200915819

IX. Description of the Invention

[Technical Field]
The present invention relates to an authentication apparatus and method for integrating heterogeneous wireless networks, and in particular to an apparatus and method that use a SIM/USIM card to give a device supporting several heterogeneous wireless network protocols a single authenticated identity.

[Prior Art]
With the spread of wireless networking, ordinary users accessing the Internet over wireless networks has become inevitable. Before a wireless user may use a public wireless LAN (PWLAN), however, identity authentication is required. Until now this has mostly meant entering a user identifier (User ID) and the corresponding password, which decide whether the user is allowed onto the wireless network and serve as the basis for authentication and accounting. That approach has the following drawbacks:
1. The user ID and password must be memorized and typed correctly; if the user misremembers or mistypes them, authentication fails and the network cannot be used.
2. The user ID and password can be stolen and used by someone else without the user noticing, so the user is billed for the thief's usage.
3. The user ID and password cannot be bound to a single user: the holder can hand them to several people who share them, which costs the wireless operator both management effort and revenue.
4. The user ID and password cannot be used to authenticate the wireless network itself. When a user device mistakenly attaches to a malicious wireless network, not only are the user ID and password captured, but the data it then sends has no confidentiality at all.

The GSM/GPRS and UMTS mobile communication networks operated by telecommunications carriers use the data on the Subscriber Identity Module (SIM) card or Universal Subscriber Identity Module (USIM) card as the subscriber's credential. A SIM/USIM card is highly secure and is therefore a suitable basis for an authentication and accounting system. In addition, a SIM/USIM card is protected by a PIN (Personal Identification Number): even if the card is stolen, the correct PIN must be entered before it can be used, which raises its security further. Because the International Mobile Subscriber Identity (IMSI) stored on the SIM/USIM card is globally unique, it is suitable as the basis for a single identity. In the mobile communication network, the Home Subscriber Server (HSS) / Home Location Register (HLR) sets subscriber permissions and performs authentication; when a mobile subscriber requests mobile network service, the SIM/USIM card data are verified through the HSS/HLR and serve as the basis for authentication, authorization and accounting.

In view of this, the present invention proposes an authentication method for integrating heterogeneous wireless networks, in particular a method that uses a SIM/USIM card so that a device supporting heterogeneous wireless network protocols can be authenticated and billed under a single identity, with authentication completed quickly and automatically.

As can be seen from the above, the conventional approach has many shortcomings, is not a sound design, and needs improvement. In view of these shortcomings, the inventors set out to improve on the conventional approach and, after extensive study and experimentation, completed the authentication apparatus and method for integrating heterogeneous wireless networks described here.

[Object of the Invention]
The object of the present invention is to provide an authentication apparatus and method for integrating heterogeneous networks that use the SIM/USIM card of a mobile communication network system so that a device supporting heterogeneous wireless network protocols can be authenticated and billed under a single identity across several heterogeneous wireless networks. For the user this provides security of the authentication data, confidentiality of communications, and fast, automatic authentication; for an operator running two or more heterogeneous wireless networks it provides control of subscriber services and consolidated accounting.

[Summary of the Invention]
The authentication apparatus and method for integrating heterogeneous wireless networks that achieve the above object work as follows: after the wireless network device associates with a wireless base station, the device uses the mobile network SIM/USIM card inside it to complete authentication by the method of the present invention. The method comprises at least:
a. controlling the SIM/USIM card to obtain the International Mobile Subscriber Identity (IMSI) needed for authentication;
b. controlling the SIM/USIM card to run the 2G A3/A8 algorithms, obtaining the cipher key (Kc) and signed result (SRES) needed for encryption and verification;
c. controlling the USIM card to run the 3G f1, f2, f3, f4 and f5 algorithms, obtaining the keys IK and CK and the authentication values RES and AUTN needed for encryption and verification;
d. executing the Secure Hash Algorithm (SHA-1), the pseudo-random function (PRF), and HMAC-SHA1-128 (a hash-based message authentication code built on SHA-1);
e. selecting the authentication protocol version;
f. generating a random nonce;
g. determining whether the wireless network connected to is trustworthy; and
h. sending and receiving not-yet-authenticated packets with the Extensible Authentication Protocol over LAN (EAPOL).

[Embodiments]
The present invention provides an authentication apparatus and method for integrating heterogeneous wireless networks, in particular one that uses the SIM/USIM card of a mobile communication network system so that, in an environment with several heterogeneous wireless networks, a device supporting several heterogeneous wireless network protocols can be authenticated and billed under a single identity. The user gains security of the authentication data, confidentiality of communications, and fast, automatic authentication; an operator running several heterogeneous networks gains single subscriber account control and consolidated accounting.

Figure 1 is the network architecture diagram of the authentication apparatus and method for integrating heterogeneous wireless networks according to the present invention. The network environment comprises a mobile communication network 18 with its Home Subscriber Server (HSS) / Home Location Register (HLR) 17, several heterogeneous wireless networks 12, 13 with their wireless base stations 121, 131, an authentication server 15, and a wireless network user device 11. The heterogeneous wireless networks 12, 13 are wireless networks other than the mobile communication network; they may be, without limitation, a wireless local area network (WLAN) or a wireless metropolitan area network (Worldwide
Interoperability for Microwave Access, WiMAX). The base stations 121, 131 of these wireless networks and the authentication server 15 are interconnected by a wired network, so that the base stations 121, 131 can reach the authentication server 15 for authentication and can also reach other networks, such as the Internet 16, through the router 14. For ease of explanation, the network architecture of this embodiment shows only a specific number of wireless networks and only a specific number of base stations in each of them; those skilled in the art will understand that the number of wireless networks and base stations can be adjusted to actual needs and is not limited to what this embodiment discloses.

The authentication method of this embodiment is performed by the wireless network user device 11. The wireless network user device 11 is an electronic device that can connect wirelessly to the corresponding base station; it may be a desktop computer, notebook computer, mobile phone, personal digital assistant (PDA), smartphone, WiFi phone, or any mobile device with wireless network capability.

Figure 2 is the functional block diagram of the wireless network user device of the authentication apparatus and method for integrating heterogeneous wireless networks according to the present invention. The device comprises a wireless network protocol module 21, a mobile communication network protocol module 23, a Subscriber Identity Module (SIM) card / Universal Subscriber Identity Module (USIM) card 231, a main system 24 that performs the electronic device's own functions, and the authentication module 22 for integrating heterogeneous wireless networks according to the present invention.

The authentication module 22 for integrating heterogeneous wireless networks comprises a wireless network control unit 221, a SIM/USIM card control unit 222 and an authentication control unit 223. The wireless network control unit 221 receives authentication packets from the wireless network protocol module 21 and passes authentication packets to it. The SIM/USIM card control unit 222 controls the SIM/USIM card: it can read data from the SIM/USIM card, write data to it, and instruct it to run its cryptographic algorithms to obtain the keys and authentication results needed for encryption. The authentication control unit 223 selects the authentication method and version, generates the random nonce (NONCE_MT), executes the Secure Hash Algorithm (SHA-1), the pseudo-random function (PRF) and HMAC-SHA1-128, and determines whether the wireless network connected to is trustworthy. The functions and features of components 21, 23, 231 and 24, and of the algorithms executed by component 223, are well known to those skilled in the art and are not the point of this invention, so they are not described further here.

Figures 3 and 4 show, respectively, the message-processing flow of a successful authentication with the Extensible Authentication Protocol Method for GSM Subscriber Identity Modules (EAP-SIM) in one embodiment of the authentication apparatus and method for integrating heterogeneous wireless networks, and the flow of a successful authentication with the Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA) in another embodiment. The EAP-SIM flow of Figure 3 is used as the example below; those skilled in the art will understand that the authentication protocol, the sequence of steps and the exception handling can be adjusted to actual needs and are not limited to this embodiment.

Based on the components and functions described above, the authentication flow of this embodiment is explained with reference to Figure 3.

First, when the wireless network user device 11 is powered on and its wireless network function is enabled, the device 11 must perform, in order, Probe, Authentication and Association. This three-stage exchange is specified in the IEEE 802.11 standard and is not described further here.

Next, the Extensible Authentication Protocol over LAN (EAPOL) / Extensible Authentication
Protocol (EAP) authentication flow begins; the EAPOL/EAP message exchange is specified in the IEEE 802.1X standard.

Then the SIM/USIM card control unit 222 of the wireless network user device 11 controls the SIM/USIM card 231 to read the International Mobile Subscriber Identity (IMSI) stored on it. The authentication control unit 223 packages the IMSI and hands it, through the wireless network control unit 221, to the wireless network protocol module 21, which sends an "EAP-Response/Identity" message to the wireless network.
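The EAP-SIM messages exchanged from this point on (EAP-Request/SIM/Start, EAP-Response/SIM/Start, EAP-Request/SIM/Challenge and EAP-Response/SIM/Challenge) carry VERSION_LIST, SELECTED_VERSION, NONCE_MT, RAND and MAC as EAP-SIM attributes. The following Python is an added example, not code from the patent, showing how a peer such as device 11 frames its Response/Start from SELECTED_VERSION and NONCE_MT and pulls RAND and MAC out of a Request/Challenge, including the copy of the packet with AT_MAC zeroed over which the MAC is later verified. Attribute layouts follow RFC 4186; the EAP identifiers, nonce and RAND bytes used in the demo are constructed sample values.

```python
"""EAP-SIM (RFC 4186) message framing as the peer (device 11) sees it.
Added example, not code from the patent; identifiers, NONCE_MT and RAND
values in the demo are constructed."""
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_SIM = 18
SUBTYPE_START, SUBTYPE_CHALLENGE = 10, 11
AT_RAND, AT_NONCE_MT, AT_MAC, AT_VERSION_LIST, AT_SELECTED_VERSION = 1, 7, 11, 15, 16


def attr(atype, body):
    """One attribute: type, length in 4-byte units (header included), body."""
    if (2 + len(body)) % 4:
        raise ValueError("attribute must be a multiple of 4 bytes")
    return struct.pack(">BB", atype, (2 + len(body)) // 4) + body


def eap_sim(code, identifier, subtype, attrs):
    """EAP header (code, id, length) + SIM header (type 18, subtype, reserved)."""
    body = struct.pack(">BBH", EAP_TYPE_SIM, subtype, 0) + b"".join(attrs)
    return struct.pack(">BBH", code, identifier, 4 + len(body)) + body


def build_request_start(identifier, versions):
    """Server side: AT_VERSION_LIST carries an actual length, then padding to 4 bytes."""
    vl = b"".join(struct.pack(">H", v) for v in versions)
    body = struct.pack(">H", len(vl)) + vl
    body += b"\x00" * (-(2 + len(body)) % 4)
    return eap_sim(EAP_REQUEST, identifier, SUBTYPE_START, [attr(AT_VERSION_LIST, body)])


def parse_version_list(body):
    """Versions actually listed, ignoring the padding that follows them."""
    actual = struct.unpack(">H", body[:2])[0]
    return [struct.unpack(">H", body[2 + i:4 + i])[0] for i in range(0, actual, 2)]


def build_response_start(identifier, selected_version, nonce_mt):
    """Peer step c: AT_SELECTED_VERSION and AT_NONCE_MT (2 reserved bytes + 16-byte nonce)."""
    return eap_sim(EAP_RESPONSE, identifier, SUBTYPE_START, [
        attr(AT_SELECTED_VERSION, struct.pack(">H", selected_version)),
        attr(AT_NONCE_MT, b"\x00\x00" + nonce_mt),
    ])


def build_request_challenge(identifier, rands, mac):
    """Server side: AT_RAND with n 16-byte challenges, AT_MAC with the 16-byte MAC."""
    return eap_sim(EAP_REQUEST, identifier, SUBTYPE_CHALLENGE, [
        attr(AT_RAND, b"\x00\x00" + b"".join(rands)),
        attr(AT_MAC, b"\x00\x00" + mac),
    ])


def parse_eap_sim(pkt):
    """Return (code, identifier, subtype, {type: (offset, body)}); reject bad lengths."""
    if len(pkt) < 8:
        raise ValueError("short packet")
    code, identifier, length, eap_type, subtype, _ = struct.unpack(">BBHBBH", pkt[:8])
    if length != len(pkt) or eap_type != EAP_TYPE_SIM:
        raise ValueError("not a well-formed EAP-SIM packet")
    attrs, pos = {}, 8
    while pos < len(pkt):
        if pos + 2 > len(pkt):
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1] * 4
        if alen < 4 or pos + alen > len(pkt):
            raise ValueError("bad attribute length")
        attrs[atype] = (pos, pkt[pos + 2:pos + alen])
        pos += alen
    return code, identifier, subtype, attrs


def split_challenge(pkt):
    """From EAP-Request/SIM/Challenge return (rands, mac, pkt_with_mac_zeroed).
    The zeroed copy is what HMAC-SHA1-128 is computed over when the MAC is checked."""
    code, _, subtype, attrs = parse_eap_sim(pkt)
    if code != EAP_REQUEST or subtype != SUBTYPE_CHALLENGE:
        raise ValueError("not an EAP-Request/SIM/Challenge")
    if AT_RAND not in attrs or AT_MAC not in attrs:
        raise ValueError("AT_RAND and AT_MAC are mandatory in a Challenge")
    rand_body = attrs[AT_RAND][1][2:]            # skip the 2 reserved bytes
    rands = [rand_body[i:i + 16] for i in range(0, len(rand_body), 16)]
    mac_off, mac_body = attrs[AT_MAC]
    mac = mac_body[2:18]
    zeroed = pkt[:mac_off + 4] + b"\x00" * 16 + pkt[mac_off + 20:]
    return rands, mac, zeroed


if __name__ == "__main__":
    # Constructed values: one GSM triplet's RAND and a dummy MAC.
    req = build_request_challenge(5, [bytes(range(16))], b"\xab" * 16)
    rands, mac, zeroed = split_challenge(req)
    print(len(rands), "RAND(s), MAC", mac.hex(), "zeroed copy", zeroed.hex())
```

Lengths are checked before any attribute body is read, so a Challenge whose AT_RAND claims more bytes than the packet holds is rejected rather than read past the end; the MAC is still only as good as the K_aut it is verified with.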
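The Challenge steps described below (A3/A8 on the card, SHA-1 over IMSI, Kc, NONCE_MT and the version fields to obtain MK, the PRF expansion into K_encr, K_aut, MSK and EMSK, and the two HMAC-SHA1-128 computations) are the key derivation of RFC 4186 section 7. The following Python is an added example, not code from the patent, that carries that derivation through end to end, including the constant-time MAC comparison of step e that decides whether the network is trustworthy. It goes beyond the EAP-SIM case by also covering the EAP-AKA variant of the Figure 4 embodiment, for which RFC 4187 defines MK = SHA1(Identity | IK | CK); the patent itself does not detail that derivation. The identity string, Kc, NONCE_MT and packet bytes are constructed samples, not real SIM output. Because hashlib cannot run SHA-1 without padding, the PRF's G function is a hand-written SHA-1 compression, checked against hashlib on a one-block message.

```python
"""EAP-SIM / EAP-AKA key derivation and AT_MAC computation (RFC 4186 s.7,
RFC 4187 s.7), matching the Challenge steps of the patent's flow.  Added
example, not code from the patent; all key material below is constructed."""
import hashlib
import hmac
import struct

SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def sha1_compress(state, block):
    """One SHA-1 compression of a 64-byte block, starting from `state`.
    With state = SHA1_IV and block = c || zeros this is FIPS 186-2's G(t, c)."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        tmp = (_rotl(a, 5) + (f & MASK32) + e + k + w[i]) & MASK32
        a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
    return tuple((s + v) & MASK32 for s, v in zip(state, (a, b, c, d, e)))


def selfcheck_compress():
    """Padded one-block message b"abc" through one compression must equal hashlib."""
    block = b"abc\x80" + b"\x00" * 52 + struct.pack(">Q", 24)
    out = b"".join(struct.pack(">I", v) for v in sha1_compress(SHA1_IV, block))
    return out == hashlib.sha1(b"abc").digest()


def fips186_2_prf(xkey, nbytes):
    """FIPS 186-2 (change notice 1) generator with XSEED_j = 0, b = 160 and
    t = the SHA-1 initial constants, as EAP-SIM and EAP-AKA use it."""
    key = int.from_bytes(xkey, "big")
    out = b""
    while len(out) < nbytes:
        block = key.to_bytes(20, "big") + b"\x00" * 44          # XVAL || zeros
        w = b"".join(struct.pack(">I", v) for v in sha1_compress(SHA1_IV, block))
        out += w                                                 # w_i
        key = (1 + key + int.from_bytes(w, "big")) % (1 << 160)  # XKEY update
    return out[:nbytes]


def _split_keys(mk):
    km = fips186_2_prf(mk, 16 + 16 + 64 + 64)
    return {"mk": mk, "k_encr": km[:16], "k_aut": km[16:32],
            "msk": km[32:96], "emsk": km[96:160]}


def derive_keys_sim(identity, kcs, nonce_mt, version_list, selected_version):
    """EAP-SIM: MK = SHA1(Identity | n*Kc | NONCE_MT | Version List | Selected Version)."""
    mk = hashlib.sha1(identity + b"".join(kcs) + nonce_mt + version_list + selected_version).digest()
    return _split_keys(mk)


def derive_keys_aka(identity, ik, ck):
    """EAP-AKA (Figure 4 embodiment): MK = SHA1(Identity | IK | CK)."""
    return _split_keys(hashlib.sha1(identity + ik + ck).digest())


def hmac_sha1_128(k_aut, data):
    return hmac.new(k_aut, data, hashlib.sha1).digest()[:16]


def challenge_mac(k_aut, request_mac_zeroed, nonce_mt):
    """AT_MAC of EAP-Request/SIM/Challenge: over the packet (AT_MAC zeroed) || NONCE_MT."""
    return hmac_sha1_128(k_aut, request_mac_zeroed + nonce_mt)


def verify_challenge_mac(k_aut, request_mac_zeroed, nonce_mt, received_mac):
    """Step e: constant-time compare; a match is what makes the network 'trustworthy'."""
    return hmac.compare_digest(challenge_mac(k_aut, request_mac_zeroed, nonce_mt), received_mac)


def response_mac(k_aut, response_mac_zeroed, sreses):
    """Step f: MAC' of EAP-Response/SIM/Challenge: over the packet (AT_MAC zeroed) || n*SRES."""
    return hmac_sha1_128(k_aut, response_mac_zeroed + b"".join(sreses))


if __name__ == "__main__":
    # Constructed sample values (not real SIM output); identity format is assumed.
    keys = derive_keys_sim(b"1234567890123456@example.org",
                           [bytes.fromhex("d1d2d3d4d5d6d7d8")], bytes(range(16)),
                           b"\x00\x01", b"\x00\x01")
    print("compress self-check:", selfcheck_compress())
    print("K_aut:", keys["k_aut"].hex(), "MSK:", keys["msk"].hex())
```

Before trusting any implementation of this derivation, compare its output with the EAP-SIM test vectors in RFC 4186 Appendix A; note that MSK and EMSK are 64 bytes each.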
Next, the wireless network user device 11 receives the "EAP-Request/SIM/Start" message sent by the wireless network, which carries the list of supported authentication protocol versions, VERSION_LIST. The wireless network user device 11 then performs the following:
a. the authentication control unit 223 selects one protocol version, SELECTED_VERSION;
b. the authentication control unit 223 generates a random nonce, NONCE_MT; and
c. the authentication control unit 223 packages SELECTED_VERSION and NONCE_MT and hands them, through the wireless network control unit 221, to the wireless network protocol module 21, which sends an "EAP-Response/SIM/Start" message to the wireless network.

Then the wireless network user device 11 receives the "EAP-Request/SIM/Challenge" message sent by the wireless network, which carries the random challenge RAND and the message authentication code MAC. The wireless network user device 11 then performs the following:
a. the SIM/USIM card control unit 222 passes the received RAND to the SIM/USIM card 231 and instructs it to run the A3/A8 algorithms, obtaining the cipher key (Kc) and signed result (SRES) needed for encryption and verification;
b. the authentication control unit 223 runs the SHA-1 algorithm over IMSI, Kc, NONCE_MT, VERSION_LIST and SELECTED_VERSION to obtain the Master Key (MK);
c. the authentication control unit 223 feeds MK into the PRF to obtain the 128-bit K_encr, the 128-bit K_aut, the 64-byte (512-bit) Master Session Key (MSK) and the 64-byte (512-bit) Extended Master Session Key (EMSK);
d. the authentication control unit 223 runs HMAC-SHA1-128 keyed with K_aut over the received EAP packet (with its MAC field zeroed) and NONCE_MT, producing a message authentication code MAC;
e. the authentication control unit 223 checks whether the computed MAC matches the received MAC; if they match, the network side is trustworthy;
f. the authentication control unit 223 runs HMAC-SHA1-128 keyed with K_aut over the EAP packet to be sent and SRES, producing another message authentication code MAC'; and
g. the authentication control unit 223 packages MAC' and hands it, through the wireless network control unit 221, to the wireless network protocol module 21, which sends an "EAP-Response/SIM/Challenge" message to the wireless network.

Finally, the wireless network user device 11 receives an "EAP-Success" message, indicating that authentication has completed successfully.

[Features and Effects]
Compared with other conventional techniques, the authentication method for integrating heterogeneous wireless networks provided by the present invention has the following advantages:
1. It removes most of the user ID and password entry otherwise needed before using a wireless network, so the user is authenticated quickly and automatically, and it avoids the billing loss caused when a stolen user ID and password are used by someone else.
2. It greatly simplifies the management of multiple accounts: with a single account identity the user can be authenticated on, and roam across, several heterogeneous wireless networks.
3. It simplifies the control of a single account being logged in several times at once, preventing the leak of a user ID and password that lets one account be used by several simultaneous logins.
4. It lets an operator with two or more heterogeneous wireless networks simplify subscriber management, achieving control of a single subscriber's services and consolidated accounting, and avoiding the repeated cost of building several subscriber databases.

The detailed description above explains one feasible embodiment of the present invention; that embodiment does not limit the scope of the patent. Any equivalent implementation or modification that does not depart from the spirit of the invention falls within the scope of this application.

In summary, the present application is innovative in its technical concept and provides the several effects above that conventional methods cannot, so it fully satisfies the statutory requirements of novelty and inventive step for an invention patent, and the application is filed in accordance with the law. The Office is respectfully requested to approve this patent application so as to encourage invention.

[Brief Description of the Drawings]
The technical content of the present invention and its objects and effects will be better understood from the detailed description and the accompanying drawings, in which:
Figure 1 is the network environment architecture diagram of the authentication apparatus and method for integrating heterogeneous wireless networks according to the present invention;
Figure 2 is the functional block diagram of the wireless network user device of that authentication apparatus and method;
Figure 3 is the message-processing flow chart of a successful EAP-SIM authentication in one embodiment of that authentication apparatus and method; and
Figure 4 is the message-processing flow chart of a successful EAP-AKA authentication in another embodiment of that authentication apparatus and method.

[Reference Numerals]
11 wireless network user device
12, 13 wireless networks
121, 131 wireless network base stations
14 router
15 authentication server
16 Internet
17 Home Subscriber Server / Home Location Register
18 mobile communication network
21 wireless network protocol module
22 authentication module for integrating heterogeneous wireless networks
221 wireless network control unit
222 SIM/USIM card control unit
223 authentication control unit
23 mobile communication network protocol module
231 SIM/USIM card
24 main system