CN107911814A - User identity information protection method and system based on HSS enhancement - Google Patents
- Publication number: CN107911814A (application CN201711188905.6A)
- Authority: CN (China)
- Prior art keywords: identity information, user, hss, imsin, temporary subscription
- Prior art date: 2017-11-24 (priority date, see the applications table below)
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04W8/08: Mobility data transfer (under H04W8/02, Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; transfer of mobility data, e.g. between HLR, VLR or external networks; H04W8/00, Network data management; H04W, Wireless communication networks; H04, Electric communication technique; H, Electricity)
- H04W12/06: Authentication (under H04W12/00, Security arrangements; Authentication; Protecting privacy or anonymity)
- H04W12/08: Access security (under H04W12/00)
- H04W8/26: Network addressing or numbering for mobility support (under H04W8/00, Network data management)
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Databases & Information Systems (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The invention discloses a user identity information protection method and system based on an enhanced HSS. The function of the HSS in the existing mobile core network is enhanced: after the HSS receives a user identity update notification from the identity location protection server, it binds the user's new temporary subscription identity to the user's long-term subscription identity or to the user's old temporary subscription identity. When a user accesses the HSS with a temporary subscription identity, the HSS starts the user identity authentication procedure only if it holds binding information for that temporary identity; otherwise it refuses the user access to the mobile network. The invention greatly reduces, or entirely avoids, transmission of the user's long-term subscription identity in plaintext over the air interface, so that it cannot be actively or passively intercepted or monitored by a malicious party, and the protection of private information such as the user's identity and location is improved.
Description
Technical field
The invention belongs to the technical field of network communication security and relates to a method and system for protecting user identity information in a mobile communication network.
Background
Because of their mobility and convenience, mobile communication network services are widely used in everyday life. With the large-scale deployment of 4G mobile networks, more and more people use 4G services. Alongside the convenience these networks bring, communication interception and leakage of personal privacy have become increasingly serious problems.
While mobile subscribers use 3G, 4G and similar network services, a malicious party can capture the signalling messages of the access request that are not yet security protected and extract the user's identity from them, or can use malicious software that impersonates the core network and triggers the user identity request mechanism, thereby obtaining the user's real identity, the IMSI. Combined with subscription information obtained through illegal channels, the attacker learns which person the IMSI represents. By then capturing the signalling and traffic associated with that specific IMSI, the attacker can illegally track the user's location, leaking sensitive user information.
To lower the risk of leaking the real IMSI, existing 3G and 4G mobile networks use temporary identities, namely the P-TMSI and the GUTI. After the first successful attach, the user identifies itself in later accesses with the temporary identity allocated by the network side. By dynamically changing the temporary identity, the network side reduces the risk that the user's real identity, the IMSI, is leaked.
The existing mechanism, relying on temporary identities, reduces the risk of leaking the user's real identity to a certain degree, but the current 4G design still has a weakness. During network access, if a core network element cannot recognise the temporary identity it receives, it actively asks the user to report its real identity in plaintext. Malicious software or organisations can impersonate the core network and abuse this mechanism to obtain the user's real identity, and misuse of the real identity can expose the user's location. The current 4G mechanism therefore remains unable to eliminate the threats of real identity leakage and location tracking.
The invention proposes a user identity protection method for mobile communication networks that avoids leaking the user's long-term subscription identity and thereby keeps private information such as the user's identity and location from being discovered.
Summary of the invention
The invention proposes a method and system for protecting the long-term subscription identity of mobile communication network users. The method dynamically allocates temporary subscription identities to the user (a temporary subscription identity still has the form of an IMSI); each time the user accesses the mobile network it uses the temporary subscription identity for access authentication, so that the real identity is never exposed in an untrusted network environment where it could be maliciously intercepted and the user's location tracked.
The technical scheme of the invention is as follows:
A user identity information protection method based on an enhanced HSS, comprising the steps:
1) When the user terminal is powered on or the mobile data connection is enabled, it initiates the mobile network attach procedure with the user's long-term subscription identity or temporary subscription identity and completes the attach;
2) The user terminal sends an identity request message to the identity location protection server; the identity request message contains the user's current temporary subscription identity IMSIn or the long-term subscription identity IMSI0;
3) On receiving the identity request, the identity location protection server allocates a new temporary subscription identity IMSIn+1 to the user from the temporary subscription identity pool and sends a dynamic identity request message instructing the HSS to update the user's identity information; the dynamic identity request message contains the user's current temporary subscription identity IMSIn or long-term subscription identity IMSI0, together with the new temporary subscription identity to be used next;
4) If the dynamic identity request message contains the new temporary identity IMSIn+1 and the current temporary identity IMSIn, the HSS replaces the currently stored temporary identity with IMSIn+1; if it contains a temporary identity IMSIn and the long-term identity IMSI0, the HSS binds IMSIn to IMSI0;
5) The HSS sends an update success message to the identity location protection server;
6) The identity location protection server returns a response message to the user terminal; the response message contains the user's new temporary subscription identity IMSIn+1;
7) On receiving an attach request from the user terminal, the MME sends an authentication data request to the HSS. If the user identity in the authentication data request is a temporary subscription identity and the HSS holds binding information for that temporary identity, the HSS starts the user identity authentication procedure; otherwise it generates no authentication data;
the attach request contains the user's long-term subscription identity IMSI0 or temporary subscription identity IMSIn.
The temporary subscription identity IMSIn, the new temporary subscription identity IMSIn+1 and the long-term subscription identity IMSI share the same data format.
In step 7), if the identity in the authentication data request is the user's long-term subscription identity and no binding exists for it, the HSS proceeds according to the existing 3GPP specifications.
After the HSS sees the user attach with the new temporary subscription identity, it releases the binding between the user's previous temporary subscription identity and the long-term subscription identity.
Alternatively, after the HSS sees the user attach with the new temporary subscription identity, it starts a timer and releases the binding between the previous temporary subscription identity and the long-term subscription identity when the timer expires.
The HSS may bind one or more temporary subscription identities to the long-term subscription identity of the same user.
A user identity information protection system based on an enhanced HSS, characterised in that it comprises an identity location protection server, an HSS and an MME, wherein:
the identity location protection server allocates a new temporary subscription identity IMSIn+1 to the user from the temporary subscription identity pool and sends a dynamic identity request message instructing the HSS to update the user's identity information, the dynamic identity request message containing the user's current temporary subscription identity IMSIn or long-term subscription identity IMSI0 together with the new temporary subscription identity to be used next; and, after receiving the update success message from the HSS, returns a response message to the user terminal containing the user's new temporary subscription identity IMSIn+1;
the HSS updates the user's identity information according to the dynamic identity request message it receives: if the message contains the new temporary identity IMSIn+1 and the current temporary identity IMSIn, the HSS replaces the currently stored temporary identity with IMSIn+1; if the message contains a temporary identity IMSIn and the long-term identity IMSI0, the HSS binds IMSIn to IMSI0; the HSS then sends an update success message to the identity location protection server;
the MME receives the attach request from the user terminal and sends an authentication data request to the HSS; if the user identity in the authentication data request is a temporary subscription identity and the HSS holds binding information for it, the HSS starts the user identity authentication procedure, otherwise it generates no authentication data; the attach request contains the user's long-term subscription identity IMSI0 or temporary subscription identity IMSIn.
The invention enhances the HSS function of the existing mobile core network: after the HSS receives a user identity update notification from the identity location protection server, it binds the user's new temporary subscription identity to the user's long-term subscription identity or to the old temporary subscription identity. When a user accesses the HSS with a temporary subscription identity, the HSS starts the user identity authentication procedure only if it holds binding information for that temporary identity; otherwise it refuses the user access to the mobile network.
The architecture of the invention is shown in Figure 1. The HSS function of the existing mobile core network is enhanced and a new network function, the identity location protection server, is introduced. A new interface between the enhanced HSS and the identity location protection server implements the dynamic user identity update. After the identity location protection server has allocated a temporary subscription identity to a user (the temporary subscription identity and the long-term subscription identity IMSI have the same form), it sends an interface message instructing the HSS to update the user's identity information. On receiving the update notification from the identity location protection server, the HSS either lets the user's temporary subscription identity stand in for the long-term subscription identity or replaces the old dynamic identity with the user's new temporary subscription identity. At the user's next network attach, the HSS decides from the temporary subscription identity in the authentication data request sent by the MME whether to generate authentication data for that user: if the identity in the request is a temporary subscription identity for which binding information exists, the user identity authentication procedure starts; otherwise no authentication data is generated and the user is indirectly refused access to the mobile network.
Specifically, the scheme has the following inventive points:
A new interface is defined between the newly introduced network function and the enhanced HSS, over which the identity location protection server and the enhanced HSS complete the dynamic identity update.
The identity location protection server notifies the relevant HSS to update a user's identity information by sending a dynamic identity request message. The request contains the temporary subscription identity IMSIn or long-term subscription identity IMSI0 currently in use by the user, together with the new temporary subscription identity to be used next.
On receiving the request from the identity location protection server, the HSS performs one of two operations, depending on the message content, to complete the dynamic identity update:
· If the message contains the user's long-term subscription identity IMSI0 and the temporary subscription identity IMSIn about to be used, the HSS binds the temporary identity to the long-term identity, i.e. the temporary identity becomes equivalent to the long-term identity, and writes the binding to its database.
· If the message contains the current temporary identity IMSIn and the temporary identity IMSIn+1 to be used next, the HSS replaces the current temporary identity IMSIn (or the earlier IMSIn-1) with IMSIn+1.
Once the long-term subscription identity IMSI0 is bound to a dynamic identity IMSIn, the HSS may, according to its security policy, decide whether and under what conditions it still accepts network access with the long-term subscription identity.
Once the temporary subscription identity has been updated, the HSS notifies the identity location protection server that the user's identity information has been updated, i.e. the user may now access the network with the new temporary subscription identity.
When the user attaches and an authentication data request arrives from the MME, the HSS looks up its database to determine whether a binding exists for the temporary subscription identity:
· If the identity is a temporary subscription identity that is not bound to any long-term subscription identity, the user is rejected;
· If it is a temporary subscription identity bound to a long-term subscription identity, the authentication request is accepted and the user is authenticated with the credentials belonging to the long-term subscription identity.
In addition, after the HSS sees the user attach with the new temporary subscription identity, it may release the binding between the old temporary subscription identity and the long-term subscription identity immediately, or start a timer and release it when the timer expires. The HSS may bind one or more temporary subscription identities to the long-term subscription identity of a given user.
Compared with the prior art, the invention has the following positive effect:
The invention greatly reduces, or entirely avoids, transmission of the user's long-term subscription identity in plaintext over the air interface (i.e. in the attach request or the identity response message), so that it cannot be actively or passively intercepted or monitored by a malicious party, and the protection of private information such as the user's identity and location is improved.
附图说明Description of drawings
图1为用户身份及位置信息保护方案架构图;Figure 1 is a schematic diagram of the user identity and location information protection scheme;
图2为用户动态身份信息分配流程图;Fig. 2 is a flow chart of assigning user dynamic identity information;
图3为用户动态身份信息启用及绑定关系释放过程图。FIG. 3 is a process diagram of enabling user dynamic identity information and releasing a binding relationship.
具体实施方式Detailed ways
为使本发明的上述特征和优点能更明显易懂,下文特举实施例,并配合所附图作详细说明。In order to make the above-mentioned features and advantages of the present invention more comprehensible, the following specific embodiments are described in detail together with the accompanying drawings.
1)动态身份信息分配过程1) Dynamic identity information allocation process
如图2所示,动态身份信息分配主要步骤如下:As shown in Figure 2, the main steps of dynamic identity information allocation are as follows:
(1)用户设备开机或打开移动网络连接时,用户终端设备上的协议栈功能使用长期签约身份信息或临时签约身份信息发起移动网络附着流程,完成网络附着。(1) When the user equipment is powered on or opens the mobile network connection, the protocol stack function on the user terminal equipment uses the long-term subscription identity information or the temporary subscription identity information to initiate the mobile network attachment process and complete the network attachment.
(2)附着完成后,用户终端发送身份请求消息给身份位置保护服务器,该身份请求消息包含用户当前正在使用的临时签约身份信息(IMSIn)或长期签约身份信息(IMSI0)。(2) After the attachment is completed, the user terminal sends an identity request message to the identity location protection server, and the identity request message includes the temporary subscription identity information (IMSIn) or long-term subscription identity information (IMSI0) currently used by the user.
(3)身份位置保护服务器收到用户身份请求消息后,从临时签约身份信息池中为该用户分配新的临时签约身份信息IMSIn+1。(3) After receiving the user identity request message, the identity location protection server allocates new temporary subscription identity information IMSIn+1 to the user from the temporary subscription identity information pool.
(4)身份位置保护服务器发送身份更新消息给该用户相关的HSS,该消息包含用户当前临时签约身份信息IMSIn(或长期签约身份信息IMSI0),及新的临时签约身份信息IMSIn+1。(4) The identity location protection server sends an identity update message to the HSS related to the user. The message includes the user's current temporary subscription identity information IMSIn (or long-term subscription identity information IMSI0) and new temporary subscription identity information IMSIn+1.
5A.如果该消息包含的是新临时签约身份信息IMSIn+1及当前临时签约身份信息IMSIn,HSS利用用户新的临时签约身份信息IMSIn+1替换当前保存的临时签约身份信息。5A. If the message contains the new temporary subscription identity information IMSIn+1 and the current temporary subscription identity information IMSIn, the HSS uses the user's new temporary subscription identity information IMSIn+1 to replace the currently stored temporary subscription identity information.
5B.如果该消息包含的是临时签约身份信息IMSIn及长期签约身份信息IMSI0,HSS将该临时签约身份信息IMSIn和IMSI0绑定起来,即将IMSIn和IMSI0等价,并将该绑定关系存入数据库。5B. If the message contains the temporary signing identity information IMSIn and the long-term signing identity information IMSI0, the HSS binds the temporary signing identity information IMSIn and IMSI0, that is, IMSIn and IMSI0 are equivalent, and stores the binding relationship in the database .
(6)HSS回复响应消息给身份位置保护服务器表示用户临时签约身份信息更新成功。(6) The HSS replies a response message to the identity location protection server to indicate that the user's temporary subscription identity information is successfully updated.
(7)身份位置保护服务器回复响应消息给用户终端设备,该消息应包含用户新的临时签约身份信息IMSIn+1。(7) The identity location protection server replies a response message to the user terminal device, and the message should include the user's new temporary subscription identity information IMSIn+1.
2)动态身份信启用及绑定关系释放过程2) Dynamic identity information activation and binding relationship release process
如图3所示,临时签约身份信息回收主要步骤如下:As shown in Figure 3, the main steps of recovery of temporary contract identity information are as follows:
(1)用户终端设备(重)新启动。(1) The user terminal equipment is (re)started.
(2)用户终端设备向MME发起附着请求消息,该消息包含用户长期签约身份信息IMSI0或身份位置保护服务器之前分配的临时签约身份信息IMSIn。(2) The user terminal device sends an attach request message to the MME, and the message includes the user's long-term subscription identity information IMSI0 or the temporary subscription identity information IMSIn previously allocated by the identity location protection server.
(3)MME向HSS发送认证数据请求消息,该消息包含用户当前身份信息IMSIn或IMSI0。(3) The MME sends an authentication data request message to the HSS, which contains the current user identity information IMSIn or IMSI0.
4A After receiving the message, the HSS checks the identity information in the message against the relevant database. If it is the user's long-term subscription identity information and no binding relationship exists, the HSS proceeds according to the existing 3GPP specifications. If it is the user's long-term subscription identity information and a temporary subscription identity is bound to it, the HSS determines according to the configured security policy whether to generate subscription data for the user. The security policy may specify the period (several hours, several days, etc.) or the number of times (once, five times) for which a given user may use a particular dynamic identity. If a user uses one dynamic identity for too long, security is reduced; in the extreme case this degenerates to the existing mechanism, where the dynamic subscription identity equals the long-term subscription identity information. The security policy can be configured in the HSS as part of the user's subscription information; since different users may have different privacy protection requirements, user-level customization can thereby be realized.
4B After receiving the message, the HSS checks the identity information in the message against the relevant database. If it is temporary subscription identity information and no binding relationship exists, the HSS does not generate authentication data and denies the user access to the network. If it is temporary subscription identity information and a long-term subscription identity is bound to it, the HSS uses the credentials corresponding to the long-term subscription identity information to generate authentication data for the user.
(4) The HSS replies to the MME with a response message, which may contain the authentication data and result information; the MME completes mutual authentication with the user based on the authentication data.
(5) The MME replies to the user terminal equipment with an attach response message.
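As an added illustration, not part of the patent text, the following Python models the HSS-side decision of steps 4A and 4B: a long-term identity without a binding follows the existing procedure, a temporary identity is answered with the credentials of the long-term identity it is bound to, and an unbound temporary identity gets no authentication data. The policy outcome for a bound long-term identity and the point at which the use limit is enforced are assumptions, since the text leaves them open; all class, field and result names are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed model of the HSS decision in steps 4A/4B; class, field and result
# names are hypothetical and the HMAC stands in for a real authentication vector.
NOW = datetime(2017, 11, 24, 12, 0)   # constructed clock value
DAY = timedelta(days=1)

@dataclass
class Policy:
    max_uses: int          # attaches one temporary identity may serve (e.g. 5)
    lifetime: timedelta    # validity window of one temporary identity (e.g. 1 day)

class Hss:
    def __init__(self):
        self.subs = {}     # long-term identity -> (credential key, Policy)
        self.by_imsi = {}  # long-term identity -> {"temp", "issued", "uses"}
        self.by_temp = {}  # temporary identity -> long-term identity
    def bind(self, imsi, temp_id, now):
        self.by_imsi[imsi] = {"temp": temp_id, "issued": now, "uses": 0}
        self.by_temp[temp_id] = imsi
    def _exhausted(self, b, policy, now):
        return b["uses"] >= policy.max_uses or now - b["issued"] > policy.lifetime
    def auth_info_request(self, ident, nonce, now):
        vector = lambda key: hmac.new(key, nonce, hashlib.sha256).hexdigest()
        if ident in self.subs:                             # 4A: long-term identity presented
            key, policy = self.subs[ident]
            b = self.by_imsi.get(ident)
            if b is None:                                  # no binding: existing 3GPP procedure
                return "legacy", vector(key)
            if self._exhausted(b, policy, now):            # assumed policy outcome: the bound
                return "renew", vector(key)                # temp id is spent, so serve the request
            return "policy_reject", None                   # live temp id exists: do not answer
        imsi = self.by_temp.get(ident)                     # 4B: temporary identity presented
        if imsi is None:
            return "reject", None                          # unbound temp id: no auth data
        key, policy = self.subs[imsi]
        b = self.by_imsi[imsi]
        if self._exhausted(b, policy, now):                # assumed: limit enforced here as well
            return "expired", None
        b["uses"] += 1
        return "ok", vector(key)                           # long-term credentials, temp id on wire

def demo():
    hss = Hss()
    hss.subs["imsi-001"] = (b"constructed-key", Policy(max_uses=2, lifetime=DAY))
    hss.bind("imsi-001", "tmp-7f3a", NOW)
    ids = ["imsi-001", "tmp-7f3a", "tmp-7f3a", "tmp-7f3a", "imsi-001", "tmp-0000"]
    return [hss.auth_info_request(i, b"rand-1", NOW)[0] for i in ids]
```

Setting `max_uses` very high with a long `lifetime` is the degenerate policy the text mentions: the temporary identity is never retired and the scheme behaves like the existing one.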
In summary, the present invention discloses a method for protecting the long-term subscription identity information and the location of mobile network users.
The description of the present invention has been presented for purposes of illustration and description and is not intended to be exhaustive or to limit the invention to the form disclosed. Obviously, those of ordinary skill in the art can make various changes and modifications to the examples of the present invention without departing from its spirit and principles. The embodiments were chosen and described in order to better explain the principles of the invention and its practical application, and to enable others of ordinary skill in the art to understand the invention and to design various embodiments with various modifications suited to a particular use.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201711188905.6A CN107911814B (en) | 2017-11-24 | 2017-11-24 | HSS (home subscriber server)-enhanced user identity information protection method and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN107911814A true CN107911814A (en) | 2018-04-13 |
| CN107911814B CN107911814B (en) | 2020-08-25 |
Family ID: 61847617
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201711188905.6A Expired - Fee Related CN107911814B (en) | 2017-11-24 | 2017-11-24 | HSS (home subscriber server)-enhanced user identity information protection method and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN107911814B (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108901018A (en) * | 2018-07-27 | 2018-11-27 | 中国电子科技集团公司第三十研究所 | A kind of mobile communication system user identity hiding method that terminal is initiated |
| CN116347440A (en) * | 2021-12-23 | 2023-06-27 | 中国科学院信息工程研究所 | Mobile network user dynamic identity information management method and system |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101720086A (en) * | 2009-12-23 | 2010-06-02 | 成都三零瑞通移动通信有限公司 | Identity protection method for mobile communication user |
| CN101771992A (en) * | 2009-01-04 | 2010-07-07 | 中国移动通信集团公司 | Method, equipment and system for protection of confidentiality of international mobile subscriber identifier IMSI |
| CN101959183A (en) * | 2010-09-21 | 2011-01-26 | 中国科学院软件研究所 | A Pseudonym-Based Mobile Subscriber Identifier IMSI Protection Method |
| CN102014114A (en) * | 2010-07-09 | 2011-04-13 | 北京哈工大计算机网络与信息安全技术研究中心 | Method and device for protecting location privacies of objects in Internet of things |
| CN102918878A (en) * | 2011-05-31 | 2013-02-06 | 华为技术有限公司 | Method and apparatus for message transmission |
| US9042902B1 (en) * | 2013-01-11 | 2015-05-26 | Polaris Wireless, Inc. | Third-party control of call-related services for a mobile station and subscriber |
- 2017-11-24 CN CN201711188905.6A patent/CN107911814B/en not_active Expired - Fee Related
Also Published As
| Publication number | Publication date |
|---|---|
| CN107911814B (en) | 2020-08-25 |
Similar Documents
| Publication | Title |
|---|---|
| Hong et al. | GUTI Reallocation Demystified: Cellular Location Tracking with Changing Temporary Identifier |
| US20200213290A1 (en) | Authorization method and network element |
| CN108293223B (en) | Data transmission method, user equipment and network side equipment |
| Kwon et al. | Towards 5G-based IoT security analysis against Vo5G eavesdropping |
| US20200311277A1 (en) | Method, system and device for security configurations |
| CN110476397B (en) | User authentication method and device |
| Bitsikas et al. | You have been warned: Abusing 5G's Warning and Emergency Systems |
| WO2020083288A1 (en) | Safety defense method and apparatus for dns server, and communication device and storage medium |
| CN104125554B (en) | Communication method and communication system |
| US20250063364A1 (en) | Communication method and network element device |
| CN101068143B (en) | A network device authentication method |
| CN110417563A (en) | A kind of methods, devices and systems of network slice access |
| CN115442807B (en) | User security improving method and device for 5G system |
| WO2020224341A1 (en) | Method and apparatus for identifying tls encrypted traffic |
| WO2017167153A1 (en) | Mobile communication system and paging method |
| US10412585B2 (en) | User identity authentication method and device |
| CN108093402B (en) | User privacy information protection method and system based on terminal enhancement |
| CN107911814B (en) | HSS (home subscriber server)-enhanced user identity information protection method and system |
| WO2018137195A1 (en) | Message protection method, user device and core network device |
| CN108200007B (en) | Dynamic identity management method and system for mobile network |
| CN101047506B (en) | Management method for service initiation by terminal equipment in wireless communication network |
| CN107911813B (en) | Transparent mode mobile user identity management method and system |
| CN105392112B (en) | Guard method, equipment and the system of MTC device information |
| CN102124767B (en) | A kind of method and apparatus for providing identity Confidentiality protection for user of communication terminal |
| CN104270737B (en) | The guard method of IMSI and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |
| | CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20200825 |