CN101203030B - An authentication device and method using a mobile terminal multi-mode protocol stack - Google Patents

Abstract

The invention discloses a device for carrying out authentication by means of a multimode protocol stack of a mobile terminal, including at least: a mode selecting module (101) used for selecting a working mode for the mobile terminal according to a received signal, a subscriber identity module SIM card-managing module (103) used for managing SIM card drivers of different types and identifying inserted SIM cards of different types, an interface managing module (104), which is used for reading and storing user information through the SIM card managing module (103) and the SIM cards of different types, and receiving authentication request information of a network side through different protocol stacks, as well as sending out an authentication responding message to different network sides through corresponded protocol stacks, and an authentication execution module (102) used for acquiring user information through the interface managing module (104), receiving authentication request information sent out by the network side, and carrying out an authentication operation to the information by means of a corresponded authentication algorithm to generate authentication responding information; and then the generated information is sent out to the interface managing module (104). The invention provides an authentication function after a completion of a UMTS mode, a WiMAX mode and a dual-mode of UMTS/WiMAX in one mobile terminal.

Description

An authentication device and method using a mobile terminal multi-mode protocol stack

technical field

The invention relates to authentication technology in the field of mobile communication, and specifically refers to a device and method for authentication by using a multi-mode protocol stack of a mobile terminal.

Background technique

In recent years, the number of mobile users has grown rapidly. While using voice services, users have also put forward higher requirements for mobile data services. High-speed wireless access is imperative. The integration of heterogeneous networks has become a clear direction for future network development. , where the integration of WiMAX network and third generation mobile communication network (3G, 3rd Generation Mobile Telecommunication Network) is a representative, but WiMAX network and 3G network each have their own authentication mechanism.

The authentication mechanism in the WiMAX security architecture supports bidirectional device authentication between the mobile terminal and the WiMAX network defined in IEEE 802.16e, while the authentication of the 3G network is performed by the Mobility Management sublayer (MM/GMM, Mobilty Manage /GPRS Mobilty Manage), when the UMTS (Universal Mobile Telecommunications System) authentication process of the 3G network is executed, a UMTS security context is established between the mobile terminal and the network; for a For successful UMTS authentication, the UMTS encryption key and UMTS integrity key are stored in the network and in the mobile terminal.

The network working group of the 802.16e protocol released the joint networking structure of the WiMAX network and the 3G network, so the joint authentication technology of the 3G/WIMAX multi-mode terminal protocol stack is one of its key technologies.

The joint networking structure of WiMAX and 3G network mainly has two forms:

1. Core network integration: This solution mainly considers that on the wireless interface side, WiMAX and 3GPP do not interoperate, but only connects the WiMAX access network to the 3GPP packet switching domain (PS, PacketSequencing) core network, and uses 3GPP PS The services and functions provided by the core network realize the mobile communication services of the WiMAX network.

2. Access network integration: On the basis of core network integration, the switching of two access technologies on the air interface will be considered to ensure service continuity when users move from a WiMAX-covered network to a 3GPP-covered network. This kind of integration has a relatively large impact on the existing air interface protocols of 3GPP and WiMAX. Therefore, it is expected that WCDMA in 3G will introduce the same OFDM and MIMO technology as WiMAX in the later stage of R7, and then consider the integration, which will become a matter of course. .

For the joint networking of 3G network and WiMAX network, whether it is core network integration or future access network integration, the WiMAX/3G dual-mode terminal protocol stack needs to solve the authentication problem of the two access networks; In the initial stage of development, the mentioned authentication schemes are all concentrated on the network side, and no one has proposed a patent for a related technical scheme for the solution of the mobile terminal protocol stack.

Contents of the invention

In view of this, the present invention proposes a method and device for authenticating by using a mobile terminal multimode protocol stack to solve how to complete UMTS mode, WiMAX mode and UMTS&WiMAX dual mode authentication under these three working modes in a mobile terminal. power function.

A device for authentication using a mobile terminal multi-mode protocol stack, applied to a mobile terminal, the device at least includes:

A mode selection module (101), configured to complete the selection of the working mode of the mobile terminal according to the received instruction;

Subscriber identification module SIM card management module (103), is used for managing different types of SIM card drivers, identifies different SIM card types inserted; and manages user information in the SIM card by the SIM card driver according to the identification result Data structure and storage space for user information;

The interface management module (104) is used for reading and storing user information through the SIM card management module (103) and different types of SIM cards; receiving the authentication request information of the network side through different protocol stacks, and sending the authentication response The message is sent to different network sides through the corresponding protocol stack;

An authentication execution module (102), configured to obtain user information through an interface management module (104) and receive authentication request information sent from the network side, and use a corresponding authentication algorithm to perform user information and authentication request information according to the user information and the authentication request information. The authentication operation generates an authentication response message and sends it to the interface management module (104).

The working mode of the device is divided into UMTS mode, WiMAX mode and UMTS & WiMAX dual mode;

The authentication operation performed by the authentication execution module (102) is to execute the authentication algorithm of the UMTS network and the WiMAX network.

The device authentication execution module (102) at least includes f1, f2, f3, f4, f5 algorithm modules required for performing UMTS network authentication;

The authentication execution module (102) at least includes an EAP method module (1022) and an EAP module (1023) required for WiMAX network authentication.

The EAP method module (1022) in the device authentication execution module (102) executes different EAP authentication algorithms, and the EAP authentication includes at least EAP-MD5, EAP-SIM, EAP-PEAP, EAP-TTLS, EAP-TLS and EAP-AKA, and execute the algorithm corresponding to the authentication according to the authentication selected by the system.

The interface management module (104) of the device at least includes:

SIM card interface module (1042), used to manage the drivers of different types of SIM cards;

The message cache module (1043), buffers the authentication information sent to the UMTS protocol stack/WiMAX protocol stack before the protocol stack receives it, and deletes the authentication information after receiving it; The authentication information is cached before the operation, and the authentication information is deleted after receiving; the received message must also be cached before the authentication execution module (102) processes;

The message routing module (1041), the message routing module (1041) in the interface management module (104), sends the authentication request message sent from the network side received from the protocol stack to the authentication execution module (102); The received authentication response message sent by the authentication execution module (102) is sent to the corresponding module in the corresponding protocol stack according to the type of the authentication response message, and the message cache module (1043) is called when routing the authentication message The authentication message is cached.

The SIM card interface module (1042) in the interface management module (104) of the device provides a unified external interface for different SIM card drivers managed by the SIM card management module (103).

The device described in the device uses the mobile terminal multimode protocol stack for authentication to exist independently in the mobile terminal, or as a plug-in to become a component of the UMTS terminal protocol stack unit, or as a plug-in to become a component of the WiMAX terminal protocol stack unit part.

A method for authenticating by using a mobile terminal multimode protocol stack, comprising:

A. Judging the working mode that the current mobile terminal needs to enter according to the received instruction, if it is single-mode, execute the single-mode authentication process, if it is multi-mode, go to step B;

B. After receiving the authentication request message sent by the first network side, the mobile terminal executes the original authentication process of the first network through interaction with the first network side;

C. After the authentication of the first network is completed, the first network side inquires whether the current mobile terminal has subscribed to the network service of the second network provided by the same operator, if yes, go to step D, otherwise the authentication ends;

D. The first network side sends an authentication request message of the second network to the mobile terminal. The mobile terminal interacts with the first network side through the authentication message according to the user information and the corresponding authentication algorithm. The mobile terminal and the first network side The authentication server generates a master session key respectively, and the authentication server sends the master session key to the base station of the second network;

E. The base station of the second network generates an authorization key according to the received master session key, and the mobile terminal generates an authorization key according to the master session key generated by itself, and uses the authorization key to communicate between the mobile terminal and the second network side Subsequent authentication operations.

The first network described in the method is a UMTS network, and the second network is a WiMAX network;

The step B includes: performing the authentication of the UMTS network according to the existing UMTS authentication process;

The step C includes: after completing the authentication of the UMTS network, if it is confirmed that the user has signed the WiMAX network service provided by the same operator, the UMTS network side MSC/VLR sends the user identification information to the AAA authentication server, otherwise the authentication ends;

Said step D comprises: the mobile terminal and the MSC/VLR and AAA authentication server on the UMTS network side send and forward the authentication message, and generate the master session key MSK on the mobile terminal and the AAA authentication server;

The AAA authentication server generates the shared master key PMK according to the MSK and sends it to the nearest WiMAX base station located in the base station of the UMTS network;

The step E includes: generating an authorization key AK at the base station and the mobile terminal, and using the authorization key AK to perform subsequent authentication operations between the mobile terminal and the second network side.

The query process described in step C of the method is that the UMTS network side queries the user subscription information of the mobile terminal to determine whether to subscribe to the WiMAX network service provided by the same operator.

The authentication message described in step D of the method includes EAP-REQUEST/TLS start and EAP-RESPONSE/TLS start conforming to the extended authentication protocol.

In the technical scheme of the present invention, by newly adding a device that utilizes the multimode protocol stack of the mobile terminal to perform authentication on the mobile terminal, the UMTS authentication function of the 3G network and the Extensible Authentication Protocol (EAP, Extensible Authentication Protocol) supported by the WiMAX network are executed. ) authentication function, which solves the authentication function in three modes of UMTS mode, WiMAX mode and UMTS & WiMAX dual mode in one mobile terminal.

Description of drawings

FIG. 1 is a schematic diagram of a device for authentication using a mobile terminal multimode protocol stack in the present invention;

Fig. 2 is a schematic diagram of each sub-module of the interface management module of the present invention;

Fig. 3 is a schematic diagram of information interaction of the authentication execution module of the present invention;

FIG. 4 is a schematic diagram of a mobile terminal authentication workflow in the present invention;

FIG. 5 is a schematic diagram of the UMTS mode authentication flow chart of the present invention;

FIG. 6 is a schematic diagram of algorithms f1-f5 executed by the authentication execution module 102 in the UMTS authentication mode of the present invention;

FIG. 7 is a schematic diagram of a WiMAX mode authentication flow in the present invention;

FIG. 8 is a schematic flow chart of completing WiMAX authentication through UMTS access network in the present invention.

Detailed ways

The present invention is proposed on the joint networking mode of WiMAX and 3G network adopting core network fusion. Newly increase a device that utilizes the mobile terminal multimode protocol stack to authenticate at the mobile terminal, execute the authentication function of the UMTS of the 3G network and the EAP authentication function supported by the WiMAX network; described utilize the mobile terminal multimode protocol stack to authenticate The authorized device is located on a mobile terminal supporting 3G/WiMAX dual working mode.

As shown in Figure 1, the device utilizing the mobile terminal multimode protocol stack for authentication includes four functional modules: a mode selection module 101, an authentication execution module 102, a Subscriber Identification Module (SIM) card management module 103, and an interface management module 104 ; The respective functions of the four functional modules are as follows:

The mode selection module 101 completes the setting of the working mode of the 3G/WiMAX mobile terminal. The working modes are divided into three types: UMTS mode, WiMAX mode and UMTS/WiMAX dual mode. Among them, in the UMTS & WiMAX dual-mode working environment, the mode selection includes determining the network access priority, that is, determining whether to preferentially access the WiMAX network for authentication or preferentially access the UMTS network for authentication. The mode selection can be manually set by the user, or it can be the default of the system. If it is the default of the system, it can be that UMTS preferentially accesses the network for authentication.

The authentication execution module 102 completes the specific implementation work of the authentication algorithm for accessing the UMTS network and accessing the WiMAX network, including: f1, f2, f3, f4, f5 algorithm modules 1021 performed by accessing the UMTS network authentication; The EAP method module 1022 and the EAP module 1023 of the WiMAX network. When the access UMTS network is authenticated: receive an authentication request (user authentication request) from the network side from the MM layer located at the UMTS protocol stack of the mobile terminal, call the interface management module 104, and call the SIM card in the interface management module 104 The management module 103 reads the master key K from the SIM card, runs the f1-f5 algorithm in the algorithm module 1021, and then sends an authentication response (user authentication response) to the MM layer. When authenticating access to the WiMAX network, the EAP authentication protocol is executed. There are many specific EAP authentication methods, such as EAP-MD5, EAP-SIM, EAP-PEAP, EAP-TTLS, EAP-TLS, and EAP-AKA. The algorithm execution program of EAP authentication is common, but in the present invention, it is stored in the EAP method module 1022, because which EAP method to adopt is selected by the operator, so the EAP method module 1022 of the present invention must support multiple EAP algorithms.

The function of the SIM card management module 103 is mainly to read and save relevant data required for authentication according to the driver interface provided by the SIM card manufacturer; to identify the type of SIM card inserted by the user; to uniformly manage the data storage space of the UMTSSIM card and the WiMAX SIM card . This module and its functions are implemented in the UMTS protocol stack in the prior art. Since the SIM management mainly implements functions such as reading and storing data from the SIM card, the present invention extracts the SIM card management module 103 as a use A functional module in a device for performing authentication by a multi-mode protocol stack of a mobile terminal.

Interface management module 104 is responsible for the distribution of UMTS messages and WiMAX messages, and has close interaction with UMTS protocol stack and WiMAX protocol stack; as shown in Figure 2, interface management module 104 includes: message routing module 1041, SIM card interface module 1042 , the message cache module 1043 .

Among them, the message routing module 1041 mainly completes the receiving and sending of messages, for example, sending the received authentication message sent by the network side to the authentication execution module 102; for the authentication response message sent by the authentication execution module 102, according to the Type, sent to the MM layer of the UMTS protocol stack or the EAP encapsulation module of the WiMAX protocol stack.

The SIM card interface module 1042 is mainly responsible for calling the driver program of the SIM card. The SIM card used by WiMAX may or may not be the same as the driver program of the UMTS SIM card of UMTS. Therefore, the SIM card management module 103 of the present invention supports multiple types of SIM cards. SIM card driver, and the SIM card interface module 1042 shields this difference of the SIM card management module 103, and is responsible for calling the drivers of different types of SIM cards provided by the SIM card supplier to read the data in the SIM card and storage.

The arrangement of the data structure and data content in the SIM card is completed by the SIM card management module 103, and the SIM card interface module 1042 does not process the above content.

The message cache module 1043 can not delete the message sent to the UMTS protocol stack and the WiMAX protocol stack before the other party receives it, and must cache it; before the authentication execution module 102 processes the message received, it must also be cached, so the message cache The module 1043 is responsible for managing the data temporarily stored in these caches, and provides external interfaces, and the message routing module 1041 calls the external interface of the message cache module 1043 to process the data in these caches.

Fig. 3 describes the message interaction between the authentication execution module 102 and other modules and the UMTS protocol stack and the WiMAX protocol stack: the authentication execution module 102 includes f1, f2, f3, f4, f5 algorithm module, and the EAP method module 1022 and EAP module 1023 of accessing WiMAX network; The information and data interaction of authentication execution module 102 and WiMAX SIM card and UMTS SIM card are realized by interface management module 104 and SIM card management module 103, The authentication execution module 102 calls the SIM card interface module 1042 in the interface management module 104, and the SIM card interface module 1042 directly calls the corresponding driver program in the SIM card management module 103 to complete the transmission of information and data; with the UMTS protocol stack, mainly MM layer, and the WiMAX protocol stack, mainly the EAP encapsulation module, and the interaction is completed through the message routing module 1041 .

The present invention relates to the authentication process under 3 kinds of working modes, how mobile terminal is described how to carry out the selection of working mode in 3 kinds of working modes in conjunction with specific situation below, and the brief steps of the authentication process after the selected working mode; Then to The authentication process in each working mode is described in detail.

Firstly, the flow of how the mobile terminal selects the working mode among the three working modes is described, as shown in FIG. 4 .

Step 201, after the user turns on the mobile terminal, according to user settings or system default settings, select only UMTS mode, only WiMAX mode or UMTS & WiMAX mode respectively, and enter the corresponding authentication process.

Enter only UMTS mode and start authentication:

In step 202, the MM layer sends the authentication request parameters from the network side to the authentication execution module 102 .

Step 203 , the SIM card management module 103 reads the master key K in the SIM card of the mobile terminal, and sends it to the authentication execution module 102 .

In step 204, the authentication execution module 102 executes f1-f5 algorithms to obtain authentication response parameters.

Step 205 , the authentication execution module 102 returns the authentication response parameters to the MM layer through the SIM card management module 103 .

Step 206, end the authentication process.

Enter only WiMAX mode and start authentication:

Step 207 , the EAP module 1023 located in the mobile terminal receives the authentication request (EAP-Request) from the base station (BS, BaseStation), and sends it to the authentication execution module 102 .

Step 208 , the authentication execution module 102 calls the EAP method module 1022 (EAP-Method) to execute the authentication algorithm, obtains the EAP-Response, and sends it to the EAP module 1023 .

Step 209, the EAP module 1023 sends an EAP-Response to the BS.

In step 210, the BS judges whether the authentication is successful, and if successful, sends an EAP-success to the EAP module 1023 of the mobile terminal, and the EAP fully activates the link.

In step 211, the EAP method module 1022 calculates the AAA-Key.

Step 212, the authentication ends.

Enter UMTS & WiMAX mode and start authentication.

Step 213, the UMTS access network performs UMTS authentication.

In step 214, the UMTS network side queries the user's subscription information, and confirms that the user has subscribed to the WiMAX network service.

Step 215, perform WiMAX authentication through the UMTS access network.

Step 216, the authentication ends.

Among them, the authentication procedures 202-206, 207-212 and 213-216 are the authentication procedures of the mobile terminal in three different authentication modes, and the execution order is not in particular order. Case 1:

As shown in Figure 5, after the mobile terminal selects only UMTS mode, the specific authentication process starts. The authentication process involves several devices, including the user home environment/user home location register (HE/HLR, Home Environment/Home Location Registor) on the network side, the visitor location register/supporting GPRS service node (VLR/SGSN, Visit Location Registor) /Serving GatewaySupport Nodes), and mobile terminals.

Step 301, the network side generates a user authentication request (user authentication request), and the above-mentioned user authentication request is sent to the MM layer of the UMTS protocol stack by the VLR/SGSN, and the authentication in the device for authentication using the mobile terminal multimode protocol stack The execution module 102 receives the user authentication request of the MM layer through the interface management module 104; the authentication execution module 102 calls the SIM card management module 103, and the SIM card management module 103 reads the master key K in the SIM card in a transparent transmission mode, It is sent to the authentication execution module 102 for executing the algorithms f1-f5 to start the authentication.

Step 302, in the UMTS authentication process, first the VLR/SGSN applies for an authentication vector (AV, Authentication Vector) from the HE/HLR to authenticate the mobile terminal, and the HE/HLR generates n groups of AVs.

The authentication vector AV=(RAND||XRES||CK||IK||AUTN); the above five parameters are respectively the random number RAND, the expected response value XRES, the encryption key CK, the integrity key IK and the authentication order Card AUTN; respectively generated on the network side by the following methods:

RAND is generated by f0;

XRES = f2K(RAND);

CK = f3K(RAND);

IK = f4K(RAND);

$\mathrm{<span\; class="notranslate">\; AUTN</span>}<span\; class="notranslate">\; =</span>\mathrm{<span\; class="notranslate">\; SQN</span>}<span\; class="notranslate">\; \&CirclePlus;</span><span\; class="notranslate">\; (</span>\mathrm{<span\; class="notranslate">\; AK</span>}<span\; class="notranslate">\; |</span><span\; class="notranslate">\; |</span>\mathrm{<span\; class="notranslate">\; AMF</span>}<span\; class="notranslate">\; |</span><span\; class="notranslate">\; |</span>\mathrm{<span\; class="notranslate">\; MAC</span>}<span\; class="notranslate">\; )</span><span\; class="notranslate">\; .</span>$

In the authentication token AUTN, SQN is the serial number; AK is the anonymous key used to hide the SQN; AMF is the authentication management domain; MAC is the message authentication code. The above-mentioned algorithm modules f1-f5 both exist in the HE/HLR on the network side and in the authentication execution module 102 of the mobile terminal, and the algorithms are identical, and the algorithm module f0 only exists in the HE/HLR on the network side.

Step 303, HE/HLR sends the generated n groups of AVs to VLR/SGSN, and after VLR/SGSN receives n groups of authentication vector AVs, sends the RAND and AUTN among them to the MM layer of the mobile terminal UTMS protocol stack for authentication right.

得到f1算法的输入数据SQN；f1算法利用RAND以及AUTN中的SQN和AMF，计算出期望消息认证码XMAC，其计算公式是XMAC＝f1K(SQN||RAND||AMF)。SIM卡中存放的主密钥K是移动终端和HE/HLR之间共享的密钥。Step 304, the authentication execution module 102 obtains RAND and AUTN in the MM layer through the interface management module 104; Executed before the f1 algorithm, the f5 algorithm uses RAND to generate an anonymous key AK, and its calculation formula is AK=f5K(RAND). AK XOR the SQN in AUTN, namely

Obtain the input data SQN of the f1 algorithm; the f1 algorithm uses RAND and SQN and AMF in AUTN to calculate the expected message authentication code XMAC, and the calculation formula is XMAC=f1K(SQN||RAND||AMF). The master key K stored in the SIM card is a key shared between the mobile terminal and the HE/HLR.

Step 305, the authentication execution module 102 compares whether the MAC in the XMAC and AUTN matches, and if it does not match, then sends a rejection authentication message to the network side, and abandons the authentication process; if the two are equal, then judge whether the received SQN is correct If the SQN is not in the correct range, then the mobile terminal sends a synchronization failure message to the VLR/SGSN, and abandons the authentication process; if the above two verifications are all passed, the authentication execution module 102 utilizes the formula RES= f2K(RAND) calculates the response value RES, and sends the RES to the VLR/SGSN as part of the network side authentication request response message. After receiving the response message, the VLR/SGSN compares the RES with the XRES obtained from the HE/HLR. If they are equal, the authentication succeeds, otherwise it fails.

Step 306, after successfully completing the UMTS authentication, the authentication execution module 102 in the device for authentication using the mobile terminal multimode protocol stack will execute the f3 and f4 algorithms, and compare the obtained encryption key CK with the consistency The check key IK is stored in the SIM card in a transparent transmission manner by calling the SIM card management module 103 .

In the situation described above, the execution of steps 301 and 302 is not in strict order of time.

When the mobile terminal chooses to perform authentication in only WiMAX mode, its specific authentication process is described in detail in Case 2.

Case 2:

As shown in FIG. 7, after only WiMAX mode is selected, the mobile terminal uses the mobile terminal multi-mode protocol stack for authentication device to execute the authentication process for the mobile terminal to access the WiMAX network. After starting authentication:

Step 401, the EAP layer in the EAP authenticator (EAP authenticator) entity of the base station sends an EAP-Request message, which is encapsulated as a PDU of the MAC management message as an EAP identity (EAP-Identity) request and sent to the mobile terminal WiMAX protocol stack.

Step 402, the authentication execution module 102 located in the device for authentication using the mobile terminal multimode protocol stack receives the EAP-Request from the EAP encapsulation module of the security sublayer of the WiMAX protocol stack through the interface management module 104, and passes it upward to EAP method layer for processing.

Step 403, after the EAP-Request is processed by the EAP method layer, an EAP-Response is obtained, and the authentication execution module 102 sends the EAP-Response to the EAP encapsulation module of the security sublayer of the WiMAX protocol stack.

Step 404, the EAP encapsulation module forwards all EAP-Response from the authentication execution module 102 to the AAA authentication server. Described AAA authentication server refers to the authentication server (Authentication Server) that realizes remote connection by AAA protocol (such as RADIUS).

Step 405, after one or more EAP-Request/Response interactions between the AAA authentication server and the authentication execution module 102 of the mobile terminal, the AAA authentication server determines whether the authentication is successful, if the AAA authentication server determines that the authentication is successful , go to step 406, otherwise go to step 408.

Step 406, the AAA authentication server sends an EAP-Success message to the mobile terminal, and the device of the mobile terminal that utilizes the mobile terminal multimode protocol stack to perform authentication fully activates the wireless link after receiving the EAP-Success message, removes the transmission restriction, and authenticates at the same time The EAP method layer of the authorization enforcement module 102 generates the shared master key AAA-key.

Step 407, the EAP layer of the authentication execution module 102 obtains the AAA-key from the EAP method layer, passes it to the key management module of the security sublayer of the WiMAX protocol stack, and executes subsequent authentication that does not involve using the mobile terminal multimode protocol stack The process of the device; at the same time, the relevant key including the AAA-key is stored in the authentication part of the SIM card through the SIM card management module 103. The WiMAX authentication process involving the EAP layer of the execution module executed by the device using the mobile terminal multi-mode protocol stack for authentication is completed here.

Step 408, the authentication is unsuccessful, and the authentication is stopped.

When authentication is performed in UMTS & WiMAX mode, the specific authentication process is described in the following embodiments.

When performing authentication on two networks, first complete the authentication of the first network according to the existing network authentication process; then, the mobile terminal processes the received authentication request message and generates an authentication response message, and sends it to the already The network side of the first network that completes the authentication is then forwarded to the AAA authentication server;

According to the authentication response message, the mobile terminal and the AAA authentication server simultaneously generate the master session key MSK, send it to the base station of the second network that is closest to the base station of the first network, establish the underlying link, and communicate between the base station of the second network and the base station of the second network. The mobile terminal generates an authorization key AK.

In the UMTS & WiMAX dual mode, according to the priority of the access network set by the user or the system default, assuming that UMTS is prioritized, then the access to the UMTS network must be completed first, and the device using the mobile terminal multi-mode protocol stack for authentication to perform UMTS Network authentication; after completing the UMTS network access, search for the WiMAX network and execute the WiMAX network authentication process. The specific process of UMTS&WiMAX dual-mode authentication is shown in Figure 8.

When the WiMAX network and the UMTS network belong to the same operator and the two networks share an AAA authentication server, the authentication process of the WiMAX network can be completed through the UMTS access network. The specific authentication process is as follows:

Step 501, after the mobile terminal is turned on, the system reads the configuration file in the SIM card, and according to the information in the configuration file, it is judged that the operator network allows the user to complete WiMAX user authentication through the UMTS network. A wireless link is established between the system (RNS, Radio Network System) and the mobile terminal.

Step 502: After the UMTS network authentication starts, the network side sends an authentication request message AUTHENTICATION REQEST to the mobile terminal to start UMTS network authentication.

Step 503, after the mobile terminal completes the UMTS authentication, it returns the parameters to the network side through the authentication response message AUTHENTICATION RESPONSE, and the network side completes the UMTS authentication.

Steps 502 and 503 are consistent with the entire UMTS authentication process described in Case 1.

Step 504, after the UMTS network side inquires about the user's subscription information, confirming that the user has signed up for the WiMAX network service at the same time, the MSC/VLR at the UMTS network side sends user identification information (such as IMSI, International Mobile SubscriberIdentification) to the AAA authentication server through MAP signaling.

Step 505: After receiving the user identification information, the AAA authentication server processes it, and returns an EAP-RESPONSE message to MSC/VLR through MAP signaling. The content of the EAP-RESPONSE message is TLS start, and can be expressed as EAP-RESPONSE/TLS The form of start.

Described EAP-RESPONSE/TLS start, the message that it contains is the TLS start that conforms to the extended authentication agreement, is the response message that realizes EAP agreement that is positioned at the transport layer, and this message indicates that the authentication server begins to authenticate the mobile terminal.

Step 506, the MSC/VLR on the UMTS network side sends the above-mentioned EAP-RESPONSE/TLS start message to the mobile terminal through the extended authentication request message EAP-REQUEST/TLS start, and its content is also a message TLS start that conforms to the extended authentication protocol.

Step 507, the EAP method layer located in the authentication execution module 102 in the mobile terminal processes the above-mentioned EAP-RESPONSE/TLS start, and sends the EAP-RESPONSE/TLS ClientHello to the MSC/TLS on the UMTS network side through the extended authentication response message. VLR;

Then the MSC/VLR uses the MAP signaling to send the above message to the AAA authentication server.

In step 508, the mobile terminal, the MSC/VLR on the UMTS network side, and the AAA authentication server send and forward multiple messages, and simultaneously generate a master Session key (MSK, Master Session Key).

Step 509, the AAA authentication server takes the highest 160 bits of the MSK as a shared master key (PMK, Shared Primary Master Key) and sends it to the nearest WiMAX base station located in the UMTS base station.

In the case where WiMAX and UMTS belong to the same operator, especially when UMTS and WiMAX share the site, the above process is feasible; in addition, since the radiation range of the WiMAX base station is larger than the area covered by the UMTS base station, the address of the UMTS base station can Identify nearby WiMAX base stations.

Step 510, after successfully completing ranging and basic capability negotiation, the bottom layer of the WiMAX base station sends a logic signal "link activation" to the upper layer EAP authenticator entity, indicating that the bottom layer link has been established.

Step 511 , the WiMAX base station and the mobile terminal's authentication device using the mobile terminal's multi-mode protocol stack generate an authorization key AK according to the regulations in IEEE802.16e.

Steps 512-514, after completing the above steps, when the WiMAX network switching is completed or the network enters, the base station determines that it owns the PMK of the mobile terminal, and at this time, the base station sends an EAP-Establish-Key-Request message, the message carries the Nonce random number of the base station, and may carry EAP-Master-Key-Id, which is optional to carry EAP-Master-Key-Id, EAP-Master-Key- The Id is the unique identifier representing the PMK; then the security association (SA, Security Association) descriptor allocation process is completed.

The device for authentication by using the multi-mode protocol stack of the mobile terminal can be independent. The above description is the process of authentication when the device for authentication by the multi-mode protocol stack of the mobile terminal is used as an independent module of the mobile terminal. The authentication device for the terminal multi-mode protocol stack can also be placed in the 3G terminal protocol stack or the WiMAX terminal protocol stack, and become a component of the single-mode protocol stack and a plug-in (interface component) of the dual-mode protocol stack. At the same time, the device for performing authentication by using the multi-mode protocol stack of the mobile terminal may also perform WiMAX authentication through a 3G network such as WCDMA or CDMA2000.

The above is only a preferred embodiment of the present invention, and is not intended to limit the present invention; it can be seen that the present invention realizes UMTS mode, WiMAX mode by constructing a device that utilizes the mobile terminal multimode protocol stack to perform authentication. and UMTS & WiMAX dual-mode authentication support in these three modes, and automatically complete the individual authentication and joint authentication of the two networks according to the usage scenario; the technology of the present invention has a wide application prospect in the communication field, so all Within the spirit and principles of the invention, any modifications, equivalent replacements, improvements, etc., shall be included in the protection scope of the present invention.

Claims (11)

1. A device that utilizes a mobile terminal multimode protocol stack to authenticate, is characterized in that, applied to a mobile terminal, the device at least includes: A mode selection module (101), configured to complete the selection of the working mode of the mobile terminal according to the received instruction; Subscriber identification module SIM card management module (103), is used for managing different types of SIM card drivers, identifies different SIM card types inserted; and manages user information in the SIM card by the SIM card driver according to the identification result Data structure and storage space for user information; The interface management module (104) is used for reading and storing user information through the SIM card management module (103) and different types of SIM cards; receiving the authentication request information of the network side through different protocol stacks, and sending the authentication response The message is sent to different network sides through the corresponding protocol stack; An authentication execution module (102), configured to obtain user information through an interface management module (104) and receive authentication request information sent from the network side, and use a corresponding authentication algorithm to perform user information and authentication request information according to the user information and the authentication request information. The authentication operation generates an authentication response message and sends it to the interface management module (104). 2. The device according to claim 1, wherein the operating mode is divided into UMTS mode, WiMAX mode and UMTS&WiMAX dual mode; The authentication operation performed by the authentication execution module (102) is to execute the authentication algorithm of the UMTS network and the WiMAX network. 3. The device according to claim 2, characterized in that the authentication execution module (102) at least includes f1, f2, f3, f4, f5 algorithm modules required for performing UMTS network authentication; The authentication execution module (102) at least includes an EAP method module (1022) and an EAP module (1023) required for WiMAX network authentication. 4. The device according to claim 3, characterized in that the EAP method module (1022) in the authentication execution module (102) executes different EAP authentication algorithms, and the EAP authentication includes at least EAP-MD5, EAP-SIM , EAP-PEAP, EAP-TTLS, EAP-TLS, and EAP-AKA, and execute the algorithm corresponding to the authentication selected by the system. 5. The device according to claim 1, characterized in that, the interface management module (104) at least includes: SIM card interface module (1042), used to manage the drivers of different types of SIM cards; The message cache module (1043), buffers the authentication information sent to the UMTS protocol stack/WiMAX protocol stack before the protocol stack receives it, and deletes the authentication information after receiving it; The authentication information is cached before the operation, and the authentication information is deleted after receiving; the received message must also be cached before the authentication execution module (102) processes; The message routing module (1041), the message routing module (1041) in the interface management module (104), sends the authentication request message sent from the network side received from the protocol stack to the authentication execution module (102); The received authentication response message sent by the authentication execution module (102) is sent to the corresponding module in the corresponding protocol stack according to the type of the authentication response message, and the message cache module (1043) is called when routing the authentication message The authentication message is cached. 6. The device according to claim 5, characterized in that, the SIM card interface module (1042) in the interface management module (104) provides unified SIM card drivers for different SIM card drivers managed by the SIM card management module (103). the external interface. 7. The device according to claim 1, wherein the device for authenticating using the mobile terminal multimode protocol stack exists independently in the mobile terminal, or becomes a component of the UMTS terminal protocol stack unit as a plug-in, Or as a plug-in, it becomes an integral part of the WiMAX terminal protocol stack unit. 8. A method for authenticating using a mobile terminal multimode protocol stack, characterized in that it comprises: A. Judging the working mode that the current mobile terminal needs to enter according to the received instruction, if it is single-mode, execute the single-mode authentication process, if it is multi-mode, go to step B; B. After receiving the authentication request message sent by the first network side, the mobile terminal executes the original authentication process of the first network through interaction with the first network side; C. After the authentication of the first network is completed, the first network side inquires whether the current mobile terminal has subscribed to the network service of the second network provided by the same operator, if yes, go to step D, otherwise the authentication ends; D. The first network side sends an authentication request message of the second network to the mobile terminal. The mobile terminal interacts with the first network side through the authentication message according to the user information and the corresponding authentication algorithm. The mobile terminal and the first network side The authentication server generates a master session key respectively, and the authentication server sends the master session key to the base station of the second network; E. The base station of the second network generates an authorization key according to the received master session key, and the mobile terminal generates an authorization key according to the master session key generated by itself, and uses the authorization key to communicate between the mobile terminal and the second network side Subsequent authentication operations. 9. The method according to claim 8, wherein the first network is a UMTS network, and the second network is a WiMAX network; The step B includes: performing the authentication of the UMTS network according to the existing UMTS authentication process; The step C includes: after completing the authentication of the UMTS network, if it is confirmed that the user has signed the WiMAX network service provided by the same operator, the UMTS network side MSC/VLR sends the user identification information to the AAA authentication server, otherwise the authentication ends; Said step D comprises: the mobile terminal and the MSC/VLR and AAA authentication server on the UMTS network side send and forward the authentication message, and generate the master session key MSK on the mobile terminal and the AAA authentication server; The AAA authentication server generates the shared master key PMK according to the MSK and sends it to the nearest WiMAX base station located in the base station of the UMTS network; The step E includes: generating an authorization key AK at the base station and the mobile terminal, and using the authorization key AK to perform subsequent authentication operations between the mobile terminal and the second network side. 10. The method according to claim 9, wherein the query process in step C is that the UMTS network side queries the user subscription information of the mobile terminal to determine whether to subscribe to the WiMAX network service provided by the same operator. 11. The method according to claim 9, wherein the authentication message in step D includes EAP-REQUEST/TLS start and EAP-RESPONSE/TLSstart conforming to the extended authentication protocol.

Images