
CN101754197B - Terminal authentication method and home location register/authentication center - Google Patents

Info

Publication number: CN101754197B
Authority: CN (China)
Prior art keywords: terminal called; terminal; authentication; private data; auc
Legal status: Expired - Fee Related
Application number: CN2008101858349A
Other languages: Chinese (zh)
Other versions: CN101754197A (en)
Inventors: 陈继华, 张田生, 张振华
Current assignee: ZTE Corp
Original assignee: ZTE Corp

Legal events:
Application filed by ZTE Corp
Priority to CN2008101858349A
Publication of CN101754197A
Application granted
Publication of CN101754197B
Current legal status: Expired - Fee Related
Anticipated expiration

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a terminal authentication method and a home location register/authentication center (HLR/AUC). In the terminal authentication method, the HLR/AUC of a called terminal returns the location information of the called terminal to the calling terminal; then, according to a preset update cycle for the shared secret data (SSD) of the called terminal, if the last update time of the SSD of the called terminal exceeds the update cycle and the called terminal is configured to cancel SSD sharing once the update cycle is exceeded, the HLR/AUC authenticates the called terminal; and if the HLR/AUC fails to authenticate the called terminal and determines that this is not the first time the called terminal accesses the network, the called terminal is determined to have been illegally cloned. Applying the invention solves the problem that the current SSD update procedure cannot detect whether a cloned terminal has illegally accessed the network.

Description

Terminal authentication method and home location register/authentication center
Technical field
The present invention relates to the field of communications, and in particular to a terminal authentication method and a home location register/authentication center (HLR/AUC).
Background
In a code division multiple access (CDMA) network, the home location register (HLR)/authentication center (AUC) and the terminal device both hold the shared secret data (SSD) of each mobile terminal homed at that HLR/AUC. The SSD is used by the network and the terminal device in the authentication procedure (AUTHREQ) to compute the authentication result (AUTHR), so that the validity of the terminal can be checked and illegal terminals refused access to the network.
The SSD may be updated selectively, for example when the terminal device first accesses the network or after authentication fails, and the network side may also actively trigger an SSD update. When authentication succeeds, the SSD of the terminal generally remains unchanged. Consequently, when a terminal is completely cloned, that is, when its MIN (Mobile Identification Number), ESN (Electronic Serial Number), A-Key (Authentication Key) and SSD are all cloned, the cloned terminal can successfully access the network.
The procedure in which a mobile terminal acts as the called party is described in detail below; the called mobile terminal may be either a legitimate terminal or a cloned terminal. Fig. 1 is a flow chart of the related-art procedure when a mobile terminal is called. As shown in Fig. 1, it comprises:
Step S102: when the mobile terminal is called, the calling terminal that originates the call sends a connection management service request through the base station controller (BSC) to the MSC (mobile switching center)/VLR (visitor location register) where the calling terminal is currently registered, and a radio channel is assigned; the MSC/VLR of the calling terminal then sends a location request message (LOCREQ) to the home HLR/AUC of the called terminal, requesting the location information of the called terminal;
Step S104: the home HLR/AUC of the called terminal receives the location request message and, by searching its internal database, determines whether the MSC/VLR where the calling terminal is currently registered is the MSC/VLR where the called terminal is currently registered, that is, whether the called terminal and the calling terminal are on the same MSC/VLR. If so, the HLR/AUC directly returns the location information (locreq) of the called terminal; if not, it sends a routing request message (ROUTREQ) to the MSC/VLR where the called terminal is currently registered, requesting the routing information of the called terminal;
Step S106: the MSC/VLR where the called terminal is currently registered receives the routing request message (ROUTREQ) and returns a routing response message (routreq) to the home HLR/AUC of the called terminal, carrying the routing information of the called terminal;
Step S108: the home HLR/AUC of the called terminal receives the routing response message (routreq) and returns a location response message (locreq) to the MSC/VLR where the calling terminal is currently registered, carrying the location information of the called terminal;
Step S110: the MSC/VLR where the calling terminal is currently registered sends an initial address message (IAI) to the MSC/VLR where the called terminal is currently registered;
Step S112: the MSC/VLR where the called terminal is currently registered analyzes the called number (TLDN) in the IAI message, finds that it was allocated by this MSC/VLR, resolves it as a local terminating service, and sends a paging request message (PageReq) to the BSC, requesting that the called terminal be paged;
Step S114: the BSC pages the called terminal and sends a page response message (PageRsp) to the MSC/VLR where the called terminal is currently registered;
Step S116: after the MSC/VLR where the called terminal is currently registered has applied for a land circuit for the called terminal, it requests the BSC to assign a radio channel (Assign Req);
Step S118: the BSC returns a radio channel assignment response (Assign Cmpl), indicating that the radio channel assignment succeeded; at this point the called terminal rings;
Step S120: the MSC/VLR where the called terminal is currently registered sends an address complete message (ACM) to the MSC/VLR where the calling terminal is currently registered, and the calling terminal starts to hear the ringback tone;
Step S122: the called party goes off-hook, the MSC where the called terminal is currently registered sends an answer signal (ANC) to the MSC/VLR where the calling terminal is currently registered, the two parties start the conversation, and the procedure ends.
As described above, in this procedure the called mobile terminal may be a legitimate terminal or a cloned terminal, but with this procedure alone the HLR/AUC clearly cannot detect a cloned terminal that illegally accesses the network.
Summary of the invention
The technical problem to be solved by the present invention is to provide a terminal authentication method and an HLR/AUC that solve the problem that the current SSD update procedure cannot detect whether a cloned terminal has illegally accessed the network.
To solve the above problem, the present invention provides a terminal authentication method comprising:
After the HLR/AUC of the called terminal returns the location information of the called terminal to the calling terminal, it checks, according to the configured update cycle of the shared secret data (SSD) of the called terminal, whether the last update time of the SSD of the called terminal exceeds the update cycle; if it does, and the called terminal is configured to cancel SSD sharing once the update cycle is exceeded, the HLR/AUC authenticates the called terminal;
If the HLR/AUC fails to authenticate the called terminal, and it determines that this is not the first time the called terminal accesses the network, the called terminal is determined to have been illegally cloned.
Further, the above terminal authentication method may also comprise: if the HLR/AUC determines that the last update time of the SSD of the called terminal exceeds the update cycle and that the called terminal is configured to cancel SSD sharing once the update cycle is exceeded, the HLR/AUC sends to the called terminal, via the mobile switching center of the called terminal, an authentication directive message instructing the called terminal to cancel SSD sharing, and receives via the same mobile switching center the authentication directive response message returned by the called terminal.
Further, the above terminal authentication method may also comprise: after the HLR/AUC determines that the called terminal has been illegally cloned, the HLR/AUC decides according to the system configuration whether to allow the called terminal to perform an SSD update, wherein:
If the system is configured to allow the called terminal to perform an SSD update, and the HLR/AUC determines that the access type of the authentication request of the called terminal is call termination, the HLR/AUC returns to the called terminal, via the mobile switching center of the called terminal, an indication instructing the called terminal to perform an SSD update, carrying the random SSD parameter and the SSD parameter in the indication;
If the system is configured not to allow the called terminal to perform an SSD update, the HLR/AUC returns an authentication failure response to the called terminal via the mobile switching center of the called terminal, carrying a deny reason parameter.
Further, the above terminal authentication method may also comprise: if the HLR/AUC fails to authenticate the called terminal, and the system is configured to raise an alarm after authentication failure, the HLR/AUC raises a called-terminal authentication failure alarm.
Further, the above terminal authentication method may also comprise: if the HLR/AUC authenticates the called terminal successfully, and determines that the last update time of the SSD of the called terminal exceeds the update cycle, the HLR/AUC returns to the called terminal, via the mobile switching center of the called terminal, an indication instructing the called terminal to perform an SSD update, and the called terminal updates its SSD according to the received indication.
The present invention also provides an HLR/AUC for terminal authentication,
comprising: a first setting module, a second setting module, a first judging module, a second judging module, a receiving module, an authentication module and a decision module, wherein:
The first setting module is used to configure in advance the update cycle of the SSD of the called terminal;
The second setting module is used to configure the called terminal to cancel SSD sharing;
The first judging module is used, after the HLR/AUC returns the location information of the called terminal to the calling terminal, to determine according to the configuration of the first setting module whether the last update time of the SSD of the called terminal exceeds the update cycle;
The second judging module is used, after the first judging module determines that the last update time of the SSD of the called terminal exceeds the update cycle, to determine according to the configuration of the second setting module whether the called terminal has cancelled SSD sharing;
The receiving module is used, after the second judging module determines that the called terminal has cancelled SSD sharing, to receive the authentication request sent by the called terminal;
The authentication module is used to authenticate the called terminal according to the authentication request received by the receiving module;
The decision module is used to determine, according to the authentication result of the authentication module, whether the terminal has been illegally cloned: if authentication fails, and this is not the first time the called terminal accesses the network, the called terminal is determined to have been illegally cloned.
Further, the above HLR/AUC may also comprise an update indication module, used, after the authentication module authenticates the called terminal successfully and the first judging module determines that the last update time of the SSD of the called terminal exceeds the update cycle, to return to the called terminal via the mobile switching center of the called terminal an indication instructing the called terminal to perform an SSD update.
Further, in the above HLR/AUC, the update indication module may also be used, after the decision module determines that the called terminal has been illegally cloned, to decide according to the system configuration whether to allow the called terminal to perform an SSD update, wherein:
If the system is configured to allow the called terminal to perform an SSD update, and the access type of the authentication request of the called terminal is call termination, it returns to the called terminal via the mobile switching center of the called terminal an indication instructing the called terminal to perform an SSD update, carrying the random SSD parameter and the SSD parameter in the indication;
If the system is configured not to allow the called terminal to perform an SSD update, it returns an authentication failure response to the called terminal via the mobile switching center of the called terminal, carrying a deny reason parameter.
Further, in the above HLR/AUC, the receiving module may receive the authentication request of the called terminal via the mobile switching center of the called terminal.
Compared with the prior art, the present invention, by periodically and automatically updating the SSD of the called terminal, solves the problem that the current SSD update procedure cannot detect whether a cloned terminal has illegally accessed the network, and thereby prevents a user's terminal number from being illegally misused over a long period.
Brief description of the drawings
Fig. 1 is a flow chart of the call procedure standardized in the ANSI-41 protocol when a mobile subscriber is called, according to the related art;
Fig. 2 is a flow chart of a terminal authentication method of the present invention;
Fig. 3 is a structural block diagram of an HLR/AUC according to an example of the present invention;
Fig. 4 is a schematic flow chart in which, when a mobile terminal is called, the HLR/AUC decides whether the SSD of the called terminal is set to not shared, according to an example of the present invention;
Fig. 5 is a schematic flow chart in which, after the called terminal MS-A is authenticated successfully, the HLR/AUC decides according to the time of the last successful SSD update of the called terminal whether to perform an SSD update, according to an example of the present invention;
Fig. 6 is a schematic flow chart in which, after the called terminal MS-B fails authentication, the HLR/AUC decides according to the system configuration whether to allow the called subscriber to perform an SSD update and whether to raise an authentication failure alarm, according to an example of the present invention;
Fig. 7 is a flow chart of the terminal authentication method according to an example of the present invention.
Detailed description of the embodiments
The present invention is further described below with reference to the drawings and embodiments.
The main idea of the present invention is as follows: when a terminal is called, the SSD of the called terminal is periodically updated automatically according to the system configuration. Suppose there are two mobile stations (MS), MS-A and MS-B, one of which is a legitimate terminal and the other a cloned terminal. Because at any particular moment only one of MS-A and MS-B can receive a given call and perform the SSD update, the SSD values of MS-A and MS-B cannot remain consistent for long; as a result, one of the two terminals will soon fail authentication. The system can thus detect the illegally cloned terminal in time, and can notify system maintenance personnel through an alarm (ALM) message so that the matter is handled, preventing the user terminal from being illegally misused over a long period.
As shown in Fig. 2, a terminal authentication method of the present invention is applied in a network environment comprising an HLR/AUC, the mobile switching center of the called terminal, and the terminal device acting as the called terminal, and comprises:
Step 10: the HLR/AUC of the called terminal configures in advance the update cycle of the SSD of the called terminal;
Step 20: after the HLR/AUC of the called terminal returns the location information of the called terminal to the calling terminal, it determines whether the last update time of the SSD of the called terminal exceeds the update cycle, and whether the called terminal is configured to cancel SSD sharing once the update cycle is exceeded; if both hold, the HLR/AUC receives, via the mobile switching center of the called terminal, the authentication request sent by the called terminal, and authenticates the called terminal;
When the HLR/AUC determines that the last update time of the SSD of the called terminal exceeds the update cycle and that the called terminal is configured to cancel SSD sharing once the update cycle is exceeded, the HLR/AUC sends to the called terminal, via the mobile switching center of the called terminal, an authentication directive message instructing the called terminal to cancel SSD sharing, and receives via the same mobile switching center the authentication directive response message returned by the called terminal.
Step 30: if the called terminal fails authentication, and the HLR/AUC of the called terminal determines that this is not the first time the called terminal accesses the network, the called terminal is determined to have been illegally cloned.
After the HLR/AUC determines that the called terminal has been illegally cloned, it decides according to the system configuration whether to allow the called terminal to perform an SSD update, wherein:
If the system is configured to allow the called terminal to perform an SSD update, and the HLR/AUC determines that the access type of the authentication request is call termination, the HLR/AUC returns to the called terminal, via the mobile switching center of the called terminal, an indication instructing the called terminal to perform an SSD update, carrying the random SSD parameter and the SSD parameter in the indication.
If the system is configured not to allow the called terminal to perform an SSD update, the HLR/AUC returns an authentication failure response to the called terminal via the mobile switching center of the called terminal, carrying a deny reason parameter.
Step 40: if the called terminal fails authentication, the HLR/AUC decides according to the system configuration whether to raise a called-terminal authentication failure alarm; if the called terminal is authenticated successfully, and the HLR/AUC determines that the last update time of the SSD of the called terminal exceeds the update cycle, the HLR/AUC returns to the called terminal, via the mobile switching center of the called terminal, an indication instructing the called terminal to perform an SSD update, and the called terminal updates its SSD according to the received indication.
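The following Python simulation is an added example, not code from the patent: it runs the decision flow of steps 10 to 40 for the MS-A/MS-B situation described above, where a legitimate terminal and a clone start with identical MIN, ESN, A-Key and SSD but only the terminal that answers a given call receives the RANDSSD of the periodic update. HMAC-SHA256 stands in for the CAVE computations of AUTHR and of the new SSD, and all identities, keys, timings and the message names of the returned outcomes are constructed for the illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def compute_authr(ssd: bytes, rand: bytes, min_: str, esn: str) -> bytes:
    """Stand-in for CAVE: both sides MAC RAND and the terminal identity under the SSD."""
    return hmac.new(ssd, rand + min_.encode() + esn.encode(), hashlib.sha256).digest()


def derive_ssd(a_key: bytes, randssd: bytes) -> bytes:
    """Stand-in for SSD generation: a new SSD derived from the A-Key and RANDSSD."""
    return hmac.new(a_key, randssd, hashlib.sha256).digest()[:16]


@dataclass
class Terminal:
    """A mobile station; a clone carries the same MIN, ESN, A-Key and SSD as the original."""
    min: str
    esn: str
    a_key: bytes
    ssd: bytes


@dataclass
class Subscriber:
    """Per-subscriber record held in the HLR/AUC database."""
    a_key: bytes
    ssd: bytes
    last_ssd_update: int            # time of the last successful SSD update
    first_access: bool = False      # True until the terminal has accessed the network
    update_cycle: int = 3600        # first setting module: SSD auto-update cycle (seconds)
    nossd_after_cycle: bool = True  # second setting module: cancel SSD sharing once exceeded


@dataclass
class HlrAuc:
    subscribers: dict
    allow_ssd_update_after_clone: bool = True  # system setting consulted after clone detection
    alarm_on_auth_failure: bool = True         # system setting consulted in step 40
    alarms: list = field(default_factory=list)

    def _ssd_update(self, sub: Subscriber, term: Terminal, now: int) -> None:
        """Send RANDSSD to the terminal on the call; both sides derive the new SSD."""
        randssd = os.urandom(7)
        sub.ssd = derive_ssd(sub.a_key, randssd)
        term.ssd = derive_ssd(term.a_key, randssd)  # only this terminal ever sees RANDSSD
        sub.last_ssd_update = now

    def terminated_call(self, term: Terminal, now: int, access_type: str = "termination") -> str:
        """Decision taken after the location response (locreq) has been returned."""
        sub = self.subscribers[term.min]
        # Step 20: first judging module (cycle exceeded?) and second (NOSSD configured?)
        cycle_exceeded = now - sub.last_ssd_update > sub.update_cycle
        if not (cycle_exceeded and sub.nossd_after_cycle):
            return "no_auth"  # call proceeds as in the related art, SSD unchanged
        # AUTHDIR(NOSSD=1) goes to the terminal, which then sends its authentication request
        rand = os.urandom(4)
        expected = compute_authr(sub.ssd, rand, term.min, term.esn)
        received = compute_authr(term.ssd, rand, term.min, term.esn)
        if hmac.compare_digest(expected, received):
            # Step 40, success branch: the cycle is exceeded, so instruct an SSD update
            self._ssd_update(sub, term, now)
            sub.first_access = False
            return "auth_ok_ssd_updated"
        # Step 40, failure branch: raise the alarm if the system is configured to
        if self.alarm_on_auth_failure:
            self.alarms.append(f"AUTHFAIL MIN={term.min} ESN={term.esn} t={now}")
        # Step 30: failure on anything but the first access means the number is cloned
        if sub.first_access:
            sub.first_access = False
            return "auth_fail_first_access"
        if self.allow_ssd_update_after_clone and access_type == "termination":
            self._ssd_update(sub, term, now)  # indication carries RANDSSD and SSD parameters
            return "clone_detected_ssd_update"
        return "clone_detected_denied"  # authentication failure response with a deny reason


def run_scenario(allow_update_after_clone: bool = True) -> tuple:
    """MS-A (legitimate) and MS-B (clone) share all credentials; calls alternate between them."""
    a_key = b"\x11" * 8                    # constructed A-Key
    ssd0 = derive_ssd(a_key, b"\x00" * 7)  # constructed initial SSD, identical on all three sides
    hlr = HlrAuc({"4085551234": Subscriber(a_key, ssd0, last_ssd_update=0)},
                 allow_ssd_update_after_clone=allow_update_after_clone)
    ms_a = Terminal("4085551234", "A1B2C3D4", a_key, ssd0)
    ms_b = Terminal("4085551234", "A1B2C3D4", a_key, ssd0)
    outcomes = [
        hlr.terminated_call(ms_a, now=100),   # inside the cycle: no authentication at all
        hlr.terminated_call(ms_b, now=200),   # the clone also passes while the SSDs still agree
        hlr.terminated_call(ms_a, now=4000),  # cycle exceeded: MS-A authenticated, SSD updated
        hlr.terminated_call(ms_b, now=8000),  # cycle exceeded again: MS-B holds the stale SSD
    ]
    return outcomes, hlr.alarms


if __name__ == "__main__":
    print(run_scenario())
```

The fourth call is where the two terminals diverge: MS-B never saw the RANDSSD sent to MS-A, so its AUTHR no longer matches and the failure on a non-first access is classified as a clone.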
The HLR/AUC of the present invention is used for terminal authentication and comprises: a first setting module, a second setting module, a first judging module, a second judging module, a receiving module, an authentication module, a decision module and an update indication module, wherein:
The first setting module is used to configure in advance the update cycle of the SSD of the called terminal;
The second setting module is used to configure the called terminal to cancel SSD sharing;
The first judging module is used, after the HLR/AUC returns the location information of the called terminal to the calling terminal, to determine according to the configuration of the first setting module whether the last update time of the SSD of the called terminal exceeds the update cycle;
The second judging module is used, after the first judging module determines that the last update time of the SSD of the called terminal exceeds the update cycle, to determine according to the configuration of the second setting module whether the called terminal has cancelled SSD sharing;
The receiving module is used, after the second judging module determines that the called terminal has cancelled SSD sharing, to receive the authentication request sent by the called terminal via the mobile switching center of the called terminal;
The authentication module is used to authenticate the called terminal according to the authentication request received by the receiving module;
The decision module is used to determine, according to the authentication result of the authentication module, whether the terminal has been illegally cloned: if authentication fails, and this is not the first time the called terminal accesses the network, the called terminal is determined to have been illegally cloned.
The update indication module is used, after the authentication module authenticates the called terminal successfully and the first judging module determines that the last update time of the SSD of the called terminal exceeds the update cycle, to return to the called terminal via the mobile switching center of the called terminal an indication instructing the called terminal to perform an SSD update.
The update indication module is also used, after the decision module determines that the called terminal has been illegally cloned, to decide according to the system configuration whether to allow the called terminal to perform an SSD update, wherein:
If the system is configured to allow the called terminal to perform an SSD update, and the access type of the authentication request of the called terminal is call termination, it returns to the called terminal via the mobile switching center of the called terminal an indication instructing the called terminal to perform an SSD update, carrying the random SSD parameter and the SSD parameter in the indication;
If the system is configured not to allow the called terminal to perform an SSD update, it returns an authentication failure response to the called terminal via the mobile switching center of the called terminal, carrying a deny reason parameter.
The present invention is further described below with reference to specific examples.
Fig. 3 is a structural block diagram of the HLR/AUC according to an example of the present invention, comprising: a first setting module 302, a second setting module 304, a first judging module 306, a second judging module 308, a receiving module 310, an authentication module 312 and a decision module 314, described in detail below.
The first setting module 302 is used to configure in advance the automatic update cycle of the SSD of the called terminal.
The second setting module 304 is used to configure whether the called terminal cancels SSD sharing once the last update time of its SSD exceeds the update cycle.
The first judging module 306, connected to the first setting module 302, is used to determine whether the last update time of the SSD of the called terminal exceeds the update cycle.
The second judging module 308, connected to the second setting module 304, is used to determine whether the called terminal cancels SSD sharing once the last update time of its SSD exceeds the update cycle.
The receiving module 310, connected to the first judging module 306 and the second judging module 308, is used to receive the authentication request sent by the called terminal via the MSC/VLR.
The authentication module 312, connected to the receiving module 310, is used to authenticate the called terminal.
The decision module 314, connected to the authentication module 312, is used to determine whether the called terminal has been illegally cloned.
A preferred structure of this HLR/AUC further comprises an update indication module 316, connected to the authentication module 312 and used to return to the called terminal via the MSC/VLR an authentication response message instructing the called terminal to perform an SSD update.
Specifically, the detailed operation of the above structure is as follows:
(1) if the result of the first judging module 306 is yes, and the result of the second judging module 308 is yes, the receiving module 310 receives the authentication request sent by the called terminal via the MSC/VLR, and the authentication module 312 authenticates the called terminal;
(2) if the authentication module 312 authenticates the called terminal successfully, the second judging module 308 determines whether the called terminal cancels SSD sharing once the last update time of its SSD exceeds the update cycle; if the result of the second judging module 308 is yes, the update indication module 316 returns to the called terminal via the MSC/VLR an indication instructing the called terminal to perform an SSD update;
(3) if the authentication module 312 fails to authenticate the called terminal, and this is not the first time the called terminal accesses the network, the decision module 314 determines that the called terminal has been illegally cloned.
Fig. 4 is a schematic diagram in which, when a mobile terminal is called, the HLR/AUC decides whether the SSD of the called terminal is set to not shared. When the mobile terminal is called, the called terminal may be MS-A or MS-B. First, the following is configured:
(1) The automatic update cycle of the SSD of the called terminal is configured in advance. It can be a system-level configuration applied identically to all terminals homed at the HLR/AUC, or it can be configured separately as service information of the mobile terminal and stored in the internal database of the HLR/AUC together with the other subscription information.
(2) Whether the terminal cancels SSD sharing once the time of the last successful SSD update of the called terminal exceeds the automatic SSD update cycle configured by the system is configured in advance. It can likewise be a system-level configuration applied identically to all terminals homed at the HLR/AUC, or it can be configured separately as service information of the mobile terminal and stored in the internal database of the HLR/AUC together with the other subscription information.
After that, this example comprises the following steps:
Step S402: when the mobile terminal is called, the calling terminal that originates the call sends a connection management service request through the base station controller (BSC) to the MSC/VLR where the calling terminal is currently registered, and a radio channel is assigned; the MSC/VLR of the calling terminal then sends a location request message (LOCREQ) to the home HLR/AUC of the called terminal, requesting the location information of the called terminal;
Step S404: the home HLR/AUC of the called terminal receives the location request message and, by searching its internal database, determines whether the MSC/VLR where the calling terminal is currently registered is the MSC/VLR where the called terminal is currently registered, that is, whether the called terminal and the calling terminal are on the same MSC/VLR. If so, the HLR/AUC directly returns the location information (locreq) of the called terminal; if not, it sends a routing request message (ROUTREQ) to the MSC/VLR where the called terminal is currently registered, requesting the routing information of the called terminal;
Step S406: the MSC/VLR where the called terminal is currently registered receives the routing request message (ROUTREQ) and returns a routing response message (routreq) to the HLR/AUC, carrying the routing information of the called terminal;
Step S408: the HLR/AUC receives the routing response message (routreq) and returns a location response message (locreq) to the MSC/VLR where the calling terminal is currently registered, carrying the location information of the called terminal;
Step S410: the MSC/VLR where the calling terminal is currently registered sends an initial address message (IAI) to the MSC/VLR where the called terminal is currently registered;
Step S412: the MSC/VLR where the called terminal is currently registered analyzes the called number (TLDN) in the IAI message, finds that it was allocated by this MSC/VLR, resolves it as a local terminating service, and sends a paging request message (PageReq) to the BSC, requesting that the called terminal be paged;
Step S414: the BSC pages the called terminal and sends a page response message (PageRsp) to the MSC/VLR where the called terminal is currently registered;
Step S416: after the MSC/VLR where the called terminal is currently registered has applied for a land circuit for the called terminal, it requests the BSC to assign a radio channel (Assign Req);
Step S418: the BSC returns a radio channel assignment response (Assign Cmpl), indicating that the radio channel assignment succeeded; at this point the called terminal rings;
Step S420: the MSC/VLR where the called terminal is currently registered sends an address complete message (ACM) to the MSC/VLR where the calling terminal is currently registered, and the calling terminal starts to hear the ringback tone;
Step S422: the called party goes off-hook, the MSC where the called terminal is currently registered sends an answer signal (ANC) to the MSC/VLR where the calling terminal is currently registered, and the two parties start the conversation;
Step S424: according to the automatic SSD update cycle of the called terminal configured by the system, the HLR/AUC determines whether the time of the last successful SSD update of the called terminal exceeds the automatic SSD update cycle; if yes, proceed to step S426; if no, proceed to step S436;
Step S426: determine whether the called terminal cancels SSD sharing; if yes, proceed to step S428; if no, proceed to step S436;
Step S428: the HLR/AUC sends an authentication directive message (AUTHDIR) to the MSC/VLR where the called terminal is registered, to cancel SSD sharing of the called terminal (NOSSD=1); that is, the HLR/AUC sends to the called terminal via the MSC/VLR an authentication directive message instructing the called terminal to cancel SSD sharing;
Step S430, the MSC/VLR of terminal called registration sends authentication Indication message (AUTHDIR) to terminal called;
Step S432, terminal called returns authentication indication response message (authdir) to the MSC/VLR of terminal called registration;
Step S434, the MSC/VLR of terminal called registration returns authentication indication response message (authdir) to HLR/AUC; After this, HLR/AUC receives the authentication indication response message that terminal called returns via MSC/VLR;
Step S436, winding-up.
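The routing decision of steps S404 to S408 and the SSD-sharing check of steps S424 to S428 above, written out as an added Python example. This is illustrative code for this page, not the applicant's implementation; the message dictionaries, the stub that stands in for the called terminal's MSC/VLR answering ROUTREQ with a TLDN, the sample subscriber records, and the rule that a per-terminal "cancel SSD sharing" setting overrides the system-level default are all assumptions of the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class SystemConfig:                  # HLR/AUC system-level settings
    ssd_update_cycle: timedelta      # the SSD auto-update cycle
    cancel_ssd_sharing_default: bool # applies to every terminal belonging to this HLR/AUC

@dataclass
class Subscriber:                    # HLR/AUC internal database record (constructed)
    min_number: str
    current_msc_vlr: str             # MSC/VLR where the terminal is currently registered
    ssd_last_update: datetime        # time of the last successful SSD update
    # Per-terminal business setting; None means "use the system-level value"
    # (this precedence rule is an assumption of the example, not stated in the page).
    cancel_ssd_sharing: Optional[bool] = None

def msc_vlr_routreq(msc_vlr: str, min_number: str) -> dict:
    # Constructed stand-in for the called terminal's MSC/VLR answering ROUTREQ (step S406)
    return {"msg": "routreq", "from": msc_vlr, "TLDN": f"TLDN-{msc_vlr}-{min_number}"}

class HlrAuc:
    def __init__(self, config: SystemConfig, subscribers):
        self.config = config
        self.db = {s.min_number: s for s in subscribers}
        self.sent = []               # every message the HLR/AUC sends, in order

    def handle_locreq(self, calling_msc_vlr: str, called_min: str) -> dict:
        """Steps S404-S408: answer LOCREQ; send ROUTREQ to the called terminal's
        MSC/VLR only when the calling terminal is registered at a different one."""
        called = self.db[called_min]
        if calling_msc_vlr == called.current_msc_vlr:
            locreq = {"msg": "locreq", "msc_vlr": called.current_msc_vlr, "routed": False}
        else:
            self.sent.append({"msg": "ROUTREQ", "to": called.current_msc_vlr, "min": called_min})
            routreq = msc_vlr_routreq(called.current_msc_vlr, called_min)
            locreq = {"msg": "locreq", "msc_vlr": called.current_msc_vlr,
                      "TLDN": routreq["TLDN"], "routed": True}
        self.sent.append(locreq)
        return locreq

    def cycle_expired(self, sub: Subscriber, now: datetime) -> bool:
        # Step S424: time since the last successful SSD update exceeds the cycle
        return now - sub.ssd_last_update > self.config.ssd_update_cycle

    def cancels_ssd_sharing(self, sub: Subscriber) -> bool:
        # Step S426: per-terminal setting first, system-level default otherwise
        if sub.cancel_ssd_sharing is not None:
            return sub.cancel_ssd_sharing
        return self.config.cancel_ssd_sharing_default

    def after_location_response(self, called_min: str, now: datetime) -> Optional[dict]:
        """Steps S424-S428: cancel SSD sharing with AUTHDIR (NOSSD=1) when both
        conditions hold; otherwise nothing is sent (step S436)."""
        sub = self.db[called_min]
        if not (self.cycle_expired(sub, now) and self.cancels_ssd_sharing(sub)):
            return None
        authdir = {"msg": "AUTHDIR", "to": sub.current_msc_vlr, "min": called_min, "NOSSD": 1}
        self.sent.append(authdir)
        return authdir

def run_fig4(hlr: HlrAuc, calling_msc_vlr: str, called_min: str, now: datetime) -> list:
    """Location request followed by the SSD-sharing check; returns the message types sent."""
    hlr.handle_locreq(calling_msc_vlr, called_min)
    hlr.after_location_response(called_min, now)
    return [m["msg"] for m in hlr.sent]

# Constructed sample data: a 7-day cycle and three subscribers in different states
NOW = datetime(2008, 12, 15, 12, 0)
CONFIG = SystemConfig(ssd_update_cycle=timedelta(days=7), cancel_ssd_sharing_default=True)
SUBSCRIBERS = [
    Subscriber("MIN-0001", "MSC-1", NOW - timedelta(days=10)),                            # expired, default applies
    Subscriber("MIN-0002", "MSC-2", NOW - timedelta(days=10), cancel_ssd_sharing=False),  # per-terminal opt-out
    Subscriber("MIN-0003", "MSC-1", NOW - timedelta(days=1)),                             # cycle not yet expired
]

if __name__ == "__main__":
    for called in ("MIN-0001", "MIN-0002", "MIN-0003"):
        print(called, run_fig4(HlrAuc(CONFIG, SUBSCRIBERS), "MSC-1", called, NOW))
```

Only the first subscriber receives AUTHDIR: the second is registered at another MSC/VLR (so a ROUTREQ goes out first) and has opted out of cancelling SSD sharing, and the third is still inside its update cycle.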
Fig. 5 is a schematic diagram showing how, after called terminal MS-A has authenticated successfully, the HLR/AUC decides on the basis of the time of MS-A's last successful SSD update whether to perform an SSD update. Because at any particular moment only one of MS-A and MS-B can be engaged in a call, the called terminal is assumed to be MS-A.
According to the ANSI-41 protocol, during the call, after the HLR/AUC has cancelled the SSD sharing of MS-A via the authentication directive message (AUTHDIR), called terminal MS-A is authenticated by initiating an authentication request (AUTHREQ) through the MSC/VLR. The settings of the SSD auto-update cycle of the called terminal and of whether the called terminal cancels SSD sharing are the same as in Fig. 4.
Step S502: Called terminal MS-A initiates a called-terminal authentication request message (AUTHREQ) to the MSC/VLR for authentication;
Step S504: The MSC/VLR sends the called-terminal authentication request message (AUTHREQ) to the HLR/AUC to authenticate MS-A;
Step S506: The HLR/AUC authenticates MS-A and judges whether the authentication succeeds. Successful authentication of MS-A means that the authentication result (AUTHR) computed by the HLR/AUC from the RANDU (unique challenge random number) and the terminal MIN carried in the authentication request message (AUTHREQ) together with the SSD currently stored on the network side is identical to the AUTHR carried in that AUTHREQ. If yes, proceed to step S508; if no, proceed to step S516;
Step S508: According to the SSD auto-update cycle of the called terminal configured in the system, the HLR/AUC judges whether the time since the last successful SSD update of the called terminal exceeds the SSD auto-update cycle. If yes, proceed to step S510; if no, proceed to step S516;
Step S510: Check whether the access type of the called-terminal authentication request (AUTHREQ) is a terminating call (Page Response), and further judge whether the called terminal is configured to cancel SSD sharing. If both judgements are yes, proceed to step S512; otherwise, proceed to step S516;
Step S512: The HLR/AUC returns a called-terminal authentication response message (authreq) to the MSC/VLR instructing the terminal to perform an SSD update, carrying RANDSSD (the shared-secret-data random number) and the SSD in the authentication response message (authreq); that is, the HLR/AUC returns to the called terminal, via the MSC/VLR, an indication instructing the called terminal to perform an SSD update;
Step S514: The MSC/VLR returns the authentication response message (authreq) to MS-A; MS-A receives the called-terminal authentication response message (authreq) and performs the SSD update according to the above indication. The SSD update procedure itself is outside the scope described by the present invention; for details refer to the ANSI-41 protocol;
Step S516: End.
Fig. 6 is a schematic diagram showing how, after called terminal MS-B has failed authentication, the HLR/AUC decides according to system settings whether to allow the called terminal to perform an SSD update and whether to raise an authentication-failure alarm. Because the terminal assumed to receive the call in Fig. 5 is MS-A, the terminal that fails authentication in Fig. 6 is MS-B. Whether to allow an SSD update after the called terminal fails authentication, and whether to alarm, can both be configured as system-level settings of the HLR/AUC.
As shown in Fig. 6, after MS-B fails authentication, the HLR/AUC decides according to system settings whether to allow the called terminal to perform an SSD update and whether to raise an authentication-failure alarm, comprising:
Step S602: Called terminal MS-B initiates an authentication request (AUTHREQ) to the MSC/VLR for authentication;
Step S604: The MSC/VLR sends the authentication request message (AUTHREQ) to the HLR/AUC to authenticate MS-B;
Step S606: The HLR/AUC authenticates MS-B and judges whether the authentication fails. Authentication failure of MS-B means that the authentication result (AUTHR) computed by the HLR/AUC from the RANDU and the terminal MIN carried in the authentication request message (AUTHREQ) together with the SSD currently stored on the network side is inconsistent with the AUTHR carried in that AUTHREQ. If yes, proceed to step S608; if no, proceed to step S622;
Step S608: The HLR/AUC checks whether MS-B is an old terminal, where an old terminal means terminal equipment that is not accessing the network for the first time. Because the authentication of terminal equipment accessing the network for the first time is bound to fail, the HLR/AUC to which the terminal belongs must distinguish old terminals from new ones; the information distinguishing old and new terminals can be stored as business state information of the mobile terminal in the internal database of the HLR/AUC together with its other subscription information. The HLR/AUC further judges whether an SSD update is allowed after the called terminal fails authentication. If both judgements are yes, proceed to step S610; if the first judgement is yes and the second is no, proceed to step S616; if both judgements are no, proceed to step S622;
Step S610: If MS-B is an old terminal and an SSD update is allowed after the called terminal fails authentication, check whether the access type of the authentication request (AUTHREQ) is a terminating call (Page Response). If yes, proceed to step S612; if no, proceed to step S616;
Step S612: The HLR/AUC returns an authentication response message (authreq) to the MSC/VLR instructing the terminal to perform an SSD update, carrying RANDSSD and the SSD in the authentication response message (authreq); that is, when the system is set to allow the called terminal to perform an SSD update, the HLR/AUC returns to the called terminal, via the MSC/VLR, an indication instructing the called terminal to perform an SSD update, the indication carrying the random SSD parameter and the SSD parameter. Proceed to step S614 and step S620;
Step S614: The MSC/VLR returns the authentication response message (authreq) to MS-B, after which MS-B performs the SSD update. The SSD update procedure itself is outside the scope described by the present invention; for details refer to the ANSI-41 protocol;
Step S616: If an SSD update is prohibited after MS-B fails authentication, the HLR/AUC returns an authentication-failure response message (authreq) to the MSC/VLR carrying the deny-access reason parameter (DenyAccess); that is, when the system is set not to allow the called terminal to perform an SSD update, the HLR/AUC returns an authentication-failure response to the called terminal via the MSC/VLR;
Step S618: The MSC/VLR returns the authentication-failure response message (authreq) to MS-B, and MS-B receives it;
Step S620: If the system is set to alarm on authentication failure, the HLR/AUC notifies the maintenance staff of the terminal authentication failure via an ALM message; that is, the HLR/AUC decides according to system settings whether to raise a called-terminal authentication-failure alarm;
Step S622: End.
From the above example it can be seen that, as far as the HLR/AUC is concerned, when the terminal has been cloned MS-A and MS-B are the same terminal. In Fig. 5, MS-A performed an SSD update after successful authentication; therefore the SSD stored on the network side and the SSD stored by MS-B in step S606 are necessarily inconsistent, so the authentication of MS-B is bound to fail.
Fig. 7 is a flow chart of the terminal authentication method, applied in a network environment comprising an HLR/AUC, an MSC/VLR, and terminal equipment acting as the called terminal.
Step S702: The update cycle of the SSD of the called terminal is set in advance;
Step S704: After the HLR/AUC has returned the location information of the called terminal to the calling terminal, if the time since the last update of the SSD of the called terminal exceeds the update cycle, and the called terminal has been set in advance to cancel SSD sharing once the update cycle is exceeded, the HLR/AUC receives the authentication request sent by the called terminal via the MSC/VLR and authenticates the called terminal;
Step S706: If the called terminal authenticates successfully, the HLR/AUC judges whether the time since the last update of the SSD of the called terminal exceeds the update cycle; if yes, the HLR/AUC returns to the called terminal, via the MSC/VLR, an indication instructing the called terminal to perform an SSD update;
Step S708: If the called terminal fails authentication and is not accessing the network for the first time, it is determined that the called terminal has been illegally cloned.
When terminal equipment has been illegally cloned, the periodic SSD update performed by the HLR means that the SSDs of the legitimate terminal and of the cloned terminal (MS-A and MS-B) cannot remain consistent for long. As a result, one of the two will soon fail authentication, so a cloned terminal can be detected in time, the system maintenance staff can be notified via an ALM message and deal with it, and long-term illegal use of the terminal is avoided.
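The HLR/AUC's handling of an AUTHREQ as laid out in Figs. 5 to 7 (AUTHR comparison, SSD update on success once the cycle has expired, the old/new terminal distinction, the clone determination, and the alarm and DenyAccess handling on failure), as an added Python example rather than the applicant's code. It uses HMAC-SHA256 as a stand-in for the CAVE computations of AUTHR and SSD, constructs the A-Key, SSD, MIN and RANDU values, and raises the alarm on any old-terminal failure as in claim 4; all of these are assumptions of the example. The simulation shows the argument of the paragraph above: once the HLR/AUC refreshes MS-A's SSD, the clone MS-B, which never received RANDSSD, fails and is recorded as cloned, whereas a terminal that fails on its first network access is not.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

# Stand-ins for the CAVE computations of ANSI-41 (assumption: HMAC-SHA256 is used
# only so the example runs offline; it is not the CAVE algorithm).
def compute_authr(ssd: bytes, randu: bytes, min_number: str) -> str:
    return hmac.new(ssd, randu + min_number.encode(), hashlib.sha256).hexdigest()[:6]

def derive_ssd(a_key: bytes, randssd: bytes) -> bytes:
    return hmac.new(a_key, randssd, hashlib.sha256).digest()[:16]

@dataclass
class SystemConfig:             # HLR/AUC system-level settings
    ssd_update_cycle: timedelta
    allow_ssd_update_after_failure: bool
    alarm_on_failure: bool

@dataclass
class Subscriber:               # HLR/AUC internal database record (constructed)
    min_number: str
    a_key: bytes
    ssd: bytes                  # SSD currently stored on the network side
    ssd_last_update: datetime
    cancel_ssd_sharing: bool    # cancel SSD sharing once the cycle has expired
    first_access: bool          # True until the terminal has accessed the network once

@dataclass
class Terminal:                 # a mobile station; MS-A and its clone MS-B share one MIN
    min_number: str
    a_key: bytes
    ssd: bytes

    def build_authreq(self, randu: bytes, access_type: str) -> dict:
        return {"msg": "AUTHREQ", "min": self.min_number, "randu": randu, "access_type": access_type,
                "authr": compute_authr(self.ssd, randu, self.min_number)}

    def apply_response(self, resp: dict) -> None:
        if "RANDSSD" in resp:   # only the terminal that receives RANDSSD derives the new SSD
            self.ssd = derive_ssd(self.a_key, resp["RANDSSD"])

class HlrAuc:
    def __init__(self, config: SystemConfig, subscribers, rand=secrets.token_bytes):
        self.config, self.rand = config, rand
        self.db = {s.min_number: s for s in subscribers}
        self.cloned = set()     # MINs confirmed as illegally cloned (step S708)
        self.alarms = []        # ALM notifications to maintenance staff (step S620)

    def cycle_expired(self, sub: Subscriber, now: datetime) -> bool:
        return now - sub.ssd_last_update > self.config.ssd_update_cycle

    def ssd_update_indication(self, sub: Subscriber, now: datetime) -> dict:
        randssd = self.rand(7)  # S512/S612: fresh RANDSSD, network-side SSD refreshed
        sub.ssd, sub.ssd_last_update = derive_ssd(sub.a_key, randssd), now
        return {"msg": "authreq", "result": "success", "RANDSSD": randssd, "SSD": sub.ssd}

    def handle_authreq(self, req: dict, now: datetime) -> dict:
        sub = self.db[req["min"]]
        expected = compute_authr(sub.ssd, req["randu"], sub.min_number)
        page_response = req["access_type"] == "PageResponse"
        if hmac.compare_digest(expected, req["authr"]):            # S506: AUTHR matches
            sub.first_access = False
            if self.cycle_expired(sub, now) and page_response and sub.cancel_ssd_sharing:
                return self.ssd_update_indication(sub, now)       # S508-S512
            return {"msg": "authreq", "result": "success"}
        if sub.first_access:                                       # S608: a new terminal's
            sub.first_access = False                               # first attempt is expected to fail
            return {"msg": "authreq", "result": "failure"}
        self.cloned.add(sub.min_number)                            # S608/S708: old terminal failed
        if self.config.alarm_on_failure:                           # S620 / claim 4
            self.alarms.append(f"ALM: authentication failure for MIN {sub.min_number}")
        if self.config.allow_ssd_update_after_failure and page_response:
            return self.ssd_update_indication(sub, now)           # S610-S612
        return {"msg": "authreq", "result": "failure", "DenyAccess": "auth-failed"}  # S616

def simulate_clone_detection() -> dict:
    now = datetime(2008, 12, 15, 12, 0)
    a_key, ssd0, randu = b"constructed-a-key", b"constructed-initial-ssd", b"\x01\x02\x03"
    config = SystemConfig(timedelta(days=7), allow_ssd_update_after_failure=False, alarm_on_failure=True)
    hlr = HlrAuc(config, [Subscriber("MIN-0001", a_key, ssd0, now - timedelta(days=10), True, False),
                          Subscriber("MIN-0002", a_key, ssd0, now, True, True)])
    ms_a, ms_b = Terminal("MIN-0001", a_key, ssd0), Terminal("MIN-0001", a_key, ssd0)  # legitimate + clone
    out = {}
    # Fig. 5: MS-A answers a terminating call, succeeds, and the expired cycle triggers an SSD update
    r1 = hlr.handle_authreq(ms_a.build_authreq(randu, "PageResponse"), now)
    ms_a.apply_response(r1)
    out["ms_a"] = (r1["result"], "RANDSSD" in r1)
    # Fig. 6: MS-B never saw RANDSSD, still holds ssd0, fails, and is confirmed as a clone
    r2 = hlr.handle_authreq(ms_b.build_authreq(randu, "PageResponse"), now + timedelta(hours=1))
    out["ms_b"] = (r2["result"], r2.get("DenyAccess"))
    out["cloned"], out["alarms"] = sorted(hlr.cloned), len(hlr.alarms)
    # A terminal accessing the network for the first time also fails but is not flagged
    r3 = hlr.handle_authreq(Terminal("MIN-0002", a_key, b"other").build_authreq(randu, "Origination"), now)
    out["new_terminal"] = (r3["result"], "MIN-0002" in hlr.cloned)
    out["ms_a_after"] = hlr.handle_authreq(ms_a.build_authreq(randu, "PageResponse"), now)["result"]
    return out
```

Setting `allow_ssd_update_after_failure` to True exercises the S610 to S612 branch instead: a failed old terminal answering a page would then be handed a fresh RANDSSD, which is why the page leaves that choice to system configuration.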
In addition, the scenarios described in the above examples all treat the MSC and VLR as one entity and the HLR and AUC as one entity. In practice, the MSC and VLR may be separate or combined, and the HLR and AUC may likewise be separate or combined. "HLR/AUC" denotes an entity having all the functions of the HLR and the AUC, and "MSC/VLR" denotes an entity having all the functions of the MSC and the VLR. The periodic automatic SSD update method described in the examples of the present invention is applicable not only to the scenario in which the terminal's SSD has been illegally cloned, but equally to the scenario in which the terminal's A-Key has been illegally cloned (with the SSD not cloned).
Obviously, those skilled in the art will understand that each of the modules or steps of the present invention described above can be implemented with general-purpose computing devices; they may be concentrated on a single computing device or distributed over a network formed by multiple computing devices. Optionally, they may be implemented with program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device, or each of them may be made into an integrated circuit module, or several of the modules or steps may be made into a single integrated circuit module. Thus the present invention is not restricted to any specific combination of hardware and software.
The above is merely a preferred embodiment of the present invention, and the protection scope of the present invention is not limited thereto; any variation or replacement that a person familiar with the art can readily conceive within the technical scope disclosed by the present invention shall be encompassed within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be determined by the protection scope of the claims.

Claims (7)

1. A terminal authentication method, comprising:
after the home location register/authentication center (HLR/AUC) of a called terminal returns the location information of the called terminal to a calling terminal, according to a configured update cycle of the shared secret data (SSD) of the called terminal, if it is judged that the time interval from the last update time of the SSD of the called terminal to the present exceeds the update cycle, and the called terminal is set to cancel SSD sharing once the update cycle is exceeded, the HLR/AUC authenticates the called terminal;
if the HLR/AUC fails to authenticate the called terminal, and if it is judged that the called terminal is not accessing the network for the first time, it is determined that the called terminal has been illegally cloned;
if the HLR/AUC authenticates the called terminal successfully, and the HLR/AUC judges that the time interval from the last update time of the SSD of the called terminal to the present exceeds the update cycle, the HLR/AUC returns to the called terminal, via the mobile switching center of the called terminal, an indication instructing the called terminal to perform an SSD update, and the called terminal performs the SSD update according to the received indication.
2. The terminal authentication method as claimed in claim 1, characterized in that,
if the HLR/AUC judges that the time interval from the last update time of the SSD of the called terminal to the present exceeds the update cycle, and the called terminal is set to cancel SSD sharing once the update cycle is exceeded, the HLR/AUC sends to the called terminal, via the mobile switching center of the called terminal, an authentication directive message instructing the called terminal to cancel SSD sharing, and receives the authentication directive response message returned by the called terminal via the mobile switching center of the called terminal.
3. The terminal authentication method as claimed in claim 1, characterized in that,
after the HLR/AUC determines that the called terminal has been illegally cloned, the HLR/AUC decides according to system settings whether to allow the called terminal to perform an SSD update, wherein,
if the system is set to allow the called terminal to perform an SSD update, and the HLR/AUC judges that the access type of the authentication request of the called terminal is a terminating call, the HLR/AUC returns to the called terminal, via the mobile switching center of the called terminal, an indication instructing the called terminal to perform an SSD update, the indication carrying a random shared secret data parameter and a shared secret data parameter;
if the system is set not to allow the called terminal to perform an SSD update, the HLR/AUC returns an authentication-failure response to the called terminal via the mobile switching center of the called terminal, carrying a deny-access reason parameter.
4. The terminal authentication method as claimed in claim 1, characterized in that,
if the HLR/AUC fails to authenticate the called terminal, and the HLR/AUC judges that the system is set to alarm after authentication failure, the HLR/AUC raises a called-terminal authentication-failure alarm.
5. A home location register/authentication center (HLR/AUC) for terminal authentication, characterized in that,
it comprises: a first setting module, a second setting module, a first judging module, a second judging module, a receiving module, an authentication module, a determination module and an update indication module, wherein,
the first setting module is used to set in advance the update cycle of the shared secret data (SSD) of the called terminal;
the second setting module is used to set that the called terminal cancels SSD sharing;
the first judging module is used, after the HLR/AUC returns the location information of the called terminal to the calling terminal, to judge according to the setting of the first setting module whether the time interval from the last update time of the SSD of the called terminal to the present exceeds the update cycle;
the second judging module is used, after the first judging module judges that the time interval from the last update time of the SSD of the called terminal to the present exceeds the update cycle, to judge according to the setting of the second setting module whether the called terminal cancels SSD sharing;
the receiving module is used, after the second judging module judges that the called terminal cancels SSD sharing, to receive the authentication request sent by the called terminal;
the authentication module is used to authenticate the called terminal according to the authentication request received by the receiving module;
the determination module is used to judge, according to the authentication result of the authentication module, whether the terminal has been illegally cloned: if authentication fails, and it is judged that the called terminal is not accessing the network for the first time, it determines that the called terminal has been illegally cloned;
the update indication module is used, after the authentication module authenticates the called terminal successfully and the first judging module judges that the time interval from the last update time of the SSD of the called terminal to the present exceeds the update cycle, to return to the called terminal, via the mobile switching center of the called terminal, an indication instructing the called terminal to perform an SSD update.
6. The home location register/authentication center as claimed in claim 5, characterized in that,
the update indication module is further used, after the determination module determines that the called terminal has been illegally cloned, to decide according to system settings whether to allow the called terminal to perform an SSD update, wherein,
if the system is set to allow the called terminal to perform an SSD update and the access type of the authentication request of the called terminal is a terminating call, it returns to the called terminal, via the mobile switching center of the called terminal, an indication instructing the called terminal to perform an SSD update, the indication carrying a random shared secret data parameter and a shared secret data parameter;
if the system is set not to allow the called terminal to perform an SSD update, it returns an authentication-failure response to the called terminal via the mobile switching center of the called terminal, carrying a deny-access reason parameter.
7. The home location register/authentication center as claimed in claim 5, characterized in that,
the receiving module receives the authentication request of the called terminal via the mobile switching center of the called terminal.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008101858349A CN101754197B (en) 2008-12-15 2008-12-15 Terminal authentication method and home location register/authentication center

Publications (2)

Publication Number Publication Date
CN101754197A CN101754197A (en) 2010-06-23
CN101754197B true CN101754197B (en) 2012-06-13

Family

ID=42480417


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120613

Termination date: 20171215
