
CN101808313A - Method for acquiring TMSI (Temporary Mobile Subscriber Identity), mobile station, home location register and communication system

Info

Publication number: CN101808313A
Authority: CN (China)
Prior art keywords: imsi, random number, hlr, location register, encrypted
Legal status: Granted; current status Expired - Fee Related
Application number: CN 201010122101
Other languages: Chinese (zh)
Other versions: CN101808313B (en)
Inventors: 郑强, 杨亚涛, 谷勇浩, 辛阳, 郭江, 郇海滨, 翁武林, 陈颖浩
Current Assignee: Tianjin China Boson New Materials Co ltd
Original Assignee: Huawei Technologies Co Ltd
Application filed by: Huawei Technologies Co Ltd
Priority to: CN2010101221018A
Publications: CN101808313A (application), CN101808313B (granted)
Classification: Mobile Radio Communication Systems (AREA)

Abstract

Embodiments of the present invention provide a method for acquiring a TMSI, a mobile station, a home location register and a communication system, and belong to the technical field of information security. The method includes: encrypting the international mobile subscriber identity (IMSI) using an encryption mechanism agreed upon with the home location register (HLR); sending the encrypted IMSI to the HLR through the visitor location register (VLR); and receiving the temporary mobile subscriber identity (TMSI) that the VLR generates from the decrypted IMSI. The mobile station includes an encryption module and a first sending module. The home location register includes a decryption module and a second sending module. The system includes a mobile station, a visitor location register and a home location register. In the embodiments of the present invention, the IMSI is transmitted as ciphertext on the wireless link while the TMSI is being acquired, which protects the IMSI; the encryption method is simple and can be used directly in the GSM system.

Figure 201010122101

Description

Method for acquiring TMSI, mobile station, home location register and communication system

Technical field

The embodiments of the present invention relate to the technical field of information security, and in particular to a method for acquiring a TMSI, a mobile station, a home location register and a communication system.

Background

In mobile communication, the International Mobile Subscriber Identification (IMSI) identifies the user of a mobile station (MS); it is the equivalent of the MS user's identity card in the Global System for Mobile Communications (GSM) network. Because the IMSI is unique across the whole network and worldwide, the GSM system, to make the network more secure, generally does not identify a user by the IMSI but by the MS's Temporary Mobile Subscriber Identity (TMSI). That is, the visitor location register (VLR) allocates a TMSI to each MS user entering its visiting area, and during communication the user needs only the TMSI and the Location Area ID (LAI) to identify itself.

In the course of implementing the present invention, the inventors found at least the following problem in the prior art: when the MS registers in the serving network for the first time, or when the serving network interacting with the MS cannot obtain the corresponding IMSI from the MS's TMSI, the IMSI must be used. In this case the IMSI has to be transmitted in plaintext on the wireless link, which may leak the IMSI in the course of acquiring the TMSI.

Summary of the invention

The embodiments of the present invention provide a method for acquiring a TMSI, a mobile station, a home location register and a communication system, to remedy the prior-art defect that transmitting the IMSI in plaintext to acquire the TMSI leaks the IMSI, and so to protect the IMSI.

An embodiment of the present invention provides a method for acquiring a temporary mobile subscriber identity (TMSI), the method comprising:

encrypting the international mobile subscriber identity (IMSI) using an encryption mechanism agreed upon with the home location register (HLR);

sending the encrypted IMSI to the HLR through the visitor location register (VLR), so that the HLR decrypts the encrypted IMSI according to the agreed encryption mechanism and sends the decrypted IMSI to the VLR;

receiving the TMSI generated by the VLR from the decrypted IMSI.

An embodiment of the present invention provides a mobile station, the mobile station comprising an encryption module and a first sending module;

the encryption module is configured to encrypt the IMSI using an encryption mechanism agreed upon with the HLR;

the first sending module is configured to send the IMSI encrypted by the encryption module to the HLR through the VLR, so that the HLR decrypts the encrypted IMSI according to the agreed encryption mechanism and sends the decrypted IMSI to the VLR.

An embodiment of the present invention provides a home location register, the home location register comprising a decryption module and a second sending module;

the decryption module is configured to decrypt the received encrypted IMSI using an encryption mechanism agreed upon with the mobile station, obtaining the decrypted IMSI;

the second sending module is configured to send the decrypted IMSI obtained by the decryption module to the VLR, so that the VLR generates a TMSI from the decrypted IMSI.

An embodiment of the present invention provides a communication system, the system comprising a mobile station, a visitor location register and a home location register;

the mobile station is configured to encrypt the IMSI using an encryption mechanism agreed upon with the HLR, and to send the encrypted IMSI to the VLR, so that the IMSI is transmitted as ciphertext on the wireless link;

the visitor location register is configured to forward the encrypted IMSI to the HLR after receiving it from the mobile station, and further to receive the decrypted IMSI sent by the HLR and generate a TMSI from the decrypted IMSI;

the home location register is configured to decrypt the received encrypted IMSI according to the encryption mechanism agreed upon with the mobile station, and to send the decrypted IMSI to the VLR.

In the embodiments of the present invention, the IMSI is encrypted using the encryption mechanism agreed upon with the HLR, and the encrypted IMSI is sent to the HLR through the VLR. After receiving the encrypted IMSI, the HLR decrypts it according to the agreed encryption mechanism and sends the decrypted IMSI to the VLR, so that the VLR generates a TMSI from the decrypted IMSI. While the TMSI is being acquired, the IMSI is therefore transmitted as ciphertext on the wireless link, which protects the IMSI. Once the TMSI has been acquired, commands exchanged between the VLR and the MS use the TMSI rather than the IMSI, which prevents unauthorized individuals or groups from stealing the MS user's IMSI or tracking the MS user's location by monitoring the signaling exchanged on the wireless path.

Description of drawings

To explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Evidently, the drawings described below show some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.

Fig. 1a is a schematic structural diagram of the GSM system;

Fig. 1b is a schematic flow chart of the first embodiment of the method for acquiring a TMSI according to the present invention;

Fig. 2 is a schematic flow chart of the second embodiment of the method for acquiring a TMSI according to the present invention;

Fig. 3 is a schematic flow chart of the third embodiment of the method for acquiring a TMSI according to the present invention;

Fig. 4 is a schematic flow chart of the fourth embodiment of the method for acquiring a TMSI according to the present invention;

Fig. 5 is a schematic structural diagram of the first embodiment of the mobile station of the present invention;

Fig. 6 is a schematic structural diagram of the second embodiment of the mobile station of the present invention;

Fig. 7 is a schematic structural diagram of the third embodiment of the mobile station of the present invention;

Fig. 8 is a schematic structural diagram of the first embodiment of the home location register of the present invention;

Fig. 9 is a schematic structural diagram of the second embodiment of the home location register of the present invention;

Fig. 10 is a schematic structural diagram of the third embodiment of the home location register of the present invention;

Fig. 11 is a schematic structural diagram of the first embodiment of the communication system of the present invention.

Detailed description

To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Evidently, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.

Embodiment 1

The method provided in this embodiment can be applied in the GSM system. Fig. 1a is a schematic structural diagram of the GSM system. As shown in Fig. 1a, the GSM system consists mainly of four parts: the MS, the Network Switching Subsystem (NSS), the Base Station Subsystem (BSS) and the Operation Support Subsystem (OSS).

The NSS is the core of the entire GSM system. It performs switching, connection and management functions for communication between GSM users and between GSM users and users of other communication networks. The MS, BSS and NSS form the physical part of the GSM system. The BSS provides and manages the transmission path between the MS and the NSS, in particular the management of the radio interface between the MS and the functional entities of the GSM system.

Specifically, the NSS includes the Mobile Switching Center (MSC), the visitor location register (VLR), the home location register (HLR), the Authentication Center (AUC) and the Equipment Identity Register (EIR).

The MSC is the core of the entire switching network. It performs or takes part in all NSS functions, controls and connects calls, provides billing information, and coordinates and controls the functional entities of the entire GSM network.

The VLR is a database serving the mobile users within its control area. It stores information about the registered mobile users that have entered its control area and provides them with what is needed to set up call connections. When a user enters the control area of a VLR, the VLR obtains the necessary data from that mobile user's HLR and stores it; once the user leaves, the user's data in the VLR is deleted. The VLR is usually co-located with the MSC.

The HLR is a static database that stores mobile subscriber data, including the subscriber identification number, access capabilities, subscriber category and supplementary services. It also stores dynamic data about the VLR area in which the mobile user is currently located.

The NSS also includes the Network Management Subsystem (NMS), also called the Operation & Maintenance Center (OMC). The OMC is responsible for maintaining and managing the NSS and BSS.

The BSS consists of the base station controller (BSC) and the Base Transceiver Station (BTS). The BSC is the control part of the BSS. It mainly handles interface management, management of the terrestrial channels between BTS and BSC, radio parameter and radio resource management, measurement and statistics, handover support, call control, and operation and maintenance functions. The BTS is controlled by the BSC, belongs to the radio part of the BSS, and is the radio transceiver equipment serving a given cell.

The OSS includes the Network Management Center (NMC), the Data Post Processing System (DPPS), the subscriber identity card personalization center (Personal Center System, PCS) and the Security Management Center (SEMC).

The GSM system also includes the public data network (PDN), the Public Switched Telephone Network (PSTN) and the Integrated Services Digital Network (ISDN).

In the GSM system, the IMSI is the number that uniquely identifies a mobile station user. The IMSI is valid in all service areas of the GSM system and is needed for call setup and location update. It is stored in the HLR, the VLR and the SIM card. To protect the mobile user's IMSI, the VLR can allocate a unique TMSI to each visiting mobile station user, and every IMSI that would be carried on the wireless link is replaced by the TMSI. The TMSI is allocated after each authentication, is valid only within the area of one VLR, and is released when the user leaves that VLR's service area. The TMSI can be used for call setup and location update.

Fig. 1b is a schematic flow chart of the first embodiment of the method for acquiring a TMSI. As shown in Fig. 1b, the method includes:

Step 101: Encrypt the IMSI using the encryption mechanism agreed upon with the HLR.

Step 102: Send the encrypted IMSI to the HLR through the VLR, so that the HLR decrypts the encrypted IMSI according to the agreed encryption mechanism and sends the decrypted IMSI to the VLR.

For example, the encrypted IMSI and the identifier of the HLR are sent to the VLR, so that the IMSI is transmitted as ciphertext on the wireless link; the VLR then forwards the encrypted IMSI to the HLR identified by the HLR identifier.

Step 103: Receive the TMSI generated by the VLR from the decrypted IMSI.

After the TMSI has been received, commands exchanged between the VLR and the MS use the TMSI, and the user's IMSI is no longer sent in plaintext on the wireless link. This prevents unauthorized individuals or groups from stealing the mobile user's IMSI or tracking the mobile user's location by monitoring the signaling exchanged on the wireless path.

In this embodiment, the IMSI is encrypted using the encryption mechanism agreed upon with the HLR, and the encrypted IMSI is sent to the HLR through the VLR. After receiving the encrypted IMSI, the HLR decrypts it according to the agreed encryption mechanism and sends the decrypted IMSI to the VLR, so that the VLR generates a TMSI from the decrypted IMSI. While the TMSI is being acquired, the IMSI is therefore transmitted as ciphertext on the wireless link, which protects the IMSI. Once the TMSI has been acquired, commands exchanged between the VLR and the MS use the TMSI rather than the IMSI, which prevents unauthorized individuals or groups from stealing the MS user's IMSI or tracking the MS user's location by monitoring the signaling exchanged on the wireless path.

Embodiment 2

Fig. 2 is a schematic flow chart of the second embodiment of the method for acquiring a TMSI. As shown in Fig. 2, the method includes:

Step 201: The MS sends a request to the HLR through the VLR, asking the HLR to send its public key.

Step 202: The MS receives the HLR's public key through the VLR.

Step 203: The MS encrypts the IMSI with the received HLR public key.

Step 204: The MS sends the HLR identifier and the encrypted IMSI to the VLR, so that the IMSI is transmitted as ciphertext on the wireless link and the VLR forwards the encrypted IMSI to the HLR identified by the HLR identifier.

If the IMSI is encrypted with the HLR's public key alone, the IMSI is protected but replay attacks are not prevented. With the public key alone, the encryption result $E_{sk}(\mathrm{IMSI})$ is the same every time, so an attacker who has repeatedly intercepted this result can impersonate the legitimate MS and send $E_{sk}(\mathrm{IMSI})$ to the HLR through the VLR. This is a replay attack, and replay attacks can occur in any network communication.

To prevent replay attacks, the MS can generate a random number itself, encrypt the IMSI together with that random number using the HLR public key it obtained, and send the result to the HLR through the VLR. This both protects the IMSI and prevents replay attacks.

When the IMSI and a random number are encrypted with the HLR's public key, the random number differs each time, so the result $E_{sk}(\mathrm{RAND}\,\|\,\mathrm{IMSI})$ also differs each time. The attacker intercepts a different encryption result on every occasion and therefore cannot send a correct encrypted-IMSI result to the HLR through the VLR. Encrypting the IMSI together with a random number under the HLR's public key thus prevents replay attacks well.

Further, after the HLR receives through the VLR the encryption result sent by the MS, it decrypts the result with the private key stored in the HLR. If only the IMSI was encrypted, decryption yields the IMSI directly. If the IMSI and a random number were encrypted, the decrypted result contains both. Because the encryption mechanism is agreed upon in advance, the relationship between the random number and the IMSI is also known in advance. If the random number was placed in front of the IMSI at encryption time, the last 15 digits of the decrypted result are the IMSI; if the random number was placed after the IMSI, the first 15 digits of the decrypted result are the IMSI. The random number can also be placed in the middle of the IMSI: since the IMSI consists of 15 digits of 0 and/or 1, whereas the random number is mostly not 0 or 1, the two are easy to tell apart. When the random number is 0 or 1, however, other characters can be added before and after the random number to separate it from the IMSI. For example, if the decrypted result is 01010*1*0010111001, the 1 between the * characters can be removed, and what remains is the IMSI.
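The replay argument above, as an added Python example (not code from the patent): textbook RSA over two Mersenne primes stands in for the HLR's unspecified public-key algorithm, the IMSI is a constructed test value, and RAND is placed in front of the IMSI. The HLR-side check that rejects an already-seen RAND is an assumption, since the page does not say how the HLR tests freshness.

```python
"""Added illustration: deterministic E(IMSI) versus randomized E(RAND||IMSI)."""
import secrets

# Toy HLR key pair from two known Mersenne primes (stand-in for the
# unspecified public-key scheme; not a production parameter choice).
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # HLR private exponent

IMSI_DIGITS = 15
SHIFT = 10**IMSI_DIGITS             # RAND occupies the digits above the IMSI


def encrypt_imsi_only(imsi):
    """Step 203 without a random number: the same ciphertext on every call."""
    return pow(int(imsi), E, N)


def encrypt_rand_imsi(imsi, rand=None):
    """Encrypt RAND||IMSI, with RAND placed in front of the IMSI."""
    if rand is None:
        rand = secrets.randbelow(10**8 - 1) + 1   # fresh non-zero RAND
    return pow(rand * SHIFT + int(imsi), E, N)


class Hlr:
    """HLR side: decrypts, then takes the last 15 digits as the IMSI."""

    def __init__(self):
        # Assumption of this example: the HLR remembers (IMSI, RAND) pairs
        # it has already accepted so that a resent ciphertext is refused.
        self.seen = set()

    def decrypt(self, ciphertext):
        plain = pow(ciphertext, D, N)
        rand, imsi = divmod(plain, SHIFT)
        return rand, str(imsi).zfill(IMSI_DIGITS)

    def accept(self, ciphertext):
        """Return the IMSI for a fresh request, None for a replayed one."""
        rand, imsi = self.decrypt(ciphertext)
        if rand == 0 or (imsi, rand) in self.seen:
            return None
        self.seen.add((imsi, rand))
        return imsi


if __name__ == "__main__":
    imsi = "001010123456789"        # constructed test IMSI
    print("IMSI only, two runs equal:",
          encrypt_imsi_only(imsi) == encrypt_imsi_only(imsi))
    first = encrypt_rand_imsi(imsi)
    second = encrypt_rand_imsi(imsi)
    print("RAND||IMSI, two runs equal:", first == second)
    hlr = Hlr()
    print("first submission :", hlr.accept(first))
    print("same bytes again :", hlr.accept(first))
```
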

After the HLR has decrypted the IMSI, it obtains the corresponding master key Ki for that IMSI, generates authentication information from the master key and a random number it generates itself, and sends the authentication information to the VLR, so that the VLR can use it to verify whether the MS corresponding to the IMSI is legitimate. If the MS is legitimate, the decrypted IMSI is sent to the VLR.

In this embodiment, the authentication information may be a tuple that includes at least: the random number Rand generated by the HLR, the authentication parameter RES produced from Rand and Ki by the authentication algorithm, and the encryption key Kc produced from Rand and Ki by the encryption algorithm.

For example, the VLR may verify whether the MS is legitimate from the authentication information as follows:

a: The VLR sends the random number generated by the HLR to the MS.

b: On receiving it, the MS runs the A3 algorithm on the random number and sends the resulting authentication result SERS to the VLR.

c: On receiving the SERS sent by the MS, the VLR compares it with the RES in the triplet. If the two are equal, verification succeeds, meaning the MS is legitimate, and the VLR sends a verification-success message to the HLR.

d: On receiving the verification-success message from the VLR, the HLR sends the MS's IMSI to the VLR, so that the VLR generates a TMSI from the IMSI and sends the generated TMSI to the MS. The MS then communicates using the TMSI instead of the IMSI, which keeps the IMSI secure.

The method provided in this embodiment can be applied when the user identity is requested: for example, when the MS registers in the serving network for the first time, or when the serving network interacting with the MS cannot obtain the corresponding IMSI from the MS's TMSI, the method of this embodiment can be used to transmit the IMSI as ciphertext and generate a TMSI.

In this embodiment, the IMSI is encrypted with the HLR's public key and the encrypted IMSI is sent to the HLR through the VLR. After receiving the encrypted IMSI, the HLR decrypts it with its private key and sends the decrypted IMSI to the VLR, so that the VLR generates a TMSI from the decrypted IMSI. While the TMSI is being acquired, the IMSI is therefore transmitted as ciphertext on the wireless link, which protects the IMSI. Compared with the method of encrypting the IMSI in 3G, the method of encrypting the TMSI in this embodiment is simple and can be applied directly to the GSM system without major changes to the hardware of the GSM system. Once the TMSI has been acquired, commands exchanged between the VLR and the MS use the TMSI rather than the IMSI, which prevents unauthorized individuals or groups from stealing the MS user's IMSI or tracking the MS user's location by monitoring the signaling exchanged on the wireless path.

Embodiment 3

Fig. 3 is a schematic flow chart of the third embodiment of the method for acquiring a TMSI. As shown in Fig. 3, the method includes:

Step 301: Negotiate a homomorphic encryption algorithm with the HLR.

Step 302: Receive, through the VLR, multiple random numbers that the HLR has encrypted with the homomorphic encryption algorithm; the number of random numbers equals the number of digits in the MS's IMSI.

The homomorphic encryption algorithm must satisfy the following properties: for three numbers $a$, $b$, $c$ in the field, $E(a) * E(b) = E(a+b)$ and $E(a)^{c} = E(c \cdot a)$.

For example, since the IMSI currently has 15 digits, the HLR uses the above homomorphic encryption algorithm to encrypt 15 random numbers $r_1, r_2, \ldots, r_{15}$ that it selects itself; none of these 15 random numbers equals 0.

Encrypting the 15 random numbers together may make the computation complicated. To simplify it, the HLR can encrypt the 15 random numbers it has selected in batches, that is, $E(r_1 r_2 r_3) \,\|\, E(r_4 r_5 r_6) \,\|\, \ldots \,\|\, E(r_{13} r_{14} r_{15})$, where $\|$ denotes concatenation, and then send the 15 batch-encrypted random numbers to the MS through the VLR.

It should be noted that this embodiment places no limit on the number of batches or on the number of random numbers in each batch.

Step 303: After receiving, through the VLR, the encrypted random numbers sent by the HLR, use the IMSI to perform a homomorphic encryption operation on the encrypted random numbers according to the properties of the homomorphic encryption algorithm, completing the encryption of the IMSI.

Specifically, the property $E(a)^{c} = E(c \cdot a)$ of the homomorphic encryption algorithm can be used to raise the encrypted random numbers to powers given by the IMSI, for example:

$E(r_1 r_2 r_3)^{a_1 a_2 a_3} \,\|\, E(r_4 r_5 r_6)^{a_4 a_5 a_6} \,\|\, \ldots \,\|\, E(r_{13} r_{14} r_{15})^{a_{13} a_{14} a_{15}}$, where $a_1, a_2, \ldots, a_{15}$ are the 15 digits of the IMSI.

Alternatively, the property $E(a) * E(b) = E(a+b)$ of the homomorphic encryption algorithm can be used to multiply the encrypted random numbers by the IMSI, for example:

$E(r_1 r_2 r_3) * E(a_1 a_2 a_3) \,\|\, E(r_4 r_5 r_6) * E(a_4 a_5 a_6) \,\|\, \ldots \,\|\, E(r_{13} r_{14} r_{15}) * E(a_{13} a_{14} a_{15})$.

Step 304: Send the identifier of the HLR and the encrypted IMSI to the VLR, so that the IMSI is transmitted over the radio link in ciphertext form and the VLR forwards the encrypted IMSI to the corresponding HLR according to the HLR identifier.

Further, after receiving the encrypted IMSI, the HLR uses the properties of the homomorphic encryption algorithm to perform a homomorphic decryption operation on it and obtain the IMSI.

Specifically, when the HLR receives $E(r_1 r_2 r_3)^{a_1 a_2 a_3} \,\|\, E(r_4 r_5 r_6)^{a_4 a_5 a_6} \,\|\, \ldots \,\|\, E(r_{13} r_{14} r_{15})^{a_{13} a_{14} a_{15}}$, it decrypts using the property $E(a)^{c} = E(c \cdot a)$ of the homomorphic encryption algorithm and obtains

$a_1 a_2 a_3 \cdot r_1 r_2 r_3,\; a_4 a_5 a_6 \cdot r_4 r_5 r_6,\; \ldots,\; a_{13} a_{14} a_{15} \cdot r_{13} r_{14} r_{15}$, and then obtains $a_1, a_2, \ldots, a_{15}$ by division, thereby obtaining the IMSI;

When the HLR receives $E(r_1 r_2 r_3) * E(a_1 a_2 a_3) \,\|\, E(r_4 r_5 r_6) * E(a_4 a_5 a_6) \,\|\, \ldots \,\|\, E(r_{13} r_{14} r_{15}) * E(a_{13} a_{14} a_{15})$, it decrypts using the property $E(a) * E(b) = E(a+b)$ of the homomorphic encryption algorithm and obtains

$r_1 r_2 r_3 + a_1 a_2 a_3 \,\|\, r_4 r_5 r_6 + a_4 a_5 a_6 \,\|\, \ldots \,\|\, r_{13} r_{14} r_{15} + a_{13} a_{14} a_{15}$, and then subtracts the 15 random numbers to obtain $a_1, a_2, \ldots, a_{15}$, thereby obtaining the decrypted IMSI.

The processing after the HLR obtains the decrypted IMSI is the same as the processing after the HLR obtains the decrypted IMSI in Embodiment 1 and is not repeated here.
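The two variants of steps 302 to 304 can be traced end to end with a cryptosystem that has both required properties. The following is an added example, not code from the patent: it assumes Paillier as the negotiated algorithm, reads each batch such as r1r2r3 as a 3-digit decimal number, and uses toy primes and a constructed IMSI.

```python
import math
import secrets

# Toy Paillier key (constructed for this example; far too small for real use).
P = 2**31 - 1                      # Mersenne prime
Q = 2**61 - 1                      # Mersenne prime
N = P * Q                          # HLR public key
N2 = N * N
LAMBDA = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # HLR private key
MU = pow(LAMBDA, -1, N)            # valid because the generator is g = N + 1

BATCH = 3                          # digits per batch, as in E(r1 r2 r3)


def encrypt(m):
    """Paillier encryption: E(a)*E(b) = E(a+b) and E(a)^c = E(c*a) mod N^2."""
    while True:
        u = secrets.randbelow(N - 1) + 1
        if math.gcd(u, N) == 1:
            break
    return (1 + m * N) % N2 * pow(u, N, N2) % N2


def decrypt(c):
    """Paillier decryption with the HLR private key."""
    return (pow(c, LAMBDA, N2) - 1) // N * MU % N


def hlr_challenge(n_digits=15):
    """HLR: one nonzero random digit per IMSI digit, encrypted in batches."""
    digits = [secrets.randbelow(9) + 1 for _ in range(n_digits)]
    batches = [int("".join(map(str, digits[i:i + BATCH])))
               for i in range(0, n_digits, BATCH)]
    return batches, [encrypt(r) for r in batches]


def imsi_batches(imsi):
    """Split the IMSI digit string a1..a15 into integers a1a2a3, a4a5a6, ..."""
    if not imsi.isdigit() or len(imsi) % BATCH:
        raise ValueError("IMSI must be digits, length a multiple of BATCH")
    return [int(imsi[i:i + BATCH]) for i in range(0, len(imsi), BATCH)]


def ms_encrypt_pow(imsi, enc_r):
    """MS, power variant: E(r)^a = E(a*r).
    Limitation: a batch equal to 000 yields ciphertext 1, which is not hidden."""
    return [pow(c, a, N2) for c, a in zip(enc_r, imsi_batches(imsi))]


def ms_encrypt_mul(imsi, enc_r):
    """MS, product variant: E(r)*E(a) = E(r+a), with a fresh E(a) each time."""
    return [c * encrypt(a) % N2 for c, a in zip(enc_r, imsi_batches(imsi))]


def hlr_decrypt_pow(cts, batches):
    """HLR: decrypt to a*r, then divide by the r it issued."""
    out = []
    for c, r in zip(cts, batches):
        prod = decrypt(c)
        if prod % r:
            raise ValueError("ciphertext does not match the issued random numbers")
        out.append(f"{prod // r:0{BATCH}d}")   # zero-pad to keep leading zeros
    return "".join(out)


def hlr_decrypt_mul(cts, batches):
    """HLR: decrypt to r+a, then subtract the r it issued."""
    return "".join(f"{decrypt(c) - r:0{BATCH}d}" for c, r in zip(cts, batches))


if __name__ == "__main__":
    imsi = "001010123456789"       # constructed test IMSI
    batches, enc_r = hlr_challenge()
    print(hlr_decrypt_pow(ms_encrypt_pow(imsi, enc_r), batches))
    print(hlr_decrypt_mul(ms_encrypt_mul(imsi, enc_r), batches))
```

Recovery depends on the HLR keeping the plaintext batches it issued for this exchange and on every product a·r staying below N.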

The method provided in this embodiment can be applied when the user's identity is requested. For example, when the MS registers in the serving network for the first time, or when the serving network interacting with the MS cannot obtain the corresponding IMSI from the MS's TMSI, the method provided in this embodiment can be used to transmit the IMSI in ciphertext form and generate the TMSI.

In this embodiment, after the MS receives the multiple random numbers that the HLR has encrypted with the homomorphic encryption algorithm negotiated with the MS, it uses the properties of the homomorphic encryption algorithm and the IMSI to perform a homomorphic encryption operation on the encrypted random numbers, completing the encryption of the IMSI, and sends the encrypted IMSI to the HLR through the VLR. After receiving the encrypted IMSI, the HLR decrypts it according to the agreed homomorphic encryption algorithm and sends the decrypted IMSI to the VLR, so that the VLR generates the TMSI from the decrypted IMSI. During TMSI acquisition the IMSI is thus transmitted over the radio link in ciphertext form, which protects the security of the IMSI and also prevents replay attacks. Compared with the method of encrypting the IMSI in 3G, the method of encrypting the TMSI in this embodiment is simple and can be applied directly to the GSM system without major changes to the GSM system's hardware devices. After the TMSI is obtained, commands exchanged between the VLR and the MS use the TMSI rather than the IMSI, which prevents unauthorized individuals or groups from stealing the MS user's IMSI or tracking the MS user's location by monitoring the signaling exchanged on the radio path.

Embodiment 4

Fig. 4 is a schematic flow chart of the fourth embodiment of the method for acquiring a TMSI. As shown in Fig. 4, the method includes:

Step 401: The MS sends a first random number that it generates to the HLR through the VLR, and receives, through the VLR, a second random number generated and sent by the HLR.

For example, let the first random number generated by the MS be R1, which is sent to the HLR through the VLR; let the second random number generated by the HLR be R2, which is sent to the MS through the VLR.

Step 402: The MS performs an authentication operation and an XOR operation on the first random number it generated and the second random number it received to obtain a third random number, and then XORs the third random number with its own IMSI to obtain the encrypted IMSI.

Step 403: Send the encrypted IMSI and the identifier of the HLR to the VLR, so that the IMSI is transmitted over the radio link in ciphertext form and the VLR forwards the encrypted IMSI to the HLR according to the HLR identifier.

After the MS has sent the first random number to the HLR through the VLR and received the second random number from the HLR through the VLR, and before the MS performs the authentication operation and the XOR operation on the first and second random numbers, the method provided in this embodiment may further include:

performing an authentication operation on the first random number and the second random number to obtain a first authentication result, and sending the first authentication result to the HLR through the VLR;

receiving, through the VLR, a second authentication result sent by the HLR, the second authentication result being obtained by the HLR performing the authentication operation on the first random number and the second random number with the same authentication algorithm;

when the first authentication result and the second authentication result are the same, the MS confirms that the second random number was sent by the HLR, and the HLR likewise confirms that the first random number was sent by the MS.

The following takes the A3 algorithm as an example of the authentication algorithm. For example:

The MS applies the A3 operation to R1 and R2 and sends the first authentication result to the HLR through the VLR;

The HLR applies the A3 operation to R1 and R2 and sends the second authentication result to the MS through the VLR;

If the second authentication result that the MS receives from the HLR is the same as the first authentication result it computed itself, the MS sends an authentication success message to the HLR;

If the first authentication result that the HLR receives from the MS is the same as the second authentication result it computed itself, the HLR sends an authentication success message to the MS;

If the MS's authentication succeeds and it has received the authentication success message sent by the HLR, the MS then performs the authentication operation and the XOR operation on the first random number R1 it generated and the second random number R2 it received.

The authentication operation and XOR operation that the MS performs on the first random number and the second random number may specifically be:

The MS performs the authentication operation on the first random number and the second random number, XORs the result with the first random number, and then performs the authentication operation on that XOR result and the second random number to obtain the third random number.

Again taking the A3 algorithm as the authentication algorithm, the third random number $R$ is $R = A3(R1 \oplus A3(R1, R2),\, R2)$.

Further, after the HLR receives the encrypted IMSI through the VLR, it computes the third random number from the first random number sent by the MS and the second random number it generated itself, and then XORs the computed third random number with the received encrypted IMSI to obtain the decrypted IMSI.

The processing after the HLR obtains the decrypted IMSI is the same as the processing after the HLR obtains the decrypted IMSI in Embodiment 1 and is not repeated here.

It should be noted that before performing an XOR operation, the MS and the HLR need to convert the random numbers to be XORed into binary.
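The exchange of steps 401 to 403, including the mutual check and the HLR's recovery of the IMSI, as an added example that is not code from the patent. The page writes A3 with only R1 and R2 as inputs and does not give its key or output width; the example assumes a stand-in `auth` (HMAC-SHA256 truncated to 64 bits, wide enough to cover a 15-digit IMSI) keyed with a secret assumed to be shared by the MS and the HLR, and a constructed IMSI.

```python
import hashlib
import hmac
import secrets

NBYTES = 8   # 64-bit values: a 15-digit IMSI is below 2**50 (assumed width)


def auth(key, x, y):
    """Stand-in for the page's A3(x, y) (assumption, not the real A3)."""
    msg = x.to_bytes(NBYTES, "big") + y.to_bytes(NBYTES, "big")
    tag = hmac.new(key, msg, hashlib.sha256).digest()[:NBYTES]
    return int.from_bytes(tag, "big")


def third_random(key, r1, r2):
    """R = A3(R1 xor A3(R1, R2), R2), computed identically by MS and HLR."""
    return auth(key, r1 ^ auth(key, r1, r2), r2)


def results_match(own_result, peer_result):
    """Compare the first and second authentication results in constant time."""
    return hmac.compare_digest(own_result.to_bytes(NBYTES, "big"),
                               peer_result.to_bytes(NBYTES, "big"))


def ms_mask_imsi(key, r1, r2, imsi):
    """MS, step 402: encrypted IMSI = R xor IMSI (IMSI taken as an integer)."""
    if len(imsi) != 15 or not imsi.isdigit():
        raise ValueError("IMSI must be 15 decimal digits")
    return third_random(key, r1, r2) ^ int(imsi)


def hlr_unmask_imsi(key, r1, r2, masked):
    """HLR: recompute R from R1 and R2, XOR it off, restore leading zeros."""
    return f"{third_random(key, r1, r2) ^ masked:015d}"


def run_exchange(imsi, ms_key, hlr_key):
    """One full run; returns the IMSI recovered by the HLR, or None when the
    mutual check of the authentication results fails."""
    r1 = secrets.randbits(8 * NBYTES)      # step 401: MS -> VLR -> HLR
    r2 = secrets.randbits(8 * NBYTES)      # step 401: HLR -> VLR -> MS
    first = auth(ms_key, r1, r2)           # first authentication result (MS)
    second = auth(hlr_key, r1, r2)         # second authentication result (HLR)
    if not results_match(first, second):   # each side checks the peer's value
        return None
    masked = ms_mask_imsi(ms_key, r1, r2, imsi)        # steps 402 and 403
    return hlr_unmask_imsi(hlr_key, r1, r2, masked)


if __name__ == "__main__":
    key = b"constructed-shared-secret"     # constructed value
    print(run_exchange("001010123456789", key, key))
```

Because R1 and R2 are fresh in every run, the same IMSI produces a different masked value each time, which is the property the embodiment relies on against replay.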

The method provided in this embodiment can be applied when the user's identity is requested. For example, when the MS registers in the serving network for the first time, or when the serving network interacting with the MS cannot obtain the corresponding IMSI from the MS's TMSI, the method provided in this embodiment can be used to transmit the IMSI in ciphertext form and generate the TMSI.

In this embodiment, the MS performs the authentication operation and the XOR operation on the first random number it generated and the second random number it received to obtain the third random number, and then XORs the third random number with its own IMSI to obtain the encrypted IMSI. After receiving the encrypted IMSI, the HLR decrypts it by an XOR operation and sends the decrypted IMSI to the VLR, so that the VLR generates the TMSI from the decrypted IMSI. During TMSI acquisition the IMSI is thus transmitted over the radio link in ciphertext form, which protects the security of the IMSI and also prevents replay attacks. Compared with the method of encrypting the IMSI in 3G, the method of encrypting the TMSI in this embodiment is simple and can be applied directly to the GSM system without major changes to the GSM system's hardware devices. Moreover, the XOR approach is simple and involves no large volume of encryption and decryption operations, which greatly improves efficiency. After the TMSI is obtained, commands exchanged between the VLR and the MS use the TMSI rather than the IMSI, which prevents unauthorized individuals or groups from stealing the MS user's IMSI or tracking the MS user's location by monitoring the signaling exchanged on the radio path.

Embodiment 5

Fig. 5 is a schematic structural diagram of the first embodiment of the mobile station. As shown in Fig. 5, the mobile station includes an encryption module 501 and a first sending module 502.

The encryption module 501 is configured to encrypt the IMSI using the encryption mechanism agreed with the home location register.

The first sending module 502 is configured to send the IMSI encrypted by the encryption module 501 to the HLR through the VLR, so that the HLR decrypts the encrypted IMSI according to the agreed encryption mechanism and sends the decrypted IMSI to the VLR.

The first sending module 502 may send the identifier of the HLR and the encrypted IMSI to the VLR, so that the IMSI is transmitted over the radio link in ciphertext form; the VLR then forwards the encrypted IMSI to the HLR according to the HLR identifier.

Specifically, the encryption module 501 encrypts the IMSI with the public key of the HLR, or encrypts the IMSI together with a random number with the public key of the HLR; the random number makes the encrypted IMSI different each time. Correspondingly, after the HLR receives, through the VLR, the encryption result sent by the MS, it decrypts it with the private key it stores to obtain the MS's IMSI, obtains the corresponding master key Ki according to the IMSI, generates verification information from the master key and a random number that it generates itself, and sends the verification information to the VLR, so that the VLR verifies the MS according to the verification information to determine that the mobile station corresponding to the IMSI is legitimate.

In this embodiment, the verification information may be a tuple that includes at least: the random number Rand generated by the HLR, the authentication parameter RES generated from Rand and Ki by the authentication algorithm, and the encryption key Kc generated from Rand and Ki by the encryption algorithm.

For example, the specific process by which the VLR verifies the MS according to the verification information may be:

a: The VLR sends the random number generated by the HLR to the MS;

b: After receiving it, the MS performs the authentication operation on the random number with the A3 algorithm and sends the resulting authentication result SERS to the VLR;

c: After receiving the SERS sent by the MS, the VLR compares it with the RES in the triplet. If the two are equal, the verification succeeds, indicating that the MS is legitimate, and the VLR sends a verification success message to the HLR.

d: After receiving the verification success message sent by the VLR, the HLR sends the MS's IMSI to the VLR, so that the VLR generates the TMSI from the IMSI.

The mobile station provided in this embodiment can be applied when the user's identity is requested. For example, when the MS registers in the serving network for the first time, or when the serving network interacting with the MS cannot obtain the corresponding IMSI from the MS's TMSI, the method provided in this embodiment can be used to transmit the IMSI in ciphertext form and generate the TMSI.

In this embodiment, the IMSI is encrypted using the encryption mechanism agreed with the HLR and the encrypted IMSI is sent to the HLR through the VLR. After receiving the encrypted IMSI, the HLR decrypts it with its own private key and sends the decrypted IMSI to the VLR, so that the VLR generates the TMSI from the decrypted IMSI. During TMSI acquisition the IMSI is thus transmitted over the radio link in ciphertext form, which protects the security of the IMSI. Compared with the scheme for encrypting the IMSI in 3G, the MS provided in this embodiment, which transmits the IMSI in ciphertext form, has a simple structure and can be applied directly to the GSM system without major changes to the GSM system's hardware devices. After the TMSI is obtained, commands exchanged between the VLR and the MS use the TMSI rather than the IMSI, which prevents unauthorized individuals or groups from stealing the MS user's IMSI or tracking the MS user's location by monitoring the signaling exchanged on the radio path.

Embodiment 6

Fig. 6 is a schematic structural diagram of the second embodiment of the mobile station. As shown in Fig. 6, the mobile station includes an encryption module 501 and a first sending module 502.

Specifically, the encryption module 501 includes a first negotiation unit 5010, a first receiving unit 5011, and a first encryption unit 5012.

The first negotiation unit 5010 is configured to negotiate a homomorphic encryption algorithm with the HLR.

The homomorphic encryption algorithm must satisfy the following properties: for three numbers $a$, $b$, $c$ in the field, $E(a) * E(b) = E(a+b)$ and $E(a)^{c} = E(c \cdot a)$.

The first receiving unit 5011 is configured to receive, through the VLR, multiple random numbers that the HLR has encrypted with the above homomorphic encryption algorithm; the number of random numbers equals the number of digits in the IMSI.

For example, since the IMSI currently has 15 digits, the HLR uses the homomorphic encryption algorithm to encrypt 15 random numbers $r_1, r_2, \ldots, r_{15}$; none of these 15 random numbers equals 0.

Encrypting the 15 random numbers $r_1, r_2, \ldots, r_{15}$ together may make the computation complicated. To simplify it, the HLR can encrypt the 15 random numbers it has selected in batches; for example,

$E(r_1 r_2 r_3) \,\|\, E(r_4 r_5 r_6) \,\|\, \ldots \,\|\, E(r_{13} r_{14} r_{15})$, where $\|$ denotes concatenation.

The first encryption unit 5012 is configured to, after the first receiving unit 5011 receives the encrypted random numbers, use the properties of the homomorphic encryption algorithm and the IMSI to perform a homomorphic encryption operation on the encrypted random numbers, completing the encryption of the IMSI.

Specifically, the first encryption unit 5012 uses the property $E(a)^{c} = E(c \cdot a)$ of the homomorphic encryption algorithm to raise the encrypted random numbers to powers given by the IMSI, completing the encryption of the IMSI, for example $E(r_1 r_2 r_3)^{a_1 a_2 a_3} \,\|\, E(r_4 r_5 r_6)^{a_4 a_5 a_6} \,\|\, \ldots \,\|\, E(r_{13} r_{14} r_{15})^{a_{13} a_{14} a_{15}}$, where $a_1, a_2, \ldots, a_{15}$ are the 15 digits of the IMSI;

The first encryption unit 5012 may also use the property $E(a) * E(b) = E(a+b)$ of the homomorphic encryption algorithm to multiply the encrypted random numbers by the IMSI, for example:

$E(r_1 r_2 r_3) * E(a_1 a_2 a_3) \,\|\, E(r_4 r_5 r_6) * E(a_4 a_5 a_6) \,\|\, \ldots \,\|\, E(r_{13} r_{14} r_{15}) * E(a_{13} a_{14} a_{15})$.

The first sending module 502 is configured to send the identifier of the HLR and the IMSI encrypted by the encryption module 501 to the VLR, so that the IMSI is transmitted over the radio link in ciphertext form and the VLR forwards the encrypted IMSI to the HLR according to the HLR identifier;

Further, after receiving the encrypted IMSI, the HLR uses the properties of the homomorphic encryption algorithm to perform a homomorphic decryption operation on it and sends the decrypted IMSI to the VLR, so that the VLR generates the TMSI from the decrypted IMSI.

The mobile station provided in this embodiment can be applied when the user's identity is requested. For example, when the MS registers in the serving network for the first time, or when the serving network interacting with the MS cannot obtain the corresponding IMSI from the MS's TMSI, the method provided in this embodiment can be used to transmit the IMSI in ciphertext form and generate the TMSI.

In this embodiment, after the MS receives the multiple random numbers that the HLR has encrypted with the homomorphic encryption algorithm negotiated with the MS, it uses the properties of the homomorphic encryption algorithm and the IMSI to perform a homomorphic encryption operation on the encrypted random numbers, completing the encryption of the IMSI, and sends the encrypted IMSI to the HLR through the VLR. After receiving the encrypted IMSI, the HLR performs a homomorphic decryption operation on it according to the agreed homomorphic encryption algorithm and sends the decrypted IMSI to the VLR, so that the VLR generates the TMSI from the decrypted IMSI. During TMSI acquisition the IMSI is thus transmitted over the radio link in ciphertext form, which protects the security of the IMSI and also prevents replay attacks. Compared with the scheme for encrypting the IMSI in 3G, the MS provided in this embodiment, which transmits the IMSI in ciphertext form, has a simple structure and can be applied directly to the GSM system without major changes to the GSM system's hardware devices. After the TMSI is obtained, commands exchanged between the VLR and the MS use the TMSI rather than the IMSI, which prevents unauthorized individuals or groups from stealing the MS user's IMSI or tracking the MS user's location by monitoring the signaling exchanged on the radio path.

Embodiment 7

Fig. 7 is a schematic structural diagram of the third embodiment of the mobile station. As shown in Fig. 7, the mobile station includes an encryption module 501 and a first sending module 502.

The encryption module 501 includes a first sending unit 5013, a second receiving unit 5014, and a second encryption unit 5015.

The first sending unit 5013 is configured to send the first random number to the HLR through the VLR.

For example, the first sending unit 5013 sends the first random number R1 to the HLR through the VLR.

The second receiving unit 5014 is configured to receive, through the VLR, the second random number generated and sent by the HLR.

For example, after the HLR generates the second random number R2, it sends R2 to the MS through the VLR.

The second encryption unit 5015 is configured to perform the authentication operation and the XOR operation on the first random number and the second random number to obtain the third random number, and to XOR the third random number with the MS's own IMSI, completing the encryption of the IMSI.

In this embodiment the A3 algorithm may be used as the authentication algorithm, in which case the third random number $R$ is $R = A3(R1 \oplus A3(R1, R2),\, R2)$.

The encryption module 501 may further include a first authentication unit and a first confirmation unit.

The first authentication unit is configured to perform the authentication operation on the first random number and the second random number to obtain a first authentication result, and to send the first authentication result to the HLR through the VLR;

it is also configured to receive, through the VLR, the second authentication result sent by the HLR; the second authentication result is obtained by the HLR performing the authentication operation on the first random number and the second random number with the same authentication algorithm as the first authentication unit.

The first confirmation unit is configured to confirm, when the first authentication result and the second authentication result are the same, that the second random number was sent by the HLR, and to trigger the second encryption unit 5015.

Specifically, the second encryption unit 5015 is configured to perform the authentication operation on the first random number and the second random number, XOR the result with the first random number, and then perform the authentication operation on that XOR result and the second random number to obtain the third random number; it then XORs the third random number with the MS's own IMSI, completing the encryption of the IMSI.

The first sending module 502 is configured to send the IMSI encrypted by the encryption module 501 and the identifier of the HLR to the VLR, so that the IMSI is transmitted over the radio link in ciphertext form and the VLR forwards the encrypted IMSI to the HLR according to the HLR identifier.

After the HLR receives the encrypted IMSI through the VLR, it computes the third random number from the first random number sent by the MS and the second random number it generated itself, XORs the computed third random number with the received encrypted IMSI to obtain the decrypted IMSI, and sends the decrypted IMSI to the VLR, so that the VLR generates the TMSI from the decrypted IMSI.

The mobile station provided in this embodiment can be applied when the user's identity is requested. For example, when the MS registers in the serving network for the first time, or when the serving network interacting with the MS cannot obtain the corresponding IMSI from the MS's TMSI, the method provided in this embodiment can be used to transmit the IMSI in ciphertext form and generate the TMSI.

In this embodiment, the MS performs the authentication operation and the XOR operation on the first random number it generated and the second random number it received to obtain the third random number, XORs the third random number with its own IMSI to complete the encryption of the IMSI, and sends the encrypted IMSI to the HLR through the VLR. After receiving the encrypted IMSI, the HLR computes the third random number from the first random number sent by the MS and the second random number it generated itself, XORs the computed third random number with the received encrypted IMSI to obtain the decrypted IMSI, and sends the decrypted IMSI to the VLR, so that the VLR generates the TMSI from the decrypted IMSI. During TMSI acquisition the IMSI is thus transmitted over the radio link in ciphertext form, which protects the security of the IMSI and also prevents replay attacks. Compared with the scheme for encrypting the IMSI in 3G, the MS provided in this embodiment, which transmits the IMSI in ciphertext form, has a simple structure and can be applied directly to the GSM system without major changes to the GSM system's hardware devices. After the TMSI is obtained, commands exchanged between the VLR and the MS use the TMSI rather than the IMSI, which prevents unauthorized individuals or groups from stealing the MS user's IMSI or tracking the MS user's location by monitoring the signaling exchanged on the radio path.

Embodiment 8

FIG. 8 is a schematic structural diagram of the first embodiment of the home location register. As shown in FIG. 8, the HLR includes a decryption module 601 and a second sending module 602.

The decryption module 601 is configured to decrypt the received encrypted IMSI using the encryption mechanism agreed with the MS, to obtain the decrypted IMSI.

When the encryption module 501 in Embodiment 5 specifically uses the public key of the HLR to encrypt the IMSI, the decryption module 601 correspondingly uses the private key of the HLR to decrypt the received encrypted IMSI, to obtain the decrypted IMSI.

The second sending module 602 is configured to send the decrypted IMSI obtained by the decryption module 601 to the VLR, so that the VLR generates a TMSI from the decrypted IMSI.

In this embodiment, the HLR decrypts the received encrypted IMSI using the encryption mechanism agreed with the MS to obtain the decrypted IMSI, and sends the decrypted IMSI to the VLR so that the VLR generates a TMSI from it. After the TMSI is obtained, command exchange between the VLR and the MS uses the TMSI rather than the IMSI, which prevents unauthorized individuals or groups from stealing the MS user's IMSI or tracking the MS user's location by monitoring signaling exchanges on the radio link.

Embodiment 9

FIG. 9 is a schematic structural diagram of the second embodiment of the home location register. As shown in FIG. 9, the HLR includes a decryption module 601 and a second sending module 602, where the decryption module 601 specifically includes a second negotiating unit 6010, a third encryption unit 6011, a second sending unit 6012 and a first decryption unit 6013.

The second negotiating unit 6010 is configured to negotiate a homomorphic encryption algorithm with the MS.

The structure of the MS in this embodiment is the same as that of the MS in Embodiment 6.

The third encryption unit 6011 is configured to encrypt, using the homomorphic encryption algorithm negotiated by the second negotiating unit 6010, a plurality of random numbers that it selects itself; the number of random numbers is the same as the number of digits of the IMSI.

For example, since the IMSI currently has 15 digits, the third encryption unit 6011 uses the homomorphic encryption algorithm negotiated by the second negotiating unit 6010 to encrypt 15 random numbers $r_1, r_2, \ldots, r_{15}$ that it selects itself, none of which is equal to 0.

Encrypting the 15 random numbers $r_1, r_2, \ldots, r_{15}$ together may make the calculation rather complex. To simplify it, the third encryption unit 6011 can encrypt the 15 random numbers it selected in batches, for example $E(r_1 r_2 r_3) \| E(r_4 r_5 r_6) \| \ldots \| E(r_{13} r_{14} r_{15})$, where $\|$ denotes concatenation.

It should be noted that this embodiment places no limit on the number of batches or on the number of random numbers in each batch.

The second sending unit 6012 is configured to send the plurality of random numbers encrypted by the third encryption unit 6011 to the MS through the VLR.

The first decryption unit 6013 is configured to, after receiving through the VLR the encrypted IMSI sent by the MS, use the properties of the homomorphic encryption algorithm to perform a homomorphic decryption operation on the encrypted IMSI, to obtain the decrypted IMSI.

Continuing the above example, when the first encryption unit 5012 in Embodiment 6 encrypts the IMSI as

$$E(r_1 r_2 r_3)^{a_1 a_2 a_3} \| E(r_4 r_5 r_6)^{a_4 a_5 a_6} \| \ldots \| E(r_{13} r_{14} r_{15})^{a_{13} a_{14} a_{15}},$$

the first decryption unit 6013 uses the property $E(a)^c = E(c \cdot a)$ of the homomorphic encryption algorithm to perform the homomorphic decryption operation, obtaining

$$a_1 a_2 a_3 \cdot r_1 r_2 r_3,\ a_4 a_5 a_6 \cdot r_4 r_5 r_6,\ \ldots,\ a_{13} a_{14} a_{15} \cdot r_{13} r_{14} r_{15},$$

and then obtains $a_1, a_2, \ldots, a_{15}$ by division, which yields the decrypted IMSI.

When the first encryption unit 5012 in Embodiment 6 encrypts the IMSI as

$$E(r_1 r_2 r_3) * E(a_1 a_2 a_3) \| E(r_4 r_5 r_6) * E(a_4 a_5 a_6) \| \ldots \| E(r_{13} r_{14} r_{15}) * E(a_{13} a_{14} a_{15}),$$

the first decryption unit 6013 uses the property $E(a) * E(b) = E(a + b)$ of the homomorphic encryption algorithm to perform the homomorphic decryption operation, obtaining

$$r_1 r_2 r_3 + a_1 a_2 a_3 \| r_4 r_5 r_6 + a_4 a_5 a_6 \| \ldots \| r_{13} r_{14} r_{15} + a_{13} a_{14} a_{15},$$

and then subtracts the 15 random numbers to obtain $a_1, a_2, \ldots, a_{15}$, which yields the decrypted IMSI.

The second sending module 602 is configured to send the decrypted IMSI obtained by the decryption module 601 to the VLR, so that the VLR generates a TMSI from the decrypted IMSI.

In this embodiment, the HLR performs a homomorphic decryption operation on the received encrypted IMSI using the homomorphic encryption algorithm agreed with the MS to obtain the decrypted IMSI, and sends the decrypted IMSI to the VLR so that the VLR generates a TMSI from it. After the TMSI is obtained, command exchange between the VLR and the MS uses the TMSI rather than the IMSI, which prevents unauthorized individuals or groups from stealing the MS user's IMSI or tracking the MS user's location by monitoring signaling exchanges on the radio path.
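The Embodiment 9 exchange carried through end to end, as an added example that is not code from the patent. It assumes Paillier as the homomorphic algorithm (the text leaves the algorithm unnamed; Paillier has both properties quoted above), reads each batch r1r2r3 and a1a2a3 as a three-digit decimal number, and uses a constructed test IMSI; all class and function names are hypothetical.

```python
import secrets
from math import gcd

BATCH = 3  # IMSI digits per ciphertext, as in E(r1r2r3)||E(r4r5r6)||...


def paillier_encrypt(n, m):
    """Public operation: E(m) = (1 + m*n) * s^n mod n^2 with a fresh random s."""
    n2 = n * n
    while True:
        s = secrets.randbelow(n - 1) + 1
        if gcd(s, n) == 1:
            return (1 + m * n) % n2 * pow(s, n, n2) % n2


class ToyPaillierKey:
    """HLR key pair (assumed scheme). These fixed primes are far too small for real use."""

    def __init__(self, p=2**31 - 1, q=2**61 - 1):
        self.n, self.n2 = p * q, (p * q) ** 2
        self._lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
        self._mu = pow(self._lam, -1, self.n)

    def decrypt(self, c):
        return (pow(c, self._lam, self.n2) - 1) // self.n * self._mu % self.n


def split(imsi):
    """IMSI string -> list of batch integers a1a2a3, a4a5a6, ..."""
    if not (imsi.isdigit() and len(imsi) % BATCH == 0):
        raise ValueError("IMSI must be decimal digits in whole batches")
    return [int(imsi[i:i + BATCH]) for i in range(0, len(imsi), BATCH)]


def join(values):
    """Batch integers -> IMSI string; zero-padding keeps batches such as 000 or 010."""
    if any(not 0 <= v < 10 ** BATCH for v in values):
        raise ValueError("decrypted batch is not a valid digit group")
    return "".join(f"{v:0{BATCH}d}" for v in values)


class HLR:
    def __init__(self):
        self.key = ToyPaillierKey()
        self._r = []

    def challenge(self, digits=15):
        """Unit 6011: choose `digits` non-zero random digits and encrypt them in batches."""
        self._r = [int("".join(str(secrets.randbelow(9) + 1) for _ in range(BATCH)))
                   for _ in range(digits // BATCH)]
        return [paillier_encrypt(self.key.n, r) for r in self._r]

    def _plain(self, cts):
        if len(cts) != len(self._r):
            raise ValueError("wrong number of ciphertext batches")
        return [self.key.decrypt(c) for c in cts]

    def decrypt_mul(self, cts):
        """Unit 6013, E(r)^a = E(a*r): decrypt, then divide each batch by its r."""
        pairs = list(zip(self._plain(cts), self._r))
        if any(v % r for v, r in pairs):
            raise ValueError("ciphertext was not built from this challenge")
        return join([v // r for v, r in pairs])

    def decrypt_add(self, cts):
        """Unit 6013, E(r)*E(a) = E(r+a): decrypt, then subtract each batch's r."""
        return join([v - r for v, r in zip(self._plain(cts), self._r)])


def ms_encrypt_mul(imsi, enc_r, n):
    """Unit 5012, first form: raise each E(r) to the matching IMSI batch."""
    return [pow(c, a, n * n) for c, a in zip(enc_r, split(imsi))]


def ms_encrypt_add(imsi, enc_r, n):
    """Unit 5012, second form: multiply each E(r) by a fresh E(a)."""
    return [c * paillier_encrypt(n, a) % (n * n) for c, a in zip(enc_r, split(imsi))]


def run_exchange(imsi, form):
    """HLR -> MS: E(r) batches; MS -> HLR: encrypted IMSI; returns what the HLR recovers."""
    hlr = HLR()
    enc_r = hlr.challenge(len(imsi))
    if form == "mul":
        return hlr.decrypt_mul(ms_encrypt_mul(imsi, enc_r, hlr.key.n))
    return hlr.decrypt_add(ms_encrypt_add(imsi, enc_r, hlr.key.n))


if __name__ == "__main__":
    sample = "001010000456789"  # constructed test IMSI with 001, 010 and 000 batches
    print(run_exchange(sample, "mul"), run_exchange(sample, "add"))
```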

Embodiment 10

FIG. 10 is a schematic structural diagram of the third embodiment of the home location register. As shown in FIG. 10, the HLR includes a decryption module 601 and a second sending module 602, where the decryption module 601 specifically includes a third receiving unit 6014, a third sending unit 6015 and a second decryption unit 6016.

The third receiving unit 6014 is configured to receive, through the VLR, the first random number sent by the MS.

The structure of the MS in this embodiment is the same as that of the MS in Embodiment 7.

The third sending unit 6015 is configured to send the second random number to the MS through the VLR.

The second decryption unit 6016 is configured to calculate a third random number from the first random number and the second random number, and then XOR the calculated third random number with the received encrypted IMSI to obtain the decrypted IMSI.

The second sending module 602 is configured to send the decrypted IMSI obtained by the decryption module 601 to the VLR, so that the VLR generates a TMSI from the decrypted IMSI.

The decryption module 601 further includes a second authentication unit and a second confirmation unit.

The second authentication unit is configured to perform an authentication operation on the first random number and the second random number to obtain a second authentication operation result, and send the second authentication operation result to the MS through the VLR;

it is also configured to receive, through the VLR, the first authentication operation result sent by the MS; the first authentication operation result is obtained by the MS performing an authentication operation on the first random number and the second random number using the same authentication algorithm as the second authentication unit.

The second confirmation unit is configured to, when the first authentication operation result and the second authentication operation result are the same, confirm that the first random number was sent by the MS, and send an authentication success message to the MS.

It should be noted that, before the XOR operation is performed, the random numbers to be XORed need to be converted to binary.

In this embodiment, the HLR XORs the received encrypted IMSI using the XOR encryption mechanism agreed with the MS to obtain the decrypted IMSI, and sends the decrypted IMSI to the VLR so that the VLR generates a TMSI from it. After the TMSI is obtained, command exchange between the VLR and the MS uses the TMSI rather than the IMSI, which prevents unauthorized individuals or groups from stealing the MS's IMSI or tracking the MS user's location by monitoring signaling exchanges on the radio path.

Embodiment 11

FIG. 11 is a schematic structural diagram of the first embodiment of the communication system. As shown in FIG. 11, the system includes an MS 11, a VLR 12 and an HLR 13.

The MS 11 is configured to encrypt the IMSI using the encryption mechanism agreed with the HLR 13, and send the encrypted IMSI to the VLR 12, so that the IMSI is transmitted over the radio link in ciphertext form.

The VLR 12 is configured to, after receiving the encrypted IMSI sent by the MS 11, send the encrypted IMSI to the HLR 13; it is also configured to receive the decrypted IMSI sent by the HLR 13 and generate a TMSI from the decrypted IMSI.

The HLR 13 is configured to decrypt the received encrypted IMSI according to the encryption mechanism agreed with the MS 11, and send the decrypted IMSI to the VLR 12.

Before sending the decrypted IMSI to the VLR, the HLR 13 is further configured to obtain the corresponding master key according to the decrypted IMSI, generate verification information from the master key and a random number that it generates itself, and send the verification information to the VLR;

correspondingly, the VLR verifies the mobile station corresponding to the IMSI according to the verification information, to confirm that the MS corresponding to the IMSI is legitimate.

In this embodiment, the MS encrypts the IMSI using the encryption mechanism agreed with the HLR and sends the encrypted IMSI to the HLR through the VLR. After receiving the encrypted IMSI, the HLR decrypts it according to the agreed encryption mechanism and sends the decrypted IMSI to the VLR, so that the VLR generates a TMSI from it. While the TMSI is being obtained, the IMSI is transmitted over the radio link in ciphertext form, which protects the IMSI. Compared with the scheme for encrypting the IMSI in 3G, the scheme for encrypting the IMSI in this embodiment is simple and can be applied directly to the GSM system without major changes to the GSM system's hardware. After the TMSI is obtained, command exchange between the VLR and the MS uses the TMSI rather than the IMSI, which prevents unauthorized individuals or groups from stealing a mobile subscriber's IMSI or tracking the mobile subscriber's location by monitoring signaling exchanges on the radio path.

A person of ordinary skill in the art can understand that all or part of the steps of the above method embodiments can be implemented by hardware under the control of program instructions. The program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes any medium that can store program code, such as ROM, RAM, a magnetic disk or an optical disc.

Finally, it should be noted that the above embodiments are intended only to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments can still be modified, or some of their technical features can be replaced by equivalents, and that such modifications or replacements do not take the essence of the corresponding technical solutions outside the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (19)

1.一种获取客户临时识别码的方法,其特征在于,所述方法包括:1. A method for obtaining a client temporary identification code, characterized in that the method comprises: 采用与归属位置寄存器商定的加密机制对国际移动用户识别码进行加密;encrypt the IMSI using the encryption mechanism agreed with the HLR; 将加密后的所述国际移动用户识别码通过访问位置寄存器发送给所述归属位置寄存器,以使所述归属位置寄存器根据所述商定的加密机制对加密后的所述国际移动用户识别码进行解密并将解密后的所述国际移动用户识别码发送给所述访问位置寄存器;sending the encrypted IMSI to the HLR through the VLR, so that the HLR decrypts the encrypted IMSI according to the agreed encryption mechanism and sending the decrypted IMSI to the VLR; 接收所述访问位置寄存器根据解密后的所述国际移动用户识别码生成的客户临时识别码。receiving the customer temporary identification code generated by the VLR according to the decrypted international mobile subscriber identification code. 2.根据权利要求1所述的方法,其特征在于,采用与归属位置寄存器商定的加密机制对国际移动用户识别码进行加密,包括:2. The method according to claim 1, wherein the encryption mechanism agreed upon with the HLR is used to encrypt the International Mobile Subscriber Identity code, comprising: 采用所述归属位置寄存器的公钥对所述国际移动用户识别码进行加密;encrypting the IMSI using the public key of the HLR; 相应的,所述归属位置寄存器根据所述商定的加密机制对加密后的所述国际移动用户识别码进行解密,包括:Correspondingly, the HLR decrypts the encrypted IMSI according to the agreed encryption mechanism, including: 所述归属位置寄存器采用私钥对收到的加密后的所述国际移动用户识别码进行解密,得到解密后的所述国际移动用户识别码。The HLR uses the private key to decrypt the received encrypted IMSI to obtain the decrypted IMSI. 3.根据权利要求1所述的方法,其特征在于,采用与归属位置寄存器商定的加密机制对国际移动用户识别码进行加密,包括:3. 
The method according to claim 1, wherein the encryption mechanism agreed upon with the HLR is used to encrypt the International Mobile Subscriber Identity code, comprising: 采用所述归属位置寄存器的公钥对所述国际移动用户识别码和随机数进行加密,所述随机数用于使每次加密后的所述国际移动用户识别码不同;Using the public key of the HLR to encrypt the IMSI and random numbers, the random numbers are used to make the IMSIs different after each encryption; 相应的,所述归属位置寄存器根据所述商定的加密机制对加密后的所述国际移动用户识别码进行解密,包括:Correspondingly, the HLR decrypts the encrypted IMSI according to the agreed encryption mechanism, including: 所述归属位置寄存器采用私钥对收到的加密后的所述国际移动用户识别码和所述随机数进行解密,得到解密后的所述国际移动用户识别码。The HLR uses the private key to decrypt the received encrypted IMSI and the random number to obtain the decrypted IMSI. 4.根据权利要求1所述的方法,其特征在于,所述采用与归属位置寄存器商定的加密机制对国际移动用户识别码进行加密,包括:4. The method according to claim 1, wherein said adopting an encryption mechanism agreed upon with the HLR to encrypt the International Mobile Subscriber Identity code comprises: 与所述归属位置寄存器协商同态加密算法;Negotiating a homomorphic encryption algorithm with the HLR; 通过所述访问位置寄存器接收所述归属位置寄存器发送的采用所述同态加密算法加密的多个随机数;所述随机数的个数与所述国际移动用户识别码的位数相同;Receive a plurality of random numbers encrypted by the homomorphic encryption algorithm sent by the home location register through the visitor location register; the number of the random numbers is the same as the number of digits of the international mobile subscriber identification code; 通过所述访问位置寄存器收到所述加密的多个随机数后,采用所述国际移动用户识别码对所述加密的多个随机数进行同态加密运算,得到加密后的所述国际移动用户识别码;After receiving the encrypted multiple random numbers through the visitor location register, use the international mobile subscriber identification code to perform a homomorphic encryption operation on the encrypted multiple random numbers to obtain the encrypted international mobile subscriber Identifier; 相应的,所述归属位置寄存器根据所述商定的加密机制对加密后的所述国际移动用户识别码进行解密,包括:Correspondingly, the HLR decrypts the encrypted IMSI according to the agreed encryption mechanism, including: 
所述归属位置寄存器对加密后的所述国际移动用户识别码进行同态解密运算,得到解密后的所述国际移动用户识别码。The HLR performs a homomorphic decryption operation on the encrypted IMSI to obtain the decrypted IMSI. 5.根据权利要求1所述的方法,其特征在于,所述采用与归属位置寄存器商定的加密机制对国际移动用户识别码进行加密,包括:5. The method according to claim 1, wherein said adopting an encryption mechanism agreed upon with the HLR to encrypt the International Mobile Subscriber Identity code comprises: 通过所述访问位置寄存器向所述归属位置寄存器发送第一随机数,并通过所述访问位置寄存器接收所述归属位置寄存器发送的第二随机数;sending a first random number to the home location register through the visitor location register, and receiving a second random number sent by the home location register through the visitor location register; 对所述第一随机数和所述第二随机数进行认证运算和异或运算,得到第三随机数;将所述第三随机数与所述国际移动用户识别码进行异或运算,得到加密后的所述国际移动用户识别码;performing an authentication operation and an XOR operation on the first random number and the second random number to obtain a third random number; performing an XOR operation on the third random number and the International Mobile Subscriber Identity Code to obtain an encrypted said International Mobile Subscriber Identity after 相应的,所述归属位置寄存器根据所述商定的加密机制对加密后的所述国际移动用户识别码进行解密,包括:Correspondingly, the HLR decrypts the encrypted IMSI according to the agreed encryption mechanism, including: 所述归属位置寄存器根据收到的所述第一随机数和所述第二随机数计算出第三随机数,然后将计算出的所述第三随机数和收到的加密后的所述国际移动用户识别码进行异或运算,得到解密后的所述国际移动用户识别码。The home location register calculates a third random number according to the received first random number and the second random number, and then combines the calculated third random number with the received encrypted international Exclusive OR operation is performed on the mobile subscriber identification code to obtain the decrypted international mobile subscriber identification code. 6.根据权利要求5所述的方法,其特征在于,所述通过所述访问位置寄存器向所述归属位置寄存器发送第一随机数,并通过所述访问位置寄存器接收所述归属位置寄存器发送的第二随机数之后,所述将所述第一随机数和所述第二随机数进行认证运算和异或运算之前,还包括:6. 
The method according to claim 5, characterized in that, sending the first random number to the HLR through the VLR, and receiving the random number sent by the HLR through the VLR After the second random number, before performing the authentication operation and XOR operation on the first random number and the second random number, it also includes: 对所述第一随机数和所述第二随机数进行认证运算,得到第一认证运算结果,将所述第一认证运算结果通过所述访问位置寄存器发送给所述归属位置寄存器;performing an authentication operation on the first random number and the second random number to obtain a first authentication operation result, and sending the first authentication operation result to the home location register through the VLR; 通过所述访问位置寄存器接收所述归属位置寄存器发送的第二认证运算结果,所述第二认证运算结果为所述归属位置寄存器对所述第一随机数和所述第二随计数进行认证运算得到的;Receive a second authentication operation result sent by the HLR through the VLR, and the second authentication operation result is an authentication operation performed by the HLR on the first random number and the second random number owned; 当所述第一认证运算结果和第二认证运算结果相同时,确认所述第二随机数是所述归属位置寄存器发送的。When the first authentication operation result is the same as the second authentication operation result, confirm that the second random number is sent by the HLR. 7.根据权利要求1-6任一项所述的方法,其特征在于,所述将解密后的所述国际移动用户识别码发送给所述访问位置寄存器之前,还包括:7. 
The method according to any one of claims 1-6, wherein, before sending the decrypted IMSI to the VLR, further comprising: 所述归属位置寄存器根据解密后的所述国际移动用户识别码获取对应的主密钥;The HLR acquires the corresponding master key according to the decrypted IMSI; 根据所述主密钥和随机数生成认证信息,并将所述认证信息发送给所述访问位置寄存器,使所述访问位置寄存器根据所述认证信息验证所述国际移动用户识别码对应的移动台是否合法,如果合法,执行将解密后的所述国际移动用户识别码发送给所述访问位置寄存器的步骤。Generate authentication information according to the master key and a random number, and send the authentication information to the visitor location register, so that the visitor location register verifies the mobile station corresponding to the international mobile subscriber identity code according to the authentication information Whether it is legal, if legal, execute the step of sending the decrypted IMSI to the VLR. 8.一种移动台,其特征在于,所述移动台包括:加密模块和第一发送模块;8. A mobile station, characterized in that the mobile station comprises: an encryption module and a first sending module; 所述加密模块,用于采用与归属位置寄存器商定的加密机制对国际移动用户识别码进行加密;The encryption module is used to encrypt the International Mobile Subscriber Identity code using the encryption mechanism agreed with the HLR; 所述第一发送模块,用于将所述加密模块加密后的所述国际移动用户识别码通过访问位置寄存器发送给所述归属位置寄存器,以使所述归属位置寄存器根据所述商定的加密机制对加密后的所述国际移动用户识别码进行解密并将解密后的所述国际移动用户识别码发送给所述访问位置寄存器。The first sending module is configured to send the IMSI code encrypted by the encryption module to the home location register through the visitor location register, so that the home location register according to the agreed encryption mechanism Decrypting the encrypted IMSI and sending the decrypted IMSI to the VLR. 9.根据权利要求8所述的移动台,其特征在于,所述加密模块具体用于采用所述归属位置寄存器的公钥对所述国际移动用户识别码进行加密。9. The mobile station according to claim 8, wherein the encryption module is specifically configured to encrypt the International Mobile Subscriber Identity code by using the public key of the HLR. 10.根据权利要求8所述的移动台,其特征在于,所述加密模块具体用于采用所述归属位置寄存器的公钥对所述国际移动用户识别码和随机数进行加密,所述随机数用于使每次加密后的所述国际移动用户识别码不同。10. 
The mobile station according to claim 8, wherein the encryption module is specifically configured to encrypt the International Mobile Subscriber Identity code and the random number by using the public key of the HLR, and the random number It is used to make the IMSI after each encryption different. 11.根据权利要求8所述的移动台,其特征在于,所述加密模块,包括:第一协商单元、第一接收单元和第一加密单元;11. The mobile station according to claim 8, wherein the encryption module comprises: a first negotiation unit, a first receiving unit, and a first encryption unit; 所述第一协商单元,用于与所述归属位置寄存器协商同态加密算法;The first negotiating unit is configured to negotiate a homomorphic encryption algorithm with the home location register; 所述第一接收单元,用于通过所述访问位置寄存器接收所述归属位置寄存器发送的采用所述同态加密算法加密的多个随机数,所述随机数的个数与所述国际移动用户识别码的位数相同;The first receiving unit is configured to receive a plurality of random numbers encrypted by the homomorphic encryption algorithm sent by the home location register through the visitor location register, and the number of the random numbers is the same as that of the international mobile subscriber The number of digits of the identification code is the same; 所述第一加密单元,用于在所述第一接收单元收到所述加密的多个随机数后,采用所述国际移动用户识别码对所述加密的多个随机数进行同态加密运算,得到加密后的所述国际移动用户识别码。The first encryption unit is configured to perform a homomorphic encryption operation on the encrypted random numbers by using the International Mobile Subscriber Identity Code after the first receiving unit receives the encrypted random numbers , to obtain the encrypted International Mobile Subscriber Identity code. 12.根据权利要求8所述的移动台,其特征在于,所述加密模块,包括:第一发送单元,第二接收单元和第二加密单元;12. 
The mobile station according to claim 8, wherein the encryption module comprises: a first sending unit, a second receiving unit and a second encrypting unit; 所述第一发送单元,用于通过所述访问位置寄存器向所述归属位置寄存器发送第一随机数;The first sending unit is configured to send a first random number to the home location register through the visitor location register; 所述第二接收单元,用于通过所述访问位置寄存器接收所述归属位置寄存器发送的第二随机数;The second receiving unit is configured to receive the second random number sent by the HLR through the VLR; 所述第二加密单元,用于对所述第一随机数和所述第二随机数进行认证运算和异或运算,得到第三随机数,将所述第三随机数再与国际移动用户识别码进行异或运算,得到加密后的所述国际移动用户识别码。The second encryption unit is configured to perform an authentication operation and an XOR operation on the first random number and the second random number to obtain a third random number, and then identify the third random number with an international mobile user The XOR operation is performed on the code to obtain the encrypted International Mobile Subscriber Identity code. 13.根据权利要求12所述的移动台,其特征在于,所述加密模块还包括:第一认证单元和第一确认单元;13. 
The mobile station according to claim 12, wherein the encryption module further comprises: a first authentication unit and a first confirmation unit; 所述第一认证单元,用于对所述第一随机数和所述第二随机数进行认证运算,得到第一认证运算结果,将所述第一认证运算结果通过所述访问位置寄存器发送给所述归属位置寄存器;The first authentication unit is configured to perform an authentication operation on the first random number and the second random number to obtain a first authentication operation result, and send the first authentication operation result to the said home location register; 所述第一认证单元,还用于通过所述访问位置寄存器接收所述归属位置寄存器发送的第二认证运算结果,所述第二认证运算结果为所述归属位置寄存器对所述第一随机数和所述第二随机数进行认证运算得到的;The first authentication unit is further configured to receive a second authentication operation result sent by the home location register through the visitor location register, and the second authentication operation result is the first random number paired by the home location register obtained by performing an authentication operation with the second random number; 第一确认单元,用于当所述第一认证运算结果和第二认证运算结果相同时,确认所述第二随机数是所述归属位置寄存器发送的,触发所述第二加密单元。The first confirmation unit is configured to confirm that the second random number is sent by the HLR when the first authentication operation result is the same as the second authentication operation result, and trigger the second encryption unit. 14.一种归属位置寄存器,其特征在于,所述归属位置寄存器包括:解密模块和第二发送模块;14. 
A home location register, characterized in that the home location register comprises: a decryption module and a second sending module; 所述解密模块,用于采用与移动台商定的加密机制对收到的加密后的国际移动用户识别码进行解密,得到解密后的所述国际移动用户识别码;The decryption module is used to decrypt the received encrypted IMSI by adopting an encryption mechanism agreed with the mobile station to obtain the decrypted IMSI; 第二发送模块,用于将所述解密模块得到的解密后的所述国际移动用户识别码发送给访问位置寄存器,以使所述访问位置寄存器根据解密后的所述国际移动用户识别码生成客户临时识别码。The second sending module is used to send the decrypted international mobile subscriber identification code obtained by the decryption module to the visitor location register, so that the visitor location register generates a client according to the decrypted international mobile subscriber identity code. Temporary ID. 15.根据权利要求14所述的归属位置寄存器,其特征在于,所述解密模块具体用于采用私钥对收到的加密后的所述国际移动用户识别码进行解密,得到解密后的所述国际移动用户识别码。15. The home location register according to claim 14, wherein the decryption module is specifically configured to use a private key to decrypt the received encrypted IMSI to obtain the decrypted International Mobile Subscriber Identity. 16.根据权利要求14所述的归属位置寄存器,其特征在于,所述解密模块包括:第二协商单元、第三加密单元、第二发送单元和第一解密单元;16. 
The home location register according to claim 14, wherein the decryption module comprises: a second negotiation unit, a third encryption unit, a second sending unit, and a first decryption unit; 所述第二协商单元,用于与所述移动台协商同态加密算法;The second negotiating unit is configured to negotiate a homomorphic encryption algorithm with the mobile station; 所述第三加密单元,用于采用所述第二协商单元协商的同态加密算法加密多个随机数;The third encryption unit is configured to encrypt multiple random numbers using the homomorphic encryption algorithm negotiated by the second negotiation unit; 所述第二发送单元,用于将所述第三加密单元加密后的多个随机数通过所述访问位置寄存器发送给所述移动台,供所述移动台利用所述多个随机数对所述国际移动用户识别码进行加密;The second sending unit is configured to send the plurality of random numbers encrypted by the third encryption unit to the mobile station through the visitor location register, so that the mobile station can use the plurality of random numbers to Encrypt the above-mentioned International Mobile Subscriber Identity; 所述第一解密单元,用于采用所述第二协商单元协商的同态加密算法对收到的加密后的所述国际移动用户识别码进行同态解密运算,得到解密后的所述国际移动用户识别码。The first decryption unit is configured to use the homomorphic encryption algorithm negotiated by the second negotiation unit to perform a homomorphic decryption operation on the received encrypted IMSID to obtain the decrypted IMSID. User ID. 17.根据权利要求14所述的归属位置寄存器,其特征在于,所述解密模块包括:第三接收单元、第三发送单元和第二解密单元;17. 
The home location register according to claim 14, wherein the decryption module comprises: a third receiving unit, a third sending unit and a second decryption unit; the third receiving unit is configured to receive, through the visitor location register, the first random number sent by the mobile station; the third sending unit is configured to send a second random number to the mobile station through the visitor location register; the second decryption unit is configured to calculate a third random number according to the first random number and the second random number, and then perform an exclusive-OR operation on the calculated third random number and the received encrypted international mobile subscriber identity (IMSI) to obtain the decrypted IMSI.
18. The home location register according to claim 17, wherein the decryption module further comprises: a second authentication unit and a second confirmation unit; the second authentication unit is configured to receive, through the visitor location register, a first authentication operation result sent by the mobile station, the first authentication operation result being obtained by the mobile station performing an authentication operation on the first random number and the second random number; the second authentication unit is further configured to perform an authentication operation on the first random number and the second random number to obtain a second authentication operation result, and to send the second authentication operation result to the mobile station through the visitor location register; the second confirmation unit is configured to confirm, when the first authentication operation result and the second authentication operation result are the same, that the first random number was sent by the mobile station, and to send an authentication success message to the mobile station.
19. A communication system, characterized in that the system comprises: the mobile station according to any one of claims 8-13, a visitor location register and a home location register; the visitor location register is configured to send the encrypted IMSI to the home location register after receiving the encrypted IMSI sent by the mobile station, and is further configured to receive the decrypted IMSI sent by the home location register and to generate a temporary mobile subscriber identity (TMSI) according to the decrypted IMSI; the home location register is configured to decrypt the received encrypted IMSI according to the encryption mechanism agreed with the mobile station, and to send the decrypted IMSI to the visitor location register.
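The exchange in claims 17 to 19, as an added example that is not part of the patent text: the mobile station masks the IMSI with a third random number derived from the two exchanged random numbers, and the home location register checks the authentication result before unmasking. The claims do not define the derivation or the authentication operation, so HMAC-SHA256 under a constructed `AGREED_SECRET`, the simplified BCD encoding and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: stands in for the "agreed encryption mechanism"; constructed value.
AGREED_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")

def imsi_to_bytes(imsi: str) -> bytes:
    """Pack 6-15 decimal digits into 8 bytes, padding with 0xF nibbles (simplified BCD)."""
    if not (imsi.isascii() and imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError("IMSI must be 6-15 decimal digits")
    return bytes.fromhex(imsi.ljust(16, "f"))

def bytes_to_imsi(raw: bytes) -> str:
    digits = raw.hex().rstrip("f")
    if not digits.isdigit():
        raise ValueError("unmasked value is not a valid IMSI")
    return digits

def third_random(r1: bytes, r2: bytes) -> bytes:
    """Third random number from the first and second (assumed keyed derivation)."""
    return hmac.new(AGREED_SECRET, b"mask" + r1 + r2, hashlib.sha256).digest()[:8]

def auth_result(r1: bytes, r2: bytes) -> bytes:
    """Authentication operation over both random numbers (assumed HMAC)."""
    return hmac.new(AGREED_SECRET, b"auth" + r1 + r2, hashlib.sha256).digest()[:4]

def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))

def ms_encrypt(imsi: str, r1: bytes, r2: bytes) -> bytes:
    """Mobile station side: XOR the encoded IMSI with the third random number."""
    return xor(imsi_to_bytes(imsi), third_random(r1, r2))

def hlr_decrypt(enc: bytes, r1: bytes, r2: bytes, ms_auth: bytes) -> str:
    """HLR side: compare authentication results (claim 18), then unmask (claim 17)."""
    if not hmac.compare_digest(ms_auth, auth_result(r1, r2)):
        raise PermissionError("authentication results differ; r1 not accepted")
    return bytes_to_imsi(xor(enc, third_random(r1, r2)))

def run_exchange(imsi: str):
    r1 = secrets.token_bytes(16)   # MS -> VLR -> HLR
    r2 = secrets.token_bytes(16)   # HLR -> VLR -> MS
    enc = ms_encrypt(imsi, r1, r2) # only this masked value crosses the air interface
    return enc, hlr_decrypt(enc, r1, r2, auth_result(r1, r2))
```

Because the mask depends on fresh random numbers from both sides, the same IMSI produces a different ciphertext on each run; XOR alone gives no integrity, which is why the authentication comparison comes first.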
CN2010101221018A 2010-03-09 2010-03-09 Method for acquiring TMSI (Temporary Mobile Subscriber Identity), mobile station, home location register and communication system Expired - Fee Related CN101808313B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010101221018A CN101808313B (en) 2010-03-09 2010-03-09 Method for acquiring TMSI (Temporary Mobile Subscriber Identity), mobile station, home location register and communication system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2010101221018A CN101808313B (en) 2010-03-09 2010-03-09 Method for acquiring TMSI (Temporary Mobile Subscriber Identity), mobile station, home location register and communication system

Publications (2)

Publication Number Publication Date
CN101808313A true CN101808313A (en) 2010-08-18
CN101808313B CN101808313B (en) 2012-11-21

Family

ID=42609887

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010101221018A Expired - Fee Related CN101808313B (en) 2010-03-09 2010-03-09 Method for acquiring TMSI (Temporary Mobile Subscriber Identity), mobile station, home location register and communication system

Country Status (1)

Country Link
CN (1) CN101808313B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1111952A2 (en) * 1999-12-22 2001-06-27 Nokia Corporation Method for transmitting an encryption number in a communication system and a communication system
CN1790984A (en) * 2004-12-14 2006-06-21 中兴通讯股份有限公司 User identity secret-keeping method in communication system
CN101365219A (en) * 2007-08-09 2009-02-11 展讯通信(上海)有限公司 Mobile phone register method, mobile phone teminal processing method and network side processing method
CN102111760A (en) * 2009-12-28 2011-06-29 北京安码科技有限公司 Method for promoting safety of international mobile subscriber identity (IMSI)

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102131188A (en) * 2010-09-01 2011-07-20 华为技术有限公司 Method for transmitting user identity information, user equipment, network side equipment and system
WO2011147364A1 (en) * 2010-09-01 2011-12-01 华为技术有限公司 User identity information transmission method, and user equipment, web side equipment and system
CN102131188B (en) * 2010-09-01 2013-12-04 华为技术有限公司 Method and system for transmitting user identity information as well as user equipment and network side equipment
CN101969638A (en) * 2010-09-30 2011-02-09 中国科学院软件研究所 Method for protecting international mobile subscriber identity (IMSI) in mobile communication
CN101969638B (en) * 2010-09-30 2013-08-14 中国科学院软件研究所 Method for protecting international mobile subscriber identity (IMSI) in mobile communication
CN102932318A (en) * 2011-08-10 2013-02-13 华为技术有限公司 Verification method for bidirectional forwarding detection session and node
CN104270737B (en) * 2014-10-17 2018-07-03 中国联合网络通信集团有限公司 The guard method of IMSI and device
CN104270737A (en) * 2014-10-17 2015-01-07 中国联合网络通信集团有限公司 IMSI protection method and device
CN105208552A (en) * 2015-09-06 2015-12-30 集怡嘉数码科技(深圳)有限公司 Realization method for binding of mobile terminal and smart card
CN109691058A (en) * 2016-07-18 2019-04-26 瑞典爱立信有限公司 User equipment-related operations using secret identifiers
US11870765B2 (en) 2016-07-18 2024-01-09 Telefonaktiebolaget Lm Ericsson (Publ) Operation related to user equipment using secret identifier
US11539683B2 (en) 2016-07-18 2022-12-27 Telefonaktiebolaget Lm Ericsson (Publ) Operation related to user equipment using secret identifier
JP7053814B2 (en) 2017-10-13 2022-04-12 クアルコム,インコーポレイテッド Transferring protection configuration data from your home mobile network
JP2020537413A (en) * 2017-10-13 2020-12-17 クアルコム,インコーポレイテッド Transferring protection configuration data from your home mobile network
CN111246464A (en) * 2018-11-29 2020-06-05 中国电信股份有限公司 Identity authentication method, device and system, and computer readable storage medium
CN111246464B (en) * 2018-11-29 2023-04-07 中国电信股份有限公司 Identity authentication method, device and system, and computer readable storage medium
CN110933670A (en) * 2019-11-28 2020-03-27 楚天龙股份有限公司 Security USIM card for realizing main authentication enhancement and main authentication method of terminal
WO2021169080A1 (en) * 2020-02-27 2021-09-02 南京红阵网络安全技术研究院有限公司 Mimicry defense decision method and system based on partial homomorphic encryption algorithm
CN110995409B (en) * 2020-02-27 2020-06-23 南京红阵网络安全技术研究院有限公司 Mimicry defense arbitration method and system based on partial homomorphic encryption algorithm
CN110995409A (en) * 2020-02-27 2020-04-10 南京红阵网络安全技术研究院有限公司 Mimicry defense arbitration method and system based on partial homomorphic encryption algorithm

Also Published As

Publication number Publication date
CN101808313B (en) 2012-11-21

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20171207

Address after: 225327 Mingzhu Avenue, Yongan Town, Taizhou City, Jiangsu Province, No. 108

Patentee after: Wei Liqiang

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20180102

Address after: 300000 Tianjin Jixian County economic development zone and Tianjin Special Automobile Industrial Park

Patentee after: Tianjin China boson new materials Co.,Ltd.

Address before: 225327 Mingzhu Avenue, Yongan Town, Taizhou City, Jiangsu Province, No. 108

Patentee before: Wei Liqiang

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20121121