CN107911814B - HSS (home subscriber server)-enhanced user identity information protection method and system - Google Patents
- Publication number
- CN107911814B (application CN201711188905.6A)
- Authority
- CN
- China
- Prior art keywords
- identity information
- user
- hss
- temporary subscription
- subscription identity
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Classifications
- H04W 8/08 Mobility data transfer (under H04W 8/02 Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; transfer of mobility data, e.g. between HLR, VLR or external networks; H04W 8/00 Network data management; H04W Wireless communication networks; H04 Electric communication technique; H Electricity)
- H04W 12/06 Authentication (under H04W 12/00 Security arrangements; authentication; protecting privacy or anonymity; H04W Wireless communication networks; H04 Electric communication technique; H Electricity)
- H04W 12/08 Access security (under H04W 12/00 Security arrangements; authentication; protecting privacy or anonymity; H04W Wireless communication networks; H04 Electric communication technique; H Electricity)
- H04W 8/26 Network addressing or numbering for mobility support (under H04W 8/00 Network data management; H04W Wireless communication networks; H04 Electric communication technique; H Electricity)
Abstract
The invention discloses a method and system for protecting user identity information based on an enhanced HSS. The invention enhances the HSS function of the existing mobile core network: after the HSS receives a user identity information update notification from the user identity location protection server, it binds the user's new temporary subscription identity information to the user's long-term subscription identity information or to the old temporary subscription identity information. When a user accesses the HSS with temporary subscription identity information, the HSS starts the user identity authentication process only if binding information for that temporary subscription identity information exists in the HSS; otherwise the user is refused access to the mobile network. The invention can greatly reduce, or completely avoid, transmission of the user's long-term subscription identity information in plaintext over the air interface, so that it cannot be actively or passively intercepted or monitored by malicious parties, and thereby improves the protection of private information such as the user's identity and location.
Description
Technical field
The invention belongs to the technical field of network communication security and relates to a method and system for protecting user identity information in a mobile communication network.
Background technique
Mobile communication network services have become widely used in daily life because of their mobility and convenience. With the large-scale deployment of 4G mobile communication networks, more and more people use 4G network services. Alongside that convenience, communication monitoring and leakage of personal privacy have become increasingly serious problems.
While mobile network users use 3G, 4G and other network services, a malicious user can intercept the not-yet-protected signalling messages exchanged during the user's access request to the wireless network and analyse them to obtain the user's identity information, or can use malicious software that imitates the core network's user identity request mechanism to obtain the user's identity information, that is, the real IMSI. Combining this with subscriber information obtained through illegal channels reveals which user the IMSI represents; by then intercepting signalling and traffic related to that specific IMSI, the user's location can be tracked illegally and sensitive information leaked.
To reduce the risk of leaking the user's real IMSI, the existing 3G and 4G mobile networks use temporary identity information, namely the P-TMSI and the GUTI. After a user first successfully accesses the network, the user identifies itself in later accesses with the temporary identity assigned by the network side. The network side changes the temporary subscription identity information dynamically, reducing the risk that the user's real identity, the IMSI, is leaked.
The existing mechanism can reduce the risk of leaking the user's real identity information to a certain extent by relying on temporary identity information, but the current 4G network design still has loopholes. While a user accesses the mobile network, if a core network element cannot recognise the temporary subscription identity information it receives, it actively asks the user to report its real identity information in plaintext. Malicious software or organisations can currently exploit this mechanism by impersonating the core network to obtain the user's real identity information, and illegal use of that identity can expose the user's location. The current 4G mobile network mechanism therefore still has defects and cannot resolve the security threats of real identity leakage and location tracking.
The present invention proposes a method for protecting the user identity information of a mobile communication network that avoids leaking the user's long-term subscription identity information, thereby protecting private information such as the user's identity and location from disclosure.
SUMMARY OF THE INVENTION
The present invention provides a method and system for protecting the long-term subscription identity information of mobile communication network users. The method dynamically allocates temporary subscription identity information to users (the temporary subscription identity information still takes the form of an IMSI), and each time the user accesses the mobile network it uses the temporary subscription identity information for access authentication. This avoids exposing the user's real identity information in an insecure network environment, where it could be maliciously intercepted and the user's location tracked.
The technical scheme of the present invention is:
A method for protecting user identity information based on an enhanced HSS, comprising the steps of:
1) When the user terminal is powered on or a mobile network connection is opened, the user's long-term subscription identity information or temporary subscription identity information is used to initiate the mobile network attach procedure and complete network attachment;
2) The user terminal sends an identity request message to the identity location protection server; the identity request message contains the user's current temporary subscription identity information IMSIn or long-term subscription identity information IMSI0;
3) After receiving the user's identity request message, the identity location protection server allocates new temporary subscription identity information IMSIn+1 to the user from the temporary subscription identity information pool and sends a dynamic identity request message notifying the HSS to update the user's identity information; the dynamic identity request message contains the user's current temporary subscription identity information IMSIn or long-term subscription identity information IMSI0, together with the new temporary subscription identity information (IMSI) to be used in future;
4) If the dynamic identity request message contains the new temporary subscription identity information IMSIn+1 and the current temporary subscription identity information IMSIn, the HSS replaces the currently stored temporary subscription identity information with the user's new temporary subscription identity information IMSIn+1; if the dynamic identity request message contains temporary subscription identity information IMSIn and long-term subscription identity information IMSI0, the HSS binds the temporary subscription identity information IMSIn to IMSI0;
5) The HSS sends an update success message to the identity location protection server;
6) The identity location protection server replies with a response message to the user terminal; the response message contains the user's new temporary subscription identity information IMSIn+1;
7) After the MME receives an attach request message initiated by the user terminal equipment, the MME sends an authentication data request message to the HSS. If the user identity information in the authentication data request message is temporary subscription identity information and binding information related to that temporary subscription identity information exists, the HSS starts the user identity authentication process; otherwise no authentication data is generated;
The attach request message contains the user's long-term subscription identity information IMSI0 or temporary subscription identity information IMSIn.
The temporary subscription identity information IMSIn and the new temporary subscription identity information IMSIn+1 have the same data format as the long-term subscription identity information IMSI.
In step 7), if the identity information in the authentication data request is the user's long-term subscription identity information and has no binding relationship, the HSS proceeds according to the existing 3GPP specifications.
After the HSS sees that the user has attached to the network with the new temporary subscription identity information, it releases the binding between the user's previous temporary subscription identity information and the user's long-term subscription identity information.
Alternatively, after the HSS sees that the user has attached to the network with the new temporary subscription identity information, it starts a timer and releases the binding between the user's previous temporary subscription identity information and the user's long-term subscription identity information when the timer expires.
The HSS may bind one or more temporary subscription identities to the long-term subscription identity of the same user.
An enhanced user identity information protection system based on an HSS, characterised in that it comprises an identity location protection server, an HSS and an MME, wherein:
The identity location protection server is configured to allocate new temporary subscription identity information IMSIn+1 to a user from the temporary subscription identity information pool and send a dynamic identity request message notifying the HSS to update the user's identity information, the dynamic identity request message containing the user's current temporary subscription identity information IMSIn or long-term subscription identity information IMSI0 together with the new temporary subscription identity information (IMSI) to be used in future; and, after receiving the update success message from the HSS, to reply with a response message to the user terminal containing the user's new temporary subscription identity information IMSIn+1;
The HSS is configured to update the user identity information according to the received dynamic identity request message: if the message contains the new temporary subscription identity information IMSIn+1 and the current temporary subscription identity information IMSIn, the HSS replaces the currently stored temporary subscription identity information with IMSIn+1; if the message contains temporary subscription identity information IMSIn and long-term subscription identity information IMSI0, the HSS binds IMSIn to IMSI0; the HSS then sends an update success message to the identity location protection server;
The MME is configured to receive the attach request message initiated by the user terminal equipment and send an authentication data request message to the HSS; if the user identity information in the authentication data request message is temporary subscription identity information and binding information for that temporary subscription identity information exists, the HSS starts the user identity authentication process, otherwise no authentication data is generated; the attach request message contains the user's long-term subscription identity information IMSI0 or temporary subscription identity information IMSIn.
The invention enhances the HSS function of the existing mobile core network. After the HSS receives a user identity information update notification from the user identity location protection server, it binds the user's new temporary subscription identity information to the user's long-term subscription identity information or to the old temporary subscription identity information. When a user accesses the HSS with temporary subscription identity information, the user identity authentication process is started only if binding information for that temporary subscription identity information exists in the HSS; otherwise the user is refused access to the mobile network.
The architecture of the invention is shown in Figure 1. The invention enhances the HSS function in the existing mobile core network and at the same time introduces a new network function, the identity location protection server. A new interface is defined between the enhanced HSS and the identity location protection server to implement the dynamic user identity update function. After the identity location protection server allocates temporary subscription identity information to a user (the temporary subscription identity information and the long-term subscription identity information IMSI have the same form), it sends an interface message notifying the HSS to update the user's identity information. After receiving the update notification from the user identity location protection server, the HSS replaces the long-term subscription identity information with the user's temporary subscription identity information, or replaces the old dynamic identity information with the user's new temporary subscription identity information. When the user next attaches to the network, the HSS decides whether to generate authentication data for the user based on the temporary subscription identity information in the authentication data request message sent by the MME: if the user identity information in the authentication data request message is temporary subscription identity information and binding information for it exists, the user identity authentication process is started; otherwise no authentication data is generated and the user is indirectly denied access to the mobile network.
Specifically, the scheme has the following main points of invention:
A new interface is defined between the newly defined network function and the enhanced HSS; through this interface the two interact to complete the dynamic identity update function.
The identity location protection server notifies the relevant HSS to update the user's identity information by sending a dynamic identity request message. The request message contains the temporary subscription identity information IMSIn or long-term subscription identity information IMSI0 currently used by the user, together with the new temporary subscription identity information (IMSI) to be used in future.
After receiving the request message from the secure access server (the identity location protection server), the HSS performs different operations according to the message content to complete the dynamic identity information update:
· If the message contains the user's long-term subscription identity information IMSI0 and the temporary subscription identity information IMSIn about to be used, the HSS binds the temporary subscription identity information to the long-term subscription identity information, that is, the temporary subscription identity information becomes equivalent to the long-term subscription identity information, and writes the binding information to the database.
· If the message contains the current temporary subscription identity information IMSIn and the temporary subscription identity information IMSIn+1 to be used next, the HSS replaces the current temporary subscription identity information IMSIn, or the previous IMSIn-1, with IMSIn+1.
Once the user's long-term subscription identity information IMSI0 is bound to dynamic identity information IMSIn, the HSS can decide according to the security policy whether, and under what conditions, to accept the user accessing the network with the long-term subscription identity information.
After the temporary subscription identity information has been updated, the HSS notifies the identity location protection server that the user's identity information has been updated, meaning the user can access the network with the new temporary subscription identity information.
When the user attaches and the HSS receives the authentication data request from the MME, the HSS looks up its database to determine whether a binding exists for the temporary subscription identity information:
· If the identity information is temporary subscription identity information that is not bound to any long-term subscription identity information, the user is rejected;
· If it is temporary subscription identity information that is bound to long-term subscription identity information, the user's authentication request is accepted and the user is authenticated with the credentials corresponding to the long-term subscription identity information.
In addition, after the HSS sees that the user has attached to the network with the new temporary subscription identity information, it can release the binding between the old temporary subscription identity information and the user's long-term subscription identity information immediately, or start a timer and release it when the timer expires. The HSS can bind one or more temporary subscription identities to the long-term subscription identity information of a specific user.
Compared with the prior art, the positive effects of the invention are:
The invention can greatly reduce, or completely avoid, transmission of the user's long-term subscription identity information in plaintext (that is, contained in an attach request or identity response message) over the air interface, prevent active or passive interception or monitoring by malicious parties, and improve the protection of private information such as the user's identity and location.
Description of drawings
Figure 1 is an architecture diagram of the user identity and location information protection scheme;
Figure 2 is a flow chart of dynamic user identity information allocation;
Figure 3 is a process diagram of enabling dynamic user identity information and releasing the binding relationship.
Detailed description
To make the above features and advantages of the invention clearer and easier to understand, embodiments are described in detail below with reference to the accompanying drawings.
1) Dynamic identity information allocation process
As shown in Figure 2, the main steps of dynamic identity information allocation are as follows:
(1) When the user equipment is powered on or a mobile network connection is opened, the protocol stack on the user terminal equipment initiates the mobile network attach procedure with the long-term subscription identity information or temporary subscription identity information and completes network attachment.
(2) After attachment is complete, the user terminal sends an identity request message to the identity location protection server; the identity request message contains the temporary subscription identity information (IMSIn) or long-term subscription identity information (IMSI0) the user is currently using.
(3) After receiving the user's identity request message, the identity location protection server allocates new temporary subscription identity information IMSIn+1 to the user from the temporary subscription identity information pool.
(4) The identity location protection server sends an identity update message to the HSS associated with the user; the message contains the user's current temporary subscription identity information IMSIn (or long-term subscription identity information IMSI0) and the new temporary subscription identity information IMSIn+1.
5A. If the message contains the new temporary subscription identity information IMSIn+1 and the current temporary subscription identity information IMSIn, the HSS replaces the currently stored temporary subscription identity information with the user's new temporary subscription identity information IMSIn+1.
5B. If the message contains temporary subscription identity information IMSIn and long-term subscription identity information IMSI0, the HSS binds IMSIn to IMSI0, that is, makes IMSIn equivalent to IMSI0, and stores the binding relationship in the database.
(6) The HSS replies with a response message to the identity location protection server indicating that the user's temporary subscription identity information was updated successfully.
(7) The identity location protection server replies with a response message to the user terminal equipment; the message contains the user's new temporary subscription identity information IMSIn+1.
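The allocation flow of Figure 2 (steps (1) to (7) above, and steps 1) to 6) of the summary), simulated with three in-process parties: the user terminal, the identity location protection server with its identity pool, and the enhanced HSS that either binds (5B) or replaces (5A). This is an added example, not the patent's own code; the class and message names, the "success"/"failure" results and the sample IMSI values are constructed for illustration. The HSS keeps the previous temporary identity bound after a replacement, because the patent releases that binding only after the next attach (Figure 3).

```python
"""Added example: dynamic identity allocation flow of Figure 2, simulated in-process.
Class names, message names and the sample IMSI values are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


def is_imsi_format(value: str) -> bool:
    """Temporary identities share the IMSI format: decimal digits, at most 15 of them."""
    return value.isdigit() and 0 < len(value) <= 15


@dataclass
class Subscriber:
    imsi0: str                            # long-term subscription identity
    current_temp: Optional[str] = None    # temporary identity the user will attach with next
    previous_temp: Optional[str] = None   # stays bound until released after the next attach (Figure 3)


class EnhancedHss:
    def __init__(self, imsi0s: List[str]):
        self.subscribers: Dict[str, Subscriber] = {i: Subscriber(i) for i in imsi0s}
        self.bindings: Dict[str, str] = {}    # temporary IMSI -> IMSI0 it is equivalent to

    def dynamic_identity_request(self, current: str, new: str) -> str:
        """Steps (4)-(6): bind (5B) when `current` is IMSI0, replace (5A) when it is IMSIn."""
        if not is_imsi_format(new) or new in self.bindings or new in self.subscribers:
            return "failure"                  # malformed or already-used identity
        if current in self.subscribers:       # 5B: IMSI0 + IMSIn -> bind
            self.subscribers[current].current_temp = new
            self.bindings[new] = current
            return "success"
        imsi0 = self.bindings.get(current)
        if imsi0 is None:
            return "failure"                  # unknown identity: nothing to update
        sub = self.subscribers[imsi0]         # 5A: IMSIn + IMSIn+1 -> replace
        sub.previous_temp, sub.current_temp = current, new
        self.bindings[new] = imsi0            # old binding is released later (Figure 3)
        return "success"


class IdentityLocationProtectionServer:
    def __init__(self, hss: EnhancedHss, pool: List[str]):
        self.hss = hss
        self.pool = list(pool)                # temporary subscription identity pool (constructed)

    def identity_request(self, current_identity: str) -> Optional[str]:
        """Steps (3)-(7): allocate IMSIn+1, have the HSS update, return IMSIn+1 (None on failure)."""
        if not self.pool:
            return None
        new = self.pool.pop(0)
        if self.hss.dynamic_identity_request(current_identity, new) != "success":
            self.pool.insert(0, new)          # HSS did not accept it: keep it in the pool
            return None
        return new


class UserTerminal:
    def __init__(self, imsi0: str):
        self.identity = imsi0                 # identity used in the next attach request

    def refresh_identity(self, server: IdentityLocationProtectionServer) -> bool:
        """Steps (2) and (7): after attaching, ask for a new temporary identity and adopt it."""
        new = server.identity_request(self.identity)
        if new is None:
            return False
        self.identity = new
        return True


def run_two_cycles(imsi0: str = "460001234567890"):
    """First cycle binds IMSI1 to IMSI0 (5B); the second replaces IMSI1 with IMSI2 (5A)."""
    hss = EnhancedHss([imsi0])
    server = IdentityLocationProtectionServer(hss, ["460009000000001", "460009000000002"])
    ue = UserTerminal(imsi0)
    history = [ue.identity]
    for _ in range(2):                        # each cycle follows a completed attach
        ue.refresh_identity(server)
        history.append(ue.identity)
    return history, hss


if __name__ == "__main__":
    identities, hss = run_two_cycles()
    print("identities used over time:", identities)
    print("HSS bindings:", hss.bindings)
```

After two cycles the terminal has used IMSI0 once and never needs to send it again: both temporary identities resolve to IMSI0 in the HSS binding table, and the earlier one is only cleared once the attach procedure of Figure 3 has run.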
2)动态身份信启用及绑定关系释放过程2) Dynamic identity letter enablement and binding relationship release process
如图3所示,临时签约身份信息回收主要步骤如下:As shown in Figure 3, the main steps for the recovery of temporary contract identity information are as follows:
(1)用户终端设备(重)新启动。(1) The user terminal equipment is (re)restarted.
(2)用户终端设备向MME发起附着请求消息,该消息包含用户长期签约身份信息IMSI0或身份位置保护服务器之前分配的临时签约身份信息IMSIn。(2) The user terminal device sends an attach request message to the MME, the message including the user's long-term subscription identity information IMSI0 or the temporary subscription identity information IMSIn previously allocated by the identity location protection server.
(3)MME向HSS发送认证数据请求消息,该消息包含用户当前身份信息IMSIn或IMSI0。(3) The MME sends an authentication data request message to the HSS, where the message includes the user's current identity information IMSIn or IMSI0.
4A HSS收到消息后,检查消息中的身份信息及相关数据库。如果是用户长期签约身份信息且没有任何绑定关系存,则按现有3GPP规范执行。如果是用户长期签约身份信息且绑定了临时签约身份信息,则按配置的安全策略确定是否为该用户生成签约数据。安全策略可以规定某个用户使用某一具体动态身份信息的使用时间段(几小时,几天等)或次数(1次,5次)。如果用户使用某个动态身份信息过长,则安全性降低,极限情况下就回退到现有机制了,动态签约身份=长期签约身份信息;安全策略可以配置到HSS里作为用户签约信息的一部分,不同用户可能对于隐私保护需求不同,因此可以实现用户级的定制。4A After receiving the message, the HSS checks the identity information and related database in the message. If it is the user's long-term contract identity information and there is no binding relationship, it is executed according to the existing 3GPP specifications. If it is the user's long-term subscription identity information and the temporary subscription identity information is bound, it is determined whether to generate subscription data for the user according to the configured security policy. The security policy can specify the usage time period (hours, days, etc.) or the number of times (1 time, 5 times) for a certain user to use a specific dynamic identity information. If a user uses a certain dynamic identity information for too long, the security will be reduced, and in extreme cases, it will fall back to the existing mechanism, dynamic contract identity = long-term contract identity information; security policies can be configured in the HSS as part of the user's contract information , different users may have different privacy protection requirements, so user-level customization can be achieved.
4B HSS收到消息后,检查消息中的身份信息及相关数据库。如果是临时签约身份信息且没有任何绑定关系存,则不生成认证数据拒绝该用户接入网络。如果是临时签约身份信息且绑定了长期签约身份信息,则使用长期签约身份信息对应的凭据信息为该用户生成认证数据信息。After receiving the message, 4B HSS checks the identity information and related database in the message. If it is temporary subscription identity information and no binding relationship exists, no authentication data is generated to deny the user access to the network. If it is the temporary contract identity information and the long-term contract identity information is bound, the authentication data information is generated for the user by using the credential information corresponding to the long-term contract identity information.
(4)HSS以响应消息回复MME,该消息可包含认证数据及结果信息,MME依据认证数据信息完成和该用户之间的相互认证。(4) The HSS replies to the MME with a response message, which may include authentication data and result information, and the MME completes the mutual authentication with the user according to the authentication data information.
(5) The MME replies to the user terminal with an attach response message.
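A compact model of the HSS decision in steps 4A and 4B, added here as an example and not the patent's own code. The identifier formats (a `TMP-` prefix marks a temporary identity), the policy fields, the in-memory tables and the rule that a bound long-term identity is served only once its dynamic identity is exhausted under policy are all assumptions made for the illustration.

```python
# Added example (not the patent's own code): a model of the HSS decision in
# steps 4A/4B. ID formats, policy fields and the in-memory tables are constructed.
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    LEGACY_3GPP = "long-term ID, no binding: existing 3GPP procedure"
    REFUSE = "long-term ID bound, dynamic ID still valid: no subscription data"
    FALLBACK = "long-term ID bound, dynamic ID exhausted: dynamic ID = long-term ID"
    REJECT = "temporary ID with no binding: no auth data, access denied"
    AUTH_VIA_LONG_TERM = "temporary ID bound: auth data from long-term credentials"

@dataclass
class SecurityPolicy:      # per-subscriber limits on one dynamic identity
    max_uses: int          # e.g. 1 or 5 uses
    max_age_s: int         # e.g. a few hours or days, expressed in seconds

@dataclass
class Binding:             # one long-term ID <-> temporary ID binding
    long_term_id: str
    issued_at: float       # Unix time at which the temporary ID was issued
    uses: int = 0

class Hss:
    def __init__(self, policies):
        self.policies = policies        # long_term_id -> SecurityPolicy (subscription data)
        self.by_temp, self.by_long = {}, {}

    def bind(self, long_term_id, temp_id, now):
        b = Binding(long_term_id, now)
        self.by_temp[temp_id] = self.by_long[long_term_id] = b

    def within_policy(self, b, now):
        p = self.policies[b.long_term_id]
        return b.uses < p.max_uses and now - b.issued_at <= p.max_age_s

    def handle_auth_request(self, identity, now):
        if identity.startswith("TMP-"):         # assumed temporary-ID prefix (step 4B)
            b = self.by_temp.get(identity)
            if b is None:
                return Decision.REJECT
            b.uses += 1                         # the policy counts uses of the dynamic ID
            return Decision.AUTH_VIA_LONG_TERM
        b = self.by_long.get(identity)          # long-term ID (step 4A)
        if b is None:
            return Decision.LEGACY_3GPP
        # Assumption: a bound long-term ID is served only once its dynamic ID is
        # exhausted under policy (the text's fall-back case); otherwise it is refused.
        return Decision.FALLBACK if not self.within_policy(b, now) else Decision.REFUSE
```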
In summary, the present invention discloses a method for protecting the long-term subscription identity information and the location of mobile network users.
This description of the invention has been presented for purposes of illustration and description and is not intended to be exhaustive or to limit the invention to the forms disclosed. Those of ordinary skill in the art can clearly make various changes and modifications to the examples of the invention without departing from its spirit and principles. The embodiments were chosen and described to better explain the principles of the invention and its practical application, and to enable those of ordinary skill in the art to understand the invention and thereby design various embodiments, with various modifications, suited to particular uses.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201711188905.6A CN107911814B (en) | 2017-11-24 | 2017-11-24 | HSS (home subscriber server) -enhanced user identity information protection method and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN107911814A CN107911814A (en) | 2018-04-13 |
| CN107911814B true CN107911814B (en) | 2020-08-25 |
Family ID: 61847617
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |
| | CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20200825 |