CN100466806C - Right discriminating method between mobile terminal and network equipment - Google Patents

Right discriminating method between mobile terminal and network equipment

Publication number: CN100466806C
Authority: CN (China)
Prior art keywords: authentication, portable terminal, random number, network, coding
Legal status: Expired - Fee Related
Application number: CNB200510070970XA
Other languages: Chinese (zh)
Other versions: CN1848995A
Inventors: 董昆阳, 王正伟, 周春艳, 朱志明, 孔杰, 黄天振
Current assignee: Shanghai Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd

Events: application filed by Huawei Technologies Co Ltd; priority to CNB200510070970XA; publication of CN1848995A; application granted; publication of CN100466806C; legal status Expired - Fee Related; anticipated expiration.
Abstract

An authentication method between a mobile terminal and a network device. A security key corresponding to the mobile terminal is set in advance both in the network device and in the terminal. The network device generates authentication information for the terminal from this security key, the authentication key of the user card and a random number, and sends the authentication information to the terminal. The terminal then decides whether the network passes authentication, using its own security key, the authentication key of the user card and the received authentication information.

Description

Authentication method between a mobile terminal and a network device
Technical field
The present invention relates to authentication methods, and in particular to a method of authentication between a mobile terminal and a network device in a mobile communications network.
Background
Most mobile terminals today separate the handset from the card: the terminal itself and the user card that stores the information used to verify the user to the wireless network are two independent parts, combined only when in use. Today's user cards are mainly subscriber identity cards for wireless communication systems, for example the Subscriber Identity Module (SIM) card of the Global System for Mobile Communications (GSM), the UMTS Subscriber Identity Module (USIM) card of the Universal Mobile Telecommunications System (UMTS), such as the Wideband Code Division Multiple Access (WCDMA) system, or the User Identity Module (UIM) card of the Code Division Multiple Access (CDMA) system. This arrangement has many advantages. If a user wants to replace a terminal, it is enough to buy a new one and insert the original SIM card; because the user's information does not change, no formalities with the operator are needed to change terminals. A further advantage is that the operator's mobile service business, such as number allocation, is cleanly separated from the sale of terminals, which makes service provision easier and terminal sales relatively independent, giving both great flexibility.
Under the handset/card separation model, however, a stolen terminal can be used without any obstacle simply by inserting a new user card. A thief can therefore resell a stolen terminal for profit, which does nothing to discourage theft of terminals.
One proposed solution is to build a large number of Equipment Identity Register (EIR) devices and place the International Mobile Equipment Identity (IMEI) of each stolen terminal on the blacklist of the corresponding EIR. Each time a terminal powers on and registers with the network it reports its IMEI, and the relevant network device checks whether that IMEI has been added to the blacklist in the EIR. If it is found there, the network treats the terminal as stolen and its user as illegitimate, and refuses to provide service. This method, however, requires a large number of EIR devices and therefore more network equipment; moreover, to prevent a stolen terminal from being used on another operator's network, several operators would have to build EIR equipment jointly. The method therefore also increases the complexity of the operator's mobile service operation.
In the authentication methods used by some current mobile communications networks, such as the UMTS network of the third generation, the user card authenticates the mobile communications network: after successful authentication the user card can be used normally, and after failed authentication it cannot be used on the network. This only addresses the security of the user card inside the terminal, not the anti-theft problem of the terminal itself. For example, after stealing a legitimate user's terminal, a thief can replace the legitimate user's card with his own; under the existing method that card will authenticate successfully, so the thief can still use the stolen terminal, which cannot be barred from further use, and no anti-theft effect on the terminal is achieved. Second generation networks, moreover, do not support authentication of the network by a terminal that separates handset and card, and so cannot solve the anti-theft problem either.
Summary of the invention
In view of this, one object of the present invention is to provide a method by which a network device in a mobile communications network generates authentication information, so that a mobile terminal can authenticate the network, thereby improving the security of the terminal and preventing its theft.
Another object of the invention is to provide a method by which a mobile terminal in a mobile communications network authenticates the network, improving the security of the terminal through that authentication and thereby preventing theft.
A further object of the invention is to provide an authentication method in a mobile communications network in which the mobile terminal authenticates the network, improving the security of the terminal and thereby preventing theft.
According to a first aspect of the invention, a method by which a network device in a mobile communications network generates authentication information comprises at least: a1, setting in advance in the network device a security key corresponding to the mobile terminal; b1, the network device generating authentication information corresponding to this terminal from the security key, the authentication key of the terminal's current user card, a random number and a set sequence number.
The authentication information comprises the random number and an authentication token, where the authentication token comprises at least the set sequence number and a message authentication code.
The generation of the authentication information in step b1 is: b11, the network device generates the message authentication code from the security key, the authentication key, the random number and the set sequence number; b12, the set sequence number and the message authentication code are combined into the authentication token; b13, the random number and the authentication token are combined to form the authentication information for this terminal.
In one form of step b11, the network device first computes a temporary random number from the authentication key and the random number, and then produces the message authentication code from the security key, the temporary random number and the set sequence number.
In another form of step b11, the network device first produces a message authentication code from the authentication key, the random number and the set sequence number, then computes a new message authentication code from that code and the security key; the new code is the message authentication code that forms part of the authentication token.
The network device comprises a home location register/authentication centre (HLR/AUC), and the method further comprises: c, the HLR/AUC generates an expected response, an encryption key and an integrity key from the authentication key and a random number it generates itself; or from the security key and the self-generated random number; or from the authentication key, the security key and the self-generated random number; finally the generated expected response, encryption key and integrity key are combined with the authentication information of step b1 into an authentication vector.
The network device further comprises a mobile switching centre/visitor location register (MSC/VLR), and the method further comprises: the HLR/AUC sends the authentication vector to the MSC/VLR.
The authentication vector is sent when an authentication vector request message is received from the MSC/VLR, or when the authentication vectors held by the MSC/VLR need to be refreshed; what is sent to the MSC/VLR is one or more generated authentication vectors for the terminal concerned.
The authentication vector request message from the MSC/VLR is sent to the HLR/AUC when, at authentication time, the MSC/VLR finds that it has no authentication vector for the terminal concerned, or that all authentication vectors for that terminal have been used.
The method further comprises: after receiving a request message from the mobile terminal that triggers authentication, or when the network device needs to authenticate the terminal, the MSC/VLR sends the authentication information in the authentication vector to the terminal.
The sequence number is either the sequence number used for authentication of the user card, or a separately provided sequence number used for authentication of the mobile terminal.
The security key of step a1 is either a security key corresponding to characteristic information of the terminal, this characteristic information being the terminal's International Mobile Equipment Identity (IMEI); or a security key corresponding to subscription information of the terminal's user, this information being the user's International Mobile Subscriber Identity (IMSI), the user card number, or the Mobile Station ISDN Number (MSISDN).
Because the network device uses the pre-set security key corresponding to the terminal together with the authentication key when it generates authentication information, the authentication information of the invention differs from that of the prior art, which does not take a security key into account. Combined with the terminal's processing after it receives the authentication information, this allows the terminal to authenticate the network, which differs from the prior art in which the user card authenticates the network.
When the terminal authenticates the network, a stolen terminal cannot be used by an illegitimate user who has inserted another user card: the security key stored in the terminal is the one set for this terminal according to the legitimate user's card, corresponding to the security key in the legitimate user's subscription information on the network device, and it does not match the security key in the illegitimate user's subscription information, so the terminal will fail to authenticate the network and the illegitimate user cannot use it normally. Alternatively, if the security key is set according to the terminal's identity, the user, on losing the terminal, need only go to the operator and change the network-side security key for his device; the terminal will then no longer be able to authenticate the network and cannot be used normally. Authentication of the network by the terminal therefore effectively improves the security of the terminal and prevents its theft.
Because the authentication key is also used when producing the authentication information, the invention allows improvements in the security of the user card authentication algorithm to raise the security of the whole authentication procedure as well.
According to a second aspect of the invention, a method by which a mobile terminal in a mobile communications network authenticates the network comprises at least: a2, setting in advance in the terminal a security key corresponding to this terminal; b2, the terminal receives authentication information from the network device, the authentication information comprising a random number and an authentication token, where the authentication token comprises at least a sequence number and a message authentication code; the terminal computes a terminal message authentication code from its own security key, the authentication key of the current user card, and the sequence number and random number in the received authentication information, the computation corresponding to the way the received message authentication code was generated; the terminal compares the code it computed with the message authentication code in the received authentication information, and if they match it judges that the network passes authentication, otherwise that the network fails authentication.
In one form, computing the terminal message authentication code comprises:
the terminal sends the random number from the received authentication information to the user card; the user card computes a temporary random number from the authentication key in the card and the random number received from the terminal, and returns the temporary random number to the terminal;
the terminal computes a message authentication code from its own security key, the temporary random number computed by the card, and the sequence number in the received authentication information.
In another form, computing the terminal message authentication code comprises:
the terminal sends the random number and the sequence number from the received authentication information to the user card; the user card computes a message authentication code from the authentication key in the card and the random number and sequence number received from the terminal, and sends it to the terminal;
the terminal computes a new message authentication code from its own stored security key and the code computed by the card; this new code is the terminal message authentication code.
Before judging that the network passes authentication, the method also comprises:
the terminal judges, from its own sequence number, whether the authentication information from the network device is fresh; if it is, the terminal judges that the network passes authentication, otherwise it initiates a resynchronisation procedure with the network.
The sequence number is either the sequence number used for authentication of the user card, or a separately provided sequence number used for authentication of the mobile terminal.
The security key set in step a2 is a security key set according to characteristic information of the user card, this information being the International Mobile Subscriber Identity (IMSI) or the user card number in the card.
The method further comprises:
c2, the terminal or the user card generates an expected response, an encryption key and an integrity key from the authentication key and the received random number; or the terminal generates them from the security key and the received random number; or they are generated from the authentication key, the security key and the received random number; and the terminal or the user card returns the expected response to the network device.
Because the terminal, on receiving authentication information, judges directly whether the network passes authentication from its own stored security key, the authentication key and the received authentication information, this differs from the prior art, in which the user card authenticates the network. As stated above, because authentication of the network is performed by the terminal itself, the security of the terminal is improved and theft is effectively prevented.
According to a third aspect of the invention, an authentication method in a mobile communications network comprises at least: a3, setting in advance a security key corresponding to the mobile terminal in the network device and in the terminal respectively; b3, the network device generating authentication information for this terminal from the security key, the authentication key of the terminal's current user card, a random number and the set sequence number; c3, the network device sending the authentication information to the terminal; d3, the terminal judging whether the network passes authentication from its own security key, the authentication key of the current user card and the received authentication information.
The authentication information comprises the random number and an authentication token, where the authentication token comprises at least the sequence number and a message authentication code.
The generation of the authentication information in step b3 is: the network device generates the authentication token from the security key, the authentication key, the random number and the set sequence number, and combines the random number and the authentication token into the authentication information. The judgement of step d3 comprises: the terminal computes a terminal message authentication code from its own security key, the authentication key of the current user card, and the sequence number and random number in the received authentication information; it compares that code with the message authentication code in the received authentication information, and if they match judges that the network passes authentication, otherwise that it fails.
In one form of step b3, the network device first computes a temporary random number from the authentication key and the random number, then produces the message authentication code from the security key and the temporary random number, combines the message authentication code and the set sequence number into the authentication token, and combines the authentication token and the random number into the authentication information;
the corresponding judgement of step d3 comprises:
the terminal sends the random number from the received authentication information to the user card; the card computes a temporary random number from the authentication key in the card and the random number, and returns it to the terminal;
the terminal computes a message authentication code from its own security key, the temporary random number computed by the card and the sequence number in the received authentication information, and compares it with the message authentication code in the received authentication information; if they differ it judges that the network fails authentication, otherwise that it passes.
In another form of step b3, the network device first produces a message authentication code from the authentication key, the set sequence number and the random number, then computes a new message authentication code from that code and the security key, combines the new message authentication code and the set sequence number into the authentication token, and combines the authentication token and the random number into the authentication information;
the corresponding judgement of step d3 comprises:
the terminal sends the random number and the sequence number from the received authentication information to the user card; the card computes a message authentication code from the authentication key in the card and the random number and sequence number received from the terminal, and sends it to the terminal;
the terminal computes a new message authentication code from its own stored security key and the code computed by the card, and compares the new code with the message authentication code in the received authentication information; if they differ it judges that the network fails authentication, otherwise that it passes.
The network device comprises an HLR/AUC and an MSC/VLR, and before step c3 the method further comprises: the HLR/AUC in the network device generates an expected response, an encryption key and an integrity key from the authentication key and a random number it generates itself; or from the security key and the self-generated random number; or from the authentication key, the security key and the self-generated random number; the HLR/AUC combines the expected response, encryption key and integrity key with the authentication information of step b3 into an authentication vector and sends it to the MSC/VLR in the network device, and the MSC/VLR sends the authentication information from the vector to the terminal;
after step d3 the method also comprises: the terminal sends the random number from the HLR/AUC to the user card, the card generates an expected response from its own authentication key and that random number and sends it to the terminal, and the terminal sends the received expected response to the MSC/VLR; or
the terminal generates an expected response from its own security key and the random number, and sends it to the MSC/VLR; or
the user card generates a temporary random number from its own authentication key and the random number and passes it to the terminal, and the terminal generates an expected response from its own security key and the temporary random number and sends it to the MSC/VLR; or
the terminal or the user card generates an expected response from the card's authentication key and the random number, and the terminal sends it to the MSC/VLR;
the MSC/VLR compares the expected response received from the terminal with the expected response in the corresponding authentication vector received from the HLR/AUC; if they match, the terminal passes the network's authentication, otherwise it does not.
When the terminal or the user card generates the expected response, it also generates the encryption key and integrity key from the set security key and the random number in the received authentication information; or from the set authentication key and the received random number; or it first generates a temporary random number from the set authentication key and the received random number, and then generates the encryption key and integrity key from the temporary random number and the set security key.
As stated above, because the first and second aspects are combined so that the terminal itself authenticates the network, the security of the terminal is improved and theft is effectively prevented. Further, the terminal can also send an expected response to the MSC/VLR in the network device, which compares the expected response received from the terminal with the expected response received from the HLR/AUC in the network device, so that after the terminal authenticates the network, the network can in turn authenticate the terminal; this completes the authentication procedure and improves the authentication effect.
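The following Python is an added illustration, not code from the patent, modelling the exchange described in the three aspects above: the HLR/AUC derives a MAC from SKEY, KI, RAND and SQN in either of the two forms described (temporary random number, or double MAC), builds AUTN = SQN || MAC and an authentication vector with XRES, CK and IK; the terminal recomputes the MAC with its own SKEY and the card's KI, checks SQN freshness and returns RES; the MSC/VLR compares RES with XRES. HMAC-SHA256 stands in for the digest functions the patent leaves open, the key values and field lengths are constructed, and AMF is omitted; all of these are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample values (not from the patent); real keys live on the card and in the HLR/AUC.
KI_LEGIT = bytes.fromhex("00112233445566778899aabbccddeeff")    # KI on the legitimate user's card
KI_THIEF = bytes.fromhex("ffeeddccbbaa99887766554433221100")    # KI on a swapped-in card
SKEY_LEGIT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # SKEY in the legitimate subscription
SKEY_THIEF = bytes.fromhex("f0e1d2c3b4a5968778695a4b3c2d1e0f")  # SKEY in the thief's subscription
SQN_LEN, MAC_LEN = 6, 8


def prf(key: bytes, *parts: bytes) -> bytes:
    """Assumed keyed digest (HMAC-SHA256, truncated); the patent does not fix the function."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:MAC_LEN]


def make_mac(skey: bytes, ki: bytes, rand: bytes, sqn: bytes, variant: str) -> bytes:
    """The two MAC constructions of steps b11 / b3, run identically on both sides."""
    if variant == "temp_rand":      # TEMP = f(KI, RAND); MAC = g(SKEY, TEMP, SQN)
        return prf(skey, prf(ki, rand), sqn)
    if variant == "double_mac":     # MAC1 = f(KI, RAND, SQN); MAC = g(SKEY, MAC1)
        return prf(skey, prf(ki, rand, sqn))
    raise ValueError(f"unknown variant {variant!r}")


# ---- network side: HLR/AUC builds the authentication vector ----
def hlr_generate_vector(skey: bytes, ki: bytes, sqn: bytes, variant: str, rand=None) -> dict:
    rand = rand if rand is not None else secrets.token_bytes(16)
    autn = sqn + make_mac(skey, ki, rand, sqn, variant)   # AUTN = SQN || MAC (AMF omitted here)
    return {
        "rand": rand,
        "autn": autn,
        "xres": prf(ki, b"res", rand),   # one of the listed options: XRES from KI and RAND
        "ck": prf(ki, b"ck", rand),      # CK and IK likewise from KI and RAND
        "ik": prf(ki, b"ik", rand),
    }


# ---- terminal side: authenticate the network, then answer ----
def terminal_verify_network(skey: bytes, card_ki: bytes, rand: bytes, autn: bytes,
                            variant: str, last_sqn: bytes) -> bool:
    sqn, mac = autn[:SQN_LEN], autn[SQN_LEN:]
    if sqn <= last_sqn:              # stale SQN: not fresh (a real terminal would resynchronise)
        return False
    expected = make_mac(skey, card_ki, rand, sqn, variant)
    return hmac.compare_digest(expected, mac)


def card_response(card_ki: bytes, rand: bytes) -> bytes:
    """RES computed by the user card from its KI and the received RAND."""
    return prf(card_ki, b"res", rand)


# ---- MSC/VLR: compare RES from the terminal with XRES from the vector ----
def msc_verify_terminal(xres: bytes, res: bytes) -> bool:
    return hmac.compare_digest(xres, res)


def mutual_auth(net_skey, term_skey, net_ki, card_ki, variant, sqn, last_sqn=bytes(SQN_LEN)):
    """Run one round; returns (terminal accepts network, network accepts terminal)."""
    vec = hlr_generate_vector(net_skey, net_ki, sqn, variant)
    if not terminal_verify_network(term_skey, card_ki, vec["rand"], vec["autn"], variant, last_sqn):
        return False, False          # terminal stops here and sends no RES
    res = card_response(card_ki, vec["rand"])
    return True, msc_verify_terminal(vec["xres"], res)


if __name__ == "__main__":
    sqn = (1).to_bytes(SQN_LEN, "big")
    print("legitimate card:", mutual_auth(SKEY_LEGIT, SKEY_LEGIT, KI_LEGIT, KI_LEGIT, "temp_rand", sqn))
    # Thief inserts his own card: the network uses the thief's subscription (his KI and SKEY),
    # the terminal still holds the legitimate SKEY, so the MACs differ and the network is rejected.
    print("swapped card:", mutual_auth(SKEY_THIEF, SKEY_LEGIT, KI_THIEF, KI_THIEF, "temp_rand", sqn))
```

The swapped-card case shows why the terminal's check blocks reuse of a stolen handset: the thief's card and subscription are perfectly valid to the network, but the SKEY the network applies is the one in the thief's subscription, not the one stored in the terminal, so the terminal never proceeds to send RES.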
Description of drawings
Fig. 1 is a flow chart of the network device generating authentication information according to the invention;
Fig. 2 is a flow chart of a specific embodiment of the network device generating authentication information;
Fig. 3 is a flow chart of the mobile terminal authenticating the network according to the invention;
Fig. 4 is a flow chart of a specific embodiment of the mobile terminal authenticating the network;
Fig. 5 is a flow chart of the authentication operation of the invention;
Fig. 6 is a flow chart of a first specific embodiment of the authentication operation;
Fig. 7 is a flow chart of a processing procedure in which, in addition to Fig. 6, the network authenticates the terminal;
Fig. 8 is a flow chart of a second specific embodiment of the authentication operation;
Fig. 9 is a flow chart of a third specific embodiment of the authentication operation;
Fig. 10 is a flow chart of a fourth specific embodiment of the authentication operation.
Embodiment
The present invention is described in detail below in conjunction with the drawings and specific embodiments.
Fig. 1 shows the general flow by which the network device of the present invention generates authentication information. As shown in Fig. 1, in step 101 a security key (SKEY) corresponding to a mobile terminal is set in the network device.
The SKEY corresponding to a mobile terminal may be set according to characteristic information of the mobile terminal, for example an SKEY corresponding to the IMEI. It may also be set according to the mobile subscriber's subscription information, that is, characteristic information of the subscriber card: for example an SKEY corresponding to the International Mobile Subscriber Identity (IMSI), to the subscriber card number, or to the Mobile Directory Number (MSISDN).
In step 102, when generating authentication information for a particular mobile terminal, the network device generates a random number (RAND).
In step 103, the network device generates the authentication information using the SKEY corresponding to the mobile terminal, the authentication key (KI) of the subscriber card (or subscriber) currently used in that mobile terminal, and the RAND just generated.
In the present invention the authentication information comprises the random number and an authentication signature (AUTN). The AUTN comprises at least a sequence number (SQN) and a message authentication code (MAC), and may further comprise an authentication management field (AMF). The AMF and SQN are predefined in the network device; when the authentication information is generated they are used to compute the MAC in the AUTN, and the AUTN is then formed by combining the existing SQN and AMF with the computed MAC.
In a specific implementation, generation of the authentication information by the network device may comprise two stages: in the first stage the HLR/AUC generates an authentication tuple (authentication vector) containing the authentication information and other information and sends it to the MSC/VLR on the network side; in the second stage the MSC/VLR extracts the authentication information from the authentication tuple and sends it to the mobile terminal. The specific flow is shown in Fig. 2.
Besides RAND and AUTN, the authentication tuple here also contains an expected response (XRES), a cipher key (CK) and an integrity key (IK). After the tuple is sent to the MSC/VLR these three parameters are kept by the MSC/VLR: XRES is used when the MSC/VLR authenticates the mobile terminal, CK is used for encrypting and decrypting data, and IK is used for data integrity checking and for producing integrity digests of data. This is explained further below.
The above SKEY is produced from a random number and KI. For example, when the mobile terminal and the relevant network device (such as the HLR/AUC) negotiate the SKEY, one side generates a random number and sends it to the other side. The network device performs a certain calculation, such as a digest calculation, on this random number and the KI it holds for the subscriber card currently in the mobile terminal, and takes the result as the SKEY. Correspondingly, the mobile terminal performs the corresponding calculation on the random number and the KI in the subscriber card and stores the result as its SKEY; for example, the mobile terminal sends the random number to the subscriber card, and the subscriber card calculates the SKEY the mobile terminal needs from the random number and KI and returns it to the mobile terminal. The digest algorithm may be chosen according to the practical application.
Producing the security key SKEY from a random number and KI means that SKEY itself never needs to be transmitted between the network device and the mobile terminal, which ensures the security of SKEY. At the same time, this method logically binds SKEY to KI, which helps the mobile terminal complete mutual authentication with the network entirely in place of the subscriber card.
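The negotiation just described, as an added example that is not part of the patent: one side sends only a random number, both sides digest it with KI, and the resulting SKEY never crosses the channel. The patent does not name the digest, so HMAC-SHA256 truncated to 128 bits is an assumed stand-in, and the class and function names are this example's own.

```python
import hashlib
import hmac
import secrets

# Added example, not code from the patent. The patent only requires "a certain
# calculation, such as a digest calculation" over the random number and KI;
# HMAC-SHA256 truncated to 128 bits is an assumed stand-in for that digest.
SKEY_LEN = 16


def derive_skey(ki, rand):
    """SKEY = Digest(KI, random number), computed identically on both sides."""
    return hmac.new(ki, b"SKEY-derivation" + rand, hashlib.sha256).digest()[:SKEY_LEN]


class SubscriberCard:
    """Holds KI and answers the terminal's derivation request; KI never leaves the card."""

    def __init__(self, ki):
        self._ki = ki

    def compute_skey(self, rand):
        return derive_skey(self._ki, rand)


class HlrAuc:
    """Network side: holds the subscriber's KI and starts the negotiation."""

    def __init__(self, ki):
        self._ki = ki
        self.skey = None

    def start(self, rand=None):
        rand = rand or secrets.token_bytes(16)
        self.skey = derive_skey(self._ki, rand)
        return rand  # the only value that is sent to the terminal


class MobileTerminal:
    def __init__(self, card):
        self.card = card
        self.skey = None

    def on_negotiation_rand(self, rand):
        # The terminal forwards the random number to the card and keeps the result.
        self.skey = self.card.compute_skey(rand)


def negotiate_skey(ki_network, ki_card, rand=None):
    """Run one negotiation; return (network SKEY, terminal SKEY, transcript of messages sent)."""
    hlr = HlrAuc(ki_network)
    terminal = MobileTerminal(SubscriberCard(ki_card))
    transcript = []
    rand = hlr.start(rand)
    transcript.append(("HLR/AUC->MT", rand))
    terminal.on_negotiation_rand(rand)
    return hlr.skey, terminal.skey, transcript


def skey_leaks_in_transcript(skey, transcript):
    """True if the agreed SKEY appears in any message that was sent."""
    return any(skey in payload for _, payload in transcript)


if __name__ == "__main__":
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample KI
    net_skey, mt_skey, msgs = negotiate_skey(ki, ki)
    print("SKEYs agree:", net_skey == mt_skey, "| SKEY on the wire:", skey_leaks_in_transcript(net_skey, msgs))
```

Because SKEY is a function of KI, a terminal whose card holds a different KI ends up with a different SKEY, which is the binding the paragraph above relies on.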
As shown in Fig. 2, in step 201 the SKEY corresponding to the mobile terminal is stored in the HLR/AUC.
In step 202, the HLR/AUC generates a RAND using its own random number generator.
In step 203, the HLR/AUC calculates XRES, CK and IK using the KI it holds and the RAND it generated.
In step 204, the HLR/AUC generates a MAC using the SKEY of the corresponding mobile terminal set in advance, KI, RAND and SQN. The SQN here is currently known, for example preset.
In step 205, the HLR/AUC combines the MAC generated in step 204 with the known SQN into AUTN.
In step 206, the HLR/AUC composes the authentication tuple of this mobile terminal from RAND, the AUTN obtained in step 205, and the XRES, CK and IK obtained in step 203.
In step 207, the HLR/AUC sends the authentication tuple to the MSC/VLR.
In step 208, at authentication time, the MSC/VLR extracts RAND and AUTN from the authentication tuple corresponding to this mobile terminal and sends them to the mobile terminal as the authentication information.
This step may be triggered by a message the mobile terminal sends to the network. In practice, when the mobile terminal initiates a location update request or a service request, the MSC/VLR may initiate an authentication request to the mobile terminal; for example, the MSC/VLR may initiate an authentication request when the mobile terminal powers on and registers with the network. The mobile terminal's location update request or service request may itself be understood as a request message that triggers authentication: the MSC/VLR sends the authentication information to the mobile terminal on receiving such a request.
This step may also be initiated actively by the network device. For example, if the MSC/VLR has not received any relevant message from the mobile terminal within a set time, or when it receives information that triggers authentication, it actively initiates an authentication procedure; in this case no trigger message from the mobile terminal is needed.
Where AUTN includes an AMF, step 204 further takes the AMF into account, for example by generating the MAC from SKEY, KI, RAND, SQN and AMF, where the AMF is also currently known, for example preset. Step 205 likewise takes the AMF into account, so that MAC, SQN and AMF together form AUTN.
Before step 204 there may further be a step in which the HLR/AUC judges whether to generate the authentication information according to SKEY. If so, step 204 is executed; otherwise the authentication information is generated directly according to the existing procedure, for example the MAC is generated from KI, RAND, SQN and AMF, combined into AUTN, and further combined into an authentication tuple according to KI and the random number.
The HLR/AUC may make this judgement by means of a security flag set in advance in the HLR/AUC. If the flag has the value indicating that the authentication information must be generated according to SKEY, for example 1, the authentication information is generated according to SKEY; if it has the value indicating that this is not needed, for example 0, the authentication information is not generated according to SKEY.
Alternatively, the HLR/AUC may judge by checking whether SKEY is a particular value, for example 0: if it is, the authentication information need not be generated according to SKEY; if it is any other value, the authentication information must be generated according to SKEY.
In the above method, the HLR/AUC updates the SQN after each authentication tuple it generates, so that every authentication tuple carries a different SQN. The SQN may be updated according to a certain algorithm that derives the new SQN from the previous one; see the relevant protocol specifications 3GPP 33.102/29.002.
In the prior art, both the HLR/AUC and the subscriber card in the mobile terminal store an SQN, and the two SQNs must be consistent before an authentication procedure is carried out. The SQN of the present invention may be the same SQN as in the prior art, i.e. the SQN used for subscriber card authentication, which the network and the subscriber card store correspondingly (see 3GPP 33.102/29.002). Preferably, however, the present invention separately sets an SQN dedicated to mobile terminal authentication, and the mobile terminal and HLR/AUC may also synchronize this SQN. It will be understood that the separately set SQN and the SQN stored in the subscriber card may take the same value.
Usually the HLR/AUC sends the authentication tuples to the MSC/VLR in step 207 after receiving a request for authentication tuples from the MSC/VLR, or when the authentication tuples stored in the MSC/VLR need to be refreshed. Before sending them, the HLR/AUC generally generates several authentication tuples for a mobile terminal, so that after receiving the request it may send the MSC/VLR either a single tuple or several tuples together, for example three at a time. The request message from the MSC/VLR may further carry the number of authentication tuples the HLR/AUC should return, and the HLR/AUC decides how many to return according to the number requested and the number it currently holds. For example, if the HLR/AUC has produced 5 authentication tuples and the MSC/VLR requests 3, the HLR/AUC returns 3; if the HLR/AUC has produced 2 and the MSC/VLR requests 3, it returns 2.
At authentication time, for example after receiving a request message from the mobile terminal that triggers authentication, or when it otherwise needs to authenticate the mobile terminal, the MSC/VLR takes one authentication tuple from the tuples it holds for that mobile terminal and sends the authentication information it contains, RAND and AUTN, to the mobile terminal. If, when fetching a tuple, the MSC/VLR finds that the tuples sent by the HLR/AUC have been used up, it may send the HLR/AUC a command to obtain more authentication tuples.
In practice the computation of the authentication tuples may be completed in the AUC, which sends the computed tuples to the HLR for temporary storage; the HLR, on receiving a request for authentication tuples from the MSC/VLR, or when the tuples stored in the MSC/VLR need refreshing, sends one or more tuples to the MSC/VLR for storage. Since in practice the HLR and AUC are generally integrated, they are referred to as the HLR/AUC in the present invention.
Correspondingly, MSC/VLR is the collective name for the Mobile Switching Centre and the Visitor Location Register module. In practice, storing the authentication tuples, requesting them from the HLR and deciding the authentication of the terminal may all be performed by the VLR. Since the VLR is generally implemented as a module of the MSC, the MSC and VLR are collectively called MSC/VLR in the present invention.
In practice, in step 203 above, the HLR/AUC may also calculate XRES, CK and IK using the SKEY it holds and the RAND it generated. In this case the mobile terminal completely replaces the subscriber card in completing mutual authentication with the network, and it is preferable that the SKEY of the mobile terminal be produced from the authentication key KI. Of course, the HLR/AUC may also calculate XRES, CK and IK using the KI and SKEY it holds together with the RAND it generated.
After SKEY is set, there may further be a step of updating the authentication tuples stored in the MSC/VLR. Once SKEY is set, the authentication information in the tuples produced from the original SKEY becomes invalid, so the authentication tuples must be regenerated and those stored in the MSC/VLR updated.
If an SQN is set specifically for mobile terminal authentication, this SQN may be reinitialized after SKEY is set; keeping it unchanged is also feasible.
The above authentication tuple is generally an authentication quintuple (five-tuple).
The process by which the HLR/AUC generates the authentication tuple from SKEY, KI, RAND and so on may be as follows: first compute a temporary random number TmpRAND from KI and RAND; then, following the protocol processing by which existing 3GPP produces an authentication quintuple, use SKEY in place of KI and TmpRAND in place of RAND to produce AUTN, XRES, CK and IK; and compose the authentication tuple from the original RAND together with the AUTN, XRES, CK and IK so produced.
Alternatively, the HLR/AUC may first produce an authentication tuple from KI and RAND according to the existing 3GPP protocol processing for the quintuple, then compute a new message authentication code MAC2 from SKEY and the MAC in that tuple's AUTN, and replace the MAC in AUTN by MAC2 to obtain a new authentication tuple.
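The network-side generation described in steps 201-207, including the AMF, the two ways of deciding whether SKEY is used, the SQN update after every tuple, the batch handed to the MSC/VLR and the variant in which XRES, CK and IK come from SKEY rather than KI, as an added example that is not the patent's code. The patent does not name the MAC or key-derivation functions, so HMAC-SHA256 with domain-separation labels stands in for them; the field widths (48-bit SQN, 16-bit AMF, 64-bit MAC) and all class, function and constant names are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Added example, not the patent's code. HMAC-SHA256 stands in for the unnamed
# digest functions; field widths follow 3GPP AKA but are this example's choice.
SQN_LEN, AMF_LEN, MAC_LEN = 6, 2, 8
SKEY_UNSET = bytes(16)  # the "particular value" (all zero) meaning "do not use SKEY"


def mac_with_skey(skey, ki, rand, sqn, amf):
    """Step 204 with AMF: MAC = Digest(SKEY, KI, RAND, SQN, AMF)."""
    return hmac.new(skey + ki, b"MAC" + rand + sqn + amf, hashlib.sha256).digest()[:MAC_LEN]


def mac_legacy(ki, rand, sqn, amf):
    """Existing procedure: MAC from KI, RAND, SQN and AMF only."""
    return hmac.new(ki, b"MAC" + rand + sqn + amf, hashlib.sha256).digest()[:MAC_LEN]


def res_ck_ik(key, rand):
    """XRES, CK, IK from one key and RAND (KI in step 203, SKEY in the variant)."""
    xres = hmac.new(key, b"XRES" + rand, hashlib.sha256).digest()[:8]
    ck = hmac.new(key, b"CK" + rand, hashlib.sha256).digest()[:16]
    ik = hmac.new(key, b"IK" + rand, hashlib.sha256).digest()[:16]
    return xres, ck, ik


def next_sqn(sqn):
    """SQN update after each tuple; a plain increment stands in for the 3GPP rule."""
    return ((int.from_bytes(sqn, "big") + 1) % (1 << (8 * SQN_LEN))).to_bytes(SQN_LEN, "big")


def split_autn(autn):
    """AUTN = SQN || AMF || MAC."""
    return autn[:SQN_LEN], autn[SQN_LEN:SQN_LEN + AMF_LEN], autn[SQN_LEN + AMF_LEN:]


@dataclass
class Quintuple:
    rand: bytes
    autn: bytes
    xres: bytes
    ck: bytes
    ik: bytes


class HlrAuc:
    def __init__(self, ki, skey, sqn, amf=b"\x00\x00", security_flag=True, res_from_skey=False):
        self.ki, self.skey, self.sqn, self.amf = ki, skey, sqn, amf
        self.security_flag = security_flag  # first decision mechanism: a preset flag
        self.res_from_skey = res_from_skey  # variant: XRES/CK/IK derived from SKEY
        self.pool = []                      # tuples generated but not yet sent

    def uses_skey(self):
        """Both mechanisms from the text: the flag, and SKEY not being the special value."""
        return self.security_flag and self.skey != SKEY_UNSET

    def generate_one(self, rand=None):
        rand = rand or secrets.token_bytes(16)                      # step 202
        if self.uses_skey():
            mac = mac_with_skey(self.skey, self.ki, rand, self.sqn, self.amf)  # step 204
        else:
            mac = mac_legacy(self.ki, rand, self.sqn, self.amf)     # existing procedure
        autn = self.sqn + self.amf + mac                             # step 205
        xres, ck, ik = res_ck_ik(self.skey if self.res_from_skey else self.ki, rand)  # step 203
        self.sqn = next_sqn(self.sqn)                                # new SQN for the next tuple
        return Quintuple(rand, autn, xres, ck, ik)                   # step 206

    def generate_batch(self, n):
        self.pool.extend(self.generate_one() for _ in range(n))

    def respond(self, requested):
        """Step 207: return min(requested, available) tuples to the MSC/VLR."""
        sent, self.pool = self.pool[:requested], self.pool[requested:]
        return sent


if __name__ == "__main__":
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")    # constructed sample values
    skey = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")
    hlr = HlrAuc(ki, skey, sqn=bytes(6))
    hlr.generate_batch(5)
    print("returned to MSC/VLR:", len(hlr.respond(3)), "| left in HLR/AUC:", len(hlr.pool))
```

The MSC/VLR keeps XRES, CK and IK from each tuple and forwards only `rand` and `autn` to the terminal, which is what `split_autn` lets the receiving side take apart.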
The above describes how the network device generates the authentication information. After generating it, the network device may send it to the corresponding mobile terminal; the processing the mobile terminal performs on receiving it is described next.
Fig. 3 shows the general flow by which a mobile terminal in a mobile communication network authenticates the network. As shown in Fig. 3, in step 301 an SKEY is set in the mobile terminal; this SKEY is generally identical to the SKEY corresponding to this mobile terminal that the network device holds.
In step 302, after receiving the authentication information from the network device, the mobile terminal judges from this authentication information and the SKEY and KI it holds whether authentication of the network passes. If it passes, the mobile terminal accesses the network normally in step 303; if not, the current mobile terminal user is deemed illegitimate and the terminal stops its own normal use in step 304.
Stopping its own normal use here may mean not allowing the mobile terminal to access the network, or directly powering off or shutting down, and may be combined with operations such as sending a short message to notify relatives or a security office.
Corresponding to the situation shown in Fig. 2, a specific embodiment of the mobile terminal authenticating the network is shown in Fig. 4.
In step 401, an SKEY is set in the mobile terminal, consistent with the SKEY corresponding to this mobile terminal that the network device holds. In general, the terminal and the network device each hold one of a pair of symmetric keys, and generally the two keys are identical.
In step 402, after receiving the authentication information consisting of RAND and AUTN from the MSC/VLR, the mobile terminal calculates a MAC value from its own SKEY, the KI in the current subscriber card, the received RAND and the SQN in AUTN, and compares the MAC value it calculated with the MAC value in AUTN. If they differ, it judges in step 403 that authentication of the network has failed; otherwise step 404 is executed.
In step 404, the mobile terminal judges whether AUTN is acceptable. If it is, the mobile terminal judges in step 405 that authentication of the network passes; otherwise, in step 406 the mobile terminal considers that the SQN it holds is out of synchronization with the corresponding SQN held by the network device, and further initiates an SQN synchronization operation.
The mobile terminal judges whether AUTN is acceptable according to the SQN it holds. The mobile terminal and the network device may store a synchronized SQN in advance; the mobile terminal judges whether AUTN is acceptable by checking whether its stored SQN and the SQN in AUTN satisfy a predetermined condition, which may be that the difference between the SQN in AUTN and the SQN stored by the mobile terminal lies within a preset range. If the mobile terminal finds that the difference lies within that range, it judges AUTN acceptable; otherwise it judges AUTN unacceptable.
After judging that authentication of the network passes, the mobile terminal updates its stored SQN with the SQN in AUTN.
Where AUTN includes an AMF, step 402 further takes the AMF into account, for example generating the MAC value from its own SKEY and KI, the received RAND, and the SQN and AMF in AUTN.
Before step 402 there may further be a step of judging whether to authenticate the network according to SKEY. If so, step 402 is executed; otherwise RAND is sent to the subscriber card according to the existing procedure and the subscriber card authenticates the network.
Step 402 may further be as follows: after receiving the authentication information consisting of RAND and AUTN from the MSC/VLR, the mobile terminal sends RAND to the subscriber card; the subscriber card calculates a temporary random number TmpRAND from the KI in the card and RAND, and sends TmpRAND to the mobile terminal. The mobile terminal calculates a MAC value from its own SKEY, the TmpRAND calculated by the subscriber card and the SQN in AUTN, and compares it with the MAC value in AUTN. If they differ, it judges in step 403 that authentication of the network has failed; otherwise step 404 is executed.
Step 402 may also be as follows: after receiving the authentication information consisting of RAND and AUTN from the MSC/VLR, the mobile terminal sends RAND and the SQN in AUTN to the subscriber card; the subscriber card calculates a MAC value from the KI in the card, RAND and the SQN in AUTN, and sends the MAC to the mobile terminal. The mobile terminal computes a new message authentication code MAC2 from the SKEY it holds and the MAC calculated by the subscriber card, and compares its MAC2 with the MAC value in AUTN. If they differ, it judges in step 403 that authentication of the network has failed; otherwise step 404 is executed.
Whether the mobile terminal authenticates the network according to SKEY may be decided by a security flag set in advance. If the flag has the value indicating that the network must be authenticated according to SKEY, for example 1, the network is authenticated according to SKEY; if it has the value indicating that this is not needed, for example 0, the network is not authenticated according to SKEY.
Alternatively, the mobile terminal may decide by checking whether SKEY is a particular value, for example 0: if it is, the network need not be authenticated according to SKEY; if SKEY is any other value, the network must be authenticated according to SKEY.
Likewise, the SQN here may be the same SQN as in the prior art, i.e. the SQN used for subscriber card authentication that the network and the subscriber card store correspondingly (see 3GPP 33.102/29.002). Preferably, however, the present invention separately sets an SQN dedicated to mobile terminal authentication, and the mobile terminal and HLR/AUC may also synchronize this SQN. It will be understood that the separately set SQN and the SQN stored in the subscriber card may take the same value.
Because the SKEY stored in the mobile terminal is consistent with (for example identical to) the SKEY stored in the network device, the SKEY in the mobile terminal may be stored according to the subscriber card number or the IMSI. When the mobile terminal supports only one subscriber card, the SKEY may be stored directly in the mobile terminal rather than according to the supported card number or IMSI. When the mobile terminal supports more than one subscriber card and stores SKEYs according to card number or IMSI, the mobile terminal selects which SKEY to use for authenticating the network according to the current subscriber card number or IMSI. Since support for multiple cards is an extended application of the present invention and those skilled in the art can readily develop a concrete application from the inventive concept, it is not described in further detail here.
The above has described separately the flow by which the network device generates the authentication information and the flow by which the mobile terminal authenticates the network. The flow of the authentication method in a mobile communication network according to the present invention is described next with reference to Fig. 5.
As shown in Fig. 5, in step 501 an SKEY for authentication of the corresponding mobile terminal is set in both the network device and the mobile terminal. The SKEY set in the network device may be an SKEY set according to characteristic information of the mobile terminal, or an SKEY set according to the IMSI of the subscriber card; the network device may also set the SKEY according to the mobile subscriber's MSISDN.
In step 502, when generating authentication information for a particular mobile terminal, the network device generates a RAND.
In step 503, the network device generates the authentication information using the SKEY corresponding to the mobile terminal, the KI of the subscriber card currently in the mobile terminal, and the generated RAND.
In step 504, the network device sends the authentication information to the corresponding mobile terminal.
In step 505, after receiving the authentication information from the network device, the mobile terminal judges from this authentication information, its own stored SKEY and the KI in the subscriber card whether authentication of the network passes. If it passes, the mobile terminal accesses the network normally in step 506; if not, the current user is deemed illegitimate and exception handling is entered in step 507, for example stopping normal use or prohibiting network services.
After judging that authentication of the network passes, the mobile terminal updates its stored SQN with the SQN in the AUTN of the received authentication information.
A complete authentication method is described below through a specific embodiment combining Fig. 2 and Fig. 4. As shown in Fig. 6, in step 601 the SKEY for authentication of the corresponding mobile terminal is set in both the HLR/AUC and the mobile terminal.
In step 602, the HLR/AUC generates a RAND using its own random number generator.
In step 603, the HLR/AUC calculates XRES, CK and IK using the KI it holds and the RAND it generated.
In step 604, the HLR/AUC generates a MAC using the SKEY of the corresponding mobile terminal stored in advance, KI, RAND and SQN. The SQN here is currently known, for example preset.
In step 605, the HLR/AUC combines the MAC with the known SQN into AUTN.
Where AUTN includes an AMF, step 604 further takes the AMF into account, for example generating the MAC from SKEY, KI, RAND, SQN and AMF, where the AMF is also set in advance. Step 605 likewise takes the AMF into account, so that MAC, SQN and AMF together form AUTN.
In step 606, the HLR/AUC composes an authentication tuple from RAND, AUTN, XRES, CK and IK.
In step 607, the HLR/AUC sends this authentication tuple to the MSC/VLR.
In step 608, at authentication time, the MSC/VLR extracts RAND and AUTN from the authentication tuple corresponding to this mobile terminal and sends them to the mobile terminal as the authentication information.
This step may be triggered by a message the mobile terminal sends to the network. In practice, when the mobile terminal initiates a location update request or a service request, the MSC/VLR may initiate an authentication request to the terminal; for example, the MSC/VLR may initiate an authentication request when the mobile terminal powers on and registers with the network.
This step may also be initiated actively by the network device. For example, if the network device has not received any relevant message from the mobile terminal within a set time, or when it receives information that triggers authentication, it actively initiates an authentication procedure.
In step 609, after receiving RAND and AUTN from the MSC/VLR, the mobile terminal calculates a MAC value from its own SKEY and KI, the received RAND and the SQN in AUTN, and compares the MAC value it calculated with the MAC value in AUTN. If they differ, it judges in step 610 that authentication of the network has failed; otherwise step 611 is executed.
In step 611, the mobile terminal first judges whether AUTN is acceptable, for example whether the difference between the SQN in AUTN and its own stored SQN lies within a preset range. If not, it judges in step 612 that AUTN is unacceptable, that is, its stored SQN has lost synchronization with the SQN stored by the network; otherwise it judges in step 613 that authentication of the network passes.
In step 612, the mobile terminal may further send the network a command indicating that AUTN is unacceptable, for example a synchronization command to synchronize SQN, so that through the synchronization procedure the SQNs stored by the mobile terminal and the network become consistent. For the SQN synchronization procedure refer to the prior-art description of SQN synchronization in the 3GPP 33.102/29.002 protocols; it is not repeated here.
After judging that authentication of the network passes, the mobile terminal updates its stored SQN with the SQN in the received AUTN.
Where AUTN includes an AMF, step 609 further takes the AMF into account, for example the mobile terminal generates the MAC value from its own SKEY and KI, RAND, and the SQN and AMF in AUTN.
The above describes the processing by which the mobile terminal of the present invention authenticates the network. The present invention may further include processing by which the network authenticates the mobile terminal, that is, after step 613 the subsequent steps in which the network authenticates the terminal are carried out.
As shown in Fig. 7, steps 701-713 are identical to steps 601-613 and are not described again; in the drawing they are replaced by the letter A.
In step 714, the mobile terminal sends RAND to the subscriber card.
In step 715, the subscriber card generates XRES, CK and IK using its own KI and the received RAND.
In step 716, the subscriber card sends the generated XRES to the mobile terminal.
In step 717, the mobile terminal sends the XRES received from the subscriber card to the MSC/VLR.
In step 718, the MSC/VLR compares the XRES received from the mobile terminal with the XRES in the authentication tuple of this mobile terminal received from the HLR/AUC. If they are consistent, the network judges in step 719 that authentication of the mobile terminal passes; otherwise the network judges in step 720 that authentication of the mobile terminal has failed.
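The terminal side of Figs. 4, 6 and 7 (steps 609-613 and 714-720) as an added example that is not the patent's code: MAC check with SKEY and KI, the SQN acceptability window with the resynchronization outcome, the SQN update after success, and the card's response compared by the MSC/VLR. HMAC-SHA256 stands in for the unnamed MAC and response functions, the window of 32 and the special AUTN value handed to the card are assumptions, and the network side is constructed inline only to produce sample input.

```python
import hashlib
import hmac

# Added example, not the patent's code. MAC and XRES functions are assumed
# HMAC-SHA256 stand-ins for the unnamed digests; field widths follow 3GPP AKA.
SQN_LEN, AMF_LEN, MAC_LEN = 6, 2, 8
SQN_WINDOW = 32  # assumed "preset range": accept 1 <= SQN(AUTN) - SQN(stored) <= 32
# Assumed special AUTN value telling the card that the terminal already authenticated the network.
AUTN_HANDLED_BY_TERMINAL = b"\xff" * (SQN_LEN + AMF_LEN + MAC_LEN)


def mac_with_skey(skey, ki, rand, sqn, amf):
    """Terminal-side recomputation of the network's MAC (step 609, with AMF)."""
    return hmac.new(skey + ki, b"MAC" + rand + sqn + amf, hashlib.sha256).digest()[:MAC_LEN]


def xres_from(ki, rand):
    """Stand-in for the card's response function (step 715)."""
    return hmac.new(ki, b"XRES" + rand, hashlib.sha256).digest()[:8]


def split_autn(autn):
    return autn[:SQN_LEN], autn[SQN_LEN:SQN_LEN + AMF_LEN], autn[SQN_LEN + AMF_LEN:]


class SubscriberCard:
    def __init__(self, ki):
        self._ki = ki

    def run(self, rand, autn):
        """Steps 714-716: RES from KI and RAND. The special AUTN value makes the
        card skip its own network authentication, as the text allows."""
        if autn != AUTN_HANDLED_BY_TERMINAL:
            raise NotImplementedError("card-side network authentication is not modelled here")
        return xres_from(self._ki, rand)


class MobileTerminal:
    def __init__(self, skey, ki, card, sqn):
        self.skey, self.ki, self.card, self.sqn = skey, ki, card, sqn

    def authenticate_network(self, rand, autn):
        """Steps 609-613: returns 'MAC_FAILURE', 'SYNC_FAILURE' or 'OK'."""
        sqn, amf, mac = split_autn(autn)
        expected = mac_with_skey(self.skey, self.ki, rand, sqn, amf)
        if not hmac.compare_digest(expected, mac):
            return "MAC_FAILURE"  # step 610
        delta = int.from_bytes(sqn, "big") - int.from_bytes(self.sqn, "big")
        if not 1 <= delta <= SQN_WINDOW:
            return "SYNC_FAILURE"  # step 612: AUTN unacceptable, request SQN resynchronization
        self.sqn = sqn  # accepted: adopt the network's SQN
        return "OK"  # step 613

    def respond(self, rand):
        """Step 717: forward the card's RES to the MSC/VLR."""
        return self.card.run(rand, AUTN_HANDLED_BY_TERMINAL)


class MscVlr:
    def __init__(self, xres):
        self.xres = xres  # kept from the authentication tuple

    def authenticate_terminal(self, res):
        """Step 718: compare RES with the stored XRES."""
        return hmac.compare_digest(self.xres, res)


def make_authentication_info(skey, ki, rand, sqn, amf=b"\x00\x00"):
    """Constructed network side for the demo: RAND, AUTN and XRES as the HLR/AUC would produce them."""
    return rand, sqn + amf + mac_with_skey(skey, ki, rand, sqn, amf), xres_from(ki, rand)


def mutual_authentication(terminal, rand, autn, msc):
    """One Fig. 7 run: (terminal's verdict on the network, network's verdict on the terminal)."""
    outcome = terminal.authenticate_network(rand, autn)
    if outcome != "OK":
        return outcome, False
    return outcome, msc.authenticate_terminal(terminal.respond(rand))


if __name__ == "__main__":
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed sample values
    skey = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")
    rand, autn, xres = make_authentication_info(skey, ki, b"\x07" * 16, (100).to_bytes(6, "big"))
    mt = MobileTerminal(skey, ki, SubscriberCard(ki), (99).to_bytes(6, "big"))
    print(mutual_authentication(mt, rand, autn, MscVlr(xres)))
```

Replaying a previously accepted RAND/AUTN pair fails the window check rather than the MAC check, which is the reason the terminal adopts the network's SQN only after a successful run.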
In step 714, for compatibility with existing processing, the mobile terminal may send AUTN along with RAND, so that the subscriber card may further authenticate the network according to AUTN and its own KI. In this case the mobile terminal may set the AUTN sent to the subscriber card to a particular value indicating that the network has been authenticated by the mobile terminal; after judging that AUTN has this particular value, the subscriber card only uses KI and RAND to produce XRES, CK and IK and no longer authenticates the network according to AUTN and KI.
When the subscriber card generates XRES, CK and IK from KI and RAND, it may also produce only XRES and CK, send the produced XRES and CK to the mobile terminal, and let the mobile terminal derive IK from CK.
In step 717 above, before sending the XRES received from the subscriber card to the MSC/VLR, the mobile terminal may judge whether the network is a second-generation mobile communication network. If it is, the mobile terminal may derive from XRES, CK, IK and so on the signed response (SRES2g, Signed Response) and cipher key (KC2g, Cipher Key) used for second-generation network authentication, send the generated SRES2g to the MSC/VLR in place of XRES, and use KC2g with the network device to encrypt and decrypt the related communication data. The relevant derivation methods are suggested in the existing 3GPP protocols and are not repeated here.
In addition, for authentication in second-generation mobile communication networks refer to GSM 03.20 and GSM 09.02.
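The derivation of SRES2g and KC2g from XRES, CK and IK, as an added example that is not the patent's code. I take the "derivation suggested in the 3GPP protocols" to be the conversion functions c2 and c3 of 3GPP TS 33.102 Annex C; the function names and the sample values are this example's own, and the mapping should be checked against the specification before use.

```python
# Added example, not the patent's code. Implements conversion functions c2 (SRES)
# and c3 (Kc) as specified in 3GPP TS 33.102 Annex C, which is what I assume the
# text above refers to.


def sres_2g_from_xres(xres):
    """c2: pad XRES (4..16 bytes) with zero bytes to 16 bytes, then XOR its four 32-bit words."""
    if not 4 <= len(xres) <= 16:
        raise ValueError("XRES must be 32..128 bits")
    padded = xres.ljust(16, b"\x00")
    words = [padded[i:i + 4] for i in range(0, 16, 4)]
    return bytes(a ^ b ^ c ^ d for a, b, c, d in zip(*words))


def kc_2g_from_ck_ik(ck, ik):
    """c3: Kc = CK1 xor CK2 xor IK1 xor IK2, each half being 64 bits."""
    if len(ck) != 16 or len(ik) != 16:
        raise ValueError("CK and IK must be 128 bits")
    halves = [ck[:8], ck[8:], ik[:8], ik[8:]]
    return bytes(a ^ b ^ c ^ d for a, b, c, d in zip(*halves))


def convert_for_2g(xres, ck, ik):
    """Step 717 on a 2G network: (SRES2g, KC2g) sent and used in place of XRES and CK/IK."""
    return sres_2g_from_xres(xres), kc_2g_from_ck_ik(ck, ik)


if __name__ == "__main__":
    # Constructed sample values, not real key material.
    xres = bytes.fromhex("0102030410203040")
    ck, ik = b"\x0f" * 8 + b"\xf0" * 8, bytes(16)
    sres, kc = convert_for_2g(xres, ck, ik)
    print("SRES2g:", sres.hex(), "KC2g:", kc.hex())
```

The output sizes are the point for a defender: SRES2g is 32 bits and KC2g is 64 bits, so a session that falls back to the second-generation network keeps only the second-generation strength regardless of how the quintuple was generated.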
In addition, XRES, CK and IK may also be produced from SKEY and RAND; for this case a further embodiment is proposed as shown in Fig. 8.
In step 801, the SKEY for authentication of the corresponding mobile terminal is first stored in both the HLR/AUC and the mobile terminal.
In step 802, the HLR/AUC generates a RAND using its own random number generator.
In step 803, the HLR/AUC calculates XRES, CK and IK using the SKEY of the corresponding mobile terminal stored in advance and the RAND it generated.
In step 804, the HLR/AUC generates a MAC using the SKEY of the corresponding mobile terminal stored in advance, the KI of the corresponding current subscriber, RAND and SQN. The SQN here is currently known, for example preset.
In step 805, the HLR/AUC combines the MAC with the known SQN into AUTN.
Where AUTN includes an AMF, step 804 further takes the AMF into account, for example generating the MAC from SKEY, RAND, SQN and AMF, where the AMF is also set in advance. Step 805 likewise takes the AMF into account, so that MAC, SQN and AMF together form AUTN.
In step 806, the HLR/AUC composes an authentication tuple from RAND, AUTN, XRES, CK and IK.
In step 807, the HLR/AUC sends this authentication tuple to the MSC/VLR.
In step 808, at authentication time, the MSC/VLR extracts RAND and AUTN from the authentication tuple corresponding to this mobile terminal and sends them to the mobile terminal as the authentication information.
In step 809, after receiving RAND and AUTN from the MSC/VLR, the mobile terminal calculates a MAC value from its own SKEY and KI, the received RAND and the SQN in AUTN, and compares the MAC value it calculated with the MAC value in AUTN. If they differ, it judges in step 810 that authentication of the network has failed; otherwise step 811 is executed.
In step 811, the mobile terminal judges whether AUTN is acceptable, for example whether the difference between the SQN in AUTN and its own stored SQN lies within a preset range. If not, it judges in step 812 that AUTN is unacceptable; otherwise it judges in step 813 that authentication of the network passes.
In step 812, the mobile terminal may further send the network a command indicating that AUTN is unacceptable, for example a synchronization command to synchronize SQN, so that through the synchronization procedure the SQNs stored by the mobile terminal and the network are brought into synchronization.
After judging that authentication of the network passes, the mobile terminal updates its stored SQN with the SQN in the received AUTN.
Where AUTN includes an AMF, step 809 further takes the AMF into account, for example generating the MAC value from its own SKEY and KI, RAND, and the SQN and AMF in AUTN.
In step 814, the mobile terminal generates XRES, CK and IK using its own SKEY and the received RAND, and sends the XRES it generated to the MSC/VLR.
In step 815, the MSC/VLR compares the XRES received from the mobile terminal with the XRES in the authentication tuple of this mobile terminal received from the HLR/AUC. If they are consistent, the network judges in step 816 that authentication of the mobile terminal passes; otherwise the network judges in step 817 that authentication of the mobile terminal has failed.
In addition, when the HLR/AUC generates the authentication tuple from SKEY, KI, RAND and so on, it may first calculate a TmpRAND from KI and RAND, then, following the processing defined in the existing 3GPP protocols for producing the authentication quintet, use SKEY in place of KI and TmpRAND in place of RAND to produce AUTN, XRES, CK and IK, and form the authentication tuple from the original RAND together with the generated AUTN, XRES, CK and IK. Correspondingly, after receiving the authentication information consisting of RAND and AUTN from the MSC/VLR, the mobile terminal sends the RAND to the subscriber card; the subscriber card calculates a TmpRAND from the KI in the card and the RAND, and returns the TmpRAND to the mobile terminal. The mobile terminal calculates a MAC value from its own SKEY, the TmpRAND calculated by the subscriber card and the SQN in the AUTN, and compares the MAC value it calculated with the MAC value in the AUTN. If they are inconsistent, it determines that authentication of the network has failed; otherwise it goes on to the step of determining whether the AUTN is acceptable. For this case another embodiment is proposed, shown in Figure 9.
In step 901, the SKEY for authentication of the corresponding mobile terminal is stored in both the HLR/AUC and the mobile terminal.
In step 902, the HLR/AUC uses its own random number generator to produce a RAND, and calculates a TmpRAND from KI and RAND.
In step 903, the HLR/AUC produces XRES, CK and IK from the SKEY stored in advance for the corresponding mobile terminal and the TmpRAND.
In step 904, the HLR/AUC generates a MAC from the SKEY stored in advance for the corresponding mobile terminal, the TmpRAND and the SQN. The SQN here is currently known, for example set in advance.
In step 905, the HLR/AUC combines the MAC and the known SQN into an AUTN.
Where the AUTN includes an AMF, the AMF is additionally taken into account in step 904, for example by generating the MAC from SKEY, RAND, SQN and AMF, where the AMF is also set in advance. In step 905 the AMF is likewise taken into account, so that MAC, SQN and AMF together form the AUTN.
In step 906, the HLR/AUC forms an authentication tuple from RAND and the generated AUTN, XRES, CK and IK.
In step 907, the HLR/AUC sends this authentication tuple to the MSC/VLR.
In step 908, at authentication time, the MSC/VLR extracts RAND and AUTN from the authentication tuple corresponding to this mobile terminal and sends them to the mobile terminal as the authentication information.
In step 909, after receiving RAND and AUTN from the MSC/VLR, the mobile terminal sends the RAND to the subscriber card; the subscriber card calculates a TmpRAND from the KI in the card and the RAND, and returns the TmpRAND to the mobile terminal. The mobile terminal calculates a MAC value from its own SKEY, the TmpRAND calculated by the subscriber card and the SQN in the received AUTN, and compares the MAC value it calculated with the MAC value in the AUTN. If they are inconsistent, in step 910 it determines that authentication of the network has failed; otherwise step 911 is executed.
In step 911, the mobile terminal determines whether the AUTN is acceptable, for example by checking whether the difference between the SQN in the AUTN and the SQN it stores lies within a preset range. If not, in step 912 it determines that the AUTN is unacceptable; otherwise, in step 913 it determines that authentication of the network has passed.
In step 912, the mobile terminal may further send the network an indication that the AUTN is unacceptable, for example by initiating a synchronization command for the SQN, so that the SQN stored by the mobile terminal and the SQN stored by the network are brought into synchronization through the synchronization procedure.
After the mobile terminal determines that authentication of the network has passed, it uses the SQN in the received AUTN to update the SQN it stores.
Where the AUTN includes an AMF, the AMF is additionally taken into account in step 909, for example by generating the MAC value from its own SKEY, the KI, the RAND, and the SQN and AMF in the AUTN.
In step 914, the mobile terminal generates XRES, CK and IK from its own SKEY and the TmpRAND generated by the subscriber card, and sends the XRES it generated to the MSC/VLR.
In step 915, the MSC/VLR compares the XRES received from the mobile terminal with the XRES in the authentication tuple for this mobile terminal received from the HLR/AUC. If they are consistent, in step 916 the network determines that authentication of the mobile terminal has passed; otherwise, in step 917 the network determines that authentication of the mobile terminal has failed.
Correspondingly, when the HLR/AUC generates the authentication tuple from SKEY, KI, RAND and so on, it may first produce the authentication tuple from KI and RAND following the processing defined in the existing 3GPP protocols for producing the authentication quintet, then calculate from SKEY and the MAC in the AUTN of that tuple a new message authentication code MAC2, and replace the MAC in the AUTN with MAC2, thereby obtaining a new authentication tuple. Correspondingly, after receiving the authentication information consisting of RAND and AUTN from the MSC/VLR, the mobile terminal sends the RAND and the SQN in the AUTN to the subscriber card; the subscriber card calculates a MAC value from the KI in the card, the RAND and the SQN in the AUTN, and returns the MAC to the mobile terminal. The mobile terminal calculates a MAC2 from the SKEY it stores and the MAC calculated by the subscriber card, and compares the MAC2 it calculated with the MAC in the AUTN. If they are inconsistent, it determines that authentication of the network has failed; otherwise it goes on to the step of determining whether the AUTN is acceptable. For this case another embodiment is proposed, shown in Figure 10.
In step 1001, the SKEY for authentication of the corresponding mobile terminal is stored in both the HLR/AUC and the mobile terminal.
In step 1002, the HLR/AUC uses its own random number generator to produce a RAND.
In step 1003, the HLR/AUC produces XRES, CK and IK from KI and RAND.
In step 1004, the HLR/AUC generates a MAC from KI, RAND and SQN, then calculates a MAC2 from SKEY and the MAC. The SQN here is currently known, for example set in advance.
In step 1005, the HLR/AUC combines the MAC2 and the known SQN into an AUTN.
Where the AUTN includes an AMF, the AMF is additionally taken into account in step 1004, for example by generating the MAC from SKEY, RAND, SQN and AMF, where the AMF is also set in advance. In step 1005 the AMF is likewise taken into account, so that MAC2, SQN and AMF together form the AUTN.
In step 1006, the HLR/AUC forms an authentication tuple from RAND, AUTN, XRES, CK and IK.
In step 1007, the HLR/AUC sends this authentication tuple to the MSC/VLR.
In step 1008, at authentication time, the MSC/VLR extracts RAND and AUTN from the authentication tuple corresponding to this mobile terminal and sends them to the mobile terminal as the authentication information.
In step 1009, after receiving RAND and AUTN from the MSC/VLR, the mobile terminal sends the RAND and the SQN in the AUTN to the subscriber card; the subscriber card calculates a MAC value from the KI in the card, the RAND and the SQN in the AUTN, and returns the MAC to the mobile terminal. The mobile terminal calculates a MAC2 from the SKEY it stores and the MAC calculated by the subscriber card, and compares the MAC2 value it calculated with the MAC value in the AUTN. If they are inconsistent, in step 1010 it determines that authentication of the network has failed; otherwise step 1011 is executed.
In step 1011, the mobile terminal determines whether the AUTN is acceptable, for example by checking whether the difference between the SQN in the AUTN and the SQN it stores lies within a preset range. If not, in step 1012 it determines that the AUTN is unacceptable; otherwise, in step 1013 it determines that authentication of the network has passed.
In step 1012, the mobile terminal may further send the network an indication that the AUTN is unacceptable, for example by initiating a synchronization command for the SQN, so that the SQN stored by the mobile terminal and the SQN stored by the network are brought into synchronization through the synchronization procedure.
After the mobile terminal determines that authentication of the network has passed, it uses the SQN in the received AUTN to update the SQN it stores.
Where the AUTN includes an AMF, the AMF is additionally taken into account in step 1009, for example by generating the MAC value from its own SKEY, the KI, the RAND, and the SQN and AMF in the AUTN.
In step 1014, the mobile terminal generates XRES, CK and IK from the KI of the current subscriber card and the received RAND, and sends the XRES it generated to the MSC/VLR.
Here, the process in which the mobile terminal generates XRES, CK and IK may instead be carried out by the subscriber card; for example, after determining that authentication of the network has passed, the mobile terminal sends a command to the subscriber card, and the subscriber card generates XRES, CK and IK. The subscriber card may also produce XRES, CK and IK already in step 1009 above; in that case the mobile terminal no longer needs to produce XRES, CK and IK in step 1014, that is, in step 1014 the mobile terminal sends the XRES generated by the subscriber card to the MSC/VLR.
In step 1015, the MSC/VLR compares the XRES received from the mobile terminal with the XRES in the authentication tuple for this mobile terminal received from the HLR/AUC. If they are consistent, in step 1016 the network determines that authentication of the mobile terminal has passed; otherwise, in step 1017 the network determines that authentication of the mobile terminal has failed.
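The three embodiments of Figures 8, 9 and 10 differ only in which key and which random value feed the MAC and the XRES/CK/IK derivation, and in whether the subscriber card or the terminal holds the secret for each step. The following Python simulation is an added example, not code from the patent or from Huawei: it runs all three variants end to end (HLR/AUC vector generation, MSC/VLR forwarding of RAND and AUTN, terminal MAC check, SQN acceptance window, XRES comparison). HMAC-SHA256 stands in for the unspecified 3GPP f1 to f5 functions, the 8/16/8-byte sizes of XRES/CK/IK, the 6-byte SQN, the 2-byte AMF, the SQN window and all key values are constructed assumptions, and, as in the description of step 809, the Figure 8 terminal reads KI directly while the Figure 9 and 10 terminals obtain only TmpRAND or MAC from the card.

```python
import hashlib
import hmac
import os

AMF = b"\x00\x00"   # assumed 2-byte AMF value (patent: set in advance)
SQN_WINDOW = 32     # assumed "preset range" for SQN(AUTN) - SQN(terminal)


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 stands in for the patent's unspecified MAC and derivation functions."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def derive_xres_ck_ik(key: bytes, seed: bytes):
    """Split one 32-byte PRF output into XRES (8), CK (16) and IK (8); sizes are assumed."""
    out = prf(key, b"derive", seed)
    return out[:8], out[8:24], out[24:]


def build_autn(sqn: int, mac: bytes) -> bytes:
    """AUTN = SQN || AMF || MAC, as the patent describes (no anonymity key)."""
    return sqn.to_bytes(6, "big") + AMF + mac


def parse_autn(autn: bytes):
    return int.from_bytes(autn[:6], "big"), autn[6:8], autn[8:]


class SubscriberCard:
    """Holds KI; only the operations the patent delegates to the card are exposed."""
    def __init__(self, ki: bytes):
        self.ki = ki

    def tmp_rand(self, rand: bytes) -> bytes:                   # Figure 9, step 909
        return prf(self.ki, b"tmprand", rand)[:16]

    def mac(self, rand: bytes, sqn: int, amf: bytes) -> bytes:  # Figure 10, step 1009
        return prf(self.ki, rand, sqn.to_bytes(6, "big"), amf)


class HlrAuc:
    def __init__(self, ki: bytes, skey: bytes, sqn: int = 1):
        self.ki, self.skey, self.sqn = ki, skey, sqn

    def auth_vector(self, variant: str, rand: bytes = b"") -> dict:
        rand = rand or os.urandom(16)                  # step 802 / 902 / 1002
        sqn_b = self.sqn.to_bytes(6, "big")
        if variant == "fig8":                          # steps 803-805: SKEY with RAND
            xres, ck, ik = derive_xres_ck_ik(self.skey, rand)
            mac = prf(self.skey, self.ki, rand, sqn_b, AMF)
        elif variant == "fig9":                        # steps 902-905: SKEY with TmpRAND
            tmp = SubscriberCard(self.ki).tmp_rand(rand)
            xres, ck, ik = derive_xres_ck_ik(self.skey, tmp)
            mac = prf(self.skey, tmp, sqn_b, AMF)
        elif variant == "fig10":                       # steps 1003-1005: MAC2 = f(SKEY, MAC)
            xres, ck, ik = derive_xres_ck_ik(self.ki, rand)
            mac = prf(self.skey, prf(self.ki, rand, sqn_b, AMF))
        else:
            raise ValueError(variant)
        vec = {"rand": rand, "autn": build_autn(self.sqn, mac), "xres": xres, "ck": ck, "ik": ik}
        self.sqn += 1                                  # HLR/AUC updates SQN after producing a tuple
        return vec


class MobileTerminal:
    def __init__(self, skey: bytes, card: SubscriberCard, sqn: int = 0):
        self.skey, self.card, self.sqn = skey, card, sqn

    def authenticate_network(self, variant: str, rand: bytes, autn: bytes):
        """Return (status, xres); xres is produced only once the network has been authenticated."""
        sqn, amf, mac_net = parse_autn(autn)
        sqn_b = sqn.to_bytes(6, "big")
        if variant == "fig8":
            expected = prf(self.skey, self.card.ki, rand, sqn_b, amf)   # terminal uses KI directly
            key, seed = self.skey, rand
        elif variant == "fig9":
            tmp = self.card.tmp_rand(rand)
            expected = prf(self.skey, tmp, sqn_b, amf)
            key, seed = self.skey, tmp
        else:
            expected = prf(self.skey, self.card.mac(rand, sqn, amf))   # MAC2 from card's MAC
            key, seed = self.card.ki, rand
        if not hmac.compare_digest(expected, mac_net):
            return "NETWORK_AUTH_FAILED", None          # steps 810 / 910 / 1010
        if not 0 < sqn - self.sqn <= SQN_WINDOW:
            return "AUTN_UNACCEPTABLE", None            # steps 812 / 912 / 1012: resynchronise SQN
        self.sqn = sqn                                   # accepted: update the stored SQN
        xres, _ck, _ik = derive_xres_ck_ik(key, seed)    # steps 814 / 914 / 1014
        return "NETWORK_AUTH_PASSED", xres


def run_authentication(hlr: HlrAuc, terminal: MobileTerminal, variant: str, rand: bytes = b"") -> str:
    """MSC/VLR role: forward RAND and AUTN, then compare the terminal's XRES with the tuple's."""
    vec = hlr.auth_vector(variant, rand)
    status, xres = terminal.authenticate_network(variant, vec["rand"], vec["autn"])
    if status != "NETWORK_AUTH_PASSED":
        return status
    return "TERMINAL_AUTH_PASSED" if hmac.compare_digest(xres, vec["xres"]) else "TERMINAL_AUTH_FAILED"


if __name__ == "__main__":
    KI, SKEY = bytes(range(16)), bytes(range(16, 32))   # constructed keys
    for v in ("fig8", "fig9", "fig10"):
        print(v, run_authentication(HlrAuc(KI, SKEY), MobileTerminal(SKEY, SubscriberCard(KI)), v))
```

Two failure modes are worth running explicitly: a terminal holding the right card but the wrong SKEY fails the MAC comparison in all variants, which is the property the patent adds on top of standard AKA (the card's KI alone is no longer sufficient), and a terminal whose stored SQN is ahead of the network's rejects an otherwise valid AUTN and must resynchronize rather than accept a replayed tuple.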
The methods above may further include a step in which the HLR/AUC updates the SQN before or after producing the authentication tuple.
In the methods above, the network equipment, such as the MSC/VLR, may send the authentication information to the terminal in one message or in several, for example sending RAND first and AUTN second. In practice, whether it is split into several messages depends on the protocol capabilities of the network. For example, in a third-generation UMTS network the MSC/VLR can send authentication information such as RAND and AUTN to the mobile terminal at once in an authentication command, whereas in a second-generation mobile communication network the MSC/VLR may need two or more second-generation authentication commands to deliver authentication information such as RAND and AUTN to the mobile terminal.
The algorithms used in the present invention to produce RAND, to produce the authentication tuple, and to produce XRES, CK, IK, MAC and so on may be those specified or recommended by the existing 3GPP protocols, or may be determined separately. For authentication in third-generation mobile communication networks, refer to 3G TS 33.102 and 3G TS 29.002.
The MSC/VLR above is equipment of the circuit-switched domain; for a packet-switched domain network, the equipment corresponding to the MSC/VLR may be the SGSN.
It should be understood that the above are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention should fall within its scope of protection.

Claims (26)

1. A method for network equipment in a mobile communication network to generate authentication information, characterized in that the method comprises at least:
a1. setting in advance, in the network equipment, a security key corresponding to the mobile terminal;
b1. the network equipment generating authentication information corresponding to this mobile terminal according to the security key, the KI corresponding to the current subscriber card of the mobile terminal, a random number and a set sequence number.
2. The method according to claim 1, characterized in that the authentication information comprises the random number and an authentication token, wherein the authentication token comprises at least the set sequence number and a message authentication code.
3. The method according to claim 2, characterized in that the generation of the authentication information corresponding to this mobile terminal in step b1 is:
b11. the network equipment generating a message authentication code according to the security key, the KI, the random number and the set sequence number;
b12. combining the set sequence number and the message authentication code into the authentication token;
b13. combining the random number and the authentication token to form the authentication information corresponding to this mobile terminal.
4. The method according to claim 3, characterized in that the process of generating the message authentication code in step b11 is: the network equipment first calculates a temporary random number according to the KI and the random number, and then produces the message authentication code using the security key, the temporary random number and the set sequence number.
5. The method according to claim 3, characterized in that the process of generating the message authentication code in step b11 is: the network equipment first produces a message authentication code according to the KI, the random number and the set sequence number, then uses this message authentication code and the security key to calculate a new message authentication code, and the new message authentication code serves as the message authentication code that forms the authentication token.
6. The method according to claim 1, characterized in that the network equipment comprises a home location register/authentication centre HLR/AUC, and the method further comprises:
c. the HLR/AUC generating an expected response, a cipher key and an integrity key according to the KI and a random number it generated itself; or generating an expected response, a cipher key and an integrity key according to the security key and a random number it generated itself; or generating an expected response, a cipher key and an integrity key according to the KI, the security key and a random number it generated itself; and forming an authentication tuple from the expected response, the cipher key, the integrity key and the authentication information of step b1.
7. The method according to claim 6, characterized in that the network equipment further comprises a mobile switching centre/visitor location register MSC/VLR, and the method further comprises: the HLR/AUC sending the authentication tuple to the MSC/VLR.
8. The method according to claim 7, characterized in that the authentication tuple is sent on receipt of an authentication tuple request message from the MSC/VLR, or when the authentication tuple of the MSC/VLR needs to be updated;
the authentication tuple sent to the MSC/VLR is one or more generated authentication tuples of the corresponding mobile terminal.
9. The method according to claim 8, characterized in that the authentication tuple request message from the MSC/VLR is sent to the HLR/AUC when the MSC/VLR finds at authentication time that it has no authentication tuple for the corresponding mobile terminal, or after all authentication tuples of the corresponding mobile terminal have been used.
10. The method according to claim 7, characterized in that the method further comprises: the MSC/VLR sending the authentication information in the authentication tuple to the mobile terminal after receiving a request message from the mobile terminal that triggers authentication, or when the network equipment needs to authenticate the mobile terminal.
11. The method according to claim 2, 3, 4 or 5, characterized in that the sequence number is the sequence number used for authentication of the subscriber card of the mobile terminal user, or a separately provided sequence number used for authentication of the mobile terminal.
12. The method according to claim 1, characterized in that the security key of step a1 is a security key corresponding to characteristic information of the mobile terminal, this mobile terminal characteristic information being the international mobile equipment identity IMEI; or a security key corresponding to subscription information of the mobile terminal user, this subscription information being the international mobile subscriber identity IMSI of the mobile terminal user, the subscriber card number of the mobile terminal user, or the mobile subscriber ISDN number MSISDN.
13. A method for a mobile terminal in a mobile communication network to authenticate the communication network, characterized in that the method comprises at least:
a2. setting in advance, in the mobile terminal, a security key corresponding to this mobile terminal;
b2. the mobile terminal receiving authentication information from the network equipment, the authentication information comprising a random number and an authentication token, wherein the authentication token comprises at least a sequence number and a message authentication code;
the mobile terminal calculating a mobile terminal message authentication code according to the security key it has set, the KI of the current subscriber card, and the sequence number and random number in the received authentication information, the calculation of the mobile terminal message authentication code corresponding to the way in which the message authentication code contained in the received authentication information was generated;
the mobile terminal comparing the calculated mobile terminal message authentication code with the message authentication code contained in the received authentication information; if they are consistent, determining that authentication of the network has passed; otherwise determining that authentication of the network has failed.
14. The method according to claim 13, characterized in that the process of calculating a mobile terminal message authentication code comprises:
the mobile terminal sending the random number in the received authentication information to the subscriber card, the subscriber card calculating a temporary random number according to the KI in the card and the random number received from the mobile terminal, and sending the temporary random number to the mobile terminal;
the mobile terminal calculating a message authentication code according to the security key it has set, the temporary random number calculated by the subscriber card and the sequence number in the received authentication information.
15. The method according to claim 13, characterized in that the process of calculating a mobile terminal message authentication code comprises:
the mobile terminal sending the random number and the sequence number in the received authentication information to the subscriber card, the subscriber card calculating a message authentication code according to the KI in the subscriber card and the random number and sequence number received from the mobile terminal, and sending it to the mobile terminal;
the mobile terminal calculating a new message authentication code according to the security key it stores and the message authentication code calculated by the subscriber card, this new message authentication code being the mobile terminal message authentication code.
16. The method according to any one of claims 13 to 14, characterized in that, before determining that authentication of the network has passed, the method further comprises:
the mobile terminal determining, according to the sequence number it has set, whether the authentication information from the network equipment is up to date; if it is up to date, determining that authentication of the network has passed, otherwise initiating a synchronization operation towards the network.
17. The method according to claim 13, characterized in that the sequence number is the sequence number used for authentication of the subscriber card of the mobile terminal user, or a separately provided sequence number used for authentication of the mobile terminal.
18. The method according to claim 13, characterized in that the security key set in step a2 is a security key set corresponding to characteristic information of the subscriber card of the mobile terminal user, the subscriber card characteristic information being the international mobile subscriber identity IMSI or the subscriber card number in the subscriber card.
19. The method according to any one of claims 13, 14 and 15, characterized in that the method further comprises:
c2. the mobile terminal or the subscriber card generating an expected response, a cipher key and an integrity key according to the KI and the received random number; or generating an expected response, a cipher key and an integrity key according to the security key and the received random number; or generating an expected response, a cipher key and an integrity key according to the KI, the security key and the received random number; and returning the expected response to the network equipment.
20. A method of authentication in a mobile communication network, characterized in that the method comprises at least:
a3. setting in advance, in the network equipment and in the mobile terminal respectively, a security key corresponding to the mobile terminal;
b3. the network equipment generating authentication information corresponding to this mobile terminal according to the security key, the KI corresponding to the current subscriber card of the mobile terminal, a random number and a set sequence number;
c3. the network equipment sending the authentication information to the mobile terminal;
d3. the mobile terminal determining, according to the security key it has set, the KI of the current subscriber card and the received authentication information, whether authentication of the network passes.
21. The method according to claim 20, characterized in that the authentication information comprises a random number and an authentication token, wherein the authentication token comprises at least a sequence number and a message authentication code.
22. The method according to claim 21, characterized in that the process of generating the authentication information corresponding to this mobile terminal in step b3 is: the network equipment generating an authentication token according to the security key, the KI, the random number and the set sequence number;
combining the random number and the authentication token to form the authentication information;
the process of determining whether authentication of the network passes in step d3 comprises:
the mobile terminal calculating a mobile terminal message authentication code according to the security key it has set, the KI of the current subscriber card, and the sequence number and random number in the received authentication information;
the mobile terminal comparing the calculated mobile terminal message authentication code with the message authentication code contained in the received authentication information; if they are consistent, determining that authentication of the network has passed; otherwise determining that authentication of the network has failed.
23. The method according to claim 21, characterized in that the process of generating the authentication information corresponding to this mobile terminal in step b3 is: the network equipment first calculating a temporary random number according to the KI and the random number, then producing a message authentication code using the security key and the temporary random number, combining the message authentication code and the set sequence number into the authentication token, and combining the authentication token and the random number into the authentication information;
the process of determining whether authentication of the network passes in step d3 comprises:
the mobile terminal sending the random number in the received authentication information to the subscriber card, the subscriber card calculating a temporary random number according to the KI in the card and the random number, and sending the temporary random number to the mobile terminal;
the mobile terminal calculating a message authentication code according to the security key it has set, the temporary random number calculated by the subscriber card and the sequence number in the received authentication information, and comparing the calculated message authentication code with the message authentication code in the received authentication information; if they are inconsistent, determining that authentication of the network has failed; otherwise determining that authentication of the network has passed.
24. The method according to claim 21, characterized in that the process of generating the authentication information corresponding to this mobile terminal in step b3 is: the network equipment first producing a message authentication code according to the KI, the set sequence number and the random number, then using this message authentication code and the security key to calculate a new message authentication code, combining the message authentication code and the set sequence number into the authentication token, and combining the authentication token and the random number into the authentication information;
the process of determining whether authentication of the network passes in step d3 comprises:
the mobile terminal sending the random number and the sequence number in the received authentication information to the subscriber card, the subscriber card calculating a message authentication code according to the KI in the card and the random number and sequence number received from the mobile terminal, and sending it to the mobile terminal;
the mobile terminal calculating a new message authentication code according to the security key it stores and the message authentication code calculated by the subscriber card, and comparing the new message authentication code it calculated with the message authentication code in the received authentication information; if they are inconsistent, determining that authentication of the network has failed; otherwise determining that authentication of the network has passed.
25. The method according to claim 20, 22, 23 or 24, characterized in that the network equipment comprises an HLR/AUC and an MSC/VLR, and before step c3 the method further comprises: the HLR/AUC in the network equipment generating an expected response, a cipher key and an integrity key according to the KI and a random number it generated itself; or the HLR/AUC generating an expected response, a cipher key and an integrity key according to the security key stored in advance and a random number it generated itself; or the HLR/AUC generating an expected response, a cipher key and an integrity key according to the KI, the security key and a random number it generated itself; the HLR/AUC forming an authentication tuple from the generated expected response, cipher key and integrity key and the authentication information of step b3 and sending it to the MSC/VLR in the network equipment, and the MSC/VLR sending the authentication information in the authentication tuple to the mobile terminal;
after step d3, the method further comprises:
the mobile terminal sending the random number from the HLR/AUC to the subscriber card, the subscriber card generating an expected response according to its own KI and the random number and sending it to the mobile terminal, and the mobile terminal sending the received expected response to the MSC/VLR; or
the mobile terminal generating an expected response according to its own security key and the random number, and sending the generated expected response to the MSC/VLR; or
the subscriber card generating a temporary random number according to its own KI and the random number and passing it to the mobile terminal, the mobile terminal generating an expected response according to its own security key and the temporary random number, and sending the generated expected response to the MSC/VLR; or
the mobile terminal or the subscriber card generating an expected response according to the KI of the subscriber card and the random number, and the mobile terminal then sending the generated expected response to the MSC/VLR;
the MSC/VLR comparing the expected response received from the mobile terminal with the expected response in the corresponding authentication tuple received from the HLR/AUC; if they are consistent, the network passes authentication of the mobile terminal; otherwise the network does not pass authentication of the mobile terminal.
26. The method according to claim 25, characterized in that, when the mobile terminal or the subscriber card generates the expected response, it also generates the cipher key and the integrity key.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB200510070970XA CN100466806C (en) 2005-04-11 2005-04-11 Right discriminating method between mobile terminal and network equipment


Publications (2)

Publication Number Publication Date
CN1848995A CN1848995A (en) 2006-10-18
CN100466806C true CN100466806C (en) 2009-03-04


Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101272251B (en) * 2007-03-22 2012-04-18 Huawei Technologies Co Ltd Authentication and cryptographic key negotiation method, authentication method, system and equipment
CN101291525A (en) * 2007-04-19 2008-10-22 Huawei Technologies Co Ltd Default bearer establishing method for wireless network, and system thereof
CN101466096B (en) * 2007-12-17 2010-07-21 Datang Mobile Communications Equipment Co Ltd Method and system for triggering synchronization failure of authentication process
CN102056171A (en) * 2009-11-10 2011-05-11 China Mobile Communications Group Co Ltd Method, system and device for authentication of user card roaming in different networks
CN102196431B (en) * 2011-05-13 2014-10-22 Nanjing University of Posts and Telecommunications Internet of Things application scenario-based protection method for private query and private identity verification
CN103905192B (en) * 2012-12-26 2018-10-12 RDA (Chongqing) Microelectronics Technology Co Ltd Encrypted authentication method, apparatus and system
CN111182534B (en) * 2019-12-20 2020-10-13 ASR Microelectronics Co Ltd Mobile terminal and method for serial authentication of a mobile terminal in a WCDMA network

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1341338A (en) * 1999-02-22 2002-03-20 Gemplus Authentication in radiotelephone network
US20020114469A1 (en) * 2001-02-21 2002-08-22 Stefano Faccin Method and system for delegation of security procedures to a visited domain
US20020187808A1 (en) * 2001-06-12 2002-12-12 Jari Vallstrom Method and arrangement for encrypting data transfer at an interface in mobile equipment in radio network, and mobile equipment in radio network
CN1419793A (en) * 2000-03-30 2003-05-21 Nokia Subscriber authentication

Also Published As

Publication number Publication date
CN1848995A (en) 2006-10-18

Similar Documents

Publication Publication Date Title
CN1767430B (en) Authentication method
CN100583767C (en) Key updating method and device
US9467431B2 (en) Application specific master key selection in evolved networks
USRE45873E1 (en) Subscriber authentication
EP0976278B1 (en) Preventing misuse of a copied subscriber identity in a mobile communication system
EP1757148B1 (en) Security in a mobile communications system
CN100466806C (en) Right discriminating method between mobile terminal and network equipment
CA3033619C (en) Authentication server of a cellular telecommunication network and corresponding uicc
JP2002084276A (en) Improved method for authentication of user subscription identity module
CN102318386A (en) Service-based authentication to a network
CN101163003A (en) System and method for authenticating network for terminal when SIM card use UMTS terminal and UMTS system
CN104521213A (en) Manipulation and restoration of authentication challenge parameters in network authentication procedures
CN104219650A (en) Method and user device for sending user identity authentication information
KR102095136B1 (en) A method for replacing at least one authentication parameter for authenticating a secure element, and a corresponding secure element
CN100518056C (en) Method for producing user card authentication random number of network apparatus and authentication method
CN101160784B (en) Cipher key updating negotiation method and apparatus
CN101730093B (en) Safe switching method and system
CN100396156C (en) Synchronous SQN processing method
CN100579274C (en) Safety key setting-up method
CN1968096B (en) Synchronous flow optimization method and system
CN100441036C (en) Method for validating security of mobile terminal in CDMA network

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: SHANGHAI HUAWEI TECHNOLOGIES CO., LTD.

Free format text: FORMER OWNER: HUAWEI TECHNOLOGY CO LTD

Effective date: 20100914

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 518129 BANTIAN HEADQUARTER BUILDING OF HUAWEI, LONGGANG DISTRICT, SHENZHEN CITY, GUANGDONG PROVINCE TO: 200121 NO.615, NINGQIAO ROAD, PUDONG NEW DISTRICT, SHANGHAI

TR01 Transfer of patent right

Effective date of registration: 20100914

Address after: 200121 No. 615 Nanjing Road, Shanghai, Pudong New Area

Patentee after: Shanghai Huawei Technologies Co., Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee before: Huawei Technologies Co., Ltd.

C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090304

Termination date: 20130411