CN102918878A - Method and apparatus for message transmission - Google Patents
- Publication number
- CN102918878A
- Authority
- CN
- China
- Prior art keywords
- user
- user equipment
- imsi
- message
- binding
- Prior art date
- Legal status
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W8/00—Network data management
- H04W8/02—Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks
- H04W8/08—Mobility data transfer
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/062—Pre-authentication
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Databases & Information Systems (AREA)
- Computer Security & Cryptography (AREA)
- Mobile Radio Communication Systems (AREA)
- Telephonic Communication Services (AREA)
Abstract
A method and an apparatus for message transmission, which relate to the communications field, are provided in the embodiments of the present invention. The method includes: receiving an authentication request from a first user equipment, and transmitting, according to a first User Identifier (UID), an authentication request for user binding to a Home Subscriber Server (HSS) for the first user, in order that the HSS for the first user judges, according to a saved binding relationship between an International Mobile Subscriber Identity (IMSI) and the UID, whether a binding relationship between the IMSI of the first user equipment and the first UID is legal; and if the HSS for the first user determines that the binding relationship between the IMSI of the first user equipment and the first UID is legal, downloading the binding relationship between the IMSI of the first user equipment and the first UID from the HSS for the first user, and after establishing communications between the first user equipment and a second user equipment, transmitting a message satisfying the downloaded binding relationship to the second user equipment when receiving the message from the first user equipment. In the present invention, fabrication of the UID in the data transmission procedure is prevented, and the security of the data transmission is enhanced.
Description
Message sending method and device
Technical field
The present invention relates to the field of communications, and in particular, to a method and an apparatus for sending a message.
Background
With the advent of a large number of mobile devices on the internet, it has become common for a single user to have multiple devices. In order to solve the problems of mobility, multi-homing, security, etc. of the internet, a user identification and address separation scheme, UIP (User Identifier Protocol), is proposed, which divides the network into multiple domains and introduces two global-scope services, namely a mapping service from user identifier to address, and a data encapsulation/decapsulation service at the domain exit routers. Under the UIP architecture, every access user is allocated a unique user identifier; the two communicating parties establish a connection by their respective user identifiers, the address of the opposite end is obtained by a mapping query, and the transmission of the data message is realized through encapsulation/decapsulation at the domain exit router. The scheme overcomes the limitation of current internet communication being bound to addresses or devices, and can well solve the problems of mobility, multi-homing, a single user with multiple devices, and the like.
In carrying out the invention, the inventors have found that the prior art has at least the following problems:
In the prior art, UIP deployed in an LTE (Long Term Evolution) architecture cannot prevent counterfeiting of the user identifier during communication. Because the network does not authenticate the user identifier, an attacker can arbitrarily send messages with a forged user identifier to achieve identity impersonation, and network attacks are implemented on that basis, causing serious consequences; the security is therefore low.
Disclosure of Invention
In order to improve the safety of data transmission, the embodiment of the invention provides a message sending method and device. The technical scheme is as follows:
A message sending method comprises the following steps:
Receiving an authentication request from first user equipment, wherein the authentication request carries an International Mobile Subscriber Identity (IMSI) of the first user equipment and a first user identifier, and the first user identifier is used for identifying a first user using the first user equipment;
According to the first user identifier, a user binding authentication request is sent to a Home Subscriber Server (HSS) of the first user, so that the HSS of the first user judges whether the binding relationship between the IMSI of the first user equipment and the first user identifier is legal or not according to the stored binding relationship between the IMSI and the user identifier; the user binding authentication request carries the IMSI and a first user identifier of the user equipment;
when the HSS of the first user determines that the binding relation between the IMSI of the first user equipment and the first user identifier is legal, the binding relation between the IMSI of the first user equipment and the first user identifier is downloaded from the HSS of the first user, and after the communication between the first user equipment and the second user equipment is established, when a message from the first user equipment is received, the message conforming to the downloaded binding relation is sent to the second user equipment.
A message sending method comprises the following steps:
Receiving a user binding authentication request from an MME; the authentication request carries the IMSI of the first user equipment and a first user identification;
judging whether the binding relationship between the IMSI of the first user equipment and the first user identifier is legal or not according to the binding relationship between the IMSI and the user identifier stored locally;
and if so, downloading the binding relation between the IMSI of the first user equipment and the first user identification to the MME, so that when the MME receives the message from the first user equipment after the communication between the first user equipment and the second user equipment is established, the message conforming to the downloaded binding relation is sent to the second user equipment.
A network side device, comprising:
the device comprises a receiving module, a receiving module and a processing module, wherein the receiving module is used for receiving an authentication request from first user equipment, the authentication request carries an International Mobile Subscriber Identity (IMSI) of the first user equipment and a first user identifier, and the first user identifier is used for identifying a first user using the first user equipment;
A user binding authentication request sending module, configured to send a user binding authentication request to a home subscriber server HSS of the first user according to the first user identifier, so that the HSS of the first user determines, according to a stored binding relationship between the IMSI and the user identifier, whether the binding relationship between the IMSI of the first user device and the first user identifier is legal; the user binding authentication request carries the IMSI and a first user identifier of the user equipment;
A downloading module, configured to, when the HSS of the first user determines that a binding relationship between the IMSI of the first user equipment and the first user identifier is legal, download, from the HSS of the first user, a binding relationship between the IMSI of the first user equipment and the first user identifier;
the communication establishing module is used for establishing communication between the first user equipment and the second user equipment;
and the message processing module is used for sending the message conforming to the downloaded binding relation to the second user equipment when receiving the message from the first user equipment after the first user equipment and the second user equipment establish communication.
A network side server, comprising:
A receiving module, configured to receive a user binding authentication request from an MME; the authentication request carries the IMSI and the first user identifier of the first user equipment;
A judging module, configured to judge whether the binding relationship between the IMSI of the first user equipment and the first user identifier is legal or not according to the binding relationship between the IMSI and the user identifier which is stored locally;
And the downloading module is used for downloading the binding relation between the IMSI of the first user equipment and the first user identifier to the MME if the judging result of the judging module is that the binding relation between the IMSI of the first user equipment and the first user identifier is legal, so that when the MME receives a message from the first user equipment after the communication between the first user equipment and the second user equipment is established, the message conforming to the downloaded binding relation is sent to the second user equipment.
The technical scheme provided by the embodiment of the invention has the beneficial effects that:
The binding authentication is carried out on the user equipment according to the pre-stored binding relationship between the user equipment and the user, and when the binding relationship authentication of the user equipment is legal, the validity of the message is checked by utilizing the binding relationship, and the message conforming to the binding relationship is sent to the destination equipment, so that counterfeiting of the user identifier in the data transmission process is prevented, and the safety of the data transmission is improved.
Drawings
Fig. 1 is a flowchart of a message sending method provided in embodiment 1 of the present invention;
fig. 2 is a flowchart of a message sending method provided in embodiment 1 of the present invention;
fig. 3 is a flowchart of a message sending method provided in embodiment 1 of the present invention;
fig. 4 is a schematic structural diagram of a network side device according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a network side device according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a network side device according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a network side device according to an embodiment of the present invention;
fig. 8 is a schematic structural diagram of a network side server according to an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of a network side server according to an embodiment of the present invention;
fig. 10 is a schematic structural diagram of a network side server according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the embodiments of the present invention will be described in further detail with reference to the accompanying drawings.
Fig. 1 is a flowchart of a method for sending a message according to an embodiment of the present invention. In an LTE network, the execution body of this embodiment is the MME. Referring to fig. 1, the method includes:
101. receiving an authentication request from a first user equipment, wherein the authentication request carries an IMSI (International Mobile Subscriber Identity ) of the first user equipment and a first user identification, and the first user identification is used for identifying a first user using the first user equipment;
In this embodiment, each user in the network is assigned a globally unique user identifier, the UID (User Identifier), for identifying the user's identity, and each UIP-enabled user equipment stores the identity of its user, i.e., the UID of the user. The UID can be pre-written into the SIM card of the user equipment, or can be manually configured into the user equipment by the user. The present invention uses the IMSI (International Mobile Subscriber Identity) of the mobile communications network to identify the user equipment. The user equipment may be a mobile terminal in the network, an entity with communication functionality, etc. The LTE network of this embodiment includes: a first user equipment being used by a first user, a second user equipment being used by a second user, and an MME for relaying. Before step 101, and before communication is established between the first user equipment and the second user equipment, the first user equipment needs to be authenticated by the MME, so as to improve the security of message transmission and prevent counterfeiting of the user identifier in the data transmission process.
102. According to the first user identifier, a user binding authentication request is sent to an HSS (Home Subscriber Server, home user server) of the first user, so that the HSS of the first user judges whether the binding relationship between the IMSI of the first user equipment and the first user identifier is legal or not according to the stored binding relationship between the IMSI and the user identifier; the user binding authentication request carries the IMSI and the first user identifier of the user equipment;
under the LTE architecture, each user corresponds to one HSS, and the HSS of the user may be the HSS to which a device owned by the user belongs.
In this embodiment, the MME queries, according to the first user identifier, the HSS corresponding to the first user identifier to obtain the HSS of the first user. The HSS of the first user stores the binding relationship between the user identifier UID and the IMSI; a single user may bind multiple user devices at the same time, that is, one user identifier UID may correspond to multiple IMSIs. The binding relationship is static and can be established offline. Preferably, the binding relationship between the UID and the IMSI of the user equipment is stored in a user binding table in the embodiment of the present invention, see table 1. Table 1 is an example of the user binding table: UID A corresponds to a plurality of devices, and is shown in table 1 as corresponding to IMSI A1, IMSI B1, and the like.
TABLE 1
It should be noted that the HSS also maintains a mapping relationship between each user and the currently used user equipment, i.e. a mapping relationship between UID and IMSI. A single subscriber may map to multiple devices simultaneously, i.e., one UID may correspond to multiple IMSIs. Further, the mapping may be dynamically updated when the user switches the user equipment in use. Preferably, the mapping relation between the UID and the IMSI of the currently used user equipment is stored in a user mapping table in the embodiment of the present invention; referring to table 2, table 2 is an example of the user mapping table, where UID A corresponds to one device, UID B corresponds to a plurality of devices, and UID B is shown in table 1 as IMSI B1 and IMSI B2.
TABLE 2
103. When the HSS of the first user determines that the binding relation between the IMSI of the first user equipment and the first user identifier is legal, the binding relation between the IMSI of the first user equipment and the first user identifier is downloaded from the HSS of the first user, and after the communication between the first user equipment and the second user equipment is established, when a message from the first user equipment is received, the message conforming to the downloaded binding relation is sent to the second user equipment.
According to the method provided by the embodiment, the user equipment is bound and authenticated according to the pre-stored binding relation between the user equipment and the user, and when the binding relation authentication of the user equipment is legal, the validity of the message is checked by utilizing the binding relation, the message conforming to the binding relation is sent to the target equipment, so that the occurrence of counterfeiting of the user identification in the data transmission process is prevented, and the safety of the data transmission is improved.
Fig. 2 is a flowchart of a method for sending a message according to an embodiment of the present invention. The interaction body of the embodiment is a first user equipment which is used by a first user, a HSS of the first user, a second user equipment which is used by a second user, a HSS of the second user, and a source MME. Referring to fig. 2, this embodiment includes:
201. The method comprises the steps that first user equipment sends an authentication request to a source MME, wherein the authentication request carries an International Mobile Subscriber Identity (IMSI) of the first user equipment and a first user identifier, and the first user identifier is used for identifying a first user using the first user equipment;
In the embodiment of the invention, when authenticating the user equipment, the authentication request is added with a first user identifier, and the MME uses the first user identifier and the IMSI of the first user equipment to perform binding authentication on the first user equipment. In the sending process, a new field can be added in the authentication request message, and the UID and the IMSI are placed in the new field of the authentication request message; the UID and the IMSI can be implicitly uploaded, some appointed characters are uploaded, and finally the HSS performs calculation of a preset algorithm according to the appointed characters to obtain the final IMSI and the final UID.
202. The MME receives an authentication request from first user equipment; the authentication request carries an International Mobile Subscriber Identity (IMSI) of the first user equipment and a first user identifier, wherein the first user identifier is used for identifying a first user using the first user equipment;
203. MME sends a user binding authentication request to a home subscriber server HSS of the first user according to the first user identifier; the user binding authentication request carries the IMSI and the first user identifier of the user equipment;
Those skilled in the art will appreciate that the MME has a local store of user identifiers and their mapping to their respective HSSs.
204. The HSS of the first user receives the user binding authentication request and judges whether the binding relationship between the IMSI of the first user equipment and the first user identifier is legal or not according to the stored binding relationship between the IMSI and the user identifier;
In this embodiment, the HSS has a function of storing a user binding relationship and a user mapping relationship. Each HSS stores a static user binding table for the user belonging to the HSS, the user binding table comprises a binding relation between the user and user equipment, and simultaneously stores and correctly maintains a user mapping table, and the user mapping table comprises a mapping relation between the user and the user equipment used by the user.
205. The HSS of the first user feeds back a judging result to the MME;
in this embodiment, if the binding is legal, an authentication success message is returned; otherwise, an authentication failure message is returned and the authentication flow is terminated;
206. When the judging result is that the binding relationship is legal, the MME downloads the binding relationship between the IMSI of the first user equipment and the first user identifier from the HSS of the first user;
207. The MME continues the subsequent flow of the EPC-AKA authentication protocol, namely, it requests authentication data from the HSS of the user equipment and completes the challenge-response and key negotiation with the user equipment;
The embodiment of the invention adds a process of binding authentication to the user in the authentication flow, and the authentication is completed among the user equipment, the local MME, the user HSS and the HSS of the equipment currently used by the user.
In this embodiment, relative to the LTE architecture, in the process of user binding authentication, the user equipment carries the UID of the user in the authentication request message, and when the MME receives the authentication request, the MME sends the user binding authentication message to the user HSS; the user HSS inquires a local user binding table according to the user UID, judges the binding relation between the received UID and the IMSI, returns a judging result to the MME, and downloads the binding relation by the MME/SGW where the user is when the judging result is that the binding relation is legal.
The authentication process of steps 201 to 207 may be performed when the first ue accesses the network, and the authentication process is only performed before the first ue initiates the communication, which is not limited in particular.
208. The method comprises the steps that a first user device initiates a communication request, wherein the communication request carries a first user identifier and a second user identifier; in this embodiment, the source end is a first user equipment, and the destination end is a second user equipment; as will be appreciated by those skilled in the art, the communication request also includes a source port identification and a destination port identification.
209. The source MME receives the communication request and acquires second user equipment which is being used by a second user according to a second user identifier;
it should be noted that, since the first ue is authenticated by the source MME, when the source MME receives the communication request, the first ue and the second ue are allowed to establish communication.
Specifically, step 209 includes: the source MME receives the communication request and initiates a mapping query to the HSS of the second user according to the second user identifier in the communication request; the HSS of the second user obtains the IMSI of the user equipment currently used by the second user according to the stored user mapping table and returns the IMSI to the source MME. The user mapping table is the user mapping relationship described in step 102, which this embodiment does not describe again. For example, the MME initiates a mapping query to the HSS of the user UID C; the HSS finds from table 2 that the user device corresponding to UID C is IMSI C1, and feeds back IMSI C1 to the first user device.
210. Establishing communication between the first user equipment and the second user equipment;
Those skilled in the art will appreciate that the process of establishing communication proceeds according to the communication flow of the LTE architecture itself. Compared with the plain LTE architecture, this communication flow uses the UIDs of the source user equipment and the destination user equipment as the identifiers for establishing the connection, and the MME initiates a mapping query according to the UID of the destination user and obtains the IMSI of the corresponding user equipment.
When the MME receives a message from the first ue, step 211 is executed;
211. when receiving a message from the first user equipment, the MME sends the message conforming to the downloaded binding relationship to the second user equipment;
Specifically, when receiving a message from the first user equipment, the MME checks the message according to the downloaded binding relationship, and when the binding relationship between the IMSI and the user identifier contained in the message accords with the downloaded binding relationship, the MME sends the message to the second user equipment; and discarding the message when the binding relation between the IMSI and the user identifier contained in the message does not accord with the downloaded binding relation.
If the user binding authentication is successful, the MME/SGW at the user location can obtain the corresponding binding relationship from the user HSS. In the subsequent data transmission process, since the message of the user communication simultaneously contains UID and IMSI information, the MME/SGW where the user is located can check the validity of the corresponding relationship between the UID and the IMSI in the user message accordingly, and the occurrence of counterfeiting of the user identification is prevented. If the user uses the forged UID to send data, the corresponding message is detected as illegal and discarded. In the data layer, the EPS-AKA protocol of the LTE can generate a corresponding key to protect the integrity and confidentiality of user data communication, and realize privacy confidentiality of equipment and user identifiers; the method provided by the invention can prevent the counterfeiting of the equipment and the user identification at the same time. Since the UIP deployed in the LTE architecture has low security at the control layer, that is, the security of the mapping table from the user identifier to the device thereof, which is maintained by the UIP, is difficult to ensure, at the control layer, the UIP needs to ensure the correctness of the mapping relationship from the user to the device currently used by the UIP, that is, the correctness of the user mapping table stored in the user HSS. When the user equipment passes the user binding authentication, the invention also comprises a user mapping updating process which is completed among the user equipment, the local MME and the user HSS, as shown in FIG. 3:
301. When a first user is switched from first user equipment to third user equipment, the third user equipment sends a mapping update request to a local MME, wherein the mapping update request carries a first user identifier and an IMSI of the third user equipment;
302. when a mapping update request of the first user is received, checking whether the binding relation between the first mapping identifier and the IMSI of the third user equipment is legal or not; if so, go to step 303;
in the embodiment, the mapping update request carries a first user identifier and an IMSI of a third user device, wherein the third user device is a user device currently used by the first user;
303. The MME/SGW forwards the mapping update request to the HSS of the first user, so that the HSS of the first user updates the saved user mapping relation according to the mapping update request.
The updating in this embodiment refers to modifying the mapping relationship stored in the HSS to the mapping relationship between the user and the user equipment currently used by the user. After updating the mapping relation, the HSS of the user returns a confirmation message to the MME, and after receiving the confirmation message, the MME returns a confirmation updating message to the third user equipment. Compared with the LTE architecture, in the process of user mapping updating, user equipment sends a mapping updating request when a user is switched to the user equipment, MME triggers message validity check according to the mapping updating request, and further forwards the mapping updating request to user HSS under the condition of validity, the user HSS identifies the mapping updating request, updates a local user mapping table and returns a successful message.
According to the method provided by the embodiment, the user equipment is bound and authenticated according to the pre-stored binding relation between the user equipment and the user, and when the binding relation authentication of the user equipment is legal, the validity of the message is checked by utilizing the binding relation, the message conforming to the binding relation is sent to the target equipment, so that the occurrence of counterfeiting of the user identification in the data transmission process is prevented, and the safety of the data transmission is improved. Further, after the binding relation passes the authentication, a user mapping updating flow is added, so that the correctness of the mapping relation from the user to the currently used equipment is ensured, and the safety of the data layer and the control layer of the UIP scheme is enhanced.
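To make the flow of steps 201 to 211 and 301 to 303 concrete, the following is an added simulation written for this page; it is not code from the patent or from any vendor implementation. It models the HSS with a static user binding table and a dynamic user mapping table, and the MME/SGW with the bindings it has downloaded after a successful binding authentication. The identifiers (UID_A, IMSI_A1, etc.), the Python class names and the dictionary-based message format are constructed for illustration; the EPS-AKA continuation of step 207 and the transport details are assumed away.

```python
"""Added example: UID/IMSI binding authentication, message validity check
and user mapping update as described in the embodiment. All names, tables
and message layouts are constructed for illustration (not from the patent)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Hss:
    """Home Subscriber Server for its users: a static user binding table
    (UID -> IMSIs the user is allowed to use) and a dynamic user mapping
    table (UID -> IMSIs the user is currently using)."""
    binding: dict[str, set[str]]
    mapping: dict[str, set[str]] = field(default_factory=dict)

    def binding_auth(self, uid: str, imsi: str):
        """Step 204: is (UID, IMSI) a legal binding? Returns the binding for
        download (steps 205-206) or None when authentication fails."""
        if imsi in self.binding.get(uid, set()):
            return (uid, imsi)
        return None

    def mapping_query(self, uid: str) -> set[str]:
        """Step 209: which device(s) is the user currently using?"""
        return set(self.mapping.get(uid, set()))

    def mapping_update(self, uid: str, imsi: str) -> bool:
        """Step 303: point the user's mapping at the device now in use."""
        self.mapping[uid] = {imsi}
        return True


@dataclass
class Mme:
    """MME/SGW: knows which HSS serves each UID and keeps the bindings it
    downloaded after successful binding authentication, keyed by IMSI."""
    hss_of_user: dict[str, Hss]
    downloaded: dict[str, str] = field(default_factory=dict)  # imsi -> uid

    def authenticate(self, imsi: str, uid: str) -> bool:
        """Steps 202-206: forward the binding authentication to the user's
        HSS and, on success, download the (UID, IMSI) binding."""
        hss = self.hss_of_user.get(uid)
        if hss is None or hss.binding_auth(uid, imsi) is None:
            return False
        self.downloaded[imsi] = uid
        return True

    def establish(self, src_imsi: str, src_uid: str, dst_uid: str):
        """Steps 208-210: only an authenticated device may open a session;
        the destination device is found by a mapping query on its UID."""
        if self.downloaded.get(src_imsi) != src_uid:
            return None
        hss = self.hss_of_user.get(dst_uid)
        devices = hss.mapping_query(dst_uid) if hss else set()
        # Constructed choice: pick a deterministic device when several map.
        return sorted(devices)[0] if devices else None

    def forward(self, msg: dict) -> str:
        """Step 211: forward only a message whose (UID, IMSI) pair equals
        the downloaded binding; a forged UID or IMSI is discarded."""
        if self.downloaded.get(msg["imsi"]) != msg["uid"]:
            return "discarded"
        return "forwarded"

    def mapping_update(self, uid: str, new_imsi: str) -> bool:
        """Steps 301-303: the new device's binding must be legal before the
        update is forwarded to the user's HSS (assumed: checked via the HSS)."""
        hss = self.hss_of_user.get(uid)
        if hss is None or hss.binding_auth(uid, new_imsi) is None:
            return False
        return hss.mapping_update(uid, new_imsi)


def demo() -> dict:
    """Run the flow on constructed tables and collect the observable results."""
    hss = Hss(binding={"UID_A": {"IMSI_A1", "IMSI_A2"}, "UID_C": {"IMSI_C1"}},
              mapping={"UID_A": {"IMSI_A1"}, "UID_C": {"IMSI_C1"}})
    mme = Mme(hss_of_user={"UID_A": hss, "UID_C": hss})
    r = {}
    r["auth_ok"] = mme.authenticate("IMSI_A1", "UID_A")      # legal binding
    r["auth_forged"] = mme.authenticate("IMSI_A1", "UID_C")  # claims someone else's UID
    r["dst"] = mme.establish("IMSI_A1", "UID_A", "UID_C")    # mapping query -> IMSI_C1
    r["legit"] = mme.forward({"uid": "UID_A", "imsi": "IMSI_A1", "payload": "hello"})
    r["forged_uid"] = mme.forward({"uid": "UID_C", "imsi": "IMSI_A1", "payload": "hello"})
    r["switch"] = mme.mapping_update("UID_A", "IMSI_A2")     # user moves to a bound device
    r["switch_bad"] = mme.mapping_update("UID_A", "IMSI_C1") # device not bound to UID_A
    r["now_using"] = hss.mapping_query("UID_A")
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the check in `forward` makes is that the MME never trusts the UID carried in a data message on its own: the pair must equal what the HSS attested during binding authentication, so a message with a forged UID (or a forged IMSI that was never authenticated) is dropped before it reaches the peer. The mapping update applies the same rule on the control path, so a user cannot redirect their mapping to a device they are not bound to.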
Fig. 4 is a schematic structural diagram of a network side device according to an embodiment of the present invention. Referring to fig. 4, the network side device includes: a receiving module 401, configured to receive an authentication request from a first user equipment, where the authentication request carries an international mobile subscriber identity IMSI and a first user identifier of the first user equipment, where the first user identifier is used to identify a first user using the first user equipment;
A user binding authentication request sending module 402, configured to send a user binding authentication request to a home subscriber server HSS of the first user according to the first user identifier, so that the HSS of the first user determines, according to a stored binding relationship between the IMSI and the user identifier, whether the binding relationship between the IMSI of the first user device and the first user identifier is legal; the user binding authentication request carries the IMSI and a first user identifier of the user equipment;
a downloading module 403, configured to, when the HSS of the first user determines that the binding relationship between the IMSI of the first user equipment and the first user identifier is legal, download, from the HSS of the first user, the binding relationship between the IMSI of the first user equipment and the first user identifier;
A communication establishing module 404, configured to establish communication between the first user equipment and the second user equipment;
And the message processing module 405 is configured to send, when receiving a message from the first user equipment after the first user equipment establishes communication with the second user equipment, a message conforming to the downloaded binding relationship to the second user equipment.
Referring to fig. 5, the message processing module 405 specifically includes:
A checking unit 405a, configured to, when receiving a message from the first user equipment, check the message according to the downloaded binding relationship;
A first processing unit 405b, configured to send the message to a second user equipment when the binding relationship between the IMSI and the user identifier included in the message conforms to the downloaded binding relationship;
and the second processing unit 405c is configured to discard the message when the binding relationship between the IMSI and the user identifier included in the message does not conform to the downloaded binding relationship.
Referring to fig. 6, the communication establishing module 404 includes:
a receiving unit 404a, configured to receive a communication request from the first user equipment, where the communication request carries the first user identifier and a second user identifier; and
an obtaining unit 404b, configured to obtain, according to the second user identifier, the second user equipment currently being used by the second user, so that a communication channel is established between the first user equipment and the second user equipment.
The obtaining unit 404b is specifically configured to initiate a mapping query to the HSS of the second user, so that the HSS of the second user returns, according to the stored user mapping relationship, the second user equipment currently being used by the second user.
Referring to fig. 7, the network side device further includes:
a checking module 406, configured to check, when a mapping update request of the first user is received, whether the binding relationship between the first user identifier and the IMSI of a third user equipment is legal, and if so, to trigger a forwarding module 407, which forwards the mapping update request to the HSS of the first user so that the HSS of the first user updates the stored user mapping relationship according to the mapping update request; the mapping update request carries the first user identifier and the IMSI of the third user equipment, where the third user equipment is the user equipment currently used by the first user.
According to the network side device provided by this embodiment of the invention, the user equipment undergoes binding authentication against the pre-stored binding relationship between user equipment and user; when the binding relationship of the user equipment is authenticated as legal, each message is checked for validity using that binding relationship and only messages conforming to it are sent to the destination device. This prevents forgery of the user identifier during data transmission and improves the security of data transmission.
Fig. 8 is a schematic structural diagram of a network side server according to an embodiment of the present invention. Referring to fig. 8, the network side server includes:
a receiving module 801, configured to receive a user binding authentication request from an MME, where the authentication request carries the IMSI of the first user equipment and the first user identifier;
a judging module 802, configured to judge, according to the locally stored binding relationship between the IMSI and the user identifier, whether the binding relationship between the IMSI of the first user equipment and the first user identifier is legal; and
a downloading module 803, configured to download the binding relationship between the IMSI of the first user equipment and the first user identifier to the MME if the judging module 802 determines that this binding relationship is legal, so that when the MME receives a message from the first user equipment after communication between the first user equipment and the second user equipment has been established, it sends the message conforming to the downloaded binding relationship to the second user equipment.
Referring to fig. 9, the network side server further includes:
a query module 804, configured to obtain, when a mapping query initiated by the MME during establishment of a communication channel is received, the second user equipment currently being used by the second user according to the stored user mapping relationship, and to return the second user equipment to the MME.
Referring to fig. 10, the network side server further includes:
an updating module 805, configured to update the locally stored user mapping relationship according to the mapping update request when a mapping update request forwarded by the MME is received.
According to the network side server provided by this embodiment of the invention, binding authentication of the user equipment is carried out against the pre-stored binding relationship between user equipment and user; when the binding relationship of the user equipment is authenticated as legal, the binding relationship is downloaded to the network side device, so that the network side device checks each message for validity against the binding relationship and sends only messages conforming to it to the destination device. This prevents forgery of the user identifier during data transmission and improves the security of data transmission.
Embodiments of the present invention may be implemented in software, and the corresponding software program may be stored in a readable storage medium, for example, a hard disk, a cache, or an optical disk of a computer. The foregoing description of the preferred embodiments of the invention is not intended to limit the invention to the precise form disclosed, and any such modifications, equivalents, and alternatives falling within the spirit and scope of the invention are intended to be included within the scope of the invention.
Claims (1)
1. A method for sending a message, comprising: receiving an authentication request from a first user equipment, where the authentication request carries an International Mobile Subscriber Identity (IMSI) of the first user equipment and a first user identifier, and the first user identifier identifies a first user using the first user equipment; sending, according to the first user identifier, a user binding authentication request to a Home Subscriber Server (HSS) of the first user, so that the HSS of the first user judges, according to the stored binding relationship between the IMSI and the user identifier, whether the binding relationship between the IMSI of the first user equipment and the first user identifier is legal, where the user binding authentication request carries the IMSI of the first user equipment and the first user identifier; and when the HSS of the first user determines that the binding relationship between the IMSI of the first user equipment and the first user identifier is legal, downloading the binding relationship between the IMSI of the first user equipment and the first user identifier from the HSS of the first user and, after communication between the first user equipment and a second user equipment is established, sending a message conforming to the downloaded binding relationship to the second user equipment when a message from the first user equipment is received.

2. The method according to claim 1, wherein sending the message conforming to the downloaded binding relationship to the second user equipment when receiving the message from the first user equipment specifically comprises: when a message from the first user equipment is received, checking the message according to the downloaded binding relationship, and sending the message to the second user equipment when the binding relationship between the IMSI and the user identifier contained in the message conforms to the downloaded binding relationship; and discarding the message when the binding relationship between the IMSI and the user identifier contained in the message does not conform to the downloaded binding relationship.

3. The method according to claim 1, wherein establishing communication with the second user equipment comprises: receiving a communication request from the first user equipment, the communication request carrying the first user identifier and a second user identifier; and obtaining, according to the second user identifier, the second user equipment currently being used by the second user, so that a communication channel is established between the first user equipment and the second user equipment.

4. The method according to claim 3, wherein obtaining the second user equipment currently being used by the second user specifically comprises: initiating a mapping query to the HSS of the second user, so that the HSS of the second user returns, according to the stored user mapping relationship, the second user equipment currently being used by the second user.

5. The method according to claim 1, further comprising: when a mapping update request of the first user is received, checking whether the binding relationship between the first user identifier and the IMSI of a third user equipment is legal, and if so, forwarding the mapping update request to the HSS of the first user, so that the HSS of the first user updates the stored user mapping relationship according to the mapping update request; where the mapping update request carries the first user identifier and the IMSI of the third user equipment, and the third user equipment is the user equipment currently used by the first user.

6. A method for sending a message, comprising: receiving a user binding authentication request from an MME, where the authentication request carries the IMSI of a first user equipment and a first user identifier; judging, according to the locally stored binding relationship between the IMSI and the user identifier, whether the binding relationship between the IMSI of the first user equipment and the first user identifier is legal; and if so, downloading the binding relationship between the IMSI of the first user equipment and the first user identifier to the MME, so that when the MME receives a message from the first user equipment after communication between the first user equipment and a second user equipment is established, the message conforming to the downloaded binding relationship is sent to the second user equipment.

7. The method according to claim 6, wherein receiving the user binding authentication request from the MME further comprises: during establishment of a communication channel, when a mapping query initiated by the MME is received, obtaining, according to the stored user mapping relationship, the second user equipment currently being used by a second user, and returning the second user equipment to the MME.

8. The method according to claim 6, further comprising: when a mapping update request forwarded by the MME is received, updating the locally stored user mapping relationship according to the mapping update request.

9. A network side device, comprising: a receiving module, configured to receive an authentication request from a first user equipment, where the authentication request carries an International Mobile Subscriber Identity (IMSI) of the first user equipment and a first user identifier, and the first user identifier identifies a first user using the first user equipment; a user binding authentication request sending module, configured to send a user binding authentication request to a Home Subscriber Server (HSS) of the first user according to the first user identifier, so that the HSS of the first user determines, according to the stored binding relationship between the IMSI and the user identifier, whether the binding relationship between the IMSI of the first user equipment and the first user identifier is legal; a downloading module, configured to download the binding relationship between the IMSI of the first user equipment and the first user identifier from the HSS of the first user when the HSS of the first user determines that this binding relationship is legal; a communication establishing module, configured to establish communication between the first user equipment and a second user equipment; and a message processing module, configured to send a message conforming to the downloaded binding relationship to the second user equipment when a message from the first user equipment is received after the first user equipment and the second user equipment have established communication.

10. The network side device according to claim 9, wherein the message processing module specifically includes: a checking unit, configured to check a message received from the first user equipment according to the downloaded binding relationship; a first processing unit, configured to send the message to the second user equipment when the binding relationship between the IMSI and the user identifier contained in the message conforms to the downloaded binding relationship; and a second processing unit, configured to discard the message when the binding relationship between the IMSI and the user identifier contained in the message does not conform to the downloaded binding relationship.

11. The network side device according to claim 9, wherein the communication establishing module comprises: a receiving unit, configured to receive a communication request from the first user equipment, where the communication request carries the first user identifier and a second user identifier; and an obtaining unit, configured to obtain, according to the second user identifier, the second user equipment currently being used by the second user, so that a communication channel is established between the first user equipment and the second user equipment.

12. The network side device according to claim 11, wherein the obtaining unit is specifically configured to initiate a mapping query to the HSS of the second user, so that the HSS of the second user returns, according to the stored user mapping relationship, the second user equipment currently being used by the second user.

13. The network side device according to claim 9, further comprising: a checking module, configured to check, when a mapping update request of the first user is received, whether the binding relationship between the first user identifier and the IMSI of a third user equipment is legal, and if so, to trigger a forwarding module, which forwards the mapping update request to the HSS of the first user so that the HSS of the first user updates the stored user mapping relationship according to the mapping update request; where the mapping update request carries the first user identifier and the IMSI of the third user equipment, and the third user equipment is the user equipment currently used by the first user.

14. A network side server, comprising: a receiving module, configured to receive a user binding authentication request from an MME, where the authentication request carries the IMSI of a first user equipment and a first user identifier; a judging module, configured to judge, according to the locally stored binding relationship between the IMSI and the user identifier, whether the binding relationship between the IMSI of the first user equipment and the first user identifier is legal; and a downloading module, configured to download the binding relationship between the IMSI of the first user equipment and the first user identifier to the MME if the judging module determines that this binding relationship is legal, so that when the MME receives a message from the first user equipment after communication between the first user equipment and a second user equipment is established, the message conforming to the downloaded binding relationship is sent to the second user equipment.

15. The network side server according to claim 14, further comprising: a query module, configured to obtain, when a mapping query initiated by the MME during establishment of a communication channel is received, the second user equipment currently being used by a second user according to the stored user mapping relationship, and to return the second user equipment to the MME.

16. The network side server according to claim 14, further comprising: an updating module, configured to update the locally stored user mapping relationship according to the mapping update request when a mapping update request forwarded by the MME is received.
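The authentication, message check, mapping query and mapping update flows described above (and restated in the claims), as an added Python example that is not the patent's own code; the HSS and MME classes, the method names, the IMSI values and the user identifiers are constructed assumptions, and the MME's check of a mapping update against bindings it has already downloaded is an assumption of this example.

```python
# Added example, not the patent's own code: a model of the IMSI / user identifier
# binding check the description assigns to the MME and the HSS. All IMSIs, user
# identifiers and class names are constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class HSS:
    """Network side server: legal (IMSI, uid) bindings plus the user mapping."""
    bindings: set                                # pre-stored legal (imsi, uid) pairs
    mapping: dict = field(default_factory=dict)  # uid -> IMSI of the device in use

    def binding_is_legal(self, imsi: str, uid: str) -> bool:
        return (imsi, uid) in self.bindings

    def query_mapping(self, uid: str):
        return self.mapping.get(uid)             # IMSI in use, or None if unknown

    def update_mapping(self, uid: str, imsi: str) -> None:
        self.mapping[uid] = imsi

class MME:
    """Network side device: authenticates, keeps downloaded bindings, checks messages."""
    def __init__(self, hss_of_user):
        self.hss_of_user = hss_of_user           # uid -> that user's HSS (assumed lookup)
        self.downloaded = {}                     # imsi -> uid, filled only after a legal check
        self.channels = {}                       # first IMSI -> second IMSI

    def authenticate(self, imsi: str, uid: str) -> bool:
        """Authentication request carrying (IMSI, first user identifier)."""
        if not self.hss_of_user(uid).binding_is_legal(imsi, uid):
            return False
        self.downloaded[imsi] = uid              # download the binding from the HSS
        return True

    def establish(self, first_imsi: str, second_uid: str):
        """Communication request: mapping query to the second user's HSS."""
        second_imsi = self.hss_of_user(second_uid).query_mapping(second_uid)
        if second_imsi is not None:
            self.channels[first_imsi] = second_imsi
        return second_imsi

    def process_message(self, msg: dict) -> str:
        """Forward only a message whose (IMSI, uid) matches the downloaded binding."""
        if msg["imsi"] not in self.channels:
            return "no_channel"
        if self.downloaded.get(msg["imsi"]) != msg["uid"]:
            return "discard"                     # forged or mismatched user identifier
        return "forward:" + self.channels[msg["imsi"]]

    def mapping_update(self, uid: str, third_imsi: str) -> bool:
        """Mapping update for a user's new device: check the binding first (here
        against already downloaded bindings, an assumption), then forward to the HSS."""
        if self.downloaded.get(third_imsi) != uid:
            return False
        self.hss_of_user(uid).update_mapping(uid, third_imsi)
        return True

def run_scenario() -> dict:
    """Walk through the flows of the description on constructed sample data."""
    hss = HSS(bindings={("460001234567890", "alice"), ("460001234567899", "alice"),
                        ("460001234567891", "bob")},
              mapping={"bob": "460001234567891"})
    mme = MME(hss_of_user=lambda uid: hss)       # one HSS serves both users here
    out = {}
    out["auth_ok"] = mme.authenticate("460001234567890", "alice")
    out["auth_forged"] = mme.authenticate("460001234567890", "bob")  # IMSI is bound to alice
    out["peer"] = mme.establish("460001234567890", "bob")
    out["good_msg"] = mme.process_message({"imsi": "460001234567890", "uid": "alice"})
    out["forged_msg"] = mme.process_message({"imsi": "460001234567890", "uid": "bob"})
    out["update_illegal"] = mme.mapping_update("alice", "460001234567899")  # not authenticated yet
    mme.authenticate("460001234567899", "alice")
    out["update_ok"] = mme.mapping_update("alice", "460001234567899")
    out["new_device"] = hss.query_mapping("alice")
    return out
```

Calling run_scenario() shows the forged authentication and the forged message both rejected, while the legitimate message is forwarded to the peer device the HSS mapping resolved.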
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/CN2011/075041 WO2011157142A2 (en) | 2011-05-31 | 2011-05-31 | Method and apparatus for message transmission |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102918878A true CN102918878A (en) | 2013-02-06 |
| CN102918878B CN102918878B (en) | 2016-03-09 |
Family ID: 45348623
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201180001436.7A Active CN102918878B (en) | 2011-05-31 | 2011-05-31 | File transmitting method and device |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN102918878B (en) |
| WO (1) | WO2011157142A2 (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107911814A (en) * | 2017-11-24 | 2018-04-13 | 中国科学院信息工程研究所 | User identity information protection method and system based on HSS enhancement |
| CN111143351A (en) * | 2019-11-27 | 2020-05-12 | 中国联合网络通信集团有限公司 | IMSI data management method and device |
| CN111143351B (en) * | 2019-11-27 | 2023-03-21 | 中国联合网络通信集团有限公司 | IMSI data management method and device |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CA2897042A1 (en) | 2013-01-09 | 2014-07-17 | Evernym, Inc. | Systems and methods for access-controlled interactions |
| WO2025013069A1 (en) * | 2023-07-11 | 2025-01-16 | Jio Platforms Limited | Method and system for synchronizing an international mobile subscriber identifier (imsi) thread binding |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101695164A (en) * | 2009-09-28 | 2010-04-14 | 华为技术有限公司 | Verification method, device and system for controlling resource access |
| CN101784044A (en) * | 2009-01-21 | 2010-07-21 | 华为技术有限公司 | Address checking method and device and network system |
| CN102045688A (en) * | 2009-10-15 | 2011-05-04 | 中兴通讯股份有限公司 | Detection method and device of illegal use of user equipment |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101022672B (en) * | 2007-02-16 | 2010-05-26 | 华为技术有限公司 | Method and system for checking legitimacy of mobile users |
| CN101374050B (en) * | 2008-10-23 | 2011-04-06 | 普天信息技术研究院有限公司 | A device, system and method for realizing identity authentication |
| CN102075909B (en) * | 2009-11-23 | 2014-01-01 | 中兴通讯股份有限公司 | Checking method and device of binding relationship of IMSI and IMEI |
| CN101820432A (en) * | 2010-05-12 | 2010-09-01 | 中兴通讯股份有限公司 | Safety control method and device of stateless address configuration |
Events
- 2011-05-31: CN application CN201180001436.7A, patent CN102918878B, status active
- 2011-05-31: WO application PCT/CN2011/075041, publication WO2011157142A2, status not active (ceased)
Also Published As
| Publication number | Publication date |
|---|---|
| WO2011157142A3 (en) | 2012-04-26 |
| CN102918878B (en) | 2016-03-09 |
| WO2011157142A2 (en) | 2011-12-22 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | C14 | Grant of patent or utility model | |
| | GR01 | Patent grant | |