2)
Title |
---|
Security research on authentication in 3G access technology (3G接入技术中认证鉴权的安全性研究). 张方舟, 叶润国, 冯彦君, 宋成. Microelectronics & Computer (微电子学与计算机), Vol. 21, No. 9, 2004 |
Also Published As
Publication number | Publication date |
---|---|
CN1859709A (en) | 2006-11-08 |
Similar Documents
Publication | Title |
---|---|
CN100583767C | Key updating method and device |
JP4263384B2 | Improved method for authentication of user subscription identification module |
CN100488280C | Authentifying method and relative information transfer method |
EP1758417B1 | Authentication method |
US10003965B2 | Subscriber profile transfer method, subscriber profile transfer system, and user equipment |
JP4688808B2 | Enhanced security configuration for encryption in mobile communication systems |
CN101536463B | Generating keys for protection in next generation mobile networks |
EP2296392A1 | Authentication method, re-certification method and communication device |
EP1976322A1 | An authentication method |
KR20060046243A | Method and system for secured duplication of information from a sim card to at least one communicating object |
KR20070112260A | Network assisted terminal to sim/uicc key establishment |
CN101163003A | System and method for authenticating network for terminal when SIM card use UMTS terminal and UMTS system |
CN109565672B | Authentication server for cellular telecommunications network and corresponding UICC |
CN107196920A | A kind of key towards wireless communication system produces distribution method |
CN104521213A | Manipulation and restoration of authentication challenge parameters in network authentication procedures |
CN100461938C | Updating method of controlled secret key |
CN100479569C | Controlled key updating method |
WO2006047938A1 | Method for network equipment generating subscriber card authentication random number and method of authentication |
CN100396156C | Synchronous SQN processing method |
CN105873059A | United identity authentication method and system for power distribution communication wireless private network |
CN101160784B | Cipher key updating negotiation method and apparatus |
CN102111268B | Two-way authentication method of global system for mobile communications (GSM) network |
CN1964259B | A method to manage secret key in the course of switch-over |
CN205693897U | The secondary identity authorization system of LTE electric power wireless private network |
CN101730093B | Safe switching method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant |