CN103179563A - Method and system for access authentication - Google Patents


Info

Publication number: CN103179563A
Authority: CN (China)
Prior art keywords: authentication, equipment, user terminal, access network, sends
Legal status: Granted (status as listed by Google Patents; not a legal conclusion)
Application number: CN2011104285641A
Other languages: Chinese (zh)
Other versions: CN103179563B (en)
Inventors: 林奕琳, 张琳峰, 吴敏清, 张岚
Current assignee: China Telecom Corp Ltd
Original assignee: China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd
Priority to CN201110428564.1A
Publication of CN103179563A
Application granted
Publication of CN103179563B
Current legal status: Active

Landscapes

  • Computer And Data Communications (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a method and system for access authentication. In the method, after a first access network device receives an access request, it performs a first authentication of the first user terminal; if the first authentication succeeds, the first access network device forwards the access request to the HAAA server; the HAAA server checks whether a service connection associated with the identifying information in the request already exists; if one exists, the HAAA server sends a re-authentication request to the second access network device; the second access network device performs a second authentication of the second user terminal; if the second authentication succeeds, the second access network device returns a re-authentication success message to the HAAA server, and the HAAA server refuses the access request. Because a cloned card cannot copy the secret key, authenticating the secret key identifies the illegitimate user terminal correctly and its connection to the network can be torn down, without adding load to the network and with improved user experience.

Description

Access authentication method and system
Technical field
The present invention relates to the field of communications, and in particular to an access authentication method and system.
Background art
In the operation of CDMA2000 (Code Division Multiple Access 2000) networks, a user with some technical knowledge may copy certain parameters of a legitimate Removable User Identity Module (R-UIM) card, for example the Network Access Identifier (NAI) or the International Mobile Subscriber Identity (IMSI), and so obtain a cloned R-UIM card; the secret key, however, cannot be copied. When using the High Rate Packet Data (HRPD) service, such a user may first use the legitimate R-UIM card to set up an HRPD session and a Point-to-Point Protocol (PPP) connection and reach the Internet through the CDMA2000 packet core network. Once the PPP connection is established, the user replaces the legitimate R-UIM card with the cloned one, and the old terminal, now holding the cloned card, continues to use the HRPD data service and access the network normally.
At present the network performs the A12-interface access network authentication of a terminal only when the HRPD session is set up. Neither establishing nor activating a PPP connection requires access authentication; only PPP CHAP (Challenge Handshake Authentication Protocol) authentication is run, and it is mostly run with a common account (CTWAP or CTNET) and password rather than any per-user credential. The user can therefore put the legitimate R-UIM card into a new terminal under another access network (AN) and set up a further HRPD session and PPP connection. Repeating this, one user can hold several HRPD sessions and PPP connections on different access networks. This causes loss to the legitimate user whose card was cloned and also congests the operator's network, seriously affecting its operation.
Two solutions are currently used in the industry for the above problem:
Method 1: after a terminal has accessed the HRPD network, the AN must perform A12-interface access network authentication before every PPP connection is established or activated; only a terminal that passes the A12 access network authentication may set up a PPP connection.
Method 2: if the same NAI/IMSI or R-UIM card is shared by two terminals, the PPP connection of the old terminal is torn down once the new terminal has established its PPP connection, i.e. the old PPP connection is put in the NULL state. If the new and old terminals are on the same Packet Data Serving Node (PDSN), the PDSN tears down the PPP connection; if they belong to different PDSNs, the home authentication, authorization and accounting server (HAAA) on the PDSN side sends a Disconnect-Request message to the old PDSN, which tears down the old PPP connection. IS-835-D already supports this message.
Method 1 performs A12-interface access network authentication for every PPP connection setup and activation of every user, which lengthens the PPP procedure and adds load to the access network, degrading the HRPD service experience of all users.
Method 2 can judge a user's legitimacy only by IMSI. If the cloned IMSI is correct, neither the PDSN nor the HAAA can tell which of the earlier and later users is legitimate, so the legitimate user's connection is easily torn down by mistake, degrading the user's experience.
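As an added illustration of the two gaps just described (this is not code from the patent or from China Telecom), the script below models in Python the three checks the text contrasts: an A12-style challenge/response against the secret key held by the AN-AAA, PPP CHAP with a shared account as specified in RFC 1994, and the IMSI-only disconnect of method 2. The IMSI, keys, account name and password are constructed, and HMAC-SHA256 stands in for whatever the real R-UIM computes; the page only says that the challenge is encrypted with the card's secret key.

```python
import hashlib
import hmac

# Constructed sample data: a legitimate R-UIM and a clone that copied the
# identifiers (IMSI, NAI) but not the secret key held in the card.
LEGIT_RUIM = {"imsi": "460030000000001", "nai": "user@cdma.example", "key": b"\x01" * 16}
CLONE_RUIM = {"imsi": "460030000000001", "nai": "user@cdma.example", "key": b"\xff" * 16}

# Per-IMSI secret keys held by the AN-AAA, and the shared PPP account
# (the page names CTWAP/CTNET; this account name and password are made up).
AN_AAA_KEYS = {"460030000000001": LEGIT_RUIM["key"]}
PPP_ACCOUNTS = {"ctnet@example.cn": b"shared-secret"}


def a12_authenticate(card, challenge, key_db):
    """A12-style access network authentication: the card keys the challenge
    with its secret; the AN-AAA recomputes with the key stored for that IMSI.
    HMAC-SHA256 is a stand-in for the card's real computation."""
    response = hmac.new(card["key"], challenge, hashlib.sha256).digest()
    expected = hmac.new(key_db[card["imsi"]], challenge, hashlib.sha256).digest()
    return hmac.compare_digest(response, expected)


def chap_authenticate(account, password, challenge, account_db, chap_id=1):
    """PPP CHAP (RFC 1994): response = MD5(id || secret || challenge).
    The secret is the shared account password, which every terminal knows,
    so the result carries no information about which card is inserted."""
    response = hashlib.md5(bytes([chap_id]) + password + challenge).digest()
    expected = hashlib.md5(bytes([chap_id]) + account_db[account] + challenge).digest()
    return hmac.compare_digest(response, expected)


def method2_disconnect(sessions, new_session):
    """Prior-art method 2 as seen from the HAAA: a second connection with the
    same IMSI tears down the earlier one, whichever terminal holds the real
    card. Returns the session that was dropped (None if there was none)."""
    old = sessions.get(new_session["imsi"])
    sessions[new_session["imsi"]] = new_session
    return old


def run_prior_art():
    challenge = b"constructed-challenge-0001"  # fixed so the run is reproducible
    legit_a12 = a12_authenticate(LEGIT_RUIM, challenge, AN_AAA_KEYS)
    clone_a12 = a12_authenticate(CLONE_RUIM, challenge, AN_AAA_KEYS)
    # The cloned terminal knows the public account password, so CHAP passes.
    clone_chap = chap_authenticate("ctnet@example.cn", b"shared-secret", challenge, PPP_ACCOUNTS)
    # Method 2: the legitimate user connected first, the clone connects later,
    # and it is the legitimate session that gets dropped.
    sessions = {}
    method2_disconnect(sessions, {"imsi": LEGIT_RUIM["imsi"], "terminal": "legit"})
    dropped = method2_disconnect(sessions, {"imsi": CLONE_RUIM["imsi"], "terminal": "clone"})
    return {
        "a12_legit": legit_a12,
        "a12_clone": clone_a12,
        "chap_clone": clone_chap,
        "method2_dropped": dropped["terminal"],
        "method2_remaining": sessions[LEGIT_RUIM["imsi"]]["terminal"],
    }
```

Calling run_prior_art() shows the point of the background section: the clone fails the key-based A12 check but passes CHAP, because the CHAP secret is the shared account password rather than anything on the card, and method 2, which sees only the IMSI, drops whichever session came first, here the legitimate one.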
Summary of the invention
The technical problem the present invention solves is to provide an access authentication method and system. Because a cloned card cannot copy the secret key in the R-UIM, authenticating the secret key identifies the illegitimate user terminal accurately and allows its connection to the network to be torn down, without adding load to the network and with improved user experience.
According to one aspect of the present invention, an access authentication method is provided, comprising:
after a first access network device receives an access request sent by a first user terminal, it performs a first authentication of the secret key of the R-UIM card in the first user terminal, the access request containing the identifying information of the R-UIM card in the first user terminal;
if the first authentication succeeds, the first access network device sends the access request to a first PDSN device;
the first PDSN device sends the access request to the HAAA server;
after the HAAA server receives the access request, it checks whether a service connection associated with the identifying information exists among the currently established connections;
if the service connection exists, the HAAA server sends a re-authentication request to the second PDSN device that established the service connection, in order to re-authenticate the second user terminal that established the service connection;
the second PDSN device sends the re-authentication request to a second access network device;
after the second access network device receives the re-authentication request, it performs a second authentication of the secret key of the R-UIM card in the second user terminal;
if the second authentication succeeds, the second access network device sends a re-authentication success message to the second PDSN device;
the second PDSN device sends the re-authentication success message to the HAAA server;
after receiving the re-authentication success message, the HAAA server refuses the access request.
According to another aspect of the present invention, an access authentication system is provided, comprising:
a first access network device, configured to perform, after receiving an access request sent by a first user terminal, a first authentication of the secret key of the R-UIM card in the first user terminal, the access request containing the identifying information of the R-UIM card in the first user terminal, and, if the first authentication succeeds, to send the access request to a first PDSN device;
the first PDSN device, configured to send the access request to the HAAA server;
the HAAA server, configured to check, after receiving the access request, whether a service connection associated with the identifying information exists among the currently established connections; if it exists, to send a re-authentication request to the second PDSN device that established the service connection, the re-authentication request serving to re-authenticate the second user terminal that established the service connection; and, after receiving a re-authentication success message from the second PDSN device, to refuse the access request;
the second PDSN device, configured to send the re-authentication request to a second access network device and to forward the re-authentication success message sent by the second access network device to the HAAA server;
the second access network device, configured to perform, after receiving the re-authentication request, a second authentication of the secret key of the R-UIM card in the second user terminal, and, if the second authentication succeeds, to send a re-authentication success message to the second PDSN device.
In the present invention, the first access network device authenticates the secret key of the requesting terminal's R-UIM card before the request reaches the HAAA server, and the HAAA server, on finding an existing service connection for the same identifying information, has the terminal holding that connection re-authenticated before deciding. Because a cloned card cannot copy the secret key in the R-UIM, this authentication of the secret key identifies the illegitimate user terminal accurately, allows its connection to the network to be torn down, adds no load to the network, and improves the user's experience.
Description of drawings
Fig. 1 is the schematic diagram of an embodiment of access authentication method of the present invention.
Fig. 2 is the schematic diagram of another embodiment of access authentication method of the present invention.
Fig. 3 is the schematic diagram of an embodiment of access authentication system of the present invention.
Fig. 4 is a schematic diagram of another embodiment of the access authentication system of the present invention.
Embodiment
The present invention is described more fully below with reference to the accompanying drawings, in which exemplary embodiments of the invention are shown.
Fig. 1 is a schematic diagram of an embodiment of the access authentication method of the present invention. As shown in Fig. 1, the access authentication method of this embodiment is as follows:
Step 101: after the first access network device receives an access request sent by the first user terminal, it performs a first authentication of the secret key of the R-UIM card in the first user terminal; the access request contains the identifying information of the R-UIM card in the first user terminal.
Step 102: if the first authentication succeeds, the first access network device sends the access request to the first PDSN device.
Step 103: the first PDSN device sends the access request to the HAAA server.
Step 104: after the HAAA server receives the access request, it checks whether a service connection associated with the identifying information exists among the currently established connections.
Step 105: if the service connection exists, the HAAA server sends a re-authentication request to the second PDSN device that established the service connection, in order to re-authenticate the second user terminal that established the service connection.
Step 106: the second PDSN device sends the re-authentication request to the second access network device.
Step 107: after the second access network device receives the re-authentication request, it performs a second authentication of the secret key of the R-UIM card in the second user terminal.
Step 108: if the second authentication succeeds, the second access network device sends a re-authentication success message to the second PDSN device.
Step 109: the second PDSN device sends the re-authentication success message to the HAAA server.
Step 110: after receiving the re-authentication success message, the HAAA server refuses the access request.
In the access authentication method of the above embodiment, the access network serving the requesting terminal authenticates the secret key of its R-UIM card first, the HAAA server then checks for an existing service connection with the same identifying information, and the terminal holding that connection is re-authenticated before the HAAA server decides. Because a cloned card cannot copy the secret key in the R-UIM, authenticating the secret key identifies the illegitimate user terminal accurately, allows its connection to the network to be torn down, adds no load to the network, and improves the user's experience.
In another specific embodiment of the present invention, the identifying information is the IMSI.
In another specific embodiment of the present invention, a first Packet Control Function (PCF) device is arranged between the first access network device and the first PDSN device, and the first access network device and the first PDSN device exchange information through the first PCF device. Likewise, a second PCF device is arranged between the second access network device and the second PDSN device, and the second access network device and the second PDSN device exchange information through the second PCF device.
Fig. 2 is a schematic diagram of another embodiment of the access authentication method of the present invention. As shown in Fig. 2, the access authentication method of this embodiment is as follows:
Step 201: the first access network device receives an access request sent by the first user terminal; the access request contains the identifying information of the R-UIM card in the first user terminal.
Step 202: the first access network device sends a first challenge message to the first user terminal.
Step 203: the first user terminal encrypts the first challenge message with the secret key in its R-UIM card, obtaining a first encrypted challenge message.
Step 204: the first user terminal sends the first encrypted challenge message to the first access network device.
Step 205: the first access network device sends the first encrypted challenge message to a first authentication server.
In another specific embodiment of the present invention, the first authentication server is a first access network AAA (authentication, authorization and accounting) server.
Step 206: after the first authentication server receives the first encrypted challenge message, it verifies it using a predetermined key.
Step 207: the first authentication server sends the authentication result to the first access network device: a first authentication success message if the authentication succeeded, a first authentication failure message if it failed.
Step 208: the first access network device determines from the authentication result whether the first authentication succeeded; if it failed, step 209 is executed; if it succeeded, step 210 is executed.
Step 209: the first access network device refuses the access request of the first user terminal. No further steps of the present invention are executed.
The access request is refused because the first user terminal does not hold a legitimate secret key.
Step 210: if the first authentication succeeded, the first access network device sends the access request to the first PDSN device.
Step 211: the first PDSN device sends the access request to the HAAA server.
Step 212: after the HAAA server receives the access request, it checks whether a service connection associated with the identifying information exists among the currently established connections. If no such service connection exists, step 213 is executed; if it exists, step 215 is executed.
Step 213: the HAAA server sends an access-accept message to the first PDSN device.
Step 214: after the first PDSN device receives the access-accept message, it establishes a connection with the first user terminal. No further steps of this embodiment are executed.
Because the identifying information is not involved in any currently established connection, no cloned card is in play, and the access request of the first user terminal can be accepted.
Step 215: the HAAA server sends a re-authentication request to the second PDSN device that established the service connection, in order to re-authenticate the second user terminal that established the service connection.
Step 216: the second PDSN device sends the re-authentication request to the second access network device.
Step 217: after the second access network device receives the re-authentication request, it sends a second challenge message to the second user terminal.
Step 218: the second user terminal encrypts the second challenge message with the secret key in its R-UIM card, obtaining a second encrypted challenge message.
Step 219: the second user terminal sends the second encrypted challenge message to the second access network device.
Step 220: the second access network device sends the second encrypted challenge message to a second authentication server.
In another specific embodiment of the present invention, the second authentication server is a second access network AAA server.
Step 221: after the second authentication server receives the second encrypted challenge message, it verifies it using a predetermined key.
Step 222: the second authentication server sends the authentication result to the second access network device: a second authentication success message if the authentication succeeded, a second authentication failure message if it failed.
Step 223: the second access network device determines from the authentication result whether the second authentication succeeded. If it succeeded, step 224 is executed; if it failed, step 227 is executed.
Step 224: the second access network device sends a re-authentication success message to the second PDSN device.
Step 225: the second PDSN device sends the re-authentication success message to the HAAA server.
Step 226: after receiving the re-authentication success message, the HAAA server refuses the access request. No further steps of this embodiment are executed.
Because the second user terminal passed authentication, the first user terminal can only have used the legitimate card during the first authentication and a cloned card afterwards, so the access request of the first user terminal is refused.
Step 227: the second access network device releases the session in which the second user terminal participates.
Step 228: the second access network device tears down its connection with the second PDSN device.
In another specific embodiment of the present invention, the second access network device sends a first release message to the second PCF device, and the second PCF device sends a second release message to the second PDSN device. The second PDSN device releases the A10 connection and sends a release-complete message to the second PCF device. After the second PCF device receives the release-complete message, it releases the A8 connection and then sends a release-complete message to the second access network device, so that the connection between the second access network device and the second PDSN device is torn down.
Step 229: the second access network device sends a re-authentication failure message to the second PDSN device.
Step 230: the second PDSN device sends the re-authentication failure message to the HAAA server.
Step 231: after the HAAA server receives the re-authentication failure message, it sends an access-accept message to the first PDSN device.
Step 232: after the first PDSN device receives the access-accept message, it establishes a connection with the first user terminal.
Because the second user terminal failed the second authentication, the legitimate card has been passed from the second user terminal to the first user terminal, and the card now in the second user terminal is a clone. The connection between the second user terminal and the second PDSN device is therefore torn down first, and the connection between the first user terminal and the first PDSN device is established afterwards, so the connection of the user holding the legitimate card is never torn down, which improves the user's experience.
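The flow of Fig. 1 (steps 101 to 110) and of Fig. 2 (steps 201 to 232) above, simulated end to end as an added example; this is not code from the patent or from China Telecom. The entity names (Terminal, ANAAA, AccessNetwork, PDSN, HAAA), the IMSI and keys, and the use of HMAC-SHA256 as the card's answer to a challenge are all constructed assumptions; the PCF and the A8/A10 release exchange of step 228 are collapsed into PDSN.release(). The HAAA's decision rule is exactly the one in the text: an existing connection for the same IMSI triggers a re-authentication of the terminal holding it, and the new request is refused if that terminal answers correctly and accepted, after the old connection is torn down, if it does not.

```python
import hashlib
import hmac
import os

# Constructed data: one subscriber, the real R-UIM and a clone that copied
# the IMSI but not the secret key.
IMSI = "460030000000001"
LEGIT_CARD = {"imsi": IMSI, "key": bytes.fromhex("00112233445566778899aabbccddeeff")}
CLONE_CARD = {"imsi": IMSI, "key": bytes.fromhex("ffffffffffffffffffffffffffffffff")}


class Terminal:
    def __init__(self, name, card):
        self.name, self.card = name, card

    def answer(self, challenge):  # steps 203/218: key the challenge with the card's secret
        return hmac.new(self.card["key"], challenge, hashlib.sha256).digest()


class ANAAA:
    """AN-AAA, the 'authentication server' of steps 205-207 and 220-222."""
    def __init__(self, keys):
        self.keys = keys  # imsi -> real secret key

    def verify(self, imsi, challenge, response):
        expected = hmac.new(self.keys[imsi], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class AccessNetwork:
    """AN: runs the challenge/response of steps 202-208 and 217-223."""
    def __init__(self, an_aaa):
        self.an_aaa = an_aaa

    def authenticate(self, terminal):
        challenge = os.urandom(16)  # fresh each time, so a replayed answer fails
        return self.an_aaa.verify(terminal.card["imsi"], challenge, terminal.answer(challenge))


class PDSN:
    def __init__(self):
        self.ppp = {}  # imsi -> name of the terminal holding a PPP connection

    def connect(self, terminal):  # steps 214/232
        self.ppp[terminal.card["imsi"]] = terminal.name

    def release(self, imsi):  # steps 227-228; PCF and the A8/A10 release collapsed here
        self.ppp.pop(imsi, None)


class HAAA:
    """Home AAA: records established service connections per IMSI and arbitrates
    between a new request and the existing connection (steps 212-231)."""
    def __init__(self):
        self.connections = {}  # imsi -> (pdsn, an, terminal)

    def access_request(self, pdsn, an, terminal):
        imsi = terminal.card["imsi"]
        existing = self.connections.get(imsi)
        if existing is None:  # step 213: nothing to arbitrate
            return self._accept(imsi, pdsn, an, terminal)
        old_pdsn, old_an, old_terminal = existing
        if old_an.authenticate(old_terminal):  # steps 215-226: the old card is real
            return "REJECT"
        old_pdsn.release(imsi)  # steps 227-230: the old card failed, drop it
        del self.connections[imsi]
        return self._accept(imsi, pdsn, an, terminal)  # steps 231-232

    def _accept(self, imsi, pdsn, an, terminal):
        pdsn.connect(terminal)
        self.connections[imsi] = (pdsn, an, terminal)
        return "ACCEPT"


def access(an, pdsn, haaa, terminal):
    """Steps 201-211: the AN authenticates first; only a passing request
    travels through the PDSN to the HAAA."""
    if not an.authenticate(terminal):
        return "REJECT-AT-AN"  # step 209
    return haaa.access_request(pdsn, an, terminal)


def run_scenarios():
    """Decision and resulting PPP tables for the three cases the text discusses."""
    results = {}
    for case in ("card-moved", "clone-on-new", "both-answer"):
        an_aaa = ANAAA({IMSI: LEGIT_CARD["key"]})
        an1, an2 = AccessNetwork(an_aaa), AccessNetwork(an_aaa)
        pdsn1, pdsn2, haaa = PDSN(), PDSN(), HAAA()
        old, new = Terminal("old", LEGIT_CARD), Terminal("new", LEGIT_CARD)
        access(an2, pdsn2, haaa, old)  # the old terminal connects with the real card
        if case == "card-moved":  # real card moved to 'new', clone left in 'old'
            old.card = CLONE_CARD
        elif case == "clone-on-new":  # clone tried directly on 'new'
            new.card = CLONE_CARD
        # "both-answer": both terminals answer with the real key when challenged (step 226)
        decision = access(an1, pdsn1, haaa, new)
        results[case] = (decision, dict(pdsn1.ppp), dict(pdsn2.ppp))
    return results
```

run_scenarios() returns "ACCEPT" with the old PPP connection released for the card-moved case (steps 227 to 232), "REJECT-AT-AN" for a clone presented directly (step 209), and "REJECT" with the old connection untouched when the terminal already connected answers correctly (step 226). The scheme's guarantee rests on two assumptions the simulation makes explicit: only one physical card can answer a given challenge with the real key, and each challenge is fresh, so an answer captured from the legitimate card earlier cannot be replayed by the clone.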
Fig. 3 is the schematic diagram of an embodiment of access authentication system of the present invention.As shown in Figure 3, access authentication system comprises:
The first access network equipment 301, be used for after the access request that receives the transmission of first user terminal, safe key to Removable User Identity Module card in the first user terminal carries out the first authentication, and wherein access request comprises the identifying information of Removable User Identity Module card in the first user terminal; If the first authentication success sends to a PDSN equipment 302 with access request;
The one PDSN equipment 302 is used for access request is sent to HAAA server 303;
HAAA server 303 is used for after receiving access request, in the connection of current foundation, detects whether there is the service connection that is associated with described identifying information; If there is described service connection, send authentication request again to the 2nd PDSN equipment 312 of setting up described service connection, wherein authentication request is used for the second user terminal of setting up described service connection is re-started authentication again; After the message of authentication success again that the 2nd PDSN equipment 312 that receives sends, refuse described access request;
The 2nd PDSN equipment 312 is used for again authentication request and sends to the second access network equipment, and the message of authentication success again that the second access network equipment 311 is sent sends to HAAA equipment 303;
The second access network equipment 311 is used for after receiving again authentication request, and the safe key of Removable User Identity Module card in the second user terminal is carried out the second authentication; If the second authentication success sends authentication success message again to the 2nd PDSN equipment 312.
The access authentication system that provides based on the above embodiment of the present invention, receive the access request of first user terminal transmission by the first access network equipment after, safe key to Removable User Identity Module card in the first user terminal carries out the first authentication, and wherein access request comprises the identifying information of Removable User Identity Module card in the first user terminal; If the first authentication success, the first access network equipment sends to a PDSN equipment with access request; The one PDSN equipment sends to the HAAA server with access request; After the HAAA server receives access request, in the connection of current foundation, detect whether there is the service connection that is associated with described identifying information; If there is described service connection, the HAAA server sends authentication request again to the 2nd PDSN equipment of setting up described service connection, is used for the second user terminal of setting up described service connection is re-started authentication; The 2nd PDSN equipment authentication request again sends to the second access network equipment; After the second access network equipment receives again authentication request, the safe key of Removable User Identity Module card in the second user terminal is carried out the second authentication; If the second authentication success, the second access network equipment sends authentication success message again to the 2nd PDSN equipment; The 2nd PDSN equipment authentication success message again sends to HAAA equipment; HAAA equipment is refused described access request after receiving again authentication success message.Block the safe key that can't copy in R-UIM due to the clone, therefore by the authentication to safe key, can accurately identify disabled user's terminal, and successfully remove being connected of this disabled user's terminal and network, 
simultaneously can not increase the burden of network, improve user's experience.
Another specific embodiment according to the present invention, identifying information are IMSI.
Another specific embodiment according to the present invention is provided with a PCF equipment between the first access network device and a PDSN equipment, and first network access device and a PDSN equipment carry out information interaction by a PCF equipment.Simultaneously, be provided with second minute PCF equipment between the second access network device and the 2nd PDSN equipment, second network access device and the 2nd PDSN equipment carry out information interaction by the 2nd PCF equipment.
According to another specific embodiment of the present invention, the second access network device 311 is further configured to, when the second authentication fails, release the session in which the second user terminal participates, tear down its connection with the second PDSN device 312, and send a re-authentication failure message to the second PDSN device 312.
The second PDSN device 312 is further configured to send the re-authentication failure message to the HAAA server 303.
The HAAA server 303 is further configured to send an access-accept message to the first PDSN device 302 after receiving the re-authentication failure message.
The first PDSN device 302 is further configured to establish a connection with the first user terminal after receiving the access-accept message.
According to another specific embodiment of the present invention, the HAAA server 303 is further configured to send an access-accept message to the first PDSN device 302 when said service connection does not exist.
The first PDSN device 302 is further configured to establish a connection with the first user terminal after receiving the access-accept message.
According to another specific embodiment of the present invention, the first access network device 301 is further configured to refuse the access request of the first user terminal when the first authentication fails.
Fig. 4 is a schematic diagram of another embodiment of the access authentication system of the present invention. Compared with Fig. 3, the embodiment shown in Fig. 4 further comprises a first authentication server 401 and a second authentication server 411, wherein:
The first access network device 301 is further configured to send a first challenge message to the first user terminal and to receive the first encrypted challenge message sent by the first user terminal, wherein the first user terminal encrypts the first challenge message with the secure key in the R-UIM card to obtain the first encrypted challenge message; and to send the first encrypted challenge message to the first authentication server 401.
The first authentication server 401 is further configured to authenticate the first encrypted challenge message with a predetermined key after receiving it; if the authentication succeeds, to send a first authentication success message to the first access network device 301; and if the authentication fails, to send a first authentication failure message to the first access network device 301.
According to another specific embodiment of the present invention, the second access network device 311 is further configured to send a second challenge message to the second user terminal and to receive the second encrypted challenge message sent by the second user terminal, wherein the second user terminal encrypts the second challenge message with the secure key in the R-UIM card to obtain the second encrypted challenge message; and to send the second encrypted challenge message to the second authentication server 411.
The second authentication server 411 is further configured to authenticate the second encrypted challenge message with a predetermined key after receiving it; if the authentication succeeds, to send a second authentication success message to the second access network device 311; and if the authentication fails, to send a second authentication failure message to the second access network device 311.
According to another specific embodiment of the present invention, the first authentication server 401 is a first access-network authentication, authorization and accounting (AAA) server, and the second authentication server 411 is a second access-network AAA server.
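The following Python model is added here as a worked example and is not code from the patent. It walks the flow of the description above and of claims 1 to 7: the access network's challenge-response authentication against the R-UIM secure key, the HAAA server's lookup of an existing service connection for the same IMSI, the re-authentication of the terminal that already holds that connection, and the two outcomes (refuse the newcomer when the holder re-authenticates successfully; release the holder's session and accept the newcomer when it does not). Assumptions: the PDSN and PCF hops are collapsed into direct calls, since the page treats them as relays; the card's operation on the challenge, which the page only describes as encryption with the secure key, is modelled with HMAC-SHA256; a clone is modelled as a card carrying the IMSI but no key; the IMSI, key and terminal names are constructed sample data.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


def ruim_response(key: bytes, challenge: bytes) -> bytes:
    """Assumed stand-in for 'encrypt the challenge with the secure key'."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


@dataclass
class RUIM:
    imsi: str
    key: Optional[bytes]  # None models a clone: it copied the IMSI, not the key

    def answer(self, challenge: bytes) -> bytes:
        if self.key is None:
            return os.urandom(32)  # without the key the clone can only guess
        return ruim_response(self.key, challenge)


@dataclass
class Terminal:
    name: str
    card: RUIM


class AuthServer:
    """Access-network AAA server holding the predetermined key per IMSI."""

    def __init__(self, keys: dict):
        self._keys = keys

    def verify(self, imsi: str, challenge: bytes, response: bytes) -> bool:
        key = self._keys.get(imsi)
        if key is None:
            return False
        return hmac.compare_digest(ruim_response(key, challenge), response)


class AccessNetwork:
    """Access network device: runs the challenge-response exchange with a terminal."""

    def __init__(self, name: str, auth: AuthServer):
        self.name = name
        self.auth = auth
        self.released = []  # names of terminals whose sessions were torn down

    def authenticate(self, terminal: Terminal) -> bool:
        challenge = os.urandom(16)  # fresh per attempt, so a recorded answer is useless
        response = terminal.card.answer(challenge)
        return self.auth.verify(terminal.card.imsi, challenge, response)

    def release(self, terminal: Terminal) -> None:
        self.released.append(terminal.name)


class HAAA:
    """Home AAA server: tracks established service connections keyed by IMSI."""

    def __init__(self):
        self.connections = {}  # imsi -> (AccessNetwork, Terminal)

    def access_request(self, an: AccessNetwork, terminal: Terminal) -> str:
        imsi = terminal.card.imsi
        existing = self.connections.get(imsi)
        if existing is None:  # no service connection for this IMSI: accept
            self.connections[imsi] = (an, terminal)
            return "accept"
        old_an, old_terminal = existing
        if old_an.authenticate(old_terminal):  # re-authenticate the current holder
            return "reject"  # holder proved it has the key: refuse the newcomer
        old_an.release(old_terminal)  # holder failed: tear its session down
        self.connections[imsi] = (an, terminal)
        return "accept"


def attach(an: AccessNetwork, terminal: Terminal, haaa: HAAA) -> str:
    """Access request from the first authentication to the HAAA decision."""
    if not an.authenticate(terminal):
        return "reject-first-auth"  # refused locally by the access network
    return haaa.access_request(an, terminal)


def scenario() -> dict:
    """Constructed scenario: one genuine R-UIM and one clone sharing its IMSI."""
    imsi, k = "460030912345678", os.urandom(16)  # sample IMSI and key
    auth = AuthServer({imsi: k})
    an1, an2 = AccessNetwork("AN1", auth), AccessNetwork("AN2", auth)
    haaa = HAAA()
    genuine = Terminal("genuine", RUIM(imsi, k))
    clone = Terminal("clone", RUIM(imsi, None))
    haaa.connections[imsi] = (an2, clone)  # suppose the clone already holds a session
    out = {"clone_direct": attach(an1, clone, haaa)}      # fails first authentication
    out["genuine_vs_clone"] = attach(an1, genuine, haaa)  # clone fails re-authentication
    out["released"] = list(an2.released)
    dup = Terminal("dup", RUIM(imsi, k))  # second terminal with the real key
    out["dup_vs_genuine"] = attach(an2, dup, haaa)  # holder re-authenticates: refused
    out["holder"] = haaa.connections[imsi][1].name
    return out


if __name__ == "__main__":
    print(scenario())
```

Running the module prints the outcome of each attempt in the constructed scenario. Two points worth noticing: a clone that presents itself fresh fails the first authentication at the access network and never reaches the HAAA server, so the re-authentication step only matters when the clone already holds a connection; and the example draws a fresh random challenge for every authentication, which the page does not state explicitly but which is what prevents a recorded response from being replayed.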
The description of the invention is provided for the purposes of example and explanation, and is not exhaustive or intended to limit the invention to the forms disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art. The embodiments were chosen and described in order to best explain the principles of the invention and its practical application, and to enable those of ordinary skill in the art to understand the various embodiments, with various modifications, suited to the particular use contemplated.

Claims (14)

1. An access authentication method, characterized in that it comprises:
after a first access network device receives an access request sent by a first user terminal, performing a first authentication on the secure key of the Removable User Identity Module (R-UIM) card in the first user terminal, wherein the access request comprises identifying information of the R-UIM card in the first user terminal;
if the first authentication succeeds, the first access network device sending the access request to a first packet data serving node (PDSN) device;
the first PDSN device sending the access request to a home authentication, authorization and accounting (HAAA) server;
after the HAAA server receives the access request, detecting, among the currently established connections, whether a service connection associated with said identifying information exists;
if said service connection exists, the HAAA server sending a re-authentication request to the second PDSN device that established said service connection, for re-authenticating the second user terminal that established said service connection;
the second PDSN device sending the re-authentication request to a second access network device;
after the second access network device receives the re-authentication request, performing a second authentication on the secure key of the R-UIM card in the second user terminal;
if the second authentication succeeds, the second access network device sending a re-authentication success message to the second PDSN device;
the second PDSN device sending the re-authentication success message to the HAAA server;
the HAAA server refusing said access request after receiving the re-authentication success message.
2. The method according to claim 1, characterized in that:
if the second authentication fails, the second access network device releases the session in which the second user terminal participates;
the second access network device tears down its connection with the second PDSN device;
the second access network device sends a re-authentication failure message to the second PDSN device;
the second PDSN device sends the re-authentication failure message to the HAAA server;
after the HAAA server receives the re-authentication failure message, it sends an access-accept message to the first PDSN device;
after the first PDSN device receives the access-accept message, it establishes a connection with the first user terminal.
3. The method according to claim 1 or 2, characterized in that
said first access network device performing the first authentication on the secure key of the R-UIM card in the first user terminal comprises:
the first access network device sending a first challenge message to the first user terminal;
the first user terminal encrypting the first challenge message with the secure key in the R-UIM card to obtain a first encrypted challenge message;
the first user terminal sending the first encrypted challenge message to the first access network device;
the first access network device sending the first encrypted challenge message to a first authentication server;
after the first authentication server receives the first encrypted challenge message, authenticating the first encrypted challenge message with a predetermined key;
if the authentication succeeds, the first authentication server sending a first authentication success message to the first access network device;
if the authentication fails, the first authentication server sending a first authentication failure message to the first access network device.
4. The method according to claim 1 or 2, characterized in that
said second access network device performing the second authentication on the secure key of the R-UIM card in the second user terminal comprises:
the second access network device sending a second challenge message to the second user terminal;
the second user terminal encrypting the second challenge message with the secure key in the R-UIM card to obtain a second encrypted challenge message;
the second user terminal sending the second encrypted challenge message to the second access network device;
the second access network device sending the second encrypted challenge message to a second authentication server;
after the second authentication server receives the second encrypted challenge message, authenticating the second encrypted challenge message with a predetermined key;
if the authentication succeeds, the second authentication server sending a second authentication success message to the second access network device;
if the authentication fails, the second authentication server sending a second authentication failure message to the second access network device.
5. The method according to claim 1 or 2, characterized in that:
if said service connection does not exist, the HAAA server sends an access-accept message to the first PDSN device;
after the first PDSN device receives the access-accept message, it establishes a connection with the first user terminal.
6. The method according to claim 1 or 2, characterized in that:
if the first authentication fails, the first access network device refuses the access request of the first user terminal.
7. The method according to claim 1 or 2, characterized in that
said identifying information is an International Mobile Subscriber Identity (IMSI).
8. An access authentication system, characterized in that it comprises:
a first access network device, configured to, after receiving an access request sent by a first user terminal, perform a first authentication on the secure key of the Removable User Identity Module (R-UIM) card in the first user terminal, wherein the access request comprises identifying information of the R-UIM card in the first user terminal; and, if the first authentication succeeds, to send the access request to a first PDSN device;
the first PDSN device, configured to send the access request to an HAAA server;
the HAAA server, configured to, after receiving the access request, detect, among the currently established connections, whether a service connection associated with said identifying information exists; if said service connection exists, to send a re-authentication request to the second PDSN device that established said service connection, wherein the re-authentication request is for re-authenticating the second user terminal that established said service connection; and, after receiving the re-authentication success message sent by the second PDSN device, to refuse said access request;
the second PDSN device, configured to send the re-authentication request to a second access network device, and to send the re-authentication success message sent by the second access network device to the HAAA server;
the second access network device, configured to, after receiving the re-authentication request, perform a second authentication on the secure key of the R-UIM card in the second user terminal; and, if the second authentication succeeds, to send a re-authentication success message to the second PDSN device.
9. The system according to claim 8, characterized in that:
the second access network device is further configured to, when the second authentication fails, release the session in which the second user terminal participates, tear down its connection with the second PDSN device, and send a re-authentication failure message to the second PDSN device;
the second PDSN device is further configured to send the re-authentication failure message to the HAAA server;
the HAAA server is further configured to send an access-accept message to the first PDSN device after receiving the re-authentication failure message;
the first PDSN device is further configured to establish a connection with the first user terminal after receiving the access-accept message.
10. The system according to claim 8 or 9, characterized in that it further comprises:
the first access network device being further configured to send a first challenge message to the first user terminal and to receive the first encrypted challenge message sent by the first user terminal, wherein the first user terminal encrypts the first challenge message with the secure key in the R-UIM card to obtain the first encrypted challenge message; and to send the first encrypted challenge message to a first authentication server;
the first authentication server, configured to authenticate the first encrypted challenge message with a predetermined key after receiving it; if the authentication succeeds, to send a first authentication success message to the first access network device; and if the authentication fails, to send a first authentication failure message to the first access network device.
11. The system according to claim 8 or 9, characterized in that it further comprises:
the second access network device being further configured to send a second challenge message to the second user terminal and to receive the second encrypted challenge message sent by the second user terminal, wherein the second user terminal encrypts the second challenge message with the secure key in the R-UIM card to obtain the second encrypted challenge message; and to send the second encrypted challenge message to a second authentication server;
the second authentication server, configured to authenticate the second encrypted challenge message with a predetermined key after receiving it; if the authentication succeeds, to send a second authentication success message to the second access network device; and if the authentication fails, to send a second authentication failure message to the second access network device.
12. The system according to claim 8 or 9, characterized in that:
the HAAA server is further configured to send an access-accept message to the first PDSN device when said service connection does not exist;
the first PDSN device is further configured to establish a connection with the first user terminal after receiving the access-accept message.
13. The system according to claim 8 or 9, characterized in that:
the first access network device is further configured to refuse the access request of the first user terminal when the first authentication fails.
14. The system according to claim 8 or 9, characterized in that
said identifying information is an International Mobile Subscriber Identity (IMSI).

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110428564.1A CN103179563B (en) 2011-12-20 2011-12-20 Access authentication method and system

Publications (2)

Publication Number Publication Date
CN103179563A true CN103179563A (en) 2013-06-26
CN103179563B CN103179563B (en) 2015-08-05

Family

ID=48639123

Country Status (1)

Country Link
CN (1) CN103179563B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101527909A (en) * 2009-04-08 2009-09-09 中兴通讯股份有限公司 Method for realizing access authentication, device thereof and mobile terminal
CN102098674A (en) * 2010-11-25 2011-06-15 中兴通讯股份有限公司 Detection method and device of cloning equipment
WO2011147258A1 (en) * 2010-05-25 2011-12-01 中兴通讯股份有限公司 Card authenticating method, system and user equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant