WO2012055297A1 - Authentication method and device of mobile terminal - Google Patents


Info

Publication number
WO2012055297A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
kdc
authentication request
encryption module
mobile terminal
Application number
PCT/CN2011/079177
Other languages
French (fr)
Chinese (zh)
Inventor
张金雷
曾稹卓
Original Assignee
中兴通讯股份有限公司 (ZTE Corporation)

Classifications

    • H04L 63/0823: Network architectures or network communication protocols for network security; authentication of entities using certificates (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 63/00 > H04L 63/08)
    • H04L 63/0884: Network architectures or network communication protocols for network security; authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity (same hierarchy as above)
    • H04W 12/069: Security arrangements; authentication using certificates or pre-shared keys (H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/06 Authentication)


Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephone Function (AREA)

Abstract

Disclosed are an authentication method and device of a mobile terminal. The device comprises a key distribution center (KDC) (4) and an encryption module (1). A communication protocol between the encryption module (1) and the KDC (4) is pre-stored in the encryption module (1). The method comprises: the encryption module (1) using the communication protocol to send a first authentication request to the KDC (4) (102) and send a second authentication request after determining that the first authentication request is successful (104); and the KDC (4) generating a final bidirectional authentication result after the second authentication is completed, and informing the encryption module (1) of the result. The present invention can effectively improve the security of user identity authentication, greatly reduce the dependence on inherent identity authentication of a mobile terminal, improve the security of mobile terminal use and better meet digital mobile communication security requirements.

Description

Authentication method and device for a mobile terminal

Technical field

The present invention relates to the field of communications technology, and in particular to an authentication method and device for a mobile terminal.

Background

In digital mobile communication systems, how to improve the security of communication and protect the private data of handset users has always been a recurring topic. The mobile terminal itself currently provides an authentication method whose security is adequate for ordinary users, but for certain security departments and other important departments it is far from sufficient.

Authentication is an interaction between the terminal and the base station carried out to confirm the identity of the terminal; it prevents forged MINs (Mobile Identification Numbers) and ESNs (Electronic Serial Numbers) from being used to obtain network service. Given the openness of the wireless network, an illegitimate user can clone a handset's ESN and pair it with the matching MIN, giving the caller unauthorized access to the wireless network; moreover, the authentication procedure between the terminal and the system side can be switched off by the system side. The security of ordinary authentication is therefore far from sufficient.

Summary of the invention

In view of the above analysis, the main object of the present invention is to provide an authentication method and device for a mobile terminal that solve the problem in the prior art of insufficient authentication security for mobile terminals.

The object of the present invention is mainly achieved by the following technical solutions.
An authentication method for a mobile terminal uses a key distribution center (KDC; the original text calls it a key management center) and an encryption module, together with a communication protocol between the encryption module and the KDC, and performs the following steps:

Step A: the encryption module uses the communication protocol to make a first authentication request to the KDC, and makes a second authentication request after determining that the first authentication request succeeded;

Step B: after the second authentication is completed, the KDC generates the final two-way (mutual) authentication result and notifies the encryption module of it.

Step A comprises:

Step A1: the encryption module produces first authentication request data according to the authentication request command sent by the mobile terminal, and forwards it to the KDC;

Step A2: the KDC judges the legitimacy of the encryption module from the first authentication request data and, after confirming that it is legitimate, issues a first response;

Step A3: the encryption module evaluates the first response and, when it determines that the first authentication request succeeded, generates second authentication request data and forwards it to the KDC.

Step A3 comprises: after receiving the KDC's first response, the encryption module decides from that response whether to carry out the second authentication. If it determines that the first authentication failed, it notifies the corresponding mobile terminal to lock itself; if it determines that the first authentication succeeded, it generates second authentication request data and forwards it to the KDC.

Step B comprises: the KDC parses the second authentication request data sent by the encryption module, generates the final mutual authentication result, and sends that result to the encryption module in a second response; the encryption module judges from the mutual authentication result whether this mutual authentication succeeded, and notifies the corresponding mobile terminal.

The communication protocol is a predetermined communication protocol added between the encryption module and the KDC.
An authentication device for a mobile terminal comprises a KDC and an encryption module, with a communication protocol between the encryption module and the KDC, wherein:

the encryption module is configured to use the communication protocol to make a first authentication request to the KDC, and to make a second authentication request after determining that the first authentication request succeeded;

the KDC is configured to carry out the first authentication and the second authentication with the encryption module, to generate the final mutual authentication result after the second authentication is completed, and to notify the encryption module of it.

The encryption module is configured to produce first authentication request data according to the authentication request command sent by the mobile terminal and forward it to the KDC, and to evaluate the first response sent by the KDC and, when it decides to make the second authentication request, generate second authentication request data and forward it to the KDC.

The KDC is configured to judge the legitimacy of the encryption module from the first authentication request data and, after confirming that it is legitimate, issue the first response.

The encryption module is configured, after receiving the KDC's first response, to decide from that response whether to carry out the second authentication: if it determines that the first authentication failed, it notifies the corresponding mobile terminal to lock itself; if it determines that the first authentication succeeded, it generates second authentication request data and forwards it to the KDC.

The KDC is configured to parse the second authentication request data sent by the encryption module, generate the final mutual authentication result, and send that result to the encryption module in a second response.

The encryption module is configured to judge from the mutual authentication result whether this mutual authentication succeeded, and to notify the corresponding mobile terminal.

The communication protocol is a predetermined communication protocol added between the encryption module and the KDC.

The beneficial effects of the present invention are as follows: by adding an encryption module and a KDC, together with a communication protocol between the two, the security of user identification is effectively improved, dependence on the handset's inherent identity authentication is greatly reduced, the security of mobile terminal use is improved, and the security requirements of digital mobile communication are better met.

Brief description of the drawings
Fig. 1 is a schematic diagram of the communication flow of the method according to an embodiment of the present invention.

Fig. 2 is a schematic structural diagram of the device according to an embodiment of the present invention.

Detailed description

Preferred embodiments of the present invention are described below with reference to the drawings.

First, the method according to an embodiment of the present invention is described in detail with reference to Fig. 1.

The embodiment adds an encryption module on the mobile terminal side and a KDC on the short message service center side. The encryption module may be built into the mobile terminal or made as pluggable hardware. A predetermined communication protocol between the encryption module and the KDC is also added. Specifically, the encryption module and the KDC judge each other's legitimacy through a two-way request/response exchange: first the KDC judges the legitimacy of the encryption module, then the encryption module judges the legitimacy of the KDC. When the two-way exchange ends, the encryption module and the KDC have identified each other, which completes the identification of the mobile terminal and further improves its security.

In practice, the encryption module uses the communication protocol to make a first authentication request to the KDC and, after determining that the first authentication request succeeded, makes a second authentication request; the KDC generates the final mutual authentication result after the second authentication is completed and notifies the encryption module, which in turn notifies the corresponding mobile terminal.
As shown in Fig. 1, the communication flow of the method according to the embodiment comprises the following steps:

Step 101: when the mobile terminal powers on, it sends an authentication request command to the encryption module.

Step 102: the encryption module carries out the first authentication request according to the received command: it generates first authentication request data and forwards it to the mobile terminal, which encapsulates the data in a short message and forwards it to the KDC via the short message service center.

Step 103: the KDC parses the short message requiring authentication that the short message service center forwarded, extracts the first authentication request data, judges the legitimacy of the encryption module from that data and, after determining that the module is legitimate, issues a first response. The first response is likewise encapsulated in a short message and forwarded to the encryption module through the short message service center and the mobile terminal.

Step 104: after receiving the KDC's first response, the encryption module decides from it whether to make the second authentication request. If it determines from the first response that the first authentication failed (because the KDC is illegitimate, or for other reasons), the whole mutual authentication fails, the mobile terminal is notified to lock itself, and the procedure ends. If it determines from the first response that the first authentication succeeded, it agrees to start the second authentication and produces the second authentication request data, which it forwards to the mobile terminal; the mobile terminal encapsulates the data in a short message and forwards it to the KDC via the short message service center.

Step 105: the KDC parses the second authentication request data forwarded through the short message service center, generates the final mutual authentication result from the parsed data, and forwards that result to the encryption module in a second response.

Step 106: the encryption module parses the mutual authentication result sent by the KDC, determines whether this mutual authentication succeeded or failed, and notifies the mobile terminal, so that the mobile terminal can act on the result: if mutual authentication succeeded, the mobile terminal enables its normal service functions; otherwise it locks itself.
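The six steps above, carried through as an added worked example that is not part of the patent. The patent specifies neither the contents of the authentication request data nor any cryptographic mechanism, so everything concrete here is an assumption: a key pre-shared between each encryption module and the KDC, HMAC-SHA256 challenge/response messages, the byte layout, the message-type values and all names. The one check the patent's own design forces is size: every message is encapsulated in a short message, so each must fit the 140-octet payload of a single SMS, and the code enforces that. The first request/response (steps 102 to 104) lets the KDC judge the module from its tag and the module judge the KDC from a tag over the module's own nonce; the second request/response (steps 104 to 106) binds the module's proof to the KDC's nonce so that a recorded first request cannot be replayed; every failure on the module side ends in the locked state, as in the text.

```python
import hashlib
import hmac
import os

SMS_MAX_OCTETS = 140                        # payload of a single GSM short message
ID_LEN, NONCE_LEN, TAG_LEN = 8, 16, 32      # layout assumed for this illustration
MSG1, MSG2, MSG3, MSG4 = b"\x01", b"\x02", b"\x03", b"\x04"   # assumed type bytes
RESULT_OK, RESULT_FAIL = b"\x01", b"\x00"


def _tag(key, body):
    return hmac.new(key, body, hashlib.sha256).digest()


def _sms(msg):
    # each protocol message rides in one short message and must fit its payload
    if len(msg) > SMS_MAX_OCTETS:
        raise ValueError(f"{len(msg)} octets do not fit in one SMS")
    return msg


class EncryptionModule:
    """Terminal-side module holding a key pre-shared with the KDC (assumption)."""
    def __init__(self, module_id, key):
        self.module_id, self.key = module_id, key
        self.nonce_m = self.nonce_k = None
        self.state = "idle"                 # ends as "unlocked" or "locked"

    def first_request(self):                                        # step 102
        self.nonce_m = os.urandom(NONCE_LEN)
        body = MSG1 + self.module_id + self.nonce_m
        return _sms(body + _tag(self.key, body))

    def handle_first_response(self, msg):                           # step 104
        """Authenticate the KDC; return the second request, or None after locking."""
        good = (self.nonce_m is not None and msg is not None and msg[:1] == MSG2
                and len(msg) == 1 + ID_LEN + NONCE_LEN + TAG_LEN
                and msg[1:1 + ID_LEN] == self.module_id
                # a valid tag over our own nonce proves the responder holds the key
                and hmac.compare_digest(msg[-TAG_LEN:],
                                        _tag(self.key, msg[:-TAG_LEN] + self.nonce_m)))
        if not good:
            self.state = "locked"           # first authentication failed: terminal locks
            return None
        self.nonce_k = msg[1 + ID_LEN:-TAG_LEN]
        body = MSG3 + self.module_id
        # second request: proof bound to the KDC's nonce, so an old run cannot be replayed
        return _sms(body + _tag(self.key, body + self.nonce_k + self.nonce_m))

    def handle_second_response(self, msg):                          # step 106
        ok = (msg is not None and self.nonce_k is not None and msg[:1] == MSG4
              and len(msg) == 1 + ID_LEN + 1 + TAG_LEN
              and hmac.compare_digest(msg[-TAG_LEN:], _tag(
                  self.key, msg[:-TAG_LEN] + self.nonce_m + self.nonce_k))
              and msg[1 + ID_LEN:-TAG_LEN] == RESULT_OK)
        self.state = "unlocked" if ok else "locked"
        return ok


class KDC:
    """KDC on the short message service center side; knows every module's key."""
    def __init__(self, module_keys):
        self.module_keys = module_keys      # module_id -> key
        self.sessions = {}                  # module_id -> (nonce_m, nonce_k)

    def handle_first_request(self, msg):                            # step 103
        """Judge the module's legitimacy; answer only when its tag verifies."""
        if len(msg) != 1 + ID_LEN + NONCE_LEN + TAG_LEN or msg[:1] != MSG1:
            return None
        module_id, nonce_m = msg[1:1 + ID_LEN], msg[1 + ID_LEN:-TAG_LEN]
        key = self.module_keys.get(module_id)
        if key is None or not hmac.compare_digest(msg[-TAG_LEN:], _tag(key, msg[:-TAG_LEN])):
            return None                     # unknown or forged module: no first response
        nonce_k = os.urandom(NONCE_LEN)
        self.sessions[module_id] = (nonce_m, nonce_k)
        body = MSG2 + module_id + nonce_k
        return _sms(body + _tag(key, body + nonce_m))

    def handle_second_request(self, msg):                           # step 105
        """Verify the fresh proof and issue the final mutual authentication result."""
        if len(msg) != 1 + ID_LEN + TAG_LEN or msg[:1] != MSG3:
            return None
        module_id = msg[1:1 + ID_LEN]
        key, session = self.module_keys.get(module_id), self.sessions.pop(module_id, None)
        if key is None or session is None:
            return None
        nonce_m, nonce_k = session
        ok = hmac.compare_digest(msg[-TAG_LEN:], _tag(key, msg[:-TAG_LEN] + nonce_k + nonce_m))
        body = MSG4 + module_id + (RESULT_OK if ok else RESULT_FAIL)
        return _sms(body + _tag(key, body + nonce_m + nonce_k))


def run_authentication(module, kdc, tamper=None):
    """Drive steps 101-106 over an in-memory stand-in for the SMS channel; `tamper`
    optionally rewrites the KDC's first response in transit. Returns the terminal state."""
    first_response = kdc.handle_first_request(module.first_request())
    if tamper is not None and first_response is not None:
        first_response = tamper(first_response)
    second_request = module.handle_first_response(first_response)
    if second_request is None:
        return module.state                 # first authentication failed: terminal locked
    module.handle_second_response(kdc.handle_second_request(second_request))
    return module.state
```

Two design points in this illustration matter once the in-memory channel is replaced by real SMS delivery: nothing is trusted about the originating address of a short message, so legitimacy rests entirely on the tags, and the KDC issues no first response at all to an unknown or forged module, so the terminal must treat a missing response the same way as a bad one and lock. The KDC also consumes its session state when it processes the second request, so a replayed second request is rejected rather than answered twice.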
Next, the apparatus according to the embodiment of the present invention is described in detail with reference to FIG. 2.

As shown in FIG. 2, which is a schematic structural diagram of the apparatus according to the embodiment of the present invention, the apparatus may specifically comprise a KDC and an encryption module of a mobile terminal; a predetermined communication protocol is stored in both the KDC and the encryption module, where:

the encryption module, located on the mobile terminal side, uses the communication protocol to make a first authentication request to the KDC and, after determining that the first authentication request succeeded, makes a second authentication request;

the KDC is used to perform the first authentication and the second authentication with the encryption module, generates the final bidirectional authentication result after the second authentication is completed, and notifies the encryption module of it.

Specifically, the encryption module produces the first authentication request data according to the authentication application command sent by the mobile terminal and forwards it to the KDC; the KDC judges the legitimacy of the encryption module according to the first authentication request data and makes a first response after confirming legitimacy; the encryption module makes its judgement according to the first response from the KDC and, when it determines that the second authentication request is to proceed, generates the second authentication request data and forwards it to the KDC; the KDC parses the second authentication request data sent by the encryption module, generates the final bidirectional authentication result and sends it to the encryption module; the encryption module judges from the bidirectional authentication result whether this bidirectional authentication succeeded and notifies the mobile terminal.

The specific implementation of the above encryption module and KDC has already been described in detail in the method above and is not repeated here.
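The two-round exchange of Steps 103 to 106 and the device description above, written out as a runnable simulation. This is an added example, not code from the patent or its assignee: the patent does not define what the request and response data contain, so a pre-shared per-module key held by the KDC, HMAC-SHA256 challenge-response over two nonces, and a simple `kind|field=value` text encoding standing in for the short-message encapsulation are all assumptions, as are the class and message names. The SMS center and the mobile terminal are modelled as pure relays, which is all the text asks of them.

```python
"""Simulated two-round mutual authentication between a mobile terminal's
encryption module and a KDC, each message carried as a short-message text.
ASSUMPTION (not in the patent): pre-shared per-module key, HMAC-SHA256
challenge-response over two nonces, '|'-separated text as the SMS body."""
from __future__ import annotations

import hashlib
import hmac
import secrets

SMS_MAX_CHARS = 160  # single-part SMS limit, used as a size check


def _mac(key: bytes, *parts: str) -> str:
    """HMAC-SHA256 over the '|'-joined fields, hex, truncated to 128 bits."""
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()[:32]


def encode_sms(kind: str, fields: dict[str, str]) -> str:
    """Encapsulate one protocol message as a short-message text body."""
    body = "|".join([kind] + [f"{k}={v}" for k, v in fields.items()])
    if len(body) > SMS_MAX_CHARS:
        raise ValueError("message does not fit a single SMS")
    return body


def decode_sms(body: str) -> tuple[str, dict[str, str]]:
    """Parse a short-message text body back into (kind, fields)."""
    kind, *items = body.split("|")
    return kind, dict(item.split("=", 1) for item in items if "=" in item)


class KDC:
    """Key management center holding the registry of legitimate modules."""

    def __init__(self, registry: dict[str, bytes]):
        self.registry = registry                        # module id -> shared key
        self.sessions: dict[str, tuple[str, str]] = {}  # module id -> (nm, nk)

    def handle_first_request(self, sms: str) -> str:
        # Step 103 / A2: judge module legitimacy from the first request data.
        kind, f = decode_sms(sms)
        mod_id, nm = f.get("id", ""), f.get("nm", "")
        key = self.registry.get(mod_id)
        if kind != "REQ1" or key is None or not hmac.compare_digest(
                f.get("mac", ""), _mac(key, "REQ1", mod_id, nm)):
            return encode_sms("RSP1", {"status": "FAIL"})
        nk = secrets.token_hex(8)
        self.sessions[mod_id] = (nm, nk)
        # The first response lets the module verify the KDC in its turn.
        return encode_sms("RSP1", {"status": "OK", "nk": nk,
                                   "mac": _mac(key, "RSP1", nm, nk)})

    def handle_second_request(self, sms: str) -> str:
        # Step 105 / B: parse the second request and issue the final verdict.
        kind, f = decode_sms(sms)
        key = self.registry.get(f.get("id", ""))
        sess = self.sessions.pop(f.get("id", ""), None)
        if kind != "REQ2" or key is None or sess is None:
            return encode_sms("RSP2", {"result": "FAIL"})
        nm, nk = sess
        result = "OK" if hmac.compare_digest(
            f.get("mac", ""), _mac(key, "REQ2", nk, nm)) else "FAIL"
        # The verdict is authenticated so a forged "OK" cannot unlock the phone.
        return encode_sms("RSP2", {"result": result,
                                   "mac": _mac(key, "RSP2", nm, nk, result)})


class EncryptionModule:
    """Encryption module on the terminal side; None from second_request means lock."""

    def __init__(self, module_id: str, key: bytes):
        self.id, self.key = module_id, key
        self.nm = self.nk = ""

    def first_request(self) -> str:
        # Step A1: build the first authentication request data.
        self.nm = secrets.token_hex(8)
        return encode_sms("REQ1", {"id": self.id, "nm": self.nm,
                                   "mac": _mac(self.key, "REQ1", self.id, self.nm)})

    def second_request(self, rsp1: str) -> str | None:
        # Step 104 / A3: proceed only if the KDC proved knowledge of the key.
        kind, f = decode_sms(rsp1)
        if kind != "RSP1" or f.get("status") != "OK":
            return None                      # KDC rejected the module: lock
        nk = f.get("nk", "")
        if not hmac.compare_digest(f.get("mac", ""), _mac(self.key, "RSP1", self.nm, nk)):
            return None                      # KDC could not prove itself: lock
        self.nk = nk
        return encode_sms("REQ2", {"id": self.id,
                                   "mac": _mac(self.key, "REQ2", self.nk, self.nm)})

    def final_result(self, rsp2: str) -> bool:
        # Step 106: True enables normal service, False locks the terminal.
        kind, f = decode_sms(rsp2)
        if kind != "RSP2" or f.get("result") != "OK":
            return False
        return hmac.compare_digest(f.get("mac", ""),
                                   _mac(self.key, "RSP2", self.nm, self.nk, "OK"))


def run_authentication(module: EncryptionModule, kdc: KDC) -> str:
    """Drive the whole exchange; SMS center and terminal act as pure relays."""
    req2 = module.second_request(kdc.handle_first_request(module.first_request()))
    if req2 is None:
        return "LOCKED"
    return "UNLOCKED" if module.final_result(kdc.handle_second_request(req2)) else "LOCKED"
```

The module binds both nonces into every MAC, so an answer recorded from an earlier run does not verify against a fresh session, and the final verdict carries its own MAC so the terminal is unlocked only on a result the genuine KDC produced. Running it with a registered module and matching keys yields `UNLOCKED`; a module with the wrong key, an unregistered module, or a KDC that does not hold the module's key all end in `LOCKED` at the first or second round.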
In summary, the embodiment of the present invention provides an authentication method and apparatus for a mobile terminal. By adding an encryption module and a KDC, together with a communication protocol between the two, the encryption module uses the communication protocol to make a first authentication request to the KDC and, after determining that the first authentication request succeeded, makes a second authentication request; the KDC generates the final bidirectional authentication result after the second authentication is completed and notifies the encryption module of it. The method and apparatus of the present invention can effectively improve the security of user identity identification, thereby greatly reducing reliance on the mobile phone's inherent identity authentication, improving the security of mobile terminal use, and better meeting the security requirements of digital mobile communication.

The above is only a preferred specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto; any changes or substitutions that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be determined by the scope of the claims.

Industrial applicability

The embodiment of the present invention provides an authentication method and apparatus for a mobile terminal. By adding an encryption module and a KDC, together with a communication protocol between the two, the encryption module uses the communication protocol to make a first authentication request to the KDC and, after determining that the first authentication request succeeded, makes a second authentication request; the KDC generates the final bidirectional authentication result after the second authentication is completed and notifies the encryption module of it. The method and apparatus of the present invention can effectively improve the security of user identity identification, thereby greatly reducing reliance on the mobile phone's inherent identity authentication, improving the security of mobile terminal use, and better meeting the security requirements of digital mobile communication.

Claims

1. An authentication method for a mobile terminal, which uses a key management center (KDC) and an encryption module, together with a communication protocol between the encryption module and the KDC, to perform the following steps:

Step A: the encryption module uses the communication protocol to make a first authentication request to the KDC and, after determining that the first authentication request succeeded, makes a second authentication request;

Step B: the KDC generates the final bidirectional authentication result after the second authentication is completed and notifies the encryption module of it.

2. The method according to claim 1, wherein step A comprises:

Step A1: the encryption module produces the first authentication request data according to the authentication application command sent by the mobile terminal and forwards it to the KDC;

Step A2: the KDC judges the legitimacy of the encryption module according to the first authentication request data and makes a first response after confirming legitimacy;

Step A3: the encryption module makes its judgement according to the first response and, when it determines that the first authentication request succeeded, generates the second authentication request data and forwards it to the KDC.

3. The method according to claim 2, wherein step A3 comprises:

after receiving the first response from the KDC, the encryption module judges according to the first response whether to proceed to the second authentication: if it judges that the first authentication failed, it notifies the corresponding mobile terminal to lock; if it judges that the first authentication succeeded, it generates the second authentication request data and forwards it to the KDC.

4. The method according to claim 1, wherein step B comprises:

the KDC parses the second authentication request data sent by the encryption module, generates the final bidirectional authentication result, and sends the bidirectional authentication result to the encryption module through a second response;

the encryption module judges from the bidirectional authentication result whether this bidirectional authentication succeeded and notifies the corresponding mobile terminal.

5. The method according to any one of claims 1 to 4, wherein the communication protocol is a predetermined communication protocol added between the encryption module and the KDC.

6. An authentication apparatus for a mobile terminal, comprising a KDC and an encryption module, with a communication protocol existing between the encryption module and the KDC, wherein:

the encryption module is used to make a first authentication request to the KDC using the communication protocol and, after determining that the first authentication request succeeded, to make a second authentication request;

the KDC is used to perform the first authentication and the second authentication with the encryption module, to generate the final bidirectional authentication result after the second authentication is completed, and to notify the encryption module of it.

7. The apparatus according to claim 6, wherein:

the encryption module is used to produce the first authentication request data according to the authentication application command sent by the mobile terminal and forward it to the KDC, and to make its judgement according to the first response sent by the KDC and, when it determines that the second authentication request is to proceed, generate the second authentication request data and forward it to the KDC;

the KDC is used to judge the legitimacy of the encryption module according to the first authentication request data and to make a first response after confirming legitimacy.

8. The apparatus according to claim 7, wherein:

the encryption module is used, after receiving the first response from the KDC, to judge according to the first response whether to proceed to the second authentication: if it judges that the first authentication failed, it notifies the corresponding mobile terminal to lock; if it judges that the first authentication succeeded, it generates the second authentication request data and forwards it to the KDC.

9. The apparatus according to claim 6, wherein:

the KDC is used to parse the second authentication request data sent by the encryption module, generate the final bidirectional authentication result, and send the bidirectional authentication result to the encryption module through a second response;

the encryption module is used to judge from the bidirectional authentication result whether this bidirectional authentication succeeded and to notify the corresponding mobile terminal.

10. The apparatus according to any one of claims 6 to 9, wherein the communication protocol is a predetermined communication protocol added between the encryption module and the KDC.
PCT/CN2011/079177 2010-10-28 2011-08-31 Authentication method and device of mobile terminal WO2012055297A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2010105228069A CN101977379A (en) 2010-10-28 2010-10-28 Authentication method and device of mobile terminal
CN201010522806.9 2010-10-28

Publications (1)

Publication Number Publication Date
WO2012055297A1 true WO2012055297A1 (en) 2012-05-03

Family

ID=43577219

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2011/079177 WO2012055297A1 (en) 2010-10-28 2011-08-31 Authentication method and device of mobile terminal

Country Status (2)

Country Link
CN (1) CN101977379A (en)
WO (1) WO2012055297A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103079202A (en) * 2013-01-16 2013-05-01 北京祥云天地科技有限公司 Method for realizing digital signing authentication by data interaction of audio-frequency port of mobile terminal
CN103237306A (en) * 2013-04-02 2013-08-07 程雪莲 Usbkey of cellphone identity authentication terminal and application of Usbkey
CN110719265A (en) * 2019-09-23 2020-01-21 腾讯科技(深圳)有限公司 Method, device and equipment for realizing network security communication

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101977379A (en) * 2010-10-28 2011-02-16 中兴通讯股份有限公司 Authentication method and device of mobile terminal
CN102355663B (en) * 2011-06-30 2014-08-20 北京交通大学 Credible inter-domain rapid authentication method on basis of separation mechanism network
CN103327657A (en) * 2013-06-28 2013-09-25 青岛海信电子设备有限公司 Portable mobile terminal based on BeiDou communication and mobile communication
CN115119150B (en) * 2022-07-26 2023-10-03 广东安创信息科技开发有限公司 Short message encryption and decryption method, device, equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101022608A (en) * 2006-02-15 2007-08-22 中兴通讯股份有限公司 CDMA standard group system key distributuion and dynamic updating method
JP2007310619A (en) * 2006-05-18 2007-11-29 Yokogawa Electric Corp Authentication method and authentication system using the same
CN101141710A (en) * 2007-10-15 2008-03-12 中兴通讯股份有限公司 Cluster scheduling system and cipher key remote destroying method
JP2008108137A (en) * 2006-10-26 2008-05-08 Ricoh Co Ltd Spoofing prevention method, image processor, spoofing prevention program and recording medium
CN101977379A (en) * 2010-10-28 2011-02-16 中兴通讯股份有限公司 Authentication method and device of mobile terminal

Also Published As

Publication number Publication date
CN101977379A (en) 2011-02-16

Similar Documents

Publication Publication Date Title
JP4621200B2 (en) Communication apparatus, communication system, and authentication method
EP3008935B1 (en) Mobile device authentication in heterogeneous communication networks scenario
WO2012055297A1 (en) Authentication method and device of mobile terminal
EP3328108A1 (en) Authentication method, re-authentication method and communication apparatus
RU2011140850A (en) METHOD OF AUTHENTICATION OF USER TERMINAL AND SERVER AUTHENTICATION AND USER TERMINAL FOR HIM
CN105828332A (en) Method of improving wireless local area authentication mechanism
CN109714360B (en) Intelligent gateway and gateway communication processing method
WO2010075644A1 (en) Method, system and terminal device for realizing locking network by terminal device
CN107612949B (en) Wireless intelligent terminal access authentication method and system based on radio frequency fingerprint
CN101272616A (en) Safety access method of wireless metropolitan area network
CN103220673B (en) WLAN user authentication method, certificate server and subscriber equipment
WO2012094841A1 (en) Network access method, apparatus and system
WO2012171284A1 (en) Method and device for third-party authentication and smart card supporting bidirectional authentication
WO2012171285A1 (en) Method, protocol, and smart card for bidirectional authentication between terminal and smart card
CN101272301A (en) Safety access method of wireless metropolitan area network
CN104717063A (en) Software security protection method of mobile terminal
WO2013185709A1 (en) Call authentication method, device, and system
WO2011124051A1 (en) Method and system for terminal authentication
CN111669750B (en) PDU session secondary verification method and device
CN101282215A (en) Method and apparatus for distinguishing certificate
WO2003036867B1 (en) System and method for performing mutual authentication between mobile terminal and server
WO2006026925A1 (en) A method for setting the authentication key
KR20150005788A (en) Method for authenticating by using user's key value
WO2011144129A2 (en) Machine-card interlocking method, user identity model card and terminal
CN107864136A (en) A kind of stolen method of anti-locking system short message service

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11835571

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11835571

Country of ref document: EP

Kind code of ref document: A1