CN100531034C - Method for distributing one time ciphers for access networks - Google Patents


Info

Publication number
CN100531034C
CN100531034C
Authority
CN
China
Prior art keywords
password
otp
subscriber terminal
mobile subscriber
hlr
Prior art date
Legal status
Expired - Fee Related
Application number
CNB2003101001569A
Other languages
Chinese (zh)
Other versions
CN1607765A (en)
Inventor
谢铃
薛小潭
李小燕
Current Assignee
SnapTrack Inc
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CNB2003101001569A
Publication of CN1607765A
Application granted
Publication of CN100531034C
Anticipated expiration
Expired - Fee Related (current legal status)

Abstract

The invention discloses a method for distributing a one-time password (OTP) for an access network by means of USSD. Its key point is that an authentication server (AS) receives an OTP request initiated by a user terminal and generates an OTP; the AS then uses standard USSD signaling to send the OTP it generated, through the mobile communication network, to the corresponding mobile subscriber terminal. This adds a distribution channel for OTPs and allows the OTP access-authentication mode to be used in a network that combines a WLAN with a mobile communication network.

Description

Method for distributing a one-time password for an access network
Technical field
The invention belongs to the field of secure authentication technology, and in particular relates to a method for distributing a one-time password (OTP) for an access network by means of the unstructured supplementary service data (USSD) service.
Background technology
At present, to secure the transmission of services, access authentication is usually performed when a user accesses a network. The prior art has the following access-authentication modes:
1. Fixed username and password. The access procedure uses a fixed username and password, so the credentials the user presents are the same in every access procedure. Although this mode achieves access authentication, a fixed username and password are easily stolen, in which case damage is readily caused.
2. One-time password (OTP). The access procedure uses a disposable password: each time the user accesses the network, the authentication server generates a temporary one-time password and sends it to the user through a secure channel, and the user completes access authentication with that password. This mode is simple, easy to use and secure.
When access authentication is performed with an OTP, the access procedure passes through the following stages in order:
the user applies for an OTP; the authentication server generates the OTP; the authentication server issues the OTP to the user; the user accesses the network with the OTP received.
The user applying for an OTP and the authentication server generating it comprises:
the user sends a password-application message to the authentication server; on receiving it, the authentication server exchanges signaling with the home location register to obtain the user's subscription data from it; the authentication server then judges from the subscription data whether the user is a subscriber, and if so generates the OTP, otherwise it does not allow the user to obtain an OTP.
The authentication server issuing the OTP to the user comprises: the authentication server sends the generated OTP to the short message service center, which delivers it to the user's mobile terminal in a short message.
In this OTP access-authentication process, although the OTP generated by the authentication server can be distributed to the user's mobile terminal by short message, this is the only distribution implementation, which is unfavorable to the promotion of the OTP access-authentication mode.
In addition, wireless local area networks (WLAN) are currently being combined with mobile communication networks such as GSM. On the one hand, this combination can use the mobile communication network to solve the problem of charging WLAN users, which helps to promote WLAN services; on the other hand, mobile network operators can increase their attraction to high-end users by combining with WLAN. In a network environment that combines a WLAN with a mobile communication network, an OTP access-authentication solution suited to that environment, and an OTP distribution method for that solution, are needed; the prior art has no corresponding scheme or method.
Summary of the invention
In view of this, the main object of the invention is to provide a method for distributing an OTP for an access network by means of USSD, so that the authentication server can distribute the OTP it generates to the mobile subscriber terminal through USSD, adding a distribution channel for OTPs.
The invention discloses a method for distributing a one-time password (OTP) for an access network by means of unstructured supplementary service data (USSD). Its key points are: the authentication server (AS) receives an OTP request initiated by a user terminal and, according to the username in the OTP request, exchanges signaling with the home location register (HLR) to which the mobile subscriber terminal corresponding to that username belongs, obtaining the subscription data of that mobile subscriber terminal; from the subscription data the AS authenticates whether the mobile subscriber terminal is a subscriber of the access network, and generates the OTP after authentication passes; the AS then uses standard USSD signaling to send the OTP it generated, through the mobile communication network, to the corresponding mobile subscriber terminal.
The authentication server using standard USSD signaling to send the OTP to the corresponding mobile subscriber terminal comprises:
Step A: using standard USSD signaling, the AS sends a password-sending notification message to the HLR in the mobile communication network, thereby delivering the OTP generated by the AS to the HLR to which the corresponding mobile subscriber terminal belongs;
Step B: on receiving the password-sending notification message, the HLR sends the OTP contained in the message to the corresponding mobile subscriber terminal through the mobile communication network.
After step B, the method further comprises:
Step C: the HLR uses standard USSD signaling to send a password-sending notification response message to the AS.
After step C, the method further comprises:
the AS sends a USSD dialogue-end message to the HLR; on receiving it, the HLR closes the dialogue connection between the HLR and the mobile subscriber terminal.
Step B, after the HLR has received the password-sending notification message, is:
the HLR determines the position of the mobile subscriber terminal from the terminal's information, then sends the OTP to that terminal through the mobile communication network according to the determined position, and the terminal returns a transmission-success message to the HLR after receiving the OTP.
After the AS has sent the OTP to the mobile subscriber terminal, the method further comprises:
the AS sends a password-application success message to the user terminal of the access network.
Optionally, the access network is a wireless local area network (WLAN).
Optionally, the access network is an Internet Protocol (IP) network.
Optionally, the mobile communication network is a GSM network.
Optionally, the standard USSD signaling is the standard USSD signaling of the GSM MAP.
The invention thus has the following beneficial effects:
(1) The invention can distribute the OTP of the access network over the existing mobile communication network. The signaling between the authentication server and the mobile communication network uses standard operations, so no network element of the mobile communication network needs to be modified, which makes the method easy to implement;
(2) Because USSD is a connection-oriented service, obtaining the OTP through USSD guarantees that the OTP is obtained in real time.
In addition, the OTP distribution method of the invention allows the OTP access-authentication mode to be applied in a network environment that combines a WLAN with a communication network such as GSM.
Description of drawings
Fig. 1 is a schematic networking diagram of a GSM network combined with a WLAN according to the invention.
Fig. 2 is a flow chart of OTP distribution according to the invention.
Embodiment
The invention is a method for distributing the OTP of an access network by means of USSD. With this method, the authentication server (AS) uses standard USSD signaling to send the OTP to the mobile subscriber terminal through the mobile communication network; the signaling exchanged while issuing the OTP is standard signaling of the mobile communication network, which makes the invention easy to implement.
The access network addressed by the invention may be an Internet Protocol (IP) network, a WLAN, or any other network that can use the OTP access-authentication mode.
The invention is described in detail below with reference to the drawings, taking as an example a GSM network as the mobile communication network, a WLAN as the access network, and the two networks combined.
Referring to Fig. 1, the network formed by combining a WLAN with GSM comprises the following network elements:
Client: a personal computer (PC) or other device that accesses the Internet through the WLAN;
Access point (AP): the small wireless base-station equipment of the WLAN service network, providing the wireless access function;
Access controller (AC): controls the user terminal's access to the WLAN;
AS: authenticates the accessing user terminal and, if authentication passes, allows the user terminal to access the Internet;
HLR: an element of the GSM network that stores subscriber information and forwards USSD messages within the GSM network;
Mobile subscriber terminal (MS): generally a mobile phone, used to apply for and receive the OTP.
In the network of Fig. 1, the invention uses the USSD service of GSM to obtain the OTP for the WLAN. USSD is a supplementary service provided by the GSM network for delivering information to users interactively. It can be realized in two ways: the GSM network itself provides the user-related information service, or the GSM network acts only as a bearer and a dedicated information center provides the service. In the networking of Fig. 1, standard USSD operations of the GSM MAP are used between the AS and the GSM network, and no GSM network element needs to be modified.
Referring to Fig. 2, the invention distributes the OTP to the mobile subscriber terminal using standard USSD operations of the GSM MAP; the distribution process uses the standard USSD signaling operations of the GSM MAP, and the specific flow comprises:
Step 201: the AS sends a password-sending notification message to the HLR, delivering the OTP generated by the AS to the HLR to which the mobile subscriber terminal belongs. In this embodiment the MAP_UNSTRUCTURED_SS_NOTIFY_req message of standard USSD signaling is used as the password-sending notification message;
Step 202: on receiving the password-sending notification message, the HLR determines the position of the mobile subscriber terminal from the terminal's information, then sends the OTP carried in the message to the terminal through the GSM network according to that position; after receiving the OTP, the terminal returns a transmission-success message to the HLR, informing the HLR that delivery succeeded;
Step 203: on receiving the transmission-success message from the mobile subscriber terminal, the HLR sends a password-sending notification response message to the AS, informing the AS that the OTP was successfully delivered to the terminal through the GSM network. This message is the response to the password-sending notification message of step 201; in this embodiment the MAP_UNSTRUCTURED_SS_NOTIFY_rsp message of standard USSD signaling is used as the password-sending notification response message;
Step 204: the AS sends a USSD dialogue-end message to the HLR, ending the USSD dialogue between the AS and the HLR; in this embodiment the MAP_CLOSE_IND message is used as the USSD dialogue-end message;
Step 205: on receiving the USSD dialogue-end message, the HLR closes the dialogue connection with the mobile subscriber terminal.
Steps 204 and 205 are optional; the OTP is distributed even if they are not executed.
Referring to Fig. 2, before the password distribution process above, the following steps are also carried out:
The WLAN user sends a password-application message to the AS through the user terminal; this message carries the username the WLAN user entered at the user terminal. According to the username in the received password-application message, the AS exchanges signaling with the HLR to which the mobile subscriber terminal corresponding to that username belongs, obtaining the subscription data of that terminal. From the subscription data the AS authenticates whether the terminal is a WLAN subscriber; after authentication passes, the AS generates the OTP and distributes it to the corresponding mobile subscriber terminal by steps 201 to 205 above. The WLAN user may send the password-application message to the AS either from the WLAN user terminal or from the mobile subscriber terminal corresponding to that WLAN user.
Referring to Fig. 2, after the password distribution process above, the following steps are also carried out so that the WLAN user terminal can access the WLAN with the OTP:
After the AS has successfully distributed the generated OTP to the corresponding mobile subscriber terminal, the AS sends a password-application success message to the WLAN user terminal, informing it that the OTP has been sent to the WLAN user's mobile subscriber terminal; this message is the response to the password-application message above. The user of the mobile subscriber terminal enters the OTP when initiating WLAN access authentication from the WLAN user terminal he is using; the OTP is transferred to the AS through the AP and then the AC shown in Fig. 1; the AS performs OTP-mode access authentication with this OTP and, after judging that the OTP is valid, allows the user terminal to access the Internet through the WLAN.
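The subscription check, the distribution flow of steps 201 to 205 and the OTP verification at access time, as an added worked example written for this page; it is not Huawei's code and is not part of the patent. It models the AS, HLR and MS as in-process Python objects. The class names, the username-to-MSISDN table held by the AS, the six-digit OTP, the 120-second validity window and the plain-text USSD payload are all assumptions, and the MapMessage fields are a constructed stand-in for the MAP primitives the description names. The example also shows what the description leaves implicit on the verification side: an OTP is consumed on its first use and is rejected once it has expired.

```python
"""Model of the OTP-over-USSD distribution flow (constructed example, not Huawei code).

Assumptions not found in the patent: the AS maps WLAN usernames to MSISDNs,
OTPs are 6 digits and valid once for 120 seconds, the USSD payload is plain
text, and the HLR subscription record is a dict.  Message names follow the
MAP operations the description cites; their field layout is assumed.
"""
import hmac
import secrets
import string
import time
from dataclasses import dataclass

OTP_LENGTH = 6          # assumed
OTP_TTL_SECONDS = 120   # assumed


@dataclass
class MapMessage:
    """Stand-in for a MAP primitive on the AS <-> HLR interface."""
    op: str                # MAP_UNSTRUCTURED_SS_NOTIFY_req / _rsp / MAP_CLOSE_IND
    msisdn: str            # addressed mobile subscriber terminal
    ussd_string: str = ""  # payload carried to, or status back from, the handset


class MobileStation:
    """MS: receives the USSD notification and acknowledges it (step 202)."""
    def __init__(self, msisdn):
        self.msisdn, self.inbox = msisdn, []

    def deliver(self, ussd_string):
        self.inbox.append(ussd_string)
        return True  # transmission-success message back to the HLR


class HomeLocationRegister:
    """HLR: stores subscription data and relays USSD to the MS."""
    def __init__(self):
        self.subscribers = {}     # msisdn -> {"wlan": bool, "ms": MobileStation}
        self.open_dialogues = set()
        self.trace = []           # MAP operations received, for inspection

    def provision(self, msisdn, wlan_subscribed, ms):
        self.subscribers[msisdn] = {"wlan": wlan_subscribed, "ms": ms}

    def subscription_data(self, msisdn):
        return self.subscribers.get(msisdn)  # the AS/HLR subscription-data exchange

    def handle(self, msg):
        self.trace.append(msg.op)
        if msg.op == "MAP_UNSTRUCTURED_SS_NOTIFY_req":          # step 201 arrives
            sub = self.subscribers.get(msg.msisdn)
            if sub is None:
                return MapMessage("MAP_UNSTRUCTURED_SS_NOTIFY_rsp", msg.msisdn, "unknown")
            self.open_dialogues.add(msg.msisdn)
            status = "ok" if sub["ms"].deliver(msg.ussd_string) else "failed"  # step 202
            return MapMessage("MAP_UNSTRUCTURED_SS_NOTIFY_rsp", msg.msisdn, status)  # step 203
        if msg.op == "MAP_CLOSE_IND":                           # step 204 arrives
            self.open_dialogues.discard(msg.msisdn)              # step 205
        return None


class AuthServer:
    """AS: checks the subscription, generates the OTP, distributes and verifies it."""
    def __init__(self, hlr, directory):
        self.hlr, self.directory, self.pending = hlr, directory, {}  # pending: user -> (otp, expiry)

    def request_otp(self, username, now=None):
        now = time.time() if now is None else now
        msisdn = self.directory.get(username)
        sub = self.hlr.subscription_data(msisdn) if msisdn else None
        if not sub or not sub["wlan"]:
            return "rejected"            # not a WLAN subscriber: no OTP is generated
        otp = "".join(secrets.choice(string.digits) for _ in range(OTP_LENGTH))
        self.pending[username] = (otp, now + OTP_TTL_SECONDS)
        rsp = self.hlr.handle(MapMessage("MAP_UNSTRUCTURED_SS_NOTIFY_req", msisdn, f"WLAN OTP: {otp}"))
        self.hlr.handle(MapMessage("MAP_CLOSE_IND", msisdn))   # step 204 (optional in the patent)
        if rsp.ussd_string != "ok":
            del self.pending[username]   # never accept an OTP the user cannot have received
            return "delivery failed"
        return "apply password success"  # response to the password-application message

    def authenticate(self, username, otp, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(username, None)  # single use: consumed on any attempt
        if entry is None or now > entry[1]:
            return False
        return hmac.compare_digest(entry[0].encode(), otp.encode())


def demo():
    """Walk through the flow with constructed subscribers; returns results for checking."""
    hlr, alice_ms, bob_ms = HomeLocationRegister(), MobileStation("8613800000001"), MobileStation("8613800000002")
    hlr.provision(alice_ms.msisdn, True, alice_ms)    # WLAN subscriber
    hlr.provision(bob_ms.msisdn, False, bob_ms)       # GSM subscriber without WLAN
    server = AuthServer(hlr, {"alice": alice_ms.msisdn, "bob": bob_ms.msisdn})
    r = {"alice_request": server.request_otp("alice", now=1000.0),
         "bob_request": server.request_otp("bob", now=1000.0),
         "bob_inbox": len(bob_ms.inbox), "trace": list(hlr.trace),
         "dialogue_closed": alice_ms.msisdn not in hlr.open_dialogues}
    otp = alice_ms.inbox[-1].split(": ")[1]
    wrong = "0" * OTP_LENGTH if otp != "0" * OTP_LENGTH else "1" * OTP_LENGTH
    r["wrong_otp"] = server.authenticate("alice", wrong, now=1010.0)
    r["retry_after_wrong"] = server.authenticate("alice", otp, now=1011.0)  # consumed by the failed try
    server.request_otp("alice", now=2000.0)
    otp2 = alice_ms.inbox[-1].split(": ")[1]
    r["good_otp"] = server.authenticate("alice", otp2, now=2010.0)
    r["replay"] = server.authenticate("alice", otp2, now=2011.0)
    server.request_otp("alice", now=3000.0)
    otp3 = alice_ms.inbox[-1].split(": ")[1]
    r["expired"] = server.authenticate("alice", otp3, now=3000.0 + OTP_TTL_SECONDS + 1)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running the file prints the results of `demo()`. The `trace` entry shows the AS/HLR exchange reduced to the two MAP operations of steps 201 and 204, a user whose subscription data does not mark a WLAN subscription never triggers any MAP signaling, and an OTP the HLR reports as undelivered is discarded by the AS rather than left pending. Consuming the OTP on a failed attempt is a design choice that limits online guessing at the cost of forcing a fresh request; a deployment may prefer a small attempt counter.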
The specific embodiment above is a method of obtaining an OTP for WLAN access in a network environment where a WLAN is combined with a GSM network. The invention is also applicable to a network environment where a WLAN is combined with another mobile communication network such as Wideband Code Division Multiple Access (WCDMA), or where an IP network is combined with another mobile communication network; the implementation is the same as in the embodiment described above.
The above is only a preferred embodiment of the invention and is not intended to limit it. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall be included within the scope of protection of the invention.

Claims (10)

1. A method for distributing a one-time password (OTP) for an access network by means of unstructured supplementary service data (USSD), characterized in that: the authentication server (AS) receives an OTP request initiated by a user terminal and, according to the username in the OTP request, exchanges signaling with the home location register (HLR) to which the mobile subscriber terminal corresponding to that username belongs, obtaining the subscription data of that mobile subscriber terminal; from the subscription data the AS authenticates whether the mobile subscriber terminal is a subscriber of the access network, and generates the OTP after authentication passes; the AS then uses standard USSD signaling to send the OTP it generated, through the mobile communication network, to the corresponding mobile subscriber terminal.
2. The method according to claim 1, characterized in that the authentication server using standard USSD signaling to send the OTP to the corresponding mobile subscriber terminal comprises:
Step A: using standard USSD signaling, the AS sends a password-sending notification message to the HLR in the mobile communication network, thereby delivering the OTP generated by the AS to the HLR to which the corresponding mobile subscriber terminal belongs;
Step B: on receiving the password-sending notification message, the HLR sends the OTP contained in the message to the corresponding mobile subscriber terminal through the mobile communication network.
3. The method according to claim 2, characterized in that, after step B, the method further comprises:
Step C: the HLR uses standard USSD signaling to send a password-sending notification response message to the AS.
4. The method according to claim 3, characterized in that, after step C, the method further comprises:
the AS sends a USSD dialogue-end message to the HLR; on receiving it, the HLR closes the dialogue connection between the HLR and the mobile subscriber terminal.
5. The method according to claim 2, characterized in that step B, after the HLR has received the password-sending notification message, is:
the HLR determines the position of the mobile subscriber terminal from the terminal's information, then sends the OTP to that terminal through the mobile communication network according to the determined position, and the terminal returns a transmission-success message to the HLR after receiving the OTP.
6. The method according to claim 1, characterized in that, after the AS has sent the OTP to the mobile subscriber terminal, the method further comprises:
the AS sends a password-application success message to the user terminal of the access network.
7. The method according to claim 1, characterized in that the access network is a wireless local area network (WLAN).
8. The method according to claim 1, characterized in that the access network is an Internet Protocol (IP) network.
9. The method according to claim 1, characterized in that the mobile communication network is a GSM network.
10. The method according to claim 9, characterized in that the standard USSD signaling is the standard USSD signaling of the GSM MAP protocol.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2003101001569A CN100531034C (en) 2003-10-13 2003-10-13 Method for distributing one time ciphers for access networks

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2003101001569A CN100531034C (en) 2003-10-13 2003-10-13 Method for distributing one time ciphers for access networks

Publications (2)

Publication Number Publication Date
CN1607765A CN1607765A (en) 2005-04-20
CN100531034C true CN100531034C (en) 2009-08-19

Family

ID=34755847

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2003101001569A Expired - Fee Related CN100531034C (en) 2003-10-13 2003-10-13 Method for distributing one time ciphers for access networks

Country Status (1)

Country Link
CN (1) CN100531034C (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101369893B (en) * 2008-10-06 2010-08-18 中国移动通信集团设计院有限公司 Method for local area network access authentication of casual user
CN102123361B (en) * 2010-12-31 2014-01-01 华为技术有限公司 Method and device for realizing encrypted message communication
CN105682093A (en) * 2014-11-20 2016-06-15 中兴通讯股份有限公司 Wireless network access method and access device, and client

Also Published As

Publication number Publication date
CN1607765A (en) 2005-04-20

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20160513

Address after: American California

Patentee after: Snaptrack, Inc.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee before: Huawei Technologies Co., Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090819

Termination date: 20191013
