Summary of the invention
In view of this, one object of the present invention is to provide a method by which a network device in a mobile communication network generates authentication information, so that the mobile terminal can authenticate the network, thereby improving the security of the mobile terminal and preventing it from being stolen.
Another object of the present invention is to provide a method by which a mobile terminal in a mobile communication network authenticates the network, so that the security of the mobile terminal is improved through its authentication of the network, thereby preventing the mobile terminal from being stolen.
A further object of the present invention is to provide an authentication method in a mobile communication network, in which the security of the mobile terminal is improved through the mobile terminal's authentication of the network, thereby preventing the mobile terminal from being stolen.
According to a first aspect of the invention, a method by which a network device in a mobile communication network generates authentication information comprises at least: a1, setting in advance, in the network device, a security key corresponding to the mobile terminal; b1, the network device generating authentication information corresponding to the mobile terminal according to the security key, the authentication key of the user card currently in the mobile terminal, a random number and a preset sequence number.
The authentication information comprises the random number and an authentication signature, where the authentication signature comprises at least the preset sequence number and a message authentication code.
In step b1, the generation of the authentication information corresponding to the mobile terminal comprises: b11, the network device generating a message authentication code from the security key, the authentication key, the random number and the preset sequence number; b12, combining the preset sequence number and the message authentication code into an authentication signature; b13, combining the random number and the authentication signature to form the authentication information corresponding to the mobile terminal.
The message authentication code of step b11 may be generated as follows: the network device first computes a temporary random number from the authentication key and the random number, and then produces the message authentication code from the security key, the temporary random number and the preset sequence number.
Alternatively, the message authentication code of step b11 may be generated as follows: the network device first produces a message authentication code from the authentication key, the random number and the preset sequence number, then computes a new message authentication code from that message authentication code and the security key; the new message authentication code is the one that forms part of the authentication signature.
The network device comprises a home location register / authentication centre (HLR/AUC), and the method further comprises: c, the HLR/AUC generating an expected response, an encryption key and an integrity key from the authentication key and a random number it generates itself; or from the security key and the self-generated random number; or from the authentication key, the security key and the self-generated random number; and finally forming an authentication vector from the generated expected response, encryption key and integrity key together with the authentication information of step b1.
The network device further comprises a mobile switching centre / visitor location register (MSC/VLR), and the method further comprises: the HLR/AUC sending the authentication vector to the MSC/VLR.
The authentication vector is sent upon receipt of an authentication-vector request message from the MSC/VLR, or when the authentication vectors held by the MSC/VLR need to be refreshed; the authentication vectors sent to the MSC/VLR are one or more of the generated authentication vectors of the corresponding mobile terminal.
The authentication-vector request message from the MSC/VLR is sent to the HLR/AUC when, at authentication time, the MSC/VLR finds that it holds no authentication vector for the corresponding mobile terminal, or that all authentication vectors of that mobile terminal have been used.
The method further comprises: the MSC/VLR sending the authentication information contained in the authentication vector to the mobile terminal after receiving an authentication-triggering request message from the mobile terminal, or when the network device needs to authenticate the mobile terminal.
The sequence number is either the sequence number used for authenticating the user card, or a separately configured sequence number used for authenticating the mobile terminal.
The security key of step a1 is either a security key corresponding to mobile terminal feature information, this feature information being the international mobile equipment identity (IMEI); or a security key corresponding to subscription-related information of the mobile subscriber, that information being the subscriber's international mobile subscriber identity (IMSI), the user card number, or the mobile station ISDN number (MSISDN).
Because the network device in the mobile communication network uses both the authentication key and a security key preset for the mobile terminal when generating authentication information, the authentication information of the method of the invention differs from prior-art authentication information, which does not involve a security key. Together with the processing the mobile terminal performs after receiving the authentication information, this allows the mobile terminal itself to authenticate the network, which differs from the prior art, where the network is authenticated by the user card.
When the network is authenticated by the mobile terminal, if the mobile terminal is stolen and the illegitimate user inserts a different user card, the security key stored in the mobile terminal is the one the network device set for this mobile terminal according to the legitimate user's card, for example the security key configured in the legitimate user's subscription information, and it does not match the security key configured in the illegitimate user's subscription information; the mobile terminal therefore fails to authenticate the network, and the illegitimate user cannot use it normally. Alternatively, the security key may be one the network device set according to the mobile terminal's identity; in that case, once the user, after losing the mobile terminal, has the operator modify the security key information held on the network side for that mobile terminal device, the mobile terminal likewise fails to authenticate the network and cannot be used normally. Authentication of the network by the mobile terminal thus effectively improves the security of the mobile terminal and effectively prevents it from being stolen.
Because the authentication key is also used when producing the authentication information, the invention allows improvements in the security of the user-card authentication algorithm to raise the security of the whole authentication process as well.
According to a second aspect of the invention, a method by which a mobile terminal in a mobile communication network authenticates the communication network comprises at least: a2, setting in advance, in the mobile terminal, a security key corresponding to this mobile terminal; b2, the mobile terminal receiving authentication information from the network device, the authentication information comprising a random number and an authentication signature, where the authentication signature comprises at least a sequence number and a message authentication code; the mobile terminal computing a mobile-terminal message authentication code from its own preset security key, the authentication key of the current user card, and the sequence number and random number received in the authentication information, in a manner corresponding to the way the message authentication code contained in the received authentication information was generated; the mobile terminal comparing the computed mobile-terminal message authentication code with the message authentication code contained in the received authentication information; if they match, judging that authentication of the network has succeeded, otherwise judging that authentication of the network has failed.
The computation of the mobile-terminal message authentication code may comprise:
the mobile terminal sending the random number from the received authentication information to the user card; the user card computing a temporary random number from the authentication key in the card and the random number received from the mobile terminal, and returning the temporary random number to the mobile terminal;
the mobile terminal computing a message authentication code from its own preset security key, the temporary random number computed by the user card, and the sequence number received in the authentication information.
Alternatively, the computation of the mobile-terminal message authentication code may comprise:
the mobile terminal sending the random number and the sequence number from the received authentication information to the user card; the user card computing a message authentication code from the authentication key in the user card and the random number and sequence number received from the mobile terminal, and returning it to the mobile terminal;
the mobile terminal computing a new message authentication code from the security key it holds and the message authentication code computed by the user card; this new message authentication code is the mobile-terminal message authentication code.
Before judging that authentication of the network has succeeded, the method also comprises:
the mobile terminal judging, according to its own sequence number, whether the authentication information from the network device is the latest; if so, it judges that authentication of the network has succeeded, otherwise it initiates a sequence-number synchronisation procedure toward the network.
The sequence number is either the sequence number used for authenticating the user card, or a separately configured sequence number used for authenticating the mobile terminal.
The security key set in step a2 is a security key corresponding to user-card feature information, the user-card feature information being the international mobile subscriber identity (IMSI) or the user card number held in the user card.
The method further comprises:
c2, the mobile terminal or the user card generating an expected response, encryption key and integrity key from the authentication key and the received random number; or the mobile terminal generating an expected response, encryption key and integrity key from the security key and the received random number; or generating an expected response, encryption key and integrity key from the authentication key, the security key and the received random number; the mobile terminal or the user card then returns the expected response to the network device.
Because, after receiving the authentication information, the mobile terminal directly judges whether authentication of the network succeeds, based on the security key it stores, the authentication key and the received authentication information, this differs from the prior art, in which the user card authenticates the network. As explained above, because the mobile terminal itself authenticates the network, the security of the mobile terminal is improved and theft of the mobile terminal is effectively prevented.
According to a third aspect of the invention, an authentication method in a mobile communication network comprises at least: a3, setting in advance, in both the network device and the mobile terminal, a security key corresponding to the mobile terminal; b3, the network device generating authentication information corresponding to the mobile terminal from the security key, the authentication key of the user card currently in the mobile terminal, a random number and a preset sequence number; c3, the network device sending the authentication information to the mobile terminal; d3, the mobile terminal judging, from its own preset security key, the authentication key of the current user card and the received authentication information, whether authentication of the network succeeds.
The authentication information comprises the random number and an authentication signature, where the authentication signature comprises at least the sequence number and a message authentication code.
In step b3, the generation of the authentication information corresponding to the mobile terminal comprises: the network device generating an authentication signature from the security key, the authentication key, the random number and the preset sequence number, and combining the random number and the authentication signature into the authentication information. In step d3, judging whether authentication of the network succeeds comprises: the mobile terminal computing a mobile-terminal message authentication code from its own preset security key, the authentication key of the current user card, and the sequence number and random number received in the authentication information; comparing the computed mobile-terminal message authentication code with the message authentication code contained in the received authentication information; if they match, judging that authentication of the network has succeeded, otherwise judging that authentication of the network has failed.
In step b3, the generation of the authentication information corresponding to the mobile terminal may comprise: the network device first computing a temporary random number from the authentication key and the random number, then producing a message authentication code from the security key and the temporary random number; combining the message authentication code and the preset sequence number into the authentication signature; and combining the authentication signature and the random number into the authentication information;
in that case, judging in step d3 whether authentication of the network succeeds comprises:
the mobile terminal sending the random number from the received authentication information to the user card; the user card computing a temporary random number from the authentication key in the card and the random number, and returning the temporary random number to the mobile terminal;
the mobile terminal computing a message authentication code from its own preset security key, the temporary random number computed by the user card and the sequence number received in the authentication information, and comparing the computed message authentication code with the message authentication code in the received authentication information; if they differ, judging that authentication of the network has failed, otherwise judging that authentication of the network has succeeded.
Alternatively, in step b3, the generation of the authentication information corresponding to the mobile terminal may comprise: the network device first producing a message authentication code from the authentication key, the preset sequence number and the random number, then computing a new message authentication code from that message authentication code and the security key; combining the new message authentication code and the preset sequence number into the authentication signature; and combining the authentication signature and the random number into the authentication information;
in that case, judging in step d3 whether authentication of the network succeeds comprises:
the mobile terminal sending the random number and the sequence number from the received authentication information to the user card; the user card computing a message authentication code from the authentication key in the card and the random number and sequence number received from the mobile terminal, and returning it to the mobile terminal;
the mobile terminal computing a new message authentication code from the security key it holds and the message authentication code computed by the user card, and comparing this new message authentication code with the message authentication code in the received authentication information; if they differ, judging that authentication of the network has failed, otherwise judging that authentication of the network has succeeded.
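The first, second and third aspects above describe one construction from the network side and the terminal side. The following Python model is added here as an illustration and is not part of the patent text: it implements both MAC variants on the network side (a temporary random number from KI and RAND, or an inner MAC from KI, RAND and SQN, each then combined with SKEY), the matching terminal-side check in which KI never leaves the user card, and the sequence-number freshness check of the second aspect. The patent fixes no algorithm, so HMAC-SHA256 stands in for every "calculation"; the field lengths (16-byte RAND, 6-byte SQN, 8-byte MAC), the class and function names and the result strings are assumptions of this example.

```python
import hmac
import hashlib

RAND_LEN, SQN_LEN, MAC_LEN = 16, 6, 8   # assumed field lengths (not fixed by the patent)


def prf(key: bytes, *parts: bytes) -> bytes:
    """Keyed digest standing in for the unspecified 'calculation' (assumption: HMAC-SHA256)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def temp_rand(ki: bytes, rand: bytes) -> bytes:
    """Temporary random number from KI and RAND (first step of the first variant)."""
    return prf(ki, rand)


def network_mac(skey: bytes, ki: bytes, rand: bytes, sqn: bytes, variant: int) -> bytes:
    """MAC as the HLR/AUC produces it in step b11.
    variant 1: TEMPRAND = f(KI, RAND);    MAC = f(SKEY, TEMPRAND, SQN)
    variant 2: MAC0 = f(KI, RAND, SQN);   MAC = f(SKEY, MAC0)"""
    if variant == 1:
        return prf(skey, temp_rand(ki, rand), sqn)[:MAC_LEN]
    return prf(skey, prf(ki, rand, sqn))[:MAC_LEN]


def build_auth_info(skey: bytes, ki: bytes, rand: bytes, sqn: bytes, variant: int) -> bytes:
    """Authentication information = RAND || AUTN, with AUTN = SQN || MAC (AMF omitted here)."""
    return rand + sqn + network_mac(skey, ki, rand, sqn, variant)


class UserCard:
    """Holds KI and only returns values derived from it to the terminal."""

    def __init__(self, ki: bytes):
        self._ki = ki

    def temp_rand(self, rand: bytes) -> bytes:
        return temp_rand(self._ki, rand)

    def mac0(self, rand: bytes, sqn: bytes) -> bytes:
        return prf(self._ki, rand, sqn)


class MobileTerminal:
    """Holds SKEY and the terminal-side SQN; performs the check of step d3."""

    def __init__(self, skey: bytes, card: UserCard, sqn_stored: int = 0):
        self.skey = skey
        self.card = card
        self.sqn_stored = sqn_stored   # highest SQN accepted so far

    def authenticate_network(self, auth_info: bytes, variant: int) -> str:
        rand = auth_info[:RAND_LEN]
        sqn = auth_info[RAND_LEN:RAND_LEN + SQN_LEN]
        mac_net = auth_info[RAND_LEN + SQN_LEN:RAND_LEN + SQN_LEN + MAC_LEN]
        # Recompute the MAC the way the network did; the card contributes the KI-dependent part.
        if variant == 1:
            mac_ms = prf(self.skey, self.card.temp_rand(rand), sqn)[:MAC_LEN]
        else:
            mac_ms = prf(self.skey, self.card.mac0(rand, sqn))[:MAC_LEN]
        if not hmac.compare_digest(mac_ms, mac_net):
            return "auth_failed"
        # Freshness check on the terminal-side SQN (assumption: SQN strictly increases).
        sqn_int = int.from_bytes(sqn, "big")
        if sqn_int <= self.sqn_stored:
            return "resync_required"
        self.sqn_stored = sqn_int
        return "auth_ok"


def stolen_terminal_scenario() -> tuple:
    """Constructed scenario from the text: legitimate card first, then a thief's card.
    The network then uses the thief's subscription (KI', SKEY') while the terminal keeps SKEY."""
    ki_legit, skey_legit = bytes(range(16)), b"legit-skey-00001"
    ki_thief, skey_thief = bytes(range(16, 32)), b"thief-skey-00001"
    rand = b"\x42" * RAND_LEN
    ms = MobileTerminal(skey_legit, UserCard(ki_legit))
    ok = ms.authenticate_network(
        build_auth_info(skey_legit, ki_legit, rand, (1).to_bytes(SQN_LEN, "big"), 1), 1)
    ms.card = UserCard(ki_thief)
    stolen = ms.authenticate_network(
        build_auth_info(skey_thief, ki_thief, rand, (2).to_bytes(SQN_LEN, "big"), 1), 1)
    return ok, stolen
```

`stolen_terminal_scenario` returns `("auth_ok", "auth_failed")`: the MAC check fails as soon as the SKEY held by the terminal no longer matches the one the network associates with the inserted card, which is the property the first and second aspects rely on.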
The network device comprises an HLR/AUC and an MSC/VLR, and before step c3 the method further comprises: the HLR/AUC in the network device generating an expected response, encryption key and integrity key from the authentication key and a self-generated random number; or from the security key and the self-generated random number; or from the authentication key, the security key and the self-generated random number; the HLR/AUC forming an authentication vector from the expected response, encryption key, integrity key and the authentication information of step b3 and sending it to the MSC/VLR in the network device; and the MSC/VLR sending the authentication information in the authentication vector to the mobile terminal;
after step d3, the method also comprises: the mobile terminal sending the random number from the HLR/AUC to the user card, the user card generating an expected response from its own authentication key and the random number and passing it to the mobile terminal, and the mobile terminal sending the received expected response to the MSC/VLR; or
the mobile terminal generating an expected response from its own security key and the random number, and sending the generated expected response to the MSC/VLR; or
the user card generating a temporary random number from its own authentication key and the random number and passing it to the mobile terminal, the mobile terminal generating an expected response from its own security key and the temporary random number, and sending the generated expected response to the MSC/VLR; or
the mobile terminal or the user card generating an expected response from the user card's authentication key and the random number, and the mobile terminal sending the generated expected response to the MSC/VLR;
the MSC/VLR comparing the expected response received from the mobile terminal with the expected response in the corresponding authentication vector received from the HLR/AUC; if they match, the network's authentication of the mobile terminal succeeds, otherwise it fails.
When the mobile terminal or the user card generates the expected response, it also generates an encryption key and integrity key from the preset security key and the random number received in the authentication information; or from the preset authentication key and the received random number; or by first generating a temporary random number from the preset authentication key and the received random number and then generating the encryption key and integrity key from the temporary random number and the preset security key.
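The expected-response options above, as an added Python example that is not the patent's own code: `derive_xres_ck_ik` covers the three network-side choices (KI and RAND; SKEY and RAND; KI, SKEY and RAND via a temporary random number), the terminal and the user card split the work as the options after step d3 describe, and the MSC/VLR compares the response it receives with the XRES it stored from the authentication vector. HMAC-SHA256 as the calculation, the output lengths, the mode strings and all class and function names are assumptions. The example also shows, with a constructed stolen-terminal case, why the terminal's own check of the network matters: in the KI-only option the MSC/VLR verifies only the card, so a stolen terminal holding a new card still passes that check, whereas the options involving SKEY fail for it.

```python
import hmac
import hashlib


def prf(key: bytes, *parts: bytes) -> bytes:
    """Keyed digest standing in for the unspecified 'calculation' (assumption: HMAC-SHA256)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def derive_from_seed(key: bytes, seed: bytes) -> tuple:
    """(RES/XRES, CK, IK) from one key and one seed; the tags keep the three outputs distinct."""
    return (prf(key, b"RES", seed)[:8], prf(key, b"CK", seed)[:16], prf(key, b"IK", seed)[:16])


def derive_xres_ck_ik(mode: str, rand: bytes, ki: bytes = b"", skey: bytes = b"") -> tuple:
    """Network-side options: from (KI, RAND), from (SKEY, RAND), or from (KI, SKEY, RAND),
    the last modelled as SKEY applied to the temporary random number f(KI, RAND)."""
    if mode == "ki":
        return derive_from_seed(ki, rand)
    if mode == "skey":
        return derive_from_seed(skey, rand)
    if mode == "ki+skey":
        return derive_from_seed(skey, prf(ki, rand))
    raise ValueError(f"unknown mode {mode!r}")


class UserCard:
    def __init__(self, ki: bytes):
        self._ki = ki

    def temp_rand(self, rand: bytes) -> bytes:
        return prf(self._ki, rand)

    def res_ck_ik(self, rand: bytes) -> tuple:
        return derive_from_seed(self._ki, rand)


class MobileTerminal:
    def __init__(self, skey: bytes, card: UserCard):
        self.skey, self.card = skey, card
        self.ck = self.ik = b""

    def respond(self, rand: bytes, mode: str) -> bytes:
        """Produce the response the text calls the expected response, keep CK/IK, return RES."""
        if mode == "ki":            # card alone
            res, self.ck, self.ik = self.card.res_ck_ik(rand)
        elif mode == "skey":        # terminal alone
            res, self.ck, self.ik = derive_from_seed(self.skey, rand)
        else:                       # card supplies TEMPRAND, terminal finishes with SKEY
            res, self.ck, self.ik = derive_from_seed(self.skey, self.card.temp_rand(rand))
        return res


class MscVlr:
    """Keeps XRES, CK and IK from the HLR/AUC vector and compares XRES with the terminal's RES."""

    def __init__(self):
        self.vectors = {}

    def store_vector(self, rand: bytes, xres: bytes, ck: bytes, ik: bytes) -> None:
        self.vectors[rand] = (xres, ck, ik)

    def authenticate_terminal(self, rand: bytes, res: bytes) -> bool:
        vec = self.vectors.get(rand)
        return vec is not None and hmac.compare_digest(vec[0], res)


def run_exchange(mode: str, ki_net: bytes, skey_net: bytes, terminal: MobileTerminal, rand: bytes) -> bool:
    """HLR/AUC derives XRES/CK/IK for the subscription it knows (ki_net, skey_net), the MSC/VLR
    stores them, the terminal answers, the MSC/VLR decides; CK/IK agreement is checked as well."""
    xres, ck, ik = derive_xres_ck_ik(mode, rand, ki=ki_net, skey=skey_net)
    msc = MscVlr()
    msc.store_vector(rand, xres, ck, ik)
    res = terminal.respond(rand, mode)
    return msc.authenticate_terminal(rand, res) and terminal.ck == ck and terminal.ik == ik
```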
As explained above, since the first and second aspects are combined, the mobile terminal itself authenticates the network, which improves the security of the mobile terminal and effectively prevents it from being stolen. Further, the mobile terminal can also send the expected response to the mobile switching centre (MSC/VLR) in the network device, and the MSC/VLR compares the expected response received from the mobile terminal with the expected response received from the home location register / authentication centre (HLR/AUC) in the network device; the network can thus authenticate the mobile terminal after the mobile terminal has authenticated the network, which completes the authentication process and improves its effect.
Embodiment
The invention is described in detail below with reference to the drawings and specific embodiments.
Fig. 1 shows an overview flow chart of the generation of authentication information by the network device according to the invention. As shown in Fig. 1, in step 101 a security key (SKEY) corresponding to a mobile terminal is set in the network device.
The SKEY corresponding to the mobile terminal may be set according to mobile terminal feature information, for example an SKEY corresponding to the IMEI; it may also be set according to the subscriber's subscription information, in other words user-card feature information, for example an SKEY corresponding to the international mobile subscriber identity (IMSI), to the user card number, or to the mobile station ISDN number (MSISDN).
In step 102, when generating authentication information for a given mobile terminal, the network device produces a random number (RAND).
In step 103, the network device generates the authentication information using the SKEY corresponding to the mobile terminal, the authentication key (KI) of the user card (or user) currently in the mobile terminal, and the RAND produced.
In the invention, the authentication information comprises the random number and an authentication signature (AUTN). The AUTN comprises at least a sequence number (SQN) and a message authentication code (MAC), and may further comprise an authentication management field (AMF). The AMF and SQN are predefined in the network device; when generating the authentication information they can be used to generate the MAC in the AUTN, and the existing SQN and AMF are then combined with the computed MAC to form the AUTN.
In a specific implementation, generation of the authentication information by the network device can comprise two stages: in the first stage the HLR/AUC generates an authentication vector containing the authentication information and other information and sends it to the MSC/VLR on the network side; in the second stage the MSC/VLR extracts the authentication information from the authentication vector and sends it to the mobile terminal. The detailed flow is shown in Fig. 2.
Besides the RAND and AUTN, the authentication vector here also comprises an expected response (XRES), an encryption key (CK) and an integrity key (IK). After the vector is sent to the MSC/VLR, these three parameters are kept by the MSC/VLR: XRES is used when the MSC/VLR authenticates the mobile terminal, CK is used for data encryption and decryption, and IK is used for data integrity checking and for producing verification digests of data. This is explained later in the description.
The SKEY above is produced from a random number and KI. For example, when the mobile terminal and the relevant network device, such as the HLR/AUC, negotiate the SKEY, one side produces a random number and sends it to the other; the network device performs a certain calculation, such as a digest calculation, on this random number and the KI it stores for the user card currently in the mobile terminal, and uses the result as the SKEY. Correspondingly, the mobile terminal performs the corresponding calculation on the random number and the KI in the user card and stores the result in the mobile terminal as the SKEY. For instance, the mobile terminal sends the random number to the user card, and the user card performs the corresponding calculation on the random number and KI to obtain the SKEY the mobile terminal needs and returns it to the mobile terminal. The digest algorithm can be chosen according to the practical application.
Producing the security key SKEY from a random number and KI ensures that SKEY itself never has to be transmitted between the network device and the mobile terminal, which guarantees the security of SKEY. At the same time, this method logically binds SKEY to KI, which helps the mobile terminal complete mutual authentication with the network entirely in place of the user card.
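The SKEY negotiation described in the two paragraphs above, as an added Python example that is not the patent's own code: one side produces a random number and sends it, both sides derive SKEY from KI and that number, the user card does the computation for the terminal so that KI stays in the card, and the network stores the result under the IMEI or IMSI it chose as the index. The `air` list records what crosses the radio interface, so the test can confirm that SKEY itself is never transmitted. HMAC-SHA256 as the digest, the 16-byte SKEY length, the placeholder identifiers and all names are assumptions.

```python
import hmac
import hashlib
import os


def prf(key: bytes, *parts: bytes) -> bytes:
    """Digest calculation chosen for this example (assumption: HMAC-SHA256; the page leaves it open)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def derive_skey(ki: bytes, nonce: bytes) -> bytes:
    """SKEY = digest(KI, random number): identical on both sides, never sent (16 bytes assumed)."""
    return prf(ki, b"SKEY", nonce)[:16]


class UserCard:
    def __init__(self, ki: bytes):
        self._ki = ki

    def skey_for_terminal(self, nonce: bytes) -> bytes:
        """Card-internal calculation on behalf of the terminal; KI itself stays in the card."""
        return derive_skey(self._ki, nonce)


class HlrAuc:
    def __init__(self):
        self.ki_by_imsi = {}    # subscription data: IMSI -> KI
        self.skey_store = {}    # (index kind, value) -> SKEY, e.g. ("IMEI", ...) or ("IMSI", ...)


class MobileTerminal:
    def __init__(self, imei: str, card: UserCard):
        self.imei, self.card, self.skey = imei, card, b""


def negotiate_skey(hlr: HlrAuc, ms: MobileTerminal, imsi: str, index: tuple,
                   initiator: str = "network", nonce: bytes = None) -> list:
    """Either side may produce the random number (the page allows both); only that number
    crosses the air. Returns the over-the-air transcript as (direction, payload) pairs."""
    nonce = nonce if nonce is not None else os.urandom(16)
    air = [("HLR/AUC->MS", nonce)] if initiator == "network" else [("MS->HLR/AUC", nonce)]
    # Network side: calculation on the stored KI of the card currently in the terminal.
    hlr.skey_store[index] = derive_skey(hlr.ki_by_imsi[imsi], nonce)
    # Terminal side: forward the random number to the card and keep the card's result.
    ms.skey = ms.card.skey_for_terminal(nonce)
    return air


def skey_leaked(air: list, skey: bytes) -> bool:
    """True if the SKEY bytes appear in any over-the-air message."""
    return any(skey in payload for _, payload in air)
```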
As shown in Fig. 2, in step 201 the SKEY corresponding to the mobile terminal is stored in the HLR/AUC.
In step 202, the HLR/AUC produces a RAND using its own random number generator.
In step 203, the HLR/AUC computes XRES, CK and IK using the KI it stores and the RAND it produced.
In step 204, the HLR/AUC generates a MAC using the preset SKEY of the corresponding mobile terminal, the KI, the RAND and the SQN. The SQN here is currently known, for example preset.
In step 205, the HLR/AUC combines the MAC generated in step 204 with the known SQN into an AUTN.
In step 206, the HLR/AUC composes the authentication vector of this mobile terminal from the RAND, the AUTN obtained in step 205, and the XRES, CK and IK obtained in step 203.
In step 207, the HLR/AUC sends the authentication vector to the MSC/VLR.
In step 208, at authentication time, the MSC/VLR extracts the RAND and AUTN from the authentication vector corresponding to this mobile terminal and sends them to the mobile terminal as authentication information.
This step can be triggered by a message the mobile terminal sends to the network. In practice, when the mobile terminal initiates a location update request or a service request, the MSC/VLR can initiate an authentication request to it; for example, the MSC/VLR can initiate an authentication request when the mobile terminal is powered on and registers with the network. Of course, the location update request or service request initiated by the mobile terminal can also be understood here as a request message that triggers authentication, with the MSC/VLR sending the authentication information to the mobile terminal upon receiving such a request.
This step can also be initiated actively by the network device: for example, if within a set time the MSC/VLR has not received any message from the mobile terminal containing information that triggers authentication, it actively starts an authentication procedure; no triggering message from the mobile terminal is needed in that case.
When the AUTN comprises an AMF, the AMF is further taken into account in step 204, for example by generating the MAC from SKEY, KI, RAND, SQN and AMF, where the AMF is also currently known, for example preset. Likewise, the AMF is further taken into account in step 205, i.e. MAC, SQN and AMF together form the AUTN.
Before step 204, the method may further comprise a step in which the HLR/AUC judges whether the authentication information is to be generated using SKEY; if so, step 204 is executed; otherwise the authentication information is generated directly according to the existing procedure, for example generating the MAC from KI, RAND, SQN and AMF, combining it into an AUTN, and further forming an authentication vector from KI and the random number.
The HLR/AUC may decide whether to generate the authentication information using SKEY by means of a security flag set in advance in the HLR/AUC: if the flag holds the value indicating that the authentication information is to be generated using SKEY, for example 1, the authentication information is generated using SKEY; if it holds the value indicating that SKEY is not to be used, for example 0, the authentication information is not generated using SKEY.
Alternatively, the HLR/AUC may decide by checking whether SKEY is a particular value, for example 0: if so, the authentication information is not generated using SKEY; if SKEY is any value other than 0, the authentication information is generated using SKEY.
In the above method, the HLR/AUC updates the SQN each time it generates an authentication vector; in other words, every authentication vector has a different SQN. The SQN can be updated according to a certain algorithm that generates the new SQN from the previous SQN; for details, see the relevant protocol provisions of 3GPP 33.102/29.002.
In the prior art, both the HLR/AUC and the user card in the mobile terminal hold an SQN, and the two SQNs must be consistent before an authentication process is carried out. The SQN of the invention can be the same SQN as in the prior art, i.e. the SQN used for user-card authentication, held correspondingly by the network and the user card; see the relevant provisions of 3GPP 33.102/29.002. Preferably, however, the invention additionally configures a separate SQN dedicated to mobile terminal authentication, and the mobile terminal and the HLR/AUC can also perform synchronisation processing on this SQN. It is understood that the separately configured SQN and the SQN held in the user card may take the same value.
Usually, the HLR/AUC sends the authentication vector to the MSC/VLR in step 207 after receiving an authentication-vector request message from the MSC/VLR, or when the authentication vectors held in the MSC/VLR need to be refreshed. Before sending, the HLR/AUC generally generates several authentication vectors for a mobile terminal, so that after receiving a request for authentication vectors from the MSC/VLR it can send either a single vector or several vectors together, for example three at a time. The request message from the MSC/VLR may further specify the number of authentication vectors the HLR/AUC should return, and the HLR/AUC decides how many to return according to the number requested and the number it currently holds: for example, if the HLR/AUC has produced 5 authentication vectors and the MSC/VLR requests 3, the HLR/AUC returns 3 to the MSC/VLR; if it has produced 2 and the MSC/VLR requests 3, it returns 2.
At authentication time, for example after receiving an authentication-triggering request message from the mobile terminal or when the mobile terminal otherwise needs to be authenticated, the MSC/VLR takes one authentication vector from those it holds for this mobile terminal and sends the authentication information it contains, namely the RAND and AUTN, to the mobile terminal. If, when fetching an authentication vector, the MSC/VLR finds that the vectors sent by the HLR/AUC have been used up, it can send an order to the HLR/AUC to obtain more authentication vectors.
In the middle of the reality, polynary group of operation of aforementioned calculation authentication can be to finish in AUC, AUC sends to HLR for polynary group with the authentication that calculates and preserves temporarily, HLR is when receiving the request message of polynary group of MSC/VLR request authentication, perhaps when needs refresh polynary group of the authentication of preserving among the MSC/VLR, polynary group of one or more authentications are sent to MSC/VLR preserve.Because in the middle of the reality, HLR and AUC generally can integrate, and therefore, are called HLR/AUC in the present invention.
Correspondingly, MSC/VLR is the general designation of mobile switching centre and VLR Visitor Location Register module, in the middle of the reality, for the preservation of polynary group of authentication, can be realized by VLR to HLR polynary group of authentication of request and to the operations such as authentication judgement of terminal.Because VLR generally is implemented as the module of MSC, therefore, in the present invention MSC and VLR are referred to as MSC/VLR.
In the middle of the reality, in the step 203, also can be that HLR/AUC utilizes SKEY that oneself preserves and the RAND that oneself produces to calculate XRES, CK and IK in the above.In this case, realized that the complete alternate user card of portable terminal finishes the mutual authentication process with network.In this case, comparatively ideal way is that the SKEY of portable terminal produces according to KI KI.Certainly, also can be that HLR/AUC utilizes KI, SKEY that oneself preserves and the RAND that oneself produces to calculate XRES, CK and IK.
After SKEY is set, may further include the step that the authentication of preserving among the renewal MSC/VLR is polynary group.After SKEY was provided with, originally the authentication information in polynary group of the authentication that produces according to original SKEY lost efficacy, and therefore, need regenerate polynary group of authentication and polynary group of the authentication upgrading to preserve among the MSC/VLR.
If specially for the portable terminal authentication is provided with SQN, then after SKEY is set, can reinitialize the SQN that this is provided with for the portable terminal authentication specially.Certainly, it also is feasible keeping this SQN constant.
Above-mentioned authentication generally is the authentication five-tuple for polynary group.
HLR/AUC can be to calculate a provisional random number TmpRAND according to KI and RAND earlier according to polynary group of processes of generation authentication such as SKEY, KI and RAND, then, produce the protocol processes mode of authentication five-tuple according to existing 3GPP, utilize SKEY to substitute KI and utilize the alternative RAND of provisional random number TmpRAND to wait to produce AUTN, XRES, CK and IK, and form polynary group of authentication by AUTN, XRES, CK and the IK of former RAND and generation.
Certainly, HLR/AUC can be to produce polynary group of authentication according to KI and RAND according to the protocol processes mode that existing 3GPP produces the authentication five-tuple earlier according to polynary group of processes of generation authentication such as SKEY, KI and RAND, then calculate according to the MAC among the AUTN in polynary group of SKEY and the authentication, obtain a new message authentication coding MAC2, and the MAC among the alternative AUTN of use MAC2, thereby obtain polynary group of new authentication.
The above-mentioned network equipment that illustrated generates the processing of authentication information, this authentication information can be sent to corresponding mobile terminal after the network equipment generates authentication information, the following describes portable terminal and receives the processing of being carried out after this authentication information.
Fig. 3 shows the flow of the method by which a mobile terminal in a mobile communications network authenticates the mobile communications network. As shown in Fig. 3, in step 301 an SKEY is set in the mobile terminal; this SKEY is generally identical to the SKEY corresponding to this mobile terminal stored by the network device.
In step 302, after receiving the authentication information from the network device, the mobile terminal judges from this authentication information and the SKEY and KI it holds whether the network passes authentication. If so, it accesses the network normally in step 303; if not, it concludes that the current user of the mobile terminal is illegitimate and, in step 304, stops its own normal use.
Stopping its own normal use here may mean not allowing the mobile terminal to connect to the network, or directly powering off or shutting down, and may be combined with operations such as sending a short message to notify relatives or a security office.
Corresponding to the situation shown in Fig. 2, a specific embodiment of the mobile terminal authenticating the network is shown in Fig. 4.
In step 401, an SKEY is set in the mobile terminal; this SKEY is consistent with the SKEY corresponding to this mobile terminal stored by the network device. In general, what the terminal and the network device each store is one of a pair of symmetric keys, and generally the two symmetric keys are identical.
In step 402, after receiving the authentication information consisting of RAND and AUTN from the MSC/VLR, the mobile terminal computes a MAC value from its own SKEY, the KI in the current subscriber card, the received RAND and the SQN in the AUTN, and compares the MAC value it computed with the MAC value in the AUTN. If they differ, it judges in step 403 that authentication of the network has failed; otherwise it proceeds to step 404.
In step 404, the mobile terminal judges whether the AUTN is acceptable. If so, it judges in step 405 that the network passes authentication; otherwise, in step 406, the mobile terminal considers that the SQN it stores is out of synchronization with the corresponding SQN stored by the network device, and further initiates an SQN resynchronization operation.
The mobile terminal judges whether the AUTN is acceptable according to the SQN it stores. The mobile terminal and the network device may store a synchronized SQN in advance; the mobile terminal judges whether the AUTN is acceptable by checking whether the SQN it stores and the SQN in the AUTN satisfy a predetermined condition, and this predetermined condition may be that the difference between the SQN in the AUTN and the SQN stored by the mobile terminal lies within a preset range. If the mobile terminal judges that the difference between the SQN in the AUTN and the SQN it stores lies within the preset range, it judges the AUTN acceptable; otherwise it judges the AUTN unacceptable.
After judging that the network passes authentication, the mobile terminal uses the SQN in the AUTN to update the SQN it stores.
Where the AUTN includes an AMF, the AMF is further taken into account in step 402; for example, the MAC value is generated from the mobile terminal's own SKEY, the KI, the received RAND, and the SQN and AMF in the AUTN.
Here, before step 402, there may further be a step of judging whether authentication of the network according to SKEY is to be carried out. If so, step 402 is executed; otherwise the RAND is sent to the subscriber card according to the existing procedure and the subscriber card authenticates the network.
Step 402 may further be: after receiving the authentication information consisting of RAND and AUTN from the MSC/VLR, the mobile terminal sends the RAND to the subscriber card; the subscriber card computes a temporary random number TmpRAND from the KI in the card and the RAND and sends TmpRAND to the mobile terminal. The mobile terminal computes a MAC value from its own SKEY, the TmpRAND computed by the subscriber card and the SQN in the AUTN, and compares the MAC value it computed with the MAC value in the AUTN. If they differ, it judges in step 403 that authentication of the network has failed; otherwise it proceeds to step 404.
Step 402 may also be: after receiving the authentication information consisting of RAND and AUTN from the MSC/VLR, the mobile terminal sends the RAND and the SQN in the AUTN to the subscriber card; the subscriber card computes a MAC value from the KI in the card, the RAND and the SQN in the AUTN and sends the MAC to the mobile terminal. The mobile terminal computes a new message authentication code MAC2 from the SKEY it stores and the MAC computed by the subscriber card, and compares the MAC2 value it computed with the MAC value in the AUTN. If they differ, it judges in step 403 that authentication of the network has failed; otherwise it proceeds to step 404.
The mobile terminal may judge whether to authenticate the network according to SKEY by means of a security flag set in advance. If the security flag holds a value indicating that the network is to be authenticated according to SKEY, for example 1, the network is to be authenticated according to SKEY; if the security flag holds a value indicating that the network need not be authenticated according to SKEY, for example 0, the network need not be authenticated according to SKEY.
Alternatively, the mobile terminal may judge whether to authenticate the network according to SKEY by judging whether the SKEY is a particular value, for example 0. If so, the network need not be authenticated according to SKEY; if it is not 0 but any other value, the network is to be authenticated according to SKEY.
Likewise, the SQN here may be the same SQN as in the prior art, that is, the SQN used for subscriber card authentication and stored correspondingly by the network and the subscriber card; for details see the relevant protocol provisions of 3GPP TS 33.102 and TS 29.002. Preferably, however, the present invention separately provides an additional SQN dedicated to mobile terminal authentication, and the mobile terminal and the HLR/AUC may also perform resynchronization processing on this SQN. It will of course be understood that the separately provided SQN and the SQN stored in the subscriber card may take the same value.
Because the SKEY stored in the mobile terminal is consistent with, for example identical to, the SKEY stored by the network device, the SKEY in the mobile terminal may be stored against the subscriber card number or the IMSI. Of course, when the mobile terminal supports only one subscriber card, the SKEY may be stored directly in the mobile terminal rather than against the supported subscriber card number or IMSI. When the mobile terminal supports more than one subscriber card and the SKEY is stored against the subscriber card number or IMSI, the mobile terminal may select which SKEY to use for authenticating the network according to the card number or IMSI of the current subscriber card. Because support for multiple cards is an extended application of the present invention and those skilled in the art can readily develop specific applications from the inventive concept, it is not described in further detail here.
The flow by which the network device generates authentication information and the flow by which the mobile terminal authenticates the network have been described separately above. The flow of the authentication method in a mobile communications network according to the present invention is described below with reference to Fig. 5.
As shown in Fig. 5, in step 501 an SKEY for the corresponding mobile terminal authentication is set in both the network device and the mobile terminal. The SKEY set in the network device may of course be an SKEY set against identifying information of the corresponding mobile terminal, or an SKEY set against the IMSI of the subscriber card; the network device may also set the SKEY according to the mobile subscriber's MSISDN.
In step 502, when generating authentication information for a certain mobile terminal, the network device generates a RAND.
In step 503, the network device generates the authentication information using the SKEY corresponding to this mobile terminal, the KI of the mobile terminal's current subscriber card, and the generated RAND.
In step 504, the network device sends the authentication information to the corresponding mobile terminal.
In step 505, after receiving the authentication information from the network device, the mobile terminal judges from this authentication information, the SKEY it stores and the KI in the subscriber card whether the network passes authentication. If so, it accesses the network normally in step 506; if not, it concludes that the current user is illegitimate and enters exception handling in step 507, for example stopping normal use or prohibiting network services.
After judging that the network passes authentication, the mobile terminal uses the SQN in the AUTN of the received authentication information to update the SQN it stores.
A complete authentication method is described below by way of a specific embodiment combining Fig. 2 and Fig. 4. As shown in Fig. 6, in step 601 an SKEY for the corresponding mobile terminal authentication is set in both the HLR/AUC and the mobile terminal.
In step 602, the HLR/AUC generates a RAND using its own random number generator.
In step 603, the HLR/AUC computes XRES, CK and IK using the KI it stores and the RAND it generated.
In step 604, the HLR/AUC generates a MAC using the SKEY stored in advance for the corresponding mobile terminal, the KI, the RAND and the SQN. The SQN here is currently known, for example preset.
In step 605, the HLR/AUC combines the MAC and the known SQN into AUTN.
Where the AUTN includes an AMF, the AMF is further taken into account in step 604, for example by generating the MAC from SKEY, KI, RAND, SQN and AMF, the AMF likewise being preset. In step 605 the AMF is likewise taken into account, that is, MAC, SQN and AMF together form AUTN.
In step 606, the HLR/AUC forms an authentication vector from RAND, AUTN, XRES, CK and IK.
In step 607, the HLR/AUC sends this authentication vector to the MSC/VLR.
In step 608, at authentication time, the MSC/VLR extracts the RAND and AUTN from the authentication vector corresponding to this mobile terminal and sends them to the mobile terminal as authentication information.
This step may be triggered by a message the mobile terminal sends to the network. In practice, the MSC/VLR may initiate an authentication request to the terminal when the mobile terminal initiates a location update request or a service request, for example when the mobile terminal powers on and registers with the network.
This step may also be initiated actively by the network device; for example, when the network device has not received a related message from the mobile terminal within a set time, or when it holds information that triggers authentication, it actively initiates an authentication procedure.
In step 609, after receiving RAND and AUTN from the MSC/VLR, the mobile terminal computes a MAC value from its own SKEY, the KI, the received RAND and the SQN in the AUTN, and compares the MAC value it computed with the MAC value in the AUTN. If they differ, it judges in step 610 that authentication of the network has failed; otherwise it proceeds to step 611.
In step 611, the mobile terminal first judges whether the AUTN is acceptable, for example by judging whether the difference between the SQN in the AUTN and the SQN it stores lies within a preset range. If not, it judges in step 612 that the AUTN is unacceptable, that is, that the SQN it stores and the SQN stored by the network have lost synchronization; otherwise it judges in step 613 that the network passes authentication.
In step 612, the mobile terminal may further send the network an indication that the AUTN is unacceptable, for example by initiating an SQN resynchronization command, so that the resynchronization procedure makes the SQNs stored by the mobile terminal and the network consistent. For the SQN resynchronization procedure, reference may be made to the description of SQN resynchronization in the prior art (see 3GPP TS 33.102 and TS 29.002); it is not repeated here.
After judging that the network passes authentication, the mobile terminal uses the SQN in the received AUTN to update the SQN it stores.
Where the AUTN includes an AMF, the AMF is further taken into account in step 609; for example, the mobile terminal generates the MAC value from its own SKEY, the KI, the RAND, and the SQN and AMF in the AUTN.
The above describes the processing by which the mobile terminal of the present invention authenticates the network. The present invention may further include processing by which the network authenticates the mobile terminal, that is, after step 613 the subsequent steps by which the network authenticates the terminal continue.
As shown in Fig. 7, steps 701 to 713 are identical to steps 601 to 613; they are not described again and are represented in the figure by the letter A.
In step 714, the mobile terminal sends the RAND to the subscriber card.
In step 715, the subscriber card generates XRES, CK and IK using its own KI and the received RAND.
In step 716, the subscriber card sends the generated XRES to the mobile terminal.
In step 717, the mobile terminal sends the XRES received from the subscriber card to the MSC/VLR.
In step 718, the MSC/VLR compares the XRES received from the mobile terminal with the XRES in the corresponding authentication vector for this mobile terminal received from the HLR/AUC. If they match, the network judges in step 719 that the mobile terminal passes authentication; otherwise it judges in step 720 that authentication of the mobile terminal has failed.
Here, in step 714, for compatibility with existing processing, the mobile terminal may send the AUTN together with the RAND, so that the subscriber card can further authenticate the network according to the AUTN and its own KI. In this case the mobile terminal may set the AUTN sent to the subscriber card to a particular value indicating that the network is authenticated by the mobile terminal; after judging that the AUTN is this particular value, the subscriber card only generates XRES, CK and IK using KI and RAND, and no longer authenticates the network according to AUTN and KI.
When the subscriber card generates XRES, CK and IK from KI and RAND, it may also generate only XRES and CK, send the generated XRES and CK to the mobile terminal, and let the mobile terminal derive IK from CK.
Before the mobile terminal sends the XRES received from the subscriber card to the MSC/VLR in step 717 above, it may judge whether the network is a second generation mobile communications network. If so, the mobile terminal may derive from XRES, CK, IK and the like the signed response (SRES2g, Signed Response) and cipher key (KC2g, Cipher Key) used for second generation network authentication, send the generated SRES2g to the MSC/VLR in place of XRES, and use KC2g to encrypt and decrypt the related communication data with the network device. The relevant derivation method is recommended in existing 3GPP protocols and is not repeated here.
For authentication in second generation mobile communications networks, reference may also be made to GSM 03.20 and GSM 09.02.
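The round of steps 601 to 613 and 714 to 718, together with the second generation conversion of step 717, simulated end to end in Python as an added example. This is not code from the patent: it assumes HMAC-SHA256 in place of the 3GPP f1..f5 functions (which the patent leaves to 3GPP TS 33.102), a 48-bit SQN, an acceptance window SQN_WINDOW of my choosing that also rejects a repeated SQN, the c2/c3 conversion functions of 3GPP TS 33.102 Annex C for SRES2g and KC2g, keys drawn at random when the script runs, and the names Terminal, AuthVector, hlr_generate_vectors and run_round, which are mine.

```python
"""Added example, not from the patent: one round of the SKEY-based mutual
authentication of Fig. 6/7. HMAC-SHA256 stands in for the 3GPP f1..f5
functions (assumption), SQN is a 48-bit counter, SQN_WINDOW is an assumed
acceptance window, and all keys are constructed at run time."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

SQN_WINDOW = 32  # assumed: AUTN accepted only if 0 < SQN(AUTN) - SQN(terminal) <= 32


def prf(key, *parts):
    """Keyed PRF used for every derivation below (stand-in for f1..f5)."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def mac_skey(skey, ki, rand, sqn, amf):
    """Steps 604 / 609: MAC over RAND, SQN and AMF, keyed with SKEY and KI."""
    return prf(skey + ki, b"MAC", rand, sqn, amf)[:8]


def res_ck_ik(key, rand):
    """Steps 603 / 715: XRES (64 bit), CK and IK (128 bit each) from a key and RAND."""
    return prf(key, b"RES", rand)[:8], prf(key, b"CK", rand)[:16], prf(key, b"IK", rand)[:16]


@dataclass
class AuthVector:
    """Authentication quintuplet as stored by the MSC/VLR (step 606)."""
    rand: bytes
    autn: bytes
    xres: bytes
    ck: bytes
    ik: bytes


def hlr_generate_vectors(skey, ki, sqn_start, amf, count=3):
    """HLR/AUC side, steps 602-606, producing `count` vectors with consecutive SQNs."""
    vectors = []
    for i in range(count):
        sqn = (sqn_start + i).to_bytes(6, "big")
        rand = os.urandom(16)
        autn = sqn + amf + mac_skey(skey, ki, rand, sqn, amf)  # step 605: SQN || AMF || MAC
        vectors.append(AuthVector(rand, autn, *res_ck_ik(ki, rand)))
    return vectors


class Terminal:
    """Mobile terminal holding SKEY and its SQN; KI is the current card's key."""

    def __init__(self, skey, ki, sqn):
        self.skey, self.ki, self.sqn = skey, ki, sqn

    def authenticate_network(self, rand, autn):
        """Steps 609-613: returns 'ok', 'mac_fail' (step 610) or 'resync' (step 612)."""
        sqn, amf, mac = autn[:6], autn[6:8], autn[8:16]
        expected = mac_skey(self.skey, self.ki, rand, sqn, amf)
        if not hmac.compare_digest(mac, expected):
            return "mac_fail"
        delta = int.from_bytes(sqn, "big") - self.sqn
        if not 0 < delta <= SQN_WINDOW:  # replayed or far-ahead SQN: AUTN not acceptable
            return "resync"
        self.sqn = int.from_bytes(sqn, "big")  # update the stored SQN on success
        return "ok"


def derive_2g(xres, ck, ik):
    """c2/c3 of 3GPP TS 33.102 Annex C: SRES2g and KC2g from the 3G values (step 717)."""
    x = xres.ljust(16, b"\x00")  # XRES zero-padded to 128 bit
    sres = bytes(x[i] ^ x[i + 4] ^ x[i + 8] ^ x[i + 12] for i in range(4))
    kc = bytes(ck[i] ^ ck[i + 8] ^ ik[i] ^ ik[i + 8] for i in range(8))
    return sres, kc


def run_round(terminal, av):
    """Fig. 7: the terminal authenticates the network, then MSC/VLR compares RES with XRES."""
    verdict = terminal.authenticate_network(av.rand, av.autn)
    if verdict != "ok":
        return verdict, False  # terminal refuses to go on (steps 610 / 612)
    res, _, _ = res_ck_ik(terminal.ki, av.rand)  # step 715: computed by the card
    return verdict, hmac.compare_digest(res, av.xres)  # step 718


def demo():
    """Constructed keys; returns the (terminal verdict, network verdict) of each scenario."""
    skey, ki, amf = secrets.token_bytes(16), secrets.token_bytes(16), b"\x80\x00"
    avs = hlr_generate_vectors(skey, ki, sqn_start=100, amf=amf)
    genuine = Terminal(skey, ki, sqn=99)
    mismatched = Terminal(secrets.token_bytes(16), ki, sqn=99)  # SKEY differs from the network's
    return {
        "genuine": run_round(genuine, avs[0]),
        "replay": run_round(genuine, avs[0]),  # same vector again: SQN not acceptable
        "next": run_round(genuine, avs[1]),
        "wrong_skey": run_round(mismatched, avs[2]),
    }


if __name__ == "__main__":
    print(demo())
```

The wrong_skey scenario is the case the invention targets: a terminal whose SKEY does not match the one the HLR/AUC holds for this subscriber sees a MAC mismatch at step 609 and never reaches step 714, so it rejects the network before the card answers the challenge. The replay scenario shows why the acceptability check of step 611 is separate from the MAC check: a captured RAND/AUTN pair still carries a valid MAC, but its SQN falls outside the window, and the terminal requests resynchronization instead of accepting it.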
In addition, XRES, CK and IK may also be generated from SKEY and RAND; for that case another embodiment is proposed, as shown in Fig. 8.
In step 801, the SKEY for the corresponding mobile terminal authentication is first stored in both the HLR/AUC and the mobile terminal.
In step 802, the HLR/AUC generates a RAND using its own random number generator.
In step 803, the HLR/AUC computes XRES, CK and IK using the SKEY stored in advance for the corresponding mobile terminal and the RAND it generated.
In step 804, the HLR/AUC generates a MAC using the SKEY stored in advance for the corresponding mobile terminal, the KI of the corresponding current user, the RAND and the SQN. The SQN here is currently known, for example preset.
In step 805, the HLR/AUC combines the MAC and the known SQN into AUTN.
Where the AUTN includes an AMF, the AMF is further taken into account in step 804, for example by generating the MAC from SKEY, KI, RAND, SQN and AMF, the AMF likewise being preset. In step 805 the AMF is likewise taken into account, that is, MAC, SQN and AMF together form AUTN.
In step 806, the HLR/AUC forms an authentication vector from RAND, AUTN, XRES, CK and IK.
In step 807, the HLR/AUC sends this authentication vector to the MSC/VLR.
In step 808, at authentication time, the MSC/VLR extracts the RAND and AUTN from the authentication vector corresponding to this mobile terminal and sends them to the mobile terminal as authentication information.
In step 809, after receiving RAND and AUTN from the MSC/VLR, the mobile terminal computes a MAC value from its own SKEY, the KI, the received RAND and the SQN in the AUTN, and compares the MAC value it computed with the MAC value in the AUTN. If they differ, it judges in step 810 that authentication of the network has failed; otherwise it proceeds to step 811.
In step 811, the mobile terminal judges whether the AUTN is acceptable, for example by judging whether the difference between the SQN in the AUTN and the SQN it stores lies within a preset range. If not, it judges in step 812 that the AUTN is unacceptable; otherwise it judges in step 813 that the network passes authentication.
In step 812, the mobile terminal may further send the network an indication that the AUTN is unacceptable, for example by initiating an SQN resynchronization command, so that the resynchronization procedure brings the SQNs stored by the mobile terminal and the network into agreement.
After judging that the network passes authentication, the mobile terminal uses the SQN in the received AUTN to update the SQN it stores.
Where the AUTN includes an AMF, the AMF is further taken into account in step 809, for example by generating the MAC value from the mobile terminal's own SKEY, the KI, the RAND, and the SQN and AMF in the AUTN.
In step 814, the mobile terminal generates XRES, CK and IK using its own SKEY and the received RAND, and sends the XRES it generated to the MSC/VLR.
In step 815, the MSC/VLR compares the XRES received from the mobile terminal with the XRES in the corresponding authentication vector for this mobile terminal received from the HLR/AUC. If they match, the network judges in step 816 that the mobile terminal passes authentication; otherwise it judges in step 817 that authentication of the mobile terminal has failed.
In addition, when the HLR/AUC generates an authentication vector from SKEY, KI, RAND and the like, it may first compute a TmpRAND from KI and RAND and then, following the existing 3GPP protocol procedure for generating an authentication quintuplet, substitute SKEY for KI and TmpRAND for RAND to produce AUTN, XRES, CK and IK, forming the authentication vector from the original RAND together with the generated AUTN, XRES, CK and IK. Correspondingly, after receiving the authentication information consisting of RAND and AUTN from the MSC/VLR, the mobile terminal sends the RAND to the subscriber card; the subscriber card computes a TmpRAND from the KI in the card and the RAND and sends TmpRAND to the mobile terminal. The mobile terminal computes a MAC value from its own SKEY, the TmpRAND computed by the subscriber card and the SQN in the AUTN, and compares the MAC value it computed with the MAC value in the AUTN: if they differ, it judges that authentication of the network has failed; otherwise it goes on to judge whether the AUTN is acceptable. For this case another embodiment is proposed, as shown in Fig. 9.
In step 901, the SKEY for the corresponding mobile terminal authentication is stored in both the HLR/AUC and the mobile terminal.
In step 902, the HLR/AUC generates a RAND using its own random number generator and computes a TmpRAND from KI and RAND.
In step 903, the HLR/AUC generates XRES, CK and IK using the SKEY stored in advance for the corresponding mobile terminal and the TmpRAND.
In step 904, the HLR/AUC generates a MAC using the SKEY stored in advance for the corresponding mobile terminal, the TmpRAND and the SQN. The SQN here is currently known, for example preset.
In step 905, the HLR/AUC combines the MAC and the known SQN into AUTN.
Where the AUTN includes an AMF, the AMF is further taken into account in step 904, for example by generating the MAC from SKEY, TmpRAND, SQN and AMF, the AMF likewise being preset. In step 905 the AMF is likewise taken into account, that is, MAC, SQN and AMF together form AUTN.
In step 906, the HLR/AUC forms an authentication vector from the RAND and the generated AUTN, XRES, CK and IK.
In step 907, the HLR/AUC sends this authentication vector to the MSC/VLR.
In step 908, at authentication time, the MSC/VLR extracts the RAND and AUTN from the authentication vector corresponding to this mobile terminal and sends them to the mobile terminal as authentication information.
In step 909, after receiving RAND and AUTN from the MSC/VLR, the mobile terminal sends the RAND to the subscriber card; the subscriber card computes a TmpRAND from the KI in the card and the RAND and sends TmpRAND to the mobile terminal. The mobile terminal computes a MAC value from its own SKEY, the TmpRAND computed by the subscriber card and the SQN in the received AUTN, and compares the MAC value it computed with the MAC value in the AUTN. If they differ, it judges in step 910 that authentication of the network has failed; otherwise it proceeds to step 911.
In step 911, the mobile terminal judges whether the AUTN is acceptable, for example by judging whether the difference between the SQN in the AUTN and the SQN it stores lies within a preset range. If not, it judges in step 912 that the AUTN is unacceptable; otherwise it judges in step 913 that the network passes authentication.
In step 912, the mobile terminal may further send the network an indication that the AUTN is unacceptable, for example by initiating an SQN resynchronization command, so that the resynchronization procedure brings the SQNs stored by the mobile terminal and the network into agreement.
After judging that the network passes authentication, the mobile terminal uses the SQN in the received AUTN to update the SQN it stores.
Where the AUTN includes an AMF, the AMF is further taken into account in step 909, for example by generating the MAC value from the mobile terminal's own SKEY, the TmpRAND computed by the subscriber card, and the SQN and AMF in the AUTN.
In step 914, the mobile terminal generates XRES, CK and IK using its own SKEY and the TmpRAND generated by the subscriber card, and sends the XRES it generated to the MSC/VLR.
In step 915, the MSC/VLR compares the XRES received from the mobile terminal with the XRES in the corresponding authentication vector for this mobile terminal received from the HLR/AUC. If they match, the network judges in step 916 that the mobile terminal passes authentication; otherwise it judges in step 917 that authentication of the mobile terminal has failed.
Correspondingly, HLR/AUC is when generating polynary group of authentication according to SKEY, KI and RAND etc., can produce polynary group of authentication according to KI and RAND according to the protocol processes mode that existing 3GPP produces the authentication five-tuple earlier, then calculate according to the MAC among the AUTN in polynary group of SKEY and the authentication, obtain a new message authentication coding MAC2, and the MAC among the alternative AUTN of use MAC2, thereby obtain polynary group of new authentication; Correspondingly, portable terminal is after the authentication information of being made up of RAND and AUTN that receives from MSC/VLR, SQN among RAND and the AUTN is sent to subscriber card, calculate a MAC value by subscriber card according to KI, RAND and the SQN among the AUTN in the card, and MAC is sent to portable terminal.The MAC that SKEY that portable terminal root oneself is preserved and subscriber card calculate calculates, and obtains a MAC2, and whether the MAC2 that relatively oneself calculates is consistent with the MAC among the AUTN, if inconsistent, then judges the failed authentication to network; Otherwise, carry out and further to judge whether acceptable step of AUTN.In the case, another embodiment has as shown in figure 10 been proposed.
In step 1001, in HLR/AUC and portable terminal, preserve the SKEY of corresponding portable terminal authentication simultaneously.
In step 1002, HLR/AUC utilizes the randomizer of oneself to produce a RAND.
In step 1003, HLR/AUC utilizes KI and RAND to produce XRES, CK and IK.
In step 1004, HLR/AUC utilizes KI, RAND and SQN to generate MAC, then calculates a MAC2 according to SKey and MAC.The SQN here is current known, for example pre-sets.
In step 1005, HLR/AUC is combined into AUTN with MAC2 and known SQN.
Comprise at AUTN and in step 1004, further consider AMF under the situation of AMF that such as utilizing SKEY, RAND, SQN and AMF to generate MAC, wherein AMF also sets in advance.In step 1005, further consider AMF equally, just MAC2, SQN and AMF are together to form AUTN.
In step 1006, HLR/AUC forms polynary group an of authentication with RAND, AUTN, XRES, CK and IK.
In step 1007, HLR/AUC sends to MSC/VLR for polynary group with this authentication.
In step 1008, during authentication, MSC/VLR extracts RAND and AUTN in polynary group of the corresponding authentication of this portable terminal, send to portable terminal as authentication information.
In step 1009, portable terminal is after the RAND and AUTN that receive from MSC/VLR, SQN among RAND and the AUTN is sent to subscriber card, calculate a MAC value by subscriber card according to KI, RAND and the SQN among the AUTN in the card, and MAC is sent to portable terminal; The MAC that SKEY that the portable terminal basis oneself is preserved and subscriber card calculate calculates, obtain a MAC2, and whether the MAC2 value that relatively oneself calculates is consistent with MAC value among the AUTN, if inconsistent, then at the failed authentication of step 1010 judgement to network; Otherwise, execution in step 1011.
In step 1011, the mobile terminal judges whether AUTN is acceptable, for example by judging whether the difference between the SQN in AUTN and the SQN it stores lies within a preset range; if not, it judges in step 1012 that AUTN is unacceptable; otherwise it judges in step 1013 that authentication of the network has passed.
In step 1012, the mobile terminal may further send the network an indication that AUTN is unacceptable, for example by initiating a synchronisation command to resynchronise the SQN, so that through the synchronisation procedure the SQN values stored by the mobile terminal and by the network are brought back into step.
After the mobile terminal judges that authentication of the network has passed, it updates the SQN it stores with the SQN from the received AUTN.
Where AUTN also contains an AMF, step 1009 additionally takes the AMF into account, for example generating the MAC value from its own SKEY, KI, RAND and the SQN and AMF carried in AUTN.
In step 1014, the mobile terminal generates XRES, CK and IK using the KI of the current user card and the received RAND, and sends the XRES it generated to the MSC/VLR.
Here the generation of XRES, CK and IK by the mobile terminal may be carried out by the user card; for example, after judging that authentication of the network has passed, the mobile terminal sends a command to the user card, and the user card generates XRES, CK and IK. The user card may also generate XRES, CK and IK already in step 1009 above, in which case the mobile terminal no longer needs to generate them in step 1014; that is, in step 1014 the mobile terminal simply sends the XRES generated by the user card to the MSC/VLR.
In step 1015, the MSC/VLR compares the XRES received from the mobile terminal with the XRES in the authentication vector for this mobile terminal that it received from the HLR/AUC. If they match, the network judges in step 1016 that authentication of the mobile terminal has passed; otherwise it judges in step 1017 that authentication of the mobile terminal has failed.
The above methods may further include a step in which the HLR/AUC updates the SQN before or after generating the authentication vector.
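The following is an added toy model of the exchange in steps 1001 to 1017 and of the MAC2-substitution variant described before step 1001; it is not code from the patent. The page leaves the concrete algorithms open (3GPP or separately determined), so HMAC-SHA256 stands in for the f1 to f4 functions and for the SKEY step that derives MAC2 from MAC; the field lengths (6-byte SQN, 2-byte AMF, 8-byte MAC and RES, 16-byte CK and IK), the SQN acceptance window and all key values are assumptions constructed for the demo. The model shows the property the text relies on: the user card only ever uses KI, the terminal only ever uses SKEY, and an AUTN produced without the correct SKEY is rejected before the SQN check is reached.

```python
"""Toy model of SKEY-based network authentication (steps 1001-1017). Added example,
not the patent's own code; algorithms and field lengths are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass

SQN_LEN, AMF_LEN, MAC_LEN = 6, 2, 8   # assumed field sizes, mirroring 3G TS 33.102
SQN_WINDOW = 32                       # assumed "preset range" for the step-1011 check


def _prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 stand-in for every keyed function on the page (assumption)."""
    h = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        h.update(p)
    return h.digest()


def f1_mac(ki: bytes, rand: bytes, sqn: bytes, amf: bytes) -> bytes:
    """Card-side MAC over RAND, SQN, AMF under KI (first half of step 1004)."""
    return _prf(ki, b"f1", rand, sqn, amf)[:MAC_LEN]


def f2_res(ki: bytes, rand: bytes) -> bytes:
    return _prf(ki, b"f2", rand)[:8]


def f3_ck(ki: bytes, rand: bytes) -> bytes:
    return _prf(ki, b"f3", rand)[:16]


def f4_ik(ki: bytes, rand: bytes) -> bytes:
    return _prf(ki, b"f4", rand)[:16]


def mac2_of(skey: bytes, mac: bytes) -> bytes:
    """MAC2 = g(SKEY, MAC): the only computation that needs SKEY (second half of step 1004)."""
    return _prf(skey, b"mac2", mac)[:MAC_LEN]


@dataclass
class Quintet:
    rand: bytes
    autn: bytes
    xres: bytes
    ck: bytes
    ik: bytes


class HlrAuc:
    """Holds KI for the user card and SKEY for the terminal (step 1001)."""

    def __init__(self, ki: bytes, skey: bytes, sqn: int = 1, amf: bytes = b"\x00\x00"):
        self.ki, self.skey, self.sqn, self.amf = ki, skey, sqn, amf

    def generate_quintet(self) -> Quintet:
        rand = os.urandom(16)                                            # step 1002
        xres, ck, ik = f2_res(self.ki, rand), f3_ck(self.ki, rand), f4_ik(self.ki, rand)  # 1003
        sqn = self.sqn.to_bytes(SQN_LEN, "big")
        mac = f1_mac(self.ki, rand, sqn, self.amf)                       # step 1004
        autn = sqn + self.amf + mac2_of(self.skey, mac)                  # step 1005: MAC2 replaces MAC
        self.sqn += 1                                                    # SQN update after generation
        return Quintet(rand, autn, xres, ck, ik)                         # step 1006


class UserCard:
    """The (U)SIM: knows KI only and never sees SKEY."""

    def __init__(self, ki: bytes):
        self.ki = ki

    def mac(self, rand: bytes, sqn: bytes, amf: bytes) -> bytes:
        return f1_mac(self.ki, rand, sqn, amf)

    def res_ck_ik(self, rand: bytes):
        return f2_res(self.ki, rand), f3_ck(self.ki, rand), f4_ik(self.ki, rand)


class MobileTerminal:
    """Holds SKEY and its last accepted SQN; delegates KI work to the inserted card."""

    def __init__(self, skey: bytes, card: UserCard, sqn: int = 0):
        self.skey, self.card, self.sqn = skey, card, sqn

    def authenticate_network(self, rand: bytes, autn: bytes):
        sqn_b = autn[:SQN_LEN]
        amf = autn[SQN_LEN:SQN_LEN + AMF_LEN]
        mac2_net = autn[SQN_LEN + AMF_LEN:]
        mac = self.card.mac(rand, sqn_b, amf)                            # step 1009: card computes MAC
        if not hmac.compare_digest(mac2_of(self.skey, mac), mac2_net):
            return "network_auth_failed", None                           # step 1010
        sqn = int.from_bytes(sqn_b, "big")
        if not 0 < sqn - self.sqn <= SQN_WINDOW:                         # step 1011: SQN in range?
            return "autn_unacceptable_resync", None                      # step 1012: trigger resync
        self.sqn = sqn                                                   # step 1013: accept, store SQN
        res, _ck, _ik = self.card.res_ck_ik(rand)                        # step 1014
        return "network_auth_ok", res


class MscVlr:
    """Forwards RAND and AUTN (step 1008) and checks RES against XRES (steps 1015-1017)."""

    def authenticate(self, q: Quintet, terminal: MobileTerminal) -> str:
        status, res = terminal.authenticate_network(q.rand, q.autn)
        if res is None:
            return status
        return "terminal_auth_ok" if hmac.compare_digest(res, q.xres) else "terminal_auth_failed"


def run_auth(hlr: HlrAuc, terminal: MobileTerminal) -> str:
    """One full round: HLR/AUC -> MSC/VLR -> terminal -> MSC/VLR verdict."""
    return MscVlr().authenticate(hlr.generate_quintet(), terminal)


if __name__ == "__main__":
    KI, SKEY = b"K" * 16, b"S" * 16                  # constructed demo keys
    hlr = HlrAuc(KI, SKEY)
    genuine = MobileTerminal(SKEY, UserCard(KI))
    print(run_auth(hlr, genuine))                    # terminal_auth_ok
    rogue = HlrAuc(KI, b"X" * 16)                    # knows KI but not SKEY
    print(run_auth(rogue, genuine))                  # network_auth_failed
    q = hlr.generate_quintet()
    genuine.authenticate_network(q.rand, q.autn)
    print(MscVlr().authenticate(q, genuine))         # replayed AUTN: autn_unacceptable_resync
```

The split between `UserCard` and `MobileTerminal` is the point of the scheme as the page describes it: a card can be moved to another handset, but the network's MAC2 only verifies on a handset that holds the matching SKEY, and the terminal never needs KI to perform that check. The replay case shows why the SQN comparison of step 1011 is still needed after the MAC2 check passes: a captured RAND and AUTN pair carries a valid MAC2 but a stale SQN.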
In the above methods, a network device such as the MSC/VLR may send the authentication information to the terminal in one message or in several, for example sending RAND first and AUTN second. In practice, whether it is split across several messages depends on the protocol capabilities of the network. For example, in a third-generation UMTS network the MSC/VLR can send RAND, AUTN and the other authentication information to the mobile terminal in a single authentication command, whereas in a second-generation mobile communications network the MSC/VLR may need two or more second-generation authentication commands to deliver RAND, AUTN and the other authentication information to the mobile terminal.
The algorithms used in the present invention to generate RAND, to generate the authentication vector and to generate XRES, CK, IK and MAC may be those specified or recommended by existing 3GPP protocols, or may be determined separately. For authentication in third-generation mobile networks, refer to 3G TS 33.102 and 3G TS 29.002.
The MSC/VLR above is a device of the circuit-switched domain; for a packet-switched domain network the corresponding device is the SGSN.
It should be understood that the above are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall fall within its scope of protection.