CN101631309A - Method, device and system for authenticating terminal based on home base station network - Google Patents


Info

Publication number: CN101631309A
Authority: CN (China)
Prior art keywords: random number, access point, base station, home base, authentication
Legal status: Granted; active
Application number: CN200810040806.8A
Other languages: Chinese (zh)
Other versions: CN101631309B (en)
Inventor: 赵洁
Current assignee: Huawei Technologies Co Ltd; Shanghai Huawei Technologies Co Ltd
Original assignee: Shanghai Huawei Technologies Co Ltd
Application filed by Shanghai Huawei Technologies Co Ltd

Abstract

The invention discloses a method, a device and a system for authenticating a terminal based on a home base station network. The method comprises the following steps: generating a random number; sending the random number to the terminal through a home base station access point; receiving a request sent by the terminal that carries an authentication response parameter and the random number; and checking whether the random number carried in the request is the same as the random number sent to the terminal and, if so, sending an authentication request message to a location register or an authentication center and starting the terminal authentication flow. A corresponding device and system are also provided. The random number required for terminal authentication is generated by a network-side entity whose security is assured, so that attackers are prevented from attacking the authentication through the home base station access point and thereby from acquiring the corresponding communication content.

Description

Method, device and system for authenticating a terminal based on a home base station network
Technical field
The present invention relates to the field of network communications technology, and in particular to a method, device and system for authenticating a terminal based on a home base station network.
Background technology
A home base station (Home eNodeB), also called a Femto Cell or Home NodeB, is a small cellular base station and a leading-edge technology in the 3G field. A Femto Cell lets mobile subscribers in a residence connect to the 3G network over a wired broadband network and obtain enhanced mobile voice, video and data services. It interconnects seamlessly with the operator's existing macrocell base stations (Macrocell), makes full use of the subscriber's existing broadband access resources and, ultimately, provides the subscriber with fixed mobile convergence (FMC, Fixed Mobile Convergence) services. With 3G home base stations, a large volume of mobile traffic is absorbed by indoor Femto Cells, which can greatly reduce the number of operator macrocells and save the operator a large amount of equipment investment and maintenance cost; it can also improve indoor coverage, raise the indoor broadband access rate, reduce latency and satisfy the subscriber's experience of various multimedia applications.
Referring to Fig. 1, the structure diagram of a Femto Cell network: it comprises a mobile station / access terminal (MS, Mobile Station / AT, Access Terminal), an access point, a security gateway, a macro network, a macro network base station controller (BSC, Base Station Controller) and a macro base station. The Femto Cell access point and the Femto Cell security gateway are network entities, and the Femto Cell performs functions such as those of the base station and the BSC in the original macro network. The Femto Cell accesses the macro network over a wired network such as an Asymmetric Digital Subscriber Line (ADSL) or a cable modem (CM, Cable Modem). Because data and signaling must pass through an insecure network, for example a public IP network, the Femto Cell security gateway entity is added to ensure security, and a secure tunnel is established between the Femto Cell access point and the Femto Cell security gateway to protect data and signaling. The Femto Cell access point can support access by different types of terminals, such as 3G network terminals and traditional wireless terminals; in order to support access by code division multiple access (CDMA, Code Division Multiple Access) 2000 1x MSs, the Femto Cell access point must perform the various functions of a CDMA2000 1x network, including access authentication.
Referring to Fig. 2, the authentication flow of the CDMA2000 1x circuit domain in the prior art comprises the following steps:
1. The BSC broadcasts the random number it generates (RAND, Random Variable) to the MS on the access control channel.
2. The MS computes the authentication response parameter (AUTHR, Authentication Response) from the shared key, the RAND and other parameters, and sends a call message to the BSC.
3. The BSC sends a service request message to the mobile switching center (MSC, Mobile Switching Center); the message carries the RAND and the AUTHR.
4. The MSC finds that the message contains the RAND and the AUTHR, and therefore sends an authentication request message containing the RAND and the AUTHR to the home location register / authentication center (HLR/AC, Home Location Register / Authentication Center).
5. Using the RAND obtained, the HLR/AC computes AUTHR with the same procedure the MS used; if the result equals the AUTHR received from the MSC, authentication succeeds, indicating that the MS holds the legitimate shared key. The HLR/AC returns an authentication success message to the MSC carrying the encryption keys for air-interface signaling and voice, namely the signaling message encryption key (SMEKEY, Signaling Message Encrypting Key) and the private long code mask (PLCM, Private Long Code Mask).
6. On receiving the authentication success message, the MSC sends an air-interface resource assignment message to the BSC; this message carries the SMEKEY and PLCM.
7. The BSC stores the SMEKEY and PLCM and sends a channel assignment message to the MS, that is, allocates air-interface resources. The MS establishes the air-interface connection with the BSC; subsequent signaling is protected with the SMEKEY and voice with the PLCM.
In the Femto Cell network, the Femto Cell access point takes on the functions of the CDMA2000 1x BSC, so it must generate the random number RAND and deliver it to the MS so that the MS can carry out the subsequent authentication flow. In the course of making the invention, however, the inventor found at least the following problem in the prior art: having the Femto Cell access point generate RAND carries a security risk, because the access point is located in a home or office, where it is easily attacked or abused by a malicious user. For example, suppose an attacker has recorded the RAND and AUTHR from an earlier authentication of some MS and has saved the packets exchanged between that MS and the network. Later, by modifying the Femto Cell access point's software or breaking into the access point, the attacker has the access point send an authentication message carrying the previously recorded RAND and AUTHR. The network side checks it, finds the AUTHR value correct, and therefore generates the corresponding signaling and voice keys and sends them to the Femto Cell access point. Because these signaling and voice keys are the same as before, the keys obtained by the Femto Cell access point can be used to decrypt the saved communication packets, revealing the earlier communication content. If the MS's communications were confidential or highly sensitive, this is very harmful to the user and to the other party.
Summary of the invention
Embodiments of the invention provide a method, device and system for authenticating a terminal based on a home base station network, which prevent an attacker from using the Femto Cell access point to attack the authentication and thereby from obtaining the corresponding communication content.
An embodiment of the invention provides a method for authenticating a terminal based on a home base station network, comprising: generating a random number; sending the random number to the terminal through a home base station access point; receiving a request sent by the terminal that carries an authentication response parameter and the random number; and, when the random number carried in the request is checked to be consistent with the random number sent to the terminal, sending an authentication request message to a location register or authentication center, which computes the authentication response parameter and compares it with the authentication response parameter carried in the received authentication request message; if they are identical, authentication succeeds.
An embodiment of the invention also provides a home base station network device, comprising: a generation unit for generating a random number; a first transmitting unit for sending the random number to the terminal through a home base station access point; a receiving unit that receives the request sent by the terminal carrying an authentication response parameter and the random number; a checking unit that checks whether the random number carried in the request is identical to the random number sent to the home base station access point and, if so, notifies a second transmitting unit; and the second transmitting unit, for sending an authentication request to the location register or authentication center.
An embodiment of the invention also provides a system for authenticating a terminal based on a home base station network, comprising: an entity that generates a random number, a terminal, a home base station access point, and a home location register or authentication center. The random-number-generating entity generates the random number and sends it to the home base station access point; the home base station access point broadcasts the random number to the terminal; the terminal sends a request carrying an authentication response parameter and the random number; the random-number-generating entity receives the request and checks whether the random number it carries is identical to the random number sent to the home base station access point and, if so, sends an authentication request to the location register or authentication center; the location register or authentication center computes the authentication response parameter and compares it with the one carried in the received authentication request message; if they are identical, authentication succeeds.
In the above technical solution, the random number needed for terminal authentication is generated by a network-side entity whose security is assured; that entity sends the random number to the Femto Cell access point, checks whether the random number carried in the service request message is identical to the one it sent, and only if so starts the terminal access procedure. Because the random number is not generated by the Femto Cell access point and its security is assured, an attacker is prevented from using the Femto Cell access point to attack the authentication and thereby from obtaining the corresponding communication content.
Description of drawings
Fig. 1 is the structure diagram of a Femto Cell network;
Fig. 2 is the authentication flow diagram of the CDMA2000 1x circuit domain in the prior art;
Fig. 3 is the method flow diagram of the first embodiment of the invention;
Fig. 4 is the method flow diagram of the second embodiment of the invention;
Fig. 5 is the method flow diagram of the third embodiment of the invention;
Fig. 6 is the method flow diagram of the fourth embodiment of the invention;
Fig. 7 is the method flow diagram of the fifth embodiment of the invention;
Fig. 8a and Fig. 8b are schematic diagrams of the authentication access device of an embodiment of the invention;
Fig. 9 is the structure diagram of the network terminal authentication access system of an embodiment of the invention;
Figure 10 is the structure diagram of the first embodiment of the system of the invention;
Figure 11 is the structure diagram of the second embodiment of the system of the invention;
Figure 12 is the structure diagram of the third embodiment of the system of the invention;
Figure 13 is the structure diagram of the fourth embodiment of the system of the invention.
Embodiments
First, the method for authenticating a terminal based on a home base station network implemented by embodiments of the invention is described. It comprises:
generating a random number; sending the random number to the terminal through a home base station access point; receiving a request sent by the terminal that carries an authentication response parameter and the random number; and, when the random number carried in the request is checked to be consistent with the random number sent to the terminal, sending an authentication request message to a location register or authentication center, which computes the authentication response parameter and compares it with the authentication response parameter carried in the received authentication request message; if they are identical, authentication succeeds.
Embodiments of the invention are described in detail below with reference to the accompanying drawings.
Embodiment one:
Referring to Fig. 3, the method flow diagram of the first embodiment of the invention.
In the network configuration of this embodiment, the external interface of the Femto Cell access point is the interface between the BSC and the MSC, i.e. the A1/A1p interface, and the terminal is an MS. In this embodiment the random number RAND is generated by the Femto Cell security gateway, and the method requires extending the Internet Key Exchange (IKE, Internet Key Exchange) messages.
101. To protect the signaling and user data of the Femto network transmitted between the Femto Cell access point and the Femto Cell security gateway, the Femto Cell access point first negotiates an IPsec security association (SA, Security Association) with the Femto Cell security gateway using the IKE protocol, and uses the SA to protect signaling and user data.
102. The Femto Cell access point requests the random number RAND from the Femto Cell security gateway by an IKE message.
103. The Femto Cell security gateway generates RAND and sends the RAND and its lifetime to the Femto Cell access point by an IKE message.
104. The Femto Cell access point broadcasts the RAND to the MS.
105. The MS sends a CDMA2000 1x circuit domain call message to the Femto Cell access point; the call message contains the RAND and the AUTHR computed from the RAND, the MS's device identifier and its identity.
106. On receiving the call message, the Femto Cell access point initiates a service request message to the MSC carrying the RAND and AUTHR; the service request message is transmitted in the IPsec secure tunnel established between the Femto Cell access point and the Femto Cell security gateway.
107. The Femto Cell security gateway receives the service request message and checks whether the RAND it carries is identical to the RAND sent to this Femto Cell access point in step 103; if so, proceed to step 108, otherwise discard the service request message.
108. The Femto Cell security gateway sends the service request message to the MSC.
109. The MSC checks whether the service request message contains the RAND and AUTHR and, if so, sends an authentication request message to the HLR/AC.
110. From the authentication request received, the HLR/AC looks up the shared key of the corresponding MS, computes the network-side AUTHR and judges whether it is identical to the received AUTHR; if so, authentication passes, and it goes on to compute the keys needed for the air interface, namely SMEKEY and PLCM, and sends an authentication response message containing those keys to the MSC.
111. On receiving the authentication response message, the MSC sends an assignment message containing the SMEKEY and PLCM to the access point, forwarded through the Femto Cell security gateway, instructing the Femto Cell access point to allocate air-interface resources to the MS.
112. The Femto Cell security gateway forwards the assignment message to the Femto Cell access point.
113. The Femto Cell access point stores the SMEKEY and PLCM from the assignment message and sends the assignment message to the MS, allocating air-interface resources to the MS.
In this embodiment the IKE message is preferably an IKE informational exchange message; other types of IKE message may of course be chosen to implement this method.
In step 103 of this embodiment the Femto Cell security gateway sends the lifetime of the RAND to the Femto Cell access point; alternatively, the Femto Cell security gateway can periodically send a RAND to the Femto Cell access point. Both have the same effect: the RAND is time-limited and valid only for a certain period. This effectively guarantees the security of terminal access and prevents a malicious attacker from intercepting the RAND and passing authentication to access the network.
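Steps 101-113 and the gateway check at step 107, carried through in runnable form as an added example (not the patent's code): the network-side entity issues RAND with a lifetime, the MS answers with AUTHR, and a recorded (RAND, AUTHR) pair resubmitted through a compromised access point, the background section's scenario, is dropped by the RAND check even though the HLR/AC on its own would accept it. AUTHR is computed with a truncated HMAC-SHA256 as a stand-in for the CAVE algorithm; the key, ESN, IMSI, FAP ID and the 60-second lifetime are constructed values, and the per-FAP-ID table follows embodiment three.

```python
"""Network-side RAND issuance and check for a Femto Cell access point.

Added example, not code from the patent. Models embodiment one: the security
gateway issues RAND with a lifetime, the AP broadcasts it, the MS answers with
AUTHR, and the gateway checks the carried RAND (step 107) before the HLR/AC
verifies AUTHR (step 110). AUTHR uses truncated HMAC-SHA256 as a stand-in for
CAVE; key, ESN, IMSI, FAP ID and the lifetime are constructed/assumed values.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

RAND_BITS = 32          # CDMA2000 1x RAND is a 32-bit value
AUTHR_BITS = 18         # AUTHR is an 18-bit authentication response
RAND_LIFETIME_S = 60.0  # assumed lifetime the issuer attaches to each RAND


def compute_authr(shared_key: bytes, rand: int, esn: int, imsi: str) -> int:
    """MS and HLR/AC both derive AUTHR from the shared key, the broadcast RAND,
    the device identifier (ESN) and the subscriber identity (CAVE stand-in)."""
    msg = rand.to_bytes(4, "big") + esn.to_bytes(4, "big") + imsi.encode()
    digest = hmac.new(shared_key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << AUTHR_BITS) - 1)


@dataclass
class RandIssuer:
    """Network-side RAND generator (security gateway here; MSC or signaling
    conversion entity in later embodiments). One live (RAND, expiry) per AP,
    keyed by FAP ID as in embodiment three."""
    lifetime_s: float = RAND_LIFETIME_S
    live: dict = field(default_factory=dict)

    def issue(self, fap_id: str, now: float) -> int:
        """Step 103: generate RAND and hand it, with its lifetime, to the AP."""
        rand = secrets.randbits(RAND_BITS)
        self.live[fap_id] = (rand, now + self.lifetime_s)
        return rand

    def check(self, fap_id: str, rand: int, now: float) -> bool:
        """Step 107: the carried RAND must equal the one issued to this AP and
        still be within its lifetime; otherwise the request is discarded."""
        entry = self.live.get(fap_id)
        return entry is not None and entry[0] == rand and now <= entry[1]


@dataclass
class HlrAc:
    """HLR/AC: holds shared key and ESN per subscriber, recomputes AUTHR."""
    keys: dict  # imsi -> shared key
    esns: dict  # imsi -> ESN

    def authenticate(self, imsi: str, rand: int, authr: int) -> bool:
        """Step 110: recompute AUTHR from the same inputs and compare."""
        expected = compute_authr(self.keys[imsi], rand, self.esns[imsi], imsi)
        return hmac.compare_digest(expected.to_bytes(3, "big"), authr.to_bytes(3, "big"))


def network_side(issuer: RandIssuer, hlr: HlrAc, fap_id: str, imsi: str,
                 rand: int, authr: int, now: float) -> str:
    """Service request from the AP (step 106): gateway check, then HLR/AC."""
    if not issuer.check(fap_id, rand, now):
        issuer.issue(fap_id, now)  # step 207: push an updated RAND to the AP
        return "dropped"
    return "authenticated" if hlr.authenticate(imsi, rand, authr) else "auth_failed"


def demo() -> dict:
    """Legitimate access, replay of a recorded pair via a compromised AP, expiry."""
    # Constructed sample subscriber and access point, not real values.
    imsi, esn, key, fap = "460030912345678", 0x1A2B3C4D, b"\x01" * 16, "FAP-0001"
    hlr = HlrAc(keys={imsi: key}, esns={imsi: esn})
    issuer = RandIssuer()
    out = {}

    # Steps 103-110: RAND issued and broadcast, MS answers, check and verify.
    rand0 = issuer.issue(fap, now=0.0)
    authr0 = compute_authr(key, rand0, esn, imsi)
    out["legitimate"] = network_side(issuer, hlr, fap, imsi, rand0, authr0, now=1.0)

    # The recorded pair stays internally consistent, so AUTHR verification on
    # its own would still accept it ...
    out["hlr_alone_accepts_recorded"] = hlr.authenticate(imsi, rand0, authr0)

    # ... but the issuer has since rotated RAND (periodic push, as the text
    # allows), so the gateway check rejects the replay. The loop only guards
    # the demo against a 2^-32 collision with the old value.
    while issuer.issue(fap, now=30.0) == rand0:
        pass
    out["replay_via_compromised_ap"] = network_side(
        issuer, hlr, fap, imsi, rand0, authr0, now=31.0)

    # A genuine RAND that is past its lifetime is dropped as well.
    rand1 = issuer.issue(fap, now=100.0)
    authr1 = compute_authr(key, rand1, esn, imsi)
    out["expired"] = network_side(issuer, hlr, fap, imsi, rand1, authr1,
                                  now=100.0 + RAND_LIFETIME_S + 1)
    return out
```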
Embodiment two:
Referring to Fig. 4, the method flow diagram of the second embodiment of the invention.
Embodiment two is the processing flow when the check in step 107 of embodiment one finds that the RAND is not identical. Steps 201-206 are identical to steps 101-106 of embodiment one and are not repeated here; only the subsequent processing flow is described, as follows:
207. The Femto Cell security gateway sends an updated RAND to the Femto Cell access point by the IKE message.
208. On receiving the RAND, the Femto Cell access point broadcasts it to the MS. The MS can resend the call message using the updated RAND; the workflow is then identical to that of embodiment one.
In this embodiment the IKE message is preferably an IKE informational exchange message; other types of IKE message may of course be chosen to implement this method.
Embodiment three:
Referring to Fig. 5, the method flow diagram of the third embodiment of the invention.
As in embodiment one, in the network configuration of this embodiment the external interface of the Femto Cell access point is the interface between the BSC and the MSC, i.e. the A1/A1p interface, and the terminal is the MS. Unlike embodiment one, in this embodiment the random number RAND is generated by the MSC, and the method requires extending A1/A1p.
Step 301 is identical to step 101 of embodiment one and is not repeated here.
302. The Femto Cell access point requests the random number RAND from the MSC by an A1/A1p message; the A1/A1p message carries the identifier of the Femto Cell access point (FAP ID, Femto Access Point Identifier).
303. The MSC generates RAND and sends the RAND and its lifetime to the Femto Cell access point by an A1/A1p message.
Steps 304-305 are identical to steps 104-105 of embodiment one and are not repeated here.
306. On receiving the call message, the Femto Cell access point initiates a service request message to the MSC carrying the RAND, AUTHR and FAP ID; the service request message is transmitted in the IPsec secure tunnel established between the Femto Cell access point and the Femto Cell security gateway.
307. The Femto Cell security gateway sends the service request message to the MSC.
308. The MSC receives the service request message and finds that it contains RAND, AUTHR and FAP ID; it therefore checks whether the RAND is identical to the RAND it sent to this Femto Cell access point in step 103; if so, it continues, otherwise it discards the service request message.
309. The MSC sends an authentication request message to the HLR/AC.
Steps 310-313 are identical to steps 110-113 of embodiment one and are not repeated here.
The A1/A1p messages in this embodiment need not carry the FAP ID; adding the FAP ID lets the MSC identify the access point more effectively, because the MSC generates a different random number for each access point.
Embodiment four:
Referring to Fig. 6, the method flow diagram of the fourth embodiment of the invention.
Unlike embodiment one, in the network configuration of this embodiment the Femto Cell access point acts as a client of the IP Multimedia Subsystem (IMS, IP Multimedia Subsystem) network; its external interface uses Session Initiation Protocol (SIP, Session Initiation Protocol) signaling, and a signaling conversion entity is added to the network to convert between the Mobile Application Part (MAP, Mobile Application Part) signaling of CDMA2000 1x and SIP signaling. As in embodiment one, in this embodiment the terminal is the MS and the random number RAND is generated by the Femto Cell security gateway.
Step 401 is identical to step 101 of embodiment one and is not repeated here.
402. The Femto Cell access point accesses the IMS network as an IMS client, i.e. the IMS registration procedure: the Femto Cell access point registers with the serving call session control function (S-CSCF, Serving Call Session Control Function).
403. The Femto Cell access point requests the random number RAND from the Femto Cell security gateway by an IKE message.
404. The Femto Cell security gateway generates RAND and sends the RAND and its lifetime to the Femto Cell access point by an IKE message.
405. The Femto Cell access point broadcasts the RAND to the MS.
406. The MS sends a CDMA2000 1x circuit domain call message to the Femto Cell access point; the call message contains the RAND and the AUTHR computed from the RAND, the MS's device identifier and its identity.
407. The Femto Cell access point converts the call message into a SIP message and sends the SIP message to the IMS network; the SIP message is transmitted in the IPsec secure tunnel established between the Femto Cell access point and the Femto Cell security gateway.
408. The Femto Cell security gateway decrypts the received SIP message and checks whether the RAND in the SIP message is identical to the RAND sent to the Femto Cell access point in step 4; if so, step 409 is executed, otherwise the message is discarded.
409. The Femto Cell security gateway forwards the SIP message, which is routed to the signaling conversion entity.
410. The signaling conversion entity converts the received SIP message into CDMA2000 1x MAP signaling containing the RAND and AUTHR, and sends an authentication request message to the HLR/AC.
411. From the authentication request message received, the HLR/AC looks up the shared key of the corresponding MS, computes the network-side AUTHR and judges whether it is identical to the received AUTHR; if so, authentication passes, and it goes on to compute the keys needed for the air interface, namely SMEKEY and PLCM, and sends an authentication response message containing those keys to the signaling conversion entity.
412. On receiving the authentication response message, the signaling conversion entity sends a SIP message containing the SMEKEY and PLCM to the access point, forwarded through the security gateway, instructing the Femto Cell access point to allocate air-interface resources to the MS.
413. The Femto Cell security gateway forwards the SIP signaling to the Femto Cell access point.
414. The Femto Cell access point stores the SMEKEY and PLCM from the SIP signaling and sends the SIP signaling to the MS, allocating air-interface resources to the MS.
In this embodiment the IKE message is preferably an IKE informational exchange message; other types of IKE message may of course be chosen to implement this method.
Embodiment five:
Referring to Fig. 7, the method flow diagram of the fifth embodiment of the invention.
This embodiment has the same network configuration as embodiment four: the Femto Cell access point acts as a client of the IMS network, the external interface uses SIP signaling, a signaling conversion entity is added to the network to convert between CDMA2000 1x MAP signaling and SIP signaling, and the terminal is the MS. Unlike embodiment four, in this embodiment the random number RAND is generated by the signaling conversion entity.
Steps 501-502 are identical to steps 401-402 of embodiment four and are not repeated here.
503. The Femto Cell access point requests the random number RAND from the signaling conversion entity by a SIP message.
504. The signaling conversion entity generates RAND and sends the RAND and its lifetime to the Femto Cell access point by a SIP message.
Steps 505-507 are identical to steps 405-407 of embodiment four and are not repeated here.
508. The Femto Cell security gateway decrypts the received SIP message and forwards it; the SIP message is routed to the signaling conversion entity.
509. The signaling conversion entity checks whether the RAND in the SIP message is identical to the RAND sent to the Femto Cell access point in step 4; if so, step 510 is executed, otherwise the message is discarded.
Steps 510-514 are identical to steps 410-414 of embodiment four and are not repeated here.
It should be noted that, when authentication fails, the methods of embodiments three to five proceed similarly to the subsequent processing flow of embodiment two: an updated RAND is sent, and the terminal resends the call message using the new RAND.
It should also be noted that in embodiments one to five the lifetime of the random number is sent to the Femto Cell access point, i.e. the random number is time-limited and valid only for a period of time, which guarantees the security of terminal access; alternatively, the RAND can be sent periodically to the Femto Cell access point. Both have the same effect: the RAND is time-limited and valid only for a certain period, which effectively guarantees the security of terminal access and prevents a malicious attacker from intercepting the RAND and passing authentication to access the network. The entity that generates the random number may send it after the Femto Cell access point first requests it, in which case the request from the Femto Cell access point may also include the FAP ID; or it may actively push it to the Femto Cell access point.
An embodiment of the invention provides a Femto Cell network terminal access device; referring to Fig. 8a, the authentication access device schematic diagram of an embodiment of the invention, it comprises:
a generation unit 801, for generating the time-limited RAND needed for terminal authentication;
a first transmitting unit 802, which sends the RAND and its lifetime to the Femto Cell access point; the Femto Cell access point broadcasts the RAND to the terminal. The terminal may be a mobile station or an access terminal. The Femto Cell access point first requests the RAND from the first transmitting unit 802;
a receiving unit 803, which receives the service request message sent by the terminal carrying the authentication response parameter and the RAND;
a checking unit 804, which checks whether the RAND carried in the service request message is identical to the RAND sent to the Femto Cell access point; if so, the authentication check passes;
a second transmitting unit 805, which sends the service request message to the location register or authentication center.
When the checking unit 804 finds that the RAND carried in the service request message differs from the RAND sent to the Femto Cell access point, the device further comprises a discarding unit 806, shown in Fig. 8b, for discarding the service request message. This prevents an attacker from accessing the Femto Cell network and stealing communication content.
The invention also provides a Femto network terminal access system. Referring to Fig. 9, the network terminal access system structure diagram of an embodiment of the invention, it comprises a random-number-generating entity 901, a home location register / authentication center HLR/AC 902, a Femto Cell access point 903 and a terminal 904.
The Femto Cell access point 903 requests RAND from the RAND-generating entity 901;
the random-number-generating entity 901 generates the RAND and sends the RAND and its lifetime to the Femto Cell access point 903;
the Femto Cell access point 903 broadcasts the RAND to the terminal 904;
the terminal 904 sends a service request message carrying the authentication response parameter and the RAND to the random-number-generating entity 901;
the random-number-generating entity 901 checks whether the RAND carried in the service request message is identical to the RAND sent to the Femto Cell access point; if so, the authentication check passes and it sends the service request message to the location register or authentication center 902;
the location register or authentication center 902 starts the terminal access procedure.
The invention provides a Femto network terminal access system that is divided into three embodiments according to which entity generates the random number: the RAND is generated by the Femto Cell security gateway, by the MSC, or by the signaling conversion entity.
First embodiment of the system:
The Femto Cell security gateway generates the RAND, and the system also comprises an MSC. Fig. 10 is a structural diagram of the first embodiment of the system of the present invention. It comprises Femto Cell security gateway 1001, MS 1002, Femto Cell access point 1003, HLR/AC 1004 and MSC 1005.
Femto Cell access point 1003 requests a RAND from Femto Cell security gateway 1001;
Femto Cell security gateway 1001 generates the RAND and sends the RAND and its lifetime to Femto Cell access point 1003;
Femto Cell access point 1003 broadcasts the RAND to MS 1002;
MS 1002 sends a service request message carrying the authentication response parameter and the RAND to Femto Cell security gateway 1001;
Security gateway 1001 checks whether the RAND carried in the service request message is identical to the RAND sent to Femto Cell access point 1003; if so, the check passes and the service request message is sent to HLR/AC 1004;
HLR/AC 1004 starts the terminal access process.
In the above system, the external interface of the Femto Cell access point is the BSC-MSC interface.
Second embodiment of the system:
The difference from the first embodiment of the system is that the MSC generates the random number. Fig. 11 is a structural diagram of the second embodiment of the system of the present invention. It comprises Femto Cell security gateway 1101, MS 1102, Femto Cell access point 1103, HLR/AC 1104 and MSC 1105.
The functions of the parts are the same as in the first system embodiment and are not repeated here; the difference is that the random number is generated by the MSC, so it is finally the MSC that checks whether the RAND is identical to the one it originally sent.
Third embodiment of the system:
In this embodiment, the Femto Cell access point acts as a client of the IMS network, and the Femto Cell security gateway generates the random number. Fig. 12 is a structural diagram of the third embodiment of the system of the present invention. It comprises Femto Cell security gateway 1201, MS 1202, Femto Cell access point 1203, signaling conversion entity 1204, HLR/AC 1205 and S-CSCF 1206.
Femto Cell access point 1203 accesses the IMS network as an IMS client and must first register with S-CSCF 1206.
Femto Cell access point 1203 requests a RAND from Femto Cell security gateway 1201.
Femto Cell security gateway 1201 generates the RAND and sends the RAND and its lifetime to Femto Cell access point 1203.
Femto Cell access point 1203 sends the RAND to MS 1202.
MS 1202 sends a page response to Femto Cell access point 1203; Femto Cell access point 1203 converts the page response into a SIP message and sends it to Femto Cell security gateway 1201.
Femto Cell security gateway 1201 checks whether the RAND carried in the SIP message is identical to the one sent to Femto Cell access point 1203; if so, Femto Cell security gateway 1201 forwards the SIP message, which is routed to signaling conversion entity 1204.
Signaling conversion entity 1204 sends an authentication request message to HLR/AC 1205.
HLR/AC 1205 checks whether the authentication response parameter carried in the authentication request message is correct; if so, it sends an authentication response message to signaling conversion entity 1204.
Signaling conversion entity 1204 sends a SIP message through Femto Cell security gateway 1201 to Femto Cell access point 1203, instructing Femto Cell access point 1203 to allocate air-interface resources for the MS. The signaling conversion entity may be integrated with the home location register.
Fourth embodiment of the system:
This embodiment differs from the third system embodiment in that the signaling conversion entity generates the random number. Fig. 13 is a structural diagram of the fourth embodiment of the system of the present invention. It comprises Femto Cell security gateway 1301, MS 1302, Femto Cell access point 1303, signaling conversion entity 1304, HLR/AC 1305 and S-CSCF 1306.
In this embodiment the random number is generated by signaling conversion entity 1304, so signaling conversion entity 1304 checks whether the random number in the SIP message is identical to the random number sent to Femto Cell access point 1303; the other parts are the same as in the third embodiment and are not repeated here.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments may be carried out by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, may comprise the content of each of the above embodiments of the communication method. The storage medium referred to here is, for example, a ROM/RAM, a magnetic disk or an optical disc.
In summary, in the method for authenticating a terminal based on a home base station network provided by the embodiments of the invention, the random number required for terminal authentication is generated by a network-side entity whose security is assured; that network-side entity sends the random number to the Femto Cell access point, checks whether the random number carried in the service request message is identical to the random number it sent, and starts the terminal access process if they are identical. Because the random number is not generated by the Femto Cell access point, its security is assured, which prevents an attacker from attacking the authentication through the Femto Cell access point and thereby obtaining the corresponding communication content.
Those of ordinary skill in the art will appreciate that all or part of the steps of the method of the above embodiments may be carried out by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, comprises the steps of: generating a random number; sending the random number to the terminal through the home base station access point; receiving a request sent by the terminal that carries an authentication response parameter and the random number; when the random number carried in the request is checked to be consistent with the random number sent to the terminal, sending an authentication request message to the location register or authentication center, which calculates the authentication response parameter and compares it with the authentication response parameter carried in the received authentication request message; when they are identical, the authentication succeeds.
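As an added illustration that is not part of the patent text, the following Python models the flow of the generic system embodiment and the summary above: the network-side entity issues the RAND with a lifetime, forwards a service request to the HLR/AC only when the echoed RAND matches and is still within its lifetime, and otherwise discards the request and reissues a RAND as claim 3 describes. The HMAC-based authentication response, the subscriber identity and key, the access point id and the integer clock are constructed assumptions; the patent does not specify the authentication algorithm.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

FORWARD, DISCARD, SUCCESS, FAIL = "forward", "discard", "success", "fail"

@dataclass
class ServiceRequest:
    """Constructed message: terminal id, authentication response, echoed RAND."""
    imsi: str
    rand: str
    auth_resp: str

def auth_response(key: bytes, rand: str) -> str:
    # Hypothetical stand-in for the authentication algorithm; the patent only
    # says the HLR/AC recomputes the parameter and compares it.
    return hmac.new(key, rand.encode(), hashlib.sha256).hexdigest()[:18]

class HlrAc:
    """Home location register / authentication center holding subscriber keys."""
    def __init__(self, subscriber_keys: dict):
        self.keys = subscriber_keys

    def authenticate(self, req: ServiceRequest) -> str:
        key = self.keys.get(req.imsi)
        if key is None:
            return FAIL
        expected = auth_response(key, req.rand)
        return SUCCESS if hmac.compare_digest(expected, req.auth_resp) else FAIL

class RandEntity:
    """Network-side entity (security gateway, MSC or signaling conversion
    entity) that issues the RAND with a lifetime and inspects service requests."""
    def __init__(self, hlr_ac: HlrAc):
        self.hlr_ac = hlr_ac
        self.issued = {}  # access point id -> (rand, expiry time)

    def issue_rand(self, ap_id: str, lifetime: int, now: int):
        rand = secrets.token_hex(8)  # RAND and lifetime are sent to the AP
        self.issued[ap_id] = (rand, now + lifetime)
        return rand, lifetime

    def handle_service_request(self, ap_id, req, lifetime, now):
        rand, expiry = self.issued.get(ap_id, (None, 0))
        if req.rand != rand or now >= expiry:
            # Claim 3: discard the request and resend a fresh RAND to the AP.
            self.issue_rand(ap_id, lifetime, now)
            return DISCARD, None
        # RAND check passed: forward to the HLR/AC, which does the real check.
        return FORWARD, self.hlr_ac.authenticate(req)

def terminal_reply(imsi: str, key: bytes, rand: str) -> ServiceRequest:
    """Terminal side: answer the broadcast RAND with the response parameter."""
    return ServiceRequest(imsi, rand, auth_response(key, rand))

def run_scenarios() -> dict:
    imsi, ki = "460001234567890", b"constructed-subscriber-key"  # constructed
    entity, ap, out = RandEntity(HlrAc({imsi: ki})), "femto-ap-1", {}
    rand, life = entity.issue_rand(ap, 60, now=1000)  # legitimate exchange
    out["legit"] = entity.handle_service_request(ap, terminal_reply(imsi, ki, rand), life, 1010)
    rand, life = entity.issue_rand(ap, 60, now=2000)  # AP substitutes its own RAND
    out["rogue_rand"] = entity.handle_service_request(ap, terminal_reply(imsi, ki, "00" * 8), life, 2010)
    rand, life = entity.issue_rand(ap, 60, now=3000)  # lifetime exceeded
    out["expired"] = entity.handle_service_request(ap, terminal_reply(imsi, ki, rand), life, 3061)
    rand, life = entity.issue_rand(ap, 60, now=4000)  # correct RAND, wrong key
    out["bad_key"] = entity.handle_service_request(ap, terminal_reply(imsi, b"x", rand), life, 4010)
    rand, life = entity.issue_rand(ap, 60, now=5000)  # replay after a fresh RAND
    old, _ = terminal_reply(imsi, ki, rand), entity.issue_rand(ap, 60, now=5005)
    out["replay"] = entity.handle_service_request(ap, old, life, 5010)
    return out
```

The two layers are visible in the results: a wrong or stale RAND is dropped by the network-side entity before the HLR/AC is involved, while a request with the right RAND but a wrong subscriber key is forwarded and fails at the HLR/AC.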

Claims (18)

1. A method for authenticating a terminal based on a home base station network, characterized in that it comprises:
generating a random number;
sending the random number to the terminal through a home base station access point;
receiving a request sent by the terminal that carries an authentication response parameter and the random number;
when the random number carried in the request is checked to be consistent with the random number sent to the terminal, sending an authentication request message to a location register or authentication center, calculating the authentication response parameter, and comparing it with the authentication response parameter carried in the received authentication request message; when they are identical, the authentication succeeds.
2. The method according to claim 1, characterized in that the calculating of the authentication response parameter and the comparing of it with the authentication response parameter carried in the received authentication request message are performed by the location register or authentication center.
3. The method according to claim 1, characterized in that it further comprises: when the random number carried in the request is checked to be different from the random number sent to the terminal, discarding the request and resending the random number to the home base station access point.
4. The method according to claim 1, characterized in that the external interface of the home base station access point is the interface between a base station controller and a mobile switching center.
5. The method according to claim 4, characterized in that the entity generating the random number is a mobile switching center, and the random number is sent to the home base station access point by an interoperability-standard A1 or A1p interface message.
6. The method according to claim 1, characterized in that the home base station access point acts as a client of an IP multimedia subsystem network, and its external interface uses session initiation protocol messages.
7. The method according to claim 4 or 6, characterized in that the entity generating the random number is a home base station network security gateway, and the random number is sent to the home base station access point by an Internet Key Exchange message.
8. The method according to claim 6, characterized in that the entity generating the random number is a signaling conversion entity, and the random number is sent to the home base station access point by a session initiation protocol message.
9. The method according to claim 1, characterized in that it further comprises sending the lifetime of the random number to the home base station access point.
10. The method according to claim 1, characterized in that it further comprises sending the random number to the home base station access point either actively or after receiving a request from the home base station access point.
11. The method according to claim 10, characterized in that the random number request sent by the home base station access point comprises the identity of the home base station access point.
12. A home base station network device, characterized in that it comprises:
a generation unit, used to generate a random number;
a first transmitting unit, used to send the random number to a terminal through a home base station access point;
a receiving unit, which receives a request sent by the terminal that carries an authentication response parameter and the random number;
an inspection unit, used to check whether the random number carried in the request is identical to the random number sent to the home base station access point and, if so, to notify a second transmitting unit;
a second transmitting unit, used to send an authentication request to the location register or authentication center.
13. The device according to claim 12, characterized in that the device is located in the home base station network security gateway, the mobile switching center or the signaling conversion entity.
14. The device according to claim 12, characterized in that it further comprises a discarding unit, which discards the service request message when the random number carried in the request is checked to be different from the random number sent to the home base station access point.
15. A system for authenticating a terminal based on a home base station network, characterized in that it comprises: a random-number generating entity, a terminal, a home base station access point, and a home location register or authentication center;
the random-number generating entity is used to generate the random number and send the random number to the home base station access point;
the home base station access point is used to broadcast the random number to the terminal;
the terminal is used to send a request carrying an authentication response parameter and the random number;
the random-number generating entity receives the request and checks whether the random number carried in the request is identical to the random number sent to the home base station access point; if so, it sends an authentication request to the location register or authentication center;
the location register or authentication center is used to calculate the authentication response parameter and compare it with the authentication response parameter carried in the received authentication request message; when they are identical, the authentication succeeds.
16. The system according to claim 15, characterized in that, when the random-number generating entity is the home base station network security gateway, the system further comprises a mobile switching center, used to instruct the access point to allocate air-interface resources to the terminal during the terminal access process.
17. The system according to claim 15, characterized in that, when the random-number generating entity is the mobile switching center, the system further comprises a home base station network security gateway, used to forward the service request message to the mobile switching center.
18. The system according to claim 15, characterized in that, when the random-number generating entity is the signaling conversion entity, the system further comprises an entity providing terminal registration, used to provide the terminal with the service of registering to the network.
CN200810040806.8A 2008-07-17 2008-07-17 Method, device and system for authenticating terminal based on home base station network Active CN101631309B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200810040806.8A CN101631309B (en) 2008-07-17 2008-07-17 Method, device and system for authenticating terminal based on home base station network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200810040806.8A CN101631309B (en) 2008-07-17 2008-07-17 Method, device and system for authenticating terminal based on home base station network

Publications (2)

Publication Number Publication Date
CN101631309A true CN101631309A (en) 2010-01-20
CN101631309B CN101631309B (en) 2013-03-20

Family

ID=41576206

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200810040806.8A Active CN101631309B (en) 2008-07-17 2008-07-17 Method, device and system for authenticating terminal based on home base station network

Country Status (1)

Country Link
CN (1) CN101631309B (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101854629A (en) * 2010-05-21 2010-10-06 西安电子科技大学 Method of access authentication and recertification in home NodeB system of user terminal
WO2011109936A1 (en) * 2010-03-09 2011-09-15 上海贝尔股份有限公司 Method and equipment for authenticating subscriber terminal
CN102546540A (en) * 2010-12-17 2012-07-04 北京中创智信科技有限公司 Data processing method
CN102571337A (en) * 2010-12-17 2012-07-11 北京中创智信科技有限公司 Data processing method
CN102612078A (en) * 2011-01-25 2012-07-25 电信科学技术研究院 Wireless access system and device and data transmission method
CN103945383A (en) * 2014-04-22 2014-07-23 福建三元达通讯股份有限公司 Method for managing access of user device through home base station
CN104468314A (en) * 2014-12-09 2015-03-25 北京歌华有线数字媒体有限公司 4G base station network system
US9510255B2 (en) 2011-11-08 2016-11-29 Huawei Technologies Co., Ltd. Network handover method and apparatus
WO2019000171A1 (en) * 2017-06-26 2019-01-03 Zte Corporation Methods and computing device for authenticating a user equipment via a home network
WO2019137232A1 (en) * 2018-01-15 2019-07-18 华为技术有限公司 Method and apparatus for sending message

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1297155C (en) * 2003-06-10 2007-01-24 华为技术有限公司 Authentication method for user of global mobile communication system when roaming to CDMA network
CN1288875C (en) * 2004-02-18 2006-12-06 Ut斯达康通讯有限公司 PHS mobile phone network discriminating method
CN1835626A (en) * 2005-03-15 2006-09-20 北京信威通信技术股份有限公司 Power authentication system and method of SCDMA communicating system
CN100484292C (en) * 2007-04-05 2009-04-29 华为技术有限公司 Method, system and base station for locking illegal copied mobile terminal

Also Published As

Publication number Publication date
CN101631309B (en) 2013-03-20

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant