CN101674574B - User authentication method and user authentication device - Google Patents
Publication number: CN101674574B (application CN200810212881.8A)
Authority: CN (China)
Legal status: Expired - Fee Related
Classification: Mobile Radio Communication Systems (AREA)
Abstract
The invention discloses a user authentication method and a user authentication device, applied in a network environment comprising a home location register/authentication center (HLR/AUC), a mobile switching center/visitor location register (MSC/VLR), and user equipment acting as the calling subscriber. The method comprises: presetting an update period for the calling subscriber's shared secret data (SSD); after the HLR/AUC has returned the called subscriber's location information to the calling subscriber, if the time since the last update of the calling subscriber's SSD exceeds the update period, and the calling subscriber is preset to cancel SSD sharing once the update period is exceeded, the HLR/AUC receives the authentication request sent by the calling subscriber via the MSC/VLR and authenticates the calling subscriber; and if the calling subscriber fails authentication and is not accessing the network for the first time, the calling subscriber is determined to have been illegally cloned. The user authentication method and device prevent a subscriber from being illegally misappropriated for a long time.
Description
Technical field
The present invention relates to the communications field, and in particular to a user authentication method and device.
Background technology
In a code division multiple access (CDMA) network, the home location register (HLR)/authentication center (AUC) and the terminal device each hold the shared secret data (SSD) of the mobile subscriber whose number is homed at that HLR/AUC. The SSD is used by the network and the terminal device in the authentication procedure (AUTHREQ) to calculate the authentication result (AUTHR), so that the validity of the terminal device can be checked and illegal users denied access to the network.
The SSD can be updated selectively when the terminal device accesses the network for the first time or when authentication fails, and an SSD update can also be triggered actively by the network side. When authentication succeeds, the subscriber's SSD generally remains unchanged. When a terminal is fully cloned, that is, when the subscriber's MIN (Mobile Identification Number), ESN (Electronic Serial Number), A-Key (Authentication Key) and SSD have all been copied, the cloned terminal can access the network successfully.
The procedure in which a mobile subscriber originates a call as the calling party is described in detail below; the originating mobile subscriber may be a legitimate terminal or a cloned terminal. Fig. 1 is a flow chart of a mobile subscriber originating a call as the calling party according to the related art. As shown in Fig. 1, the procedure comprises the following steps:
Step S102: when the mobile subscriber originates a call as the calling party, the calling subscriber sends a connection management service request (CM Service Req), that is, an origination request, to the MSC/VLR through the base station controller (BSC) currently serving it;
Step S104: based on the origination request from the calling subscriber, the MSC/VLR where the calling subscriber is currently registered allocates a land circuit and then requests the BSC currently serving the calling subscriber to assign a radio channel (Assign Req);
Step S106: based on the Assign Req from the MSC/VLR where the calling subscriber is currently registered, the BSC currently serving the calling subscriber returns a radio channel assignment response (Assign Cmpl) to that MSC/VLR;
Step S108: the MSC/VLR where the calling subscriber is currently registered sends a location request message (LOCREQ) to the HLR/AUC to which the called subscriber belongs, to request the called subscriber's location information;
Step S110: the HLR/AUC to which the called subscriber belongs receives the location request message and, by searching its internal database, judges whether the MSC/VLR where the calling subscriber is currently registered is the MSC/VLR where the called subscriber is currently registered, that is, whether the called and calling subscribers are at the same MSC/VLR; if so, the HLR/AUC directly returns the called subscriber's location information (locreq); if not, it sends a routing request message (ROUTREQ) to the MSC/VLR where the called subscriber is currently registered, to request the called subscriber's routing information;
Step S112: the MSC/VLR where the called subscriber is currently registered receives the routing request message (ROUTREQ) and returns a routing response message (routreq), carrying the called subscriber's routing information, to the HLR/AUC to which the called subscriber belongs;
Step S114: the HLR/AUC to which the called subscriber belongs receives the routing response message (routreq) and returns a location response message (locreq), carrying the called subscriber's location information, to the MSC/VLR where the calling subscriber is currently registered;
Step S116: the MSC/VLR where the calling subscriber is currently registered sends an initial address message (IAI) to the MSC/VLR where the called subscriber is currently registered;
Step S118: after the MSC/VLR where the called subscriber is currently registered has requested the BSC currently serving the called subscriber to page the called party and assign a radio channel, it sends an address complete message (ACM) to the MSC/VLR where the calling subscriber is currently registered, and the calling subscriber begins to hear the ring-back tone;
Step S120: the called party goes off-hook, the MSC where the called subscriber is currently registered sends an answer message (ANC) to the MSC/VLR where the calling subscriber is currently registered, and the two parties begin their conversation; the procedure then ends.
As described above, the originating mobile subscriber in this procedure may be a legitimate terminal or a cloned terminal, but the procedure alone clearly cannot detect a cloned terminal that has illegally accessed the network.
Summary of the invention
The present invention is proposed for the problem that the current SSD update process cannot detect whether a cloned terminal has illegally accessed the network; to this end, the present invention aims to provide a user authentication method and device to solve the above problem.
According to one aspect of the present invention, a user authentication method is provided.
The user authentication method according to the present invention is applied in a network environment comprising an HLR/AUC, an MSC/VLR and user equipment acting as the calling subscriber, and comprises: presetting an update period for the calling subscriber's SSD; after the HLR/AUC has returned the called subscriber's location information to the calling subscriber, if the time since the last update of the calling subscriber's SSD exceeds the update period, and the calling subscriber is preset to cancel SSD sharing once the update period is exceeded, the HLR/AUC receives the authentication request sent by the calling subscriber via the MSC/VLR and authenticates the calling subscriber; and if the calling subscriber fails authentication and is not accessing the network for the first time, determining that the calling subscriber has been illegally cloned.
Preferably, after it is determined that the calling subscriber has been illegally cloned, the method further comprises: the HLR/AUC decides, according to system settings, whether to allow the calling subscriber to perform an SSD update.
Preferably, when the system is set to allow the calling subscriber to perform an SSD update, the method further comprises: if the access type of the authentication request is call origination, the HLR/AUC returns to the calling subscriber, via the MSC/VLR, an indication instructing the calling subscriber to perform an SSD update, the indication carrying the random shared secret data parameter and the shared secret data parameter.
Preferably, when the system is set not to allow the calling subscriber to perform an SSD update, the method further comprises: the HLR/AUC returns an authentication failure response to the calling subscriber via the MSC/VLR, carrying a denial reason parameter.
Preferably, the method further comprises: when the calling subscriber fails authentication, the HLR/AUC decides according to system settings whether to raise an authentication failure alarm for the calling subscriber.
Preferably, after the HLR/AUC returns the called subscriber's location information to the calling subscriber, the method further comprises: the HLR/AUC judges whether the time since the last update of the calling subscriber's SSD exceeds the update period; if so, it further judges whether the calling subscriber has been preset to cancel SSD sharing once the time since the last update of the calling subscriber's SSD exceeds the update period; if so, the HLR/AUC sends to the calling subscriber, via the MSC/VLR, an authentication directive message instructing the calling subscriber to cancel SSD sharing, and receives the authentication directive response message returned by the calling subscriber via the MSC/VLR.
Preferably, before the HLR/AUC judges whether the time since the last update of the calling subscriber's SSD exceeds the update period, the method further comprises: the HLR/AUC obtains the calling subscriber's number from the location request message sent by the calling subscriber via the MSC/VLR; the HLR/AUC judges from the calling subscriber's number whether the calling subscriber belongs to this HLR/AUC; and if so, the HLR/AUC performs the operation of judging whether the time since the calling subscriber's last successful SSD update exceeds the automatic SSD update period.
Preferably, when the calling subscriber's authentication succeeds, the method further comprises: the HLR/AUC judges whether the time since the last update of the calling subscriber's SSD exceeds the update period, and if so, the HLR/AUC returns to the calling subscriber, via the MSC/VLR, an indication instructing the calling subscriber to perform an SSD update.
Preferably, after the HLR/AUC returns to the calling subscriber, via the MSC/VLR, the indication instructing the calling subscriber to perform an SSD update, the method further comprises: the calling subscriber performs the SSD update according to the indication.
According to another aspect of the present invention, a subscriber authentication device is provided.
The subscriber authentication device according to the present invention comprises: a first setting module for presetting the automatic update period of the calling subscriber's SSD; a second setting module for setting whether the calling subscriber cancels SSD sharing once the time since the last update of the calling subscriber's SSD exceeds the update period; a first judging module for judging whether the time since the last update of the calling subscriber's SSD exceeds the update period; a second judging module for judging whether the calling subscriber cancels SSD sharing once the time since the last update of the calling subscriber's SSD exceeds the update period; a receiving module for receiving the authentication request sent by the calling subscriber via the MSC/VLR; an authentication module for authenticating the calling subscriber; and a determination module for determining whether the calling subscriber has been illegally cloned.
Preferably, the device further comprises: an update indicating module for returning to the calling subscriber, via the MSC/VLR, an authentication response message instructing the calling subscriber to perform an SSD update.
Preferably, if the judgment result of the first judging module is yes and the judgment result of the second judging module is yes, the receiving module receives the authentication request sent by the calling subscriber via the MSC/VLR and the authentication module authenticates the calling subscriber; if the authentication module authenticates the calling subscriber successfully, the second judging module judges whether the calling subscriber cancels SSD sharing once the time since the last update of the calling subscriber's SSD exceeds the update period, and if its judgment result is yes, the update indicating module returns to the calling subscriber, via the MSC/VLR, an indication instructing the calling subscriber to perform an SSD update; if the authentication module fails to authenticate the calling subscriber and the calling subscriber is not accessing the network for the first time, the determination module determines that the calling subscriber has been illegally cloned.
According to another aspect of the present invention, an HLR/AUC is also provided.
The HLR/AUC according to the present invention comprises the subscriber authentication device described above.
By adopting the method of periodically and automatically updating the calling subscriber's SSD, the present invention overcomes the problem that the current SSD update process cannot detect whether a cloned terminal has illegally accessed the network, and thereby prevents a subscriber from being illegally misappropriated for a long time.
Description of drawings
The accompanying drawings described herein are provided for a further understanding of the present invention and form part of this application; the illustrative embodiments of the present invention and their description serve to explain the present invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a flow chart of the call procedure specified in the ANSI41 protocol when a mobile subscriber originates a call as the calling party according to the related art;
Fig. 2 is a structural block diagram of the subscriber authentication device according to an embodiment of the invention;
Fig. 3 is a block diagram of a preferred structure of the subscriber authentication device according to an embodiment of the invention;
Fig. 4 is a structural block diagram of the HLR/AUC according to an embodiment of the invention;
Fig. 5 is a flow chart of the user authentication method according to an embodiment of the invention;
Fig. 6 is a schematic diagram of the HLR/AUC determining whether the calling subscriber's SSD is set to not be shared when a mobile subscriber originates a call as the calling party, according to an embodiment of the invention;
Fig. 7 is a schematic diagram of the HLR/AUC deciding, according to the time of the calling subscriber's last successful SSD update, whether to perform an SSD update after calling subscriber MS-A's authentication succeeds, according to an embodiment of the invention;
Fig. 8 is a schematic diagram of the HLR/AUC deciding, according to system settings, whether to allow the calling subscriber to perform an SSD update and whether to raise an authentication failure alarm after calling subscriber MS-B's authentication fails, according to an embodiment of the invention.
Embodiment
Functional overview
In order to detect in time a cloned terminal that has illegally accessed the network, the invention provides an automatic update method for the calling subscriber's SSD: when the subscriber originates a call as the calling party, a periodic SSD update is performed automatically for the calling subscriber according to the system settings. Suppose there are two mobile stations (MS), MS-A and MS-B, one of which is a legitimate terminal and the other a cloned terminal. Since only one of MS-A and MS-B can originate a call and perform an SSD update at any given moment, the SSDs of MS-A and MS-B cannot stay consistent for long, so one of the two terminals will soon fail authentication. The system can thereby detect in time that the terminal has been illegally cloned, and can then notify the system maintenance personnel by an alarm (ALM) message, so that the subscriber is not illegally misappropriated for a long time.
The present invention is described in detail below with reference to the drawings and in conjunction with embodiments.
Device embodiment
Embodiment one
According to an embodiment of the invention, a subscriber authentication device is provided. Fig. 2 is a structural block diagram of the subscriber authentication device according to an embodiment of the invention. As shown in Fig. 2, the device comprises a first setting module 202, a second setting module 204, a first judging module 206, a second judging module 208, a receiving module 210, an authentication module 212 and a determination module 214. This structure is described in detail below.
The first setting module 202 is used to preset the automatic SSD update period of the calling subscriber.
The second setting module 204 is used to set whether the calling subscriber cancels SSD sharing once the time since the last update of the calling subscriber's SSD exceeds the update period.
The first judging module 206 is connected to the first setting module 202 and is used to judge whether the time since the last update of the calling subscriber's SSD exceeds the update period.
The second judging module 208 is connected to the second setting module 204 and is used to judge whether the calling subscriber cancels SSD sharing once the time since the last update of the calling subscriber's SSD exceeds the update period.
Fig. 3 is a block diagram of a preferred structure of the subscriber authentication device according to an embodiment of the invention. As shown in Fig. 3, the device further comprises:
an update indicating module 302, connected to the authentication module 212, for returning to the calling subscriber, via the MSC/VLR, an authentication response message instructing the calling subscriber to perform an SSD update.
Specifically, the detailed implementation of this structure is as follows:
(1) If the judgment result of the first judging module 206 is yes and the judgment result of the second judging module 208 is yes, the receiving module 210 receives the authentication request sent by the calling subscriber via the MSC/VLR, and the authentication module 212 authenticates the calling subscriber;
(2) If the authentication module 212 authenticates the calling subscriber successfully, the second judging module 208 judges whether the calling subscriber cancels SSD sharing once the time since the last update of the calling subscriber's SSD exceeds the update period, and if its judgment result is yes, the update indicating module 302 returns to the calling subscriber, via the MSC/VLR, an indication instructing the calling subscriber to perform an SSD update;
(3) If the authentication module 212 fails to authenticate the calling subscriber, and the calling subscriber is not accessing the network for the first time, the determination module 214 determines that the calling subscriber has been illegally cloned.
By this embodiment, the method of periodically and automatically updating the calling subscriber's SSD overcomes the problem that the current SSD update process cannot detect whether a cloned terminal has illegally accessed the network, and thereby prevents the subscriber from being illegally misappropriated for a long time.
Embodiment two
According to an embodiment of the invention, an HLR/AUC is also provided. Fig. 4 is a structural block diagram of the HLR/AUC according to an embodiment of the invention. As shown in Fig. 4, the HLR/AUC comprises a first setting module 402, a second setting module 404, a first judging module 406, a second judging module 408, a receiving module 410, an authentication module 412, an update indicating module 414 and a determination module 416. This structure is described in detail below.
The first setting module 402 is used to preset the automatic SSD update period of the calling subscriber;
The second setting module 404 is used to set whether the calling subscriber cancels SSD sharing once the time since the last update of the calling subscriber's SSD exceeds the update period;
The first judging module 406 is connected to the first setting module 402 and is used to judge whether the time since the last update of the calling subscriber's SSD exceeds the update period;
The second judging module 408 is connected to the second setting module 404 and is used to judge whether the calling subscriber cancels SSD sharing once the time since the last update of the calling subscriber's SSD exceeds the update period;
The update indicating module 414 is connected to the authentication module 412 and is used to return to the calling subscriber, via the MSC/VLR, an authentication response message instructing the calling subscriber to perform an SSD update;
The detailed implementation of this structure is the same as in Embodiment One above and is not repeated here.
By this embodiment, the method of periodically and automatically updating the calling subscriber's SSD overcomes the problem that the current SSD update process cannot detect whether a cloned terminal has illegally accessed the network, and thereby prevents the subscriber from being illegally misappropriated for a long time.
Embodiment of the method
According to an embodiment of the invention, a user authentication method is provided. Fig. 5 is a flow chart of the user authentication method according to an embodiment of the invention. As shown in Fig. 5, the method is applied in a network environment comprising an HLR/AUC, an MSC/VLR and user equipment acting as the calling subscriber, and comprises the following steps:
Step S502: an update period for the calling subscriber's SSD is preset;
Step S504: after the HLR/AUC has returned the called subscriber's location information to the calling subscriber, if the time since the last update of the calling subscriber's SSD exceeds the update period, and the calling subscriber is preset to cancel SSD sharing once the update period is exceeded, the HLR/AUC receives the authentication request sent by the calling subscriber via the MSC/VLR and authenticates the calling subscriber;
Step S506: if the calling subscriber's authentication succeeds, the HLR/AUC judges whether the time since the last update of the calling subscriber's SSD exceeds the update period, and if so, the HLR/AUC returns to the calling subscriber, via the MSC/VLR, an indication instructing the calling subscriber to perform an SSD update;
Step S508: if the calling subscriber fails authentication and is not accessing the network for the first time, it is determined that the calling subscriber has been illegally cloned.
By this embodiment, periodically and automatically updating the calling subscriber's SSD after the HLR/AUC has returned the called subscriber's location information overcomes the problem that the current SSD update process cannot detect whether a cloned terminal has illegally accessed the network, and thereby prevents the subscriber from being illegally misappropriated for a long time.
The present invention is described below with an example. Suppose there are two terminals, MS-A and MS-B, one of which is a legitimate terminal and the other a cloned terminal. During service processing the HLR/AUC cannot distinguish MS-A from MS-B; but as long as the subscriber has been cloned, once the HLR/AUC instructs one of MS-A and MS-B to perform an SSD update, one of them will succeed in authentication and the other will fail, so the HLR/AUC detects from the authentication failure that this subscriber has been illegally misappropriated.
Fig. 6 is a schematic diagram of the HLR/AUC determining whether the calling subscriber's SSD is set to not be shared when a mobile subscriber originates a call as the calling party, according to an embodiment of the invention. As shown in Fig. 6, when a mobile subscriber originates a call as the calling party, the calling subscriber may be MS-A or MS-B. First, the following settings may be made:
(1) The automatic SSD update period of the calling subscriber is preset. This may be a system-level configuration applied identically to all subscribers belonging to the HLR/AUC, or it may be set individually as the mobile subscriber's service information and stored in the HLR/AUC's internal database together with the other subscription information.
(2) Whether the subscriber cancels SSD sharing once the time since the calling subscriber's last successful SSD update exceeds the automatic SSD update period set by the system is preset. This may likewise be a system-level configuration applied identically to all subscribers belonging to the HLR/AUC, or it may be set individually as the mobile subscriber's service information and stored in the HLR/AUC's internal database together with the other subscription information.
Thereafter, the embodiment of the invention comprises the following steps:
Step S602: when the mobile subscriber originates a call as the calling party, the calling subscriber sends a connection management service request (CM Service Req), that is, an origination request, to the MSC/VLR through the BSC currently serving it;
Step S604: based on the origination request from the calling subscriber, the MSC/VLR where the calling subscriber is currently registered allocates a land circuit and then requests the BSC currently serving the calling subscriber to assign a radio channel (Assign Req);
Step S606: based on the Assign Req from the MSC/VLR where the calling subscriber is currently registered, the BSC currently serving the calling subscriber returns a radio channel assignment response (Assign Cmpl) to that MSC/VLR;
Step S608: the MSC/VLR where the calling subscriber is currently registered sends a location request message (LOCREQ) to the HLR/AUC to which the called subscriber belongs, to request the called subscriber's location information;
Step S610: the HLR/AUC receives the location request message and, by searching its internal database, judges whether the MSC/VLR where the calling subscriber is currently registered is the MSC/VLR where the called subscriber is currently registered, that is, whether the called and calling subscribers are at the same MSC/VLR; if so, the HLR/AUC directly returns the called subscriber's location information (locreq); if not, it sends a routing request message (ROUTREQ) to the MSC/VLR where the called subscriber is currently registered, to request the called subscriber's routing information;
Step S612: the MSC/VLR where the called subscriber is currently registered receives the routing request message (ROUTREQ) and returns a routing response message (routreq), carrying the called subscriber's routing information, to the HLR/AUC;
Step S614: the HLR/AUC receives the routing response message (routreq) and returns a location response message (locreq), carrying the called subscriber's location information, to the MSC/VLR where the calling subscriber is currently registered;
Step S616: the MSC/VLR where the calling subscriber is currently registered sends an initial address message (IAI) to the MSC/VLR where the called subscriber is currently registered;
Step S618: after the MSC/VLR where the called subscriber is currently registered has requested the BSC currently serving the called subscriber to page the called party and assign a radio channel, it sends an address complete message (ACM) to the MSC/VLR where the calling subscriber is currently registered, and the calling subscriber begins to hear the ring-back tone;
Step S620: the called party goes off-hook, the MSC where the called subscriber is currently registered sends an answer message (ANC) to the MSC/VLR where the calling subscriber is currently registered, and the two parties begin their conversation;
Step S622: the HLR/AUC judges, from the Calling Party Number Digits1 or Calling Party Number Digits2 parameter carried in the location request message (LOCREQ), whether the LOCREQ carries the calling subscriber's number; if so, it obtains the calling subscriber's number and judges from it whether the calling subscriber belongs to this HLR/AUC; if so, proceed to step S624, otherwise proceed to step S636;
Step S624: the HLR/AUC judges, according to the automatic SSD update period for the calling subscriber set in the system, whether the time since the calling subscriber's last successful SSD update exceeds the automatic SSD update period; if so, proceed to step S626, otherwise proceed to step S636;
Step S626: judge whether the calling subscriber cancels SSD sharing; if so, proceed to step S628, otherwise proceed to step S636;
Step S628: the HLR/AUC sends an authentication directive message (AUTHDIR) to the MSC/VLR where the calling subscriber is registered, to cancel the calling subscriber's SSD sharing (NOSSD=1); that is, the HLR/AUC sends to the calling subscriber, via the MSC/VLR, an authentication directive message instructing the calling subscriber to cancel SSD sharing;
Step S630: the MSC/VLR where the calling subscriber is registered sends the authentication directive message (AUTHDIR) to the calling subscriber;
Step S632: the calling subscriber returns an authentication directive response message (authdir) to the MSC/VLR where the calling subscriber is registered;
Step S634: the MSC/VLR where the calling subscriber is registered returns the authentication directive response message (authdir) to the HLR/AUC; the HLR/AUC thus receives the authentication directive response message returned by the calling subscriber via the MSC/VLR;
Step S636: end.
Fig. 7 is a schematic diagram showing, according to an embodiment of the invention, how after calling subscriber MS-A authenticates successfully the HLR/AUC decides from the time of MS-A's last successful SSD update whether to perform an SSD update. As shown in Fig. 7, after MS-A authenticates successfully, the HLR/AUC decides whether to perform the SSD update based on when MS-A's SSD was last successfully updated. Since at any particular moment only one of MS-A and MS-B can be originating a call, assume the user originating the call is MS-A.
According to the ANSI-41 protocol, during call processing, after the HLR/AUC has cancelled calling subscriber MS-A's SSD sharing by means of the authentication directive message (AUTHDIR), MS-A initiates an authentication request (AUTHREQ) through the MSC/VLR to be authenticated. The configuration of the calling subscriber's automatic SSD update period and of whether the calling subscriber cancels SSD sharing is the same as in Fig. 6.
Step S702, calling subscriber MS-A sends a calling subscriber authentication request message (AUTHREQ) to the MSC/VLR to be authenticated;
Step S704, the MSC/VLR forwards the calling subscriber authentication request message (AUTHREQ) to the HLR/AUC to authenticate calling subscriber MS-A;
Step S706, the HLR/AUC authenticates calling subscriber MS-A and judges whether the authentication succeeded. Successful authentication of MS-A means that the authentication result (AUTHR) computed by the HLR/AUC from the RANDU (unique challenge random number) and the subscriber's MIN carried in the authentication request message (AUTHREQ), together with the SSD currently stored on the network side, is identical to the AUTHR carried in the authentication request message (AUTHREQ). If so, proceed to step S708, otherwise proceed to step S716;
Step S708, the HLR/AUC judges, according to the automatic SSD update period configured in the system, whether the time since the calling subscriber's last successful SSD update exceeds the automatic SSD update period. If so, proceed to step S710, otherwise proceed to step S716;
Step S710, check whether the access type of the calling subscriber's authentication request (AUTHREQ) is call origination, and further judge whether the calling subscriber is configured to cancel SSD sharing. If both judgements are yes, proceed to step S712; if either is no, proceed to step S716;
Step S712, the HLR/AUC returns a calling subscriber authentication response message (authreq) to the MSC/VLR instructing the user to perform an SSD update, carrying RANDSSD (the shared secret data random number) and the SSD in the response; that is, the HLR/AUC returns to the calling subscriber, via the MSC/VLR, an instruction to perform the SSD update;
Step S714, the MSC/VLR returns the authentication response message (authreq) to calling subscriber MS-A, which receives it and performs the SSD update according to the instruction; the detailed SSD update procedure is outside the scope of this description and may be found in the ANSI-41 protocol;
Step S716, end.
Fig. 8 is a schematic diagram showing, according to an embodiment of the invention, how after calling subscriber MS-B fails authentication the HLR/AUC decides from system settings whether to allow the calling subscriber to perform an SSD update and whether to raise an authentication failure alarm. Since the user assumed to originate the call in Fig. 7 is MS-A, the user that fails authentication in Fig. 8 can only be MS-B. Whether an SSD update is allowed after the calling subscriber's authentication fails, and whether an alarm is raised, can both be configured as system-level settings of the HLR/AUC.
As shown in Fig. 8, after calling subscriber MS-B fails authentication, the HLR/AUC decides from system settings whether to allow the calling subscriber to perform an SSD update and whether to raise an authentication failure alarm, comprising the following steps:
Step S802, calling subscriber MS-B sends an authentication request (AUTHREQ) to the MSC/VLR to be authenticated;
Step S804, the MSC/VLR forwards the authentication request message (AUTHREQ) to the HLR/AUC to authenticate calling subscriber MS-B;
Step S806, the HLR/AUC authenticates calling subscriber MS-B and judges whether the authentication failed. Failed authentication of MS-B means that the authentication result (AUTHR) computed by the HLR/AUC from the RANDU and the subscriber's MIN carried in the authentication request message (AUTHREQ), together with the SSD currently stored on the network side, is inconsistent with the AUTHR carried in the authentication request message (AUTHREQ). If so, proceed to step S808, otherwise proceed to step S822;
Step S808, the HLR/AUC checks whether calling subscriber MS-B is an old user, where an old user is a terminal that is not accessing the network for the first time. Because a terminal's authentication on its first network access is bound to fail, the subscriber's home HLR/AUC must distinguish old users from new ones; the information distinguishing them can be stored, as part of the mobile subscriber's service state, in the HLR/AUC internal database together with the other subscription information. The HLR/AUC further judges whether an SSD update is allowed after the calling subscriber's authentication fails. If both judgements are yes, proceed to step S810; if the first is yes and the second is no, proceed to step S816; if both are no, proceed to step S822;
Step S810, if calling subscriber MS-B is an old user and an SSD update is allowed after the calling subscriber's authentication fails, check whether the access type of the authentication request (AUTHREQ) is call origination. If so, proceed to step S812, otherwise proceed to step S816;
Step S812, the HLR/AUC returns an authentication response message (authreq) to the MSC/VLR instructing the user to perform an SSD update, carrying RANDSSD and the SSD; that is, when the system is set to allow the calling subscriber to perform an SSD update, the HLR/AUC returns to the calling subscriber, via the MSC/VLR, an instruction to perform the SSD update, carrying the SSD random number parameter and the SSD parameter. Then proceed to steps S814 and S820;
Step S814, the MSC/VLR returns the authentication response message (authreq) to calling subscriber MS-B, which then performs the SSD update; the detailed SSD update procedure is outside the scope of this description and may be found in the ANSI-41 protocol;
Step S816, if an SSD update is forbidden after calling subscriber MS-B fails authentication, the HLR/AUC returns an authentication failure response message (authreq) to the MSC/VLR carrying the denial reason parameter (DenyAccess); that is, when the system is set not to allow the calling subscriber to perform an SSD update, the HLR/AUC returns an authentication failure response to the calling subscriber via the MSC/VLR;
Step S818, the MSC/VLR returns the authentication failure response message (authreq) to calling subscriber MS-B, which receives it;
Step S820, if the system is set to raise an alarm on authentication failure, the HLR/AUC notifies the maintenance staff of the subscriber's authentication failure by ALM message; that is, the HLR/AUC decides from system settings whether to raise a calling subscriber authentication failure alarm;
Step S822, end.
It can be seen from the above embodiments that, for the HLR/AUC, when a terminal has been cloned MS-A and MS-B are the same subscriber. In Fig. 7, MS-A performed an SSD update after authenticating successfully, so the SSD stored on the network side in step S806 can no longer match the SSD held by MS-B, and MS-B's authentication is bound to fail.
When a terminal has been illegally cloned, the periodic SSD updates by the HLR mean that the SSDs of the legitimate terminal and the cloned terminal (MS-A and MS-B) cannot remain consistent for long; very soon one of the two fails authentication. The cloning is therefore detected in time and the maintenance staff can be notified by ALM message to handle it, so the subscriber cannot be illegally used for a long period.
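The following is an added simulation of the Fig. 6 to Fig. 8 logic; it is example code written for this page, not code from the patent or its assignee. It models the HLR/AUC decisions (SSD update period, cancelling SSD sharing with AUTHDIR NOSSD=1, the unique challenge, the old-user check, the system settings for update-after-failure and alarm) with a legitimate terminal MS-A that holds the A-key and a clone MS-B that copied only the SSD. Assumptions: HMAC-SHA256 stands in for the CAVE computations, which the page does not specify; MIN, ESN, keys and times are constructed; the response carries only RANDSSD (the page also lists an SSD parameter); and the case "not an old user" is recorded as a first access, where the page simply ends the flow.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

def compute_authr(ssd: bytes, randu: bytes, min_number: str) -> bytes:
    # AUTHR over (RANDU, MIN, SSD). Assumption: HMAC-SHA256 stands in for CAVE, which the page does not specify.
    return hmac.new(ssd, randu + min_number.encode(), hashlib.sha256).digest()[:3]

def derive_ssd(a_key: bytes, randssd: bytes, esn: str) -> bytes:
    # New SSD from A-key, RANDSSD and ESN. Assumption: HMAC stands in for the CAVE SSD generation.
    return hmac.new(a_key, randssd + esn.encode(), hashlib.sha256).digest()[:8]

@dataclass
class Terminal:
    min_number: str
    esn: str
    ssd: bytes
    a_key: bytes = b""  # empty for a clone that copied only the SSD

    def answer_challenge(self, randu: bytes) -> bytes:
        return compute_authr(self.ssd, randu, self.min_number)

    def apply_ssd_update(self, randssd: bytes) -> bool:
        if not self.a_key:
            return False  # without the A-key the new SSD cannot be derived
        self.ssd = derive_ssd(self.a_key, randssd, self.esn)
        return True

@dataclass
class SubscriberRecord:
    esn: str
    a_key: bytes
    ssd: bytes
    last_ssd_update: int      # seconds; time of the last successful SSD update
    old_user: bool            # False only until the terminal's first network access
    cancel_ssd_sharing: bool  # per-subscriber setting checked in steps S626 and S710

class HlrAuc:
    def __init__(self, update_period: int, allow_update_after_failure: bool, alarm_on_failure: bool):
        self.update_period = update_period                            # system setting, step S624
        self.allow_update_after_failure = allow_update_after_failure  # system setting, step S808
        self.alarm_on_failure = alarm_on_failure                      # system setting, step S820
        self.db, self.alarms = {}, []

    def provision(self, min_number, esn, a_key, ssd, now, old_user=False, cancel_ssd_sharing=True):
        self.db[min_number] = SubscriberRecord(esn, a_key, ssd, now, old_user, cancel_ssd_sharing)

    def _period_exceeded(self, rec, now):
        return now - rec.last_ssd_update > self.update_period

    def after_locreq(self, calling_number, now):
        # Steps S622-S628: once LOCREQ is answered, cancel SSD sharing (AUTHDIR, NOSSD=1) if the period is exceeded.
        rec = self.db.get(calling_number)  # None when no number was carried or the subscriber is not ours
        if rec is None or not self._period_exceeded(rec, now) or not rec.cancel_ssd_sharing:
            return None
        return {"msg": "AUTHDIR", "NOSSD": 1}

    def _start_ssd_update(self, rec, now):
        randssd = secrets.token_bytes(7)
        rec.ssd, rec.last_ssd_update = derive_ssd(rec.a_key, randssd, rec.esn), now
        return randssd  # the page's response also carries an SSD parameter; left out here (simplification)

    def authreq(self, min_number, randu, authr, access_type, now):
        # Steps S706-S716 on success, S806-S822 on failure.
        rec = self.db[min_number]
        if hmac.compare_digest(compute_authr(rec.ssd, randu, min_number), authr):
            rec.old_user = True
            resp = {"msg": "authreq", "result": "success"}
            if self._period_exceeded(rec, now) and access_type == "Call origination" and rec.cancel_ssd_sharing:
                resp["RANDSSD"] = self._start_ssd_update(rec, now)  # step S712
            return resp
        cloned = rec.old_user  # failure on a non-first access: the terminal is treated as cloned
        if cloned and self.alarm_on_failure:
            self.alarms.append(f"ALM: authentication failure for MIN {min_number}, possible clone")  # S820
        resp = {"msg": "authreq", "result": "failure", "cloned": cloned}
        if cloned and self.allow_update_after_failure and access_type == "Call origination":
            resp["RANDSSD"] = self._start_ssd_update(rec, now)  # step S812
        elif cloned:
            resp["DenyAccess"] = "authentication failure"  # step S816
        else:
            rec.old_user = True  # assumption: first access recorded here; the page just ends the flow (S822)
        return resp

def run_clone_scenario(update_period: int = 3600):
    # Figs. 6-8 end to end: legitimate MS-A and clone MS-B share MIN, ESN and the initial SSD (all constructed).
    hlr = HlrAuc(update_period, allow_update_after_failure=False, alarm_on_failure=True)
    min_number, esn, a_key, ssd0 = "6135550100", "ESN-A", secrets.token_bytes(8), secrets.token_bytes(8)
    hlr.provision(min_number, esn, a_key, ssd0, now=0, old_user=True)
    ms_a, ms_b = Terminal(min_number, esn, ssd0, a_key), Terminal(min_number, esn, ssd0)
    now = update_period + 1
    authdir = hlr.after_locreq(min_number, now)  # Fig. 6: period exceeded, sharing cancelled
    randu = secrets.token_bytes(3)               # unique challenge issued on the MSC/VLR side
    resp_a = hlr.authreq(min_number, randu, ms_a.answer_challenge(randu), "Call origination", now)
    ms_a.apply_ssd_update(resp_a["RANDSSD"])     # Fig. 7: MS-A follows the network to the new SSD
    randu = secrets.token_bytes(3)
    resp_b = hlr.authreq(min_number, randu, ms_b.answer_challenge(randu), "Call origination", now + 60)
    return hlr, ms_a, ms_b, authdir, resp_a, resp_b  # Fig. 8: resp_b fails and is flagged as a clone
```

`run_clone_scenario()` returns the HLR/AUC together with both terminals and the three messages, so the clone's failed response (`cloned` true, `DenyAccess` set, one ALM entry) can be inspected next to MS-A's successful one. The detection depends entirely on the update being driven by something the clone does not hold (the A-key): a clone that had copied the A-key as well would follow the update, which is why the page's remark that the method also covers A-key cloning only holds when the SSD itself was not copied.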
In addition, the scenarios described in the above embodiments all treat the MSC and VLR as one node and the HLR and AUC as one node. In practice the MSC and VLR may be separate or combined, and likewise the HLR and AUC. The periodic automatic SSD update method described in the embodiments applies not only to the scenario where the subscriber's SSD has been illegally cloned, but equally to the scenario where the subscriber's A-Key has been illegally cloned (with the SSD not cloned).
Obviously, those skilled in the art will understand that the modules or steps of the present invention described above may be implemented with general-purpose computing devices; they may be concentrated on a single computing device or distributed over a network formed by a plurality of computing devices; optionally, they may be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device, or each made into a separate integrated circuit module, or several of the modules or steps made into a single integrated circuit module. Thus the present invention is not restricted to any specific combination of hardware and software.
The above are only preferred embodiments of the present invention and do not limit it; for those skilled in the art the present invention may have various modifications and variations. Any modification, equivalent replacement, improvement and so on made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
Claims (13)
1. A user authentication method, applied to a network environment comprising a home location register/authentication center, a mobile switching center/visitor location register and user equipment acting as a calling subscriber, characterized in that the method comprises:
presetting an update period for the calling subscriber's shared secret data;
after the home location register/authentication center has returned the called subscriber's location information to the calling subscriber, if the time elapsed between the current time and the last update time of the calling subscriber's shared secret data exceeds the update period, and the calling subscriber has been preset to cancel sharing of the shared secret data once the update period is exceeded, the home location register/authentication center receiving an authentication request sent by the calling subscriber via the mobile switching center/visitor location register and authenticating the calling subscriber;
if the calling subscriber fails authentication and is not accessing the network for the first time, determining that the calling subscriber has been illegally cloned.
2. The method according to claim 1, characterized in that, after determining that the calling subscriber has been illegally cloned, the method further comprises:
the home location register/authentication center deciding, according to system settings, whether to allow the calling subscriber to perform a shared secret data update.
3. The method according to claim 2, characterized in that, when the system is set to allow the calling subscriber to perform a shared secret data update, the method further comprises:
if the access type of the authentication request is call origination, the home location register/authentication center returning to the calling subscriber, via the mobile switching center/visitor location register, an instruction to perform the shared secret data update, the instruction carrying a shared secret data random number parameter and a shared secret data parameter.
4. The method according to claim 2, characterized in that, when the system is set not to allow the calling subscriber to perform a shared secret data update, the method further comprises:
the home location register/authentication center returning an authentication failure response to the calling subscriber via the mobile switching center/visitor location register, the response carrying a denial reason parameter.
5. The method according to any one of claims 1 to 4, characterized in that it further comprises:
when the calling subscriber fails authentication, the home location register/authentication center deciding, according to system settings, whether to raise a calling subscriber authentication failure alarm.
6. The method according to claim 1, characterized in that, after the home location register/authentication center returns the called subscriber's location information to the calling subscriber, the method further comprises:
the home location register/authentication center judging whether the time elapsed between the current time and the last update time of the calling subscriber's shared secret data exceeds the update period;
if so, further judging whether the calling subscriber has been preset to cancel sharing of the shared secret data once the time elapsed between the current time and the last update time of the calling subscriber's shared secret data exceeds the update period;
if so, the home location register/authentication center sending to the calling subscriber, via the mobile switching center/visitor location register, an authentication directive message instructing the calling subscriber to cancel sharing of the shared secret data, and receiving the authentication directive response message returned by the calling subscriber via the mobile switching center/visitor location register.
7. The method according to claim 6, characterized in that, before the home location register/authentication center judges whether the time elapsed between the current time and the last update time of the calling subscriber's shared secret data exceeds the update period, the method further comprises:
the home location register/authentication center obtaining the calling subscriber's number from the location request message sent by the calling subscriber via the mobile switching center/visitor location register;
the home location register/authentication center judging from the calling subscriber's number whether the calling subscriber belongs to this home location register/authentication center;
if so, the home location register/authentication center performing the judgement of whether the time elapsed between the current time and the last successful update time of the calling subscriber's shared secret data exceeds the update period.
8. The method according to claim 1, characterized in that, when the calling subscriber authenticates successfully, the method further comprises:
the home location register/authentication center judging whether the time elapsed between the current time and the last update time of the calling subscriber's shared secret data exceeds the update period and, if so, returning to the calling subscriber via the mobile switching center/visitor location register an instruction to perform the shared secret data update.
9. The method according to claim 8, characterized in that, after the home location register/authentication center has returned to the calling subscriber via the mobile switching center/visitor location register the instruction to perform the shared secret data update, the method further comprises:
the calling subscriber performing the shared secret data update according to the instruction.
10. A user authentication device, characterized in that it comprises:
a first setting module, for presetting an automatic update period for the calling subscriber's shared secret data;
a second setting module, for setting that the calling subscriber cancels sharing of the shared secret data once the time elapsed between the current time and the last update time of the calling subscriber's shared secret data exceeds the update period;
a first judging module, for judging whether the time elapsed between the current time and the last update time of the calling subscriber's shared secret data exceeds the update period;
a second judging module, for judging whether the calling subscriber cancels sharing of the shared secret data once the time elapsed between the current time and the last update time of the calling subscriber's shared secret data exceeds the update period;
a receiving module, for receiving the authentication request sent by the calling subscriber via the mobile switching center/visitor location register;
an authentication module, for authenticating the calling subscriber;
a determining module, for determining whether the calling subscriber has been illegally cloned.
11. The device according to claim 10, characterized in that it further comprises:
an update instructing module, for returning to the calling subscriber via the mobile switching center/visitor location register an authentication response message instructing the calling subscriber to perform the shared secret data update.
12. The device according to claim 11, characterized in that:
if the judgement result of the first judging module is yes and the judgement result of the second judging module is yes, the receiving module receives the authentication request sent by the calling subscriber via the mobile switching center/visitor location register and the authentication module authenticates the calling subscriber;
if the authentication module authenticates the calling subscriber successfully, the second judging module judges whether the calling subscriber cancels sharing of the shared secret data once the time elapsed between the current time and the last update time of the calling subscriber's shared secret data exceeds the update period, and if the judgement result of the second judging module is yes, the update instructing module returns to the calling subscriber via the mobile switching center/visitor location register an instruction to perform the shared secret data update;
if the authentication module fails to authenticate the calling subscriber and the calling subscriber is not accessing the network for the first time, the determining module determines that the calling subscriber has been illegally cloned.
13. A home location register/authentication center comprising the user authentication device according to claim 10.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200810212881.8A CN101674574B (en) | 2008-09-10 | 2008-09-10 | User authentication method and user authentication device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101674574A CN101674574A (en) | 2010-03-17 |
| CN101674574B true CN101674574B (en) | 2013-03-27 |
Family
ID=42021504
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN200810212881.8A Expired - Fee Related CN101674574B (en) | 2008-09-10 | 2008-09-10 | User authentication method and user authentication device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101674574B (en) |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1312991A (en) * | 1998-08-19 | 2001-09-12 | Qualcomm Incorporated | Secure processing for authentication of wireless communications device |
| CN101188860A (en) * | 2007-12-19 | 2008-05-28 | Huawei Technologies Co., Ltd. | A method and device for identifying abnormal terminals |
| CN101222760A (en) * | 1998-08-28 | 2008-07-16 | Lucent Technologies Inc. | Method for establishing session key agreement |
Events
- 2008-09-10: CN application CN200810212881.8A filed; patent CN101674574B; status not active (Expired - Fee Related)
Also Published As
| Publication number | Publication date |
|---|---|
| CN101674574A (en) | 2010-03-17 |
Similar Documents
| Publication | Title |
|---|---|
| US6081705A (en) | Cellular telephone network support of international mobile station identity (IMSI) |
| JP4030588B2 (en) | Search for copied SIM card |
| US7809372B2 (en) | Method for a secure detach procedure in a radio telecommunication network |
| EP1754390B1 (en) | Method and radio communication network for detecting the presence of fraudulent subscriber identity modules |
| EP0976278A1 (en) | Preventing misuse of a copied subscriber identity in a mobile communication system |
| EP1917822A1 (en) | Method and database for performing a permission status check on a mobile equipment |
| US6173174B1 (en) | Method and apparatus for automated SSD updates on an a-key entry in a mobile telephone system |
| CN101674574B (en) | User authentication method and user authentication device |
| CA2389189C (en) | Detecting a fraudulent mobile station in a mobile communication system using location information of mobile station |
| CN101754197B (en) | Terminal authentication method and home location register/authentication center |
| KR101537738B1 (en) | USIM Card Password-Related Automatic Guidance System and Method and Apparatus Therefor |
| KR100417525B1 (en) | Method for providing user with service which is looking for a lost mobile communication terminal in a mobile switching center |
| EP2938104A1 (en) | Method, terminal, and system for implementing call forwarding |
| KR100732482B1 (en) | Method and System for Managing Mobile Phone Disappearance with Authentication |
| KR100617849B1 (en) | Home-zone service method in mobile communication system |
| KR101286098B1 (en) | Method and apparatus for authentication of subscriber in a mobile communication system |
| KR100827063B1 (en) | Method and apparatus for limited authentication service of mobile switching center when home subscriber location registration database is down in mobile communication network |
| JP2000156892A (en) | Improved security against eavesdropping on mobile phones |
| KR100784301B1 (en) | Mobile communication system and method |
| KR101121534B1 (en) | Call processing method of mobile communication system |
| KR20050095257A (en) | System and method for limitating access of the invalid mobile phone |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | C14 | Grant of patent or utility model | |
| | GR01 | Patent grant | |
| | CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20130327; Termination date: 20170910 |