CN102026178B - User identity protection method based on public-key mechanism - Google Patents

Publication number: CN102026178B
Authority: CN (China)
Prior art keywords: ver, hss, imsi, public, key
Legal status: Active
Application number: CN201010615953.0A
Other languages: Chinese (zh)
Other versions: CN102026178A (en)
Inventor: 曾勇
Current Assignee: CHENGDU 30RUITONG MOBILE COMMUNICATION Co Ltd
Original Assignee: CHENGDU 30RUITONG MOBILE COMMUNICATION Co Ltd

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to the field of secure communication in mobile communication technology, and discloses a user identity protection method based on a public-key mechanism. The method comprises the following steps: an HSS (home subscriber server) generates a key pair consisting of a public key PK and a private key SK; the public key PK is preset, in the form of a public key file PKF, in the USIM (universal subscriber identity module) card of each UE (user equipment) homed to that HSS, and the private key SK is stored in the HSS; the mobile phone sends the following information to an MME (mobility management entity): the HSS identifier HSS_ID, the version number VER_PK of the public key PK, and the data (IMSI || R || VER_PK) encrypted with an asymmetric encryption algorithm; after receiving the information, the MME sends VER_PK and the encrypted (IMSI || R || VER_PK) to the HSS identified by HSS_ID; and the HSS decrypts the encrypted (IMSI || R || VER_PK) with the private key SK. Because attackers do not know the private key SK of the HSS, they cannot decrypt (IMSI || R || VER_PK).

Description

A user identity protection method based on a public-key mechanism
Technical field
The present invention relates to the field of secure communication in mobile communication technology, and in particular to a user identity protection method based on a public-key mechanism.
Background
A public-key mechanism protects the IMSI (International Mobile Subscriber Identity, the identifier that distinguishes mobile subscribers) and prevents attackers from illegally tracking and locating mobile users. In the 3G (third-generation mobile communication technology), LTE (Long Term Evolution) and 4G (fourth-generation mobile communication technology) mobile communication systems, the prior art generally protects user identity with the temporary user identity GUTI (Globally Unique Temporary Identity) mechanism. After AKA (Authentication and Key Agreement) authentication, the MME (Mobility Management Entity) assigns a temporary identity GUTI to the UE (User Equipment, comprising the ME and the USIM) and stores the mapping between GUTI and IMSI. The user then uses the GUTI to communicate with the network, for example for network access requests, routing updates, attach requests and paging messages. This mechanism reduces transmission of the IMSI over the radio channel, makes interception harder for an attacker, and provides some protection for the IMSI. However, when the user or the network cannot obtain the GUTI, or cannot obtain the mapping between IMSI and GUTI, the user must identify itself with the IMSI, and the IMSI is then exposed in plaintext on the air interface.
If an attacker obtains a specific user's permanent identity IMSI through a passive or active attack, and also obtains the mapping between the user's real identity and that permanent identity, the user's privacy is leaked. The GUTI mechanism therefore does not fully protect the IMSI and cannot meet the needs of some high-end users.
Summary of the invention
To address the technical problem in the prior art that leakage of a user's permanent identity IMSI leads to leakage of user privacy, it is necessary to provide a user identity protection method based on a public-key mechanism.
The invention provides a user identity protection method based on a public-key mechanism, comprising the following steps:
(1) The HSS generates a public/private key pair PK and SK; the public key PK is preset, in the form of a public key file PKF, in the USIM card of each UE homed to the HSS, and the private key SK is stored in the HSS;
(2) The MME sends a user identity request to the mobile phone holding the USIM card of step (1);
(3) When accessing the network, the mobile phone sends the following information to the MME:
HSS identifier: HSS_ID;
Version number of the public key PK: VER_PK;
The data (IMSI||R||VER_PK) encrypted with an asymmetric encryption algorithm;
where R is a random number that is mixed with the IMSI before encryption;
(4) After receiving the message of step (3), the MME sends VER_PK and the encrypted (IMSI||R||VER_PK) to the HSS identified by HSS_ID;
(5) After receiving VER_PK and the encrypted (IMSI||R||VER_PK) from the MME, the HSS decrypts and checks them using the private key SK.
Preferably, the decryption and checking with the private key SK in step (5) comprises the following steps:
① The HSS first identifies the PK version number and uses the corresponding private key SK to decrypt (IMSI||R||VER_PK), recovering IMSI and VER_PK*;
② The decrypted VER_PK* is compared with the received plaintext VER_PK. If they are equal, VER_PK has not been tampered with; if they differ, VER_PK has been tampered with and the IMSI protection method is terminated.
Preferably, step (5) further comprises the HSS comparing the VER_PK reported by the USIM with the VER_PK that the HSS itself uses: if the version reported by the USIM is the current latest version, the public key file need not be updated; if it is an earlier version, the public key file is updated.
Preferably, the method further comprises the following step:
The HSS sends the MME the IMSI of the mobile phone and the ciphering key generated from the IMSI. If the public key file needs to be updated, the new public key file PKFn is sent along with them; if not, this parameter is not sent.
Preferably, the method further comprises the following step:
The mobile phone and the MME enter the authentication procedure, and authentication succeeds.
Preferably, the method further comprises the following step:
The MME allocates a GUTI to the MS. If the public key file needs to be updated, the new public key file PKFn is sent along with it; if not, this parameter is not sent.
Preferably, the method further comprises the following step:
If the mobile phone receives PKFn, the USIM verifies the signature of the new public key file PKFn with the old public key file PKo. If verification fails, the parameter is discarded and the old public key file PKFo continues to be used; if verification succeeds, the old PKFo is replaced and the new PKn is used to encrypt the IMSI at the next network access.
Preferably, the method further comprises the following step:
The mobile phone reports the allocation result of the GUTI and PKFn to the MME.
Preferably, the asymmetric algorithm in step (3) is the RSA algorithm.
Preferably, the asymmetric algorithm in step (3) is the ECC algorithm.
The beneficial effects of the invention are as follows. First, because the attacker does not know the private key of the HSS, it cannot decrypt (IMSI||R||VER_PK). In addition, the random number R included in (IMSI||R||VER_PK) prevents the attacker from correlating successive reports. Second, the HSS compares the decrypted VER_PK with the plaintext VER_PK, which ensures data integrity and prevents an attacker from tampering with the data. When the key is replaced, the HSS signs the PK, which guarantees the validity and legitimacy of the key replacement and prevents a fake network from deceiving the mobile phone. The HSS key pair is easy to maintain, manage and replace; SK is always kept in the HSS, and an attacker cannot derive SK from PK. The key replacement mechanism further improves security strength and makes cracking harder for an attacker. There is no private key on the USIM card side, and the public key can be replaced online.
Description of drawings
Fig. 1 shows the structure of the public key file PKF in the present invention;
Fig. 2 shows the IMSI protection method based on the public-key mechanism.
Embodiment
Specific embodiments of the invention are described below with reference to the accompanying drawings.
The invention provides a user identity protection method based on a public-key mechanism, in which encryption, decryption, signing and signature verification use the RSA algorithm, the ECC algorithm or another asymmetric encryption algorithm; for ease of description, this embodiment uses the ECC algorithm as the example. The method is the IMSI protection method based on a public-key mechanism shown in Fig. 2, where: in ECC(PK, (IMSI||R||VER_PK)), ECC denotes the asymmetric algorithm, PK the public key, and (IMSI||R||VER_PK) the data being encrypted; (PKFn) indicates that PKFn is sent only when the public key file needs to be updated, and the parameter is omitted otherwise; when the HSS transfers the IMSI to the MME, its security is ensured by the core network. The method comprises the following steps:
(1) The HSS (Home Subscriber Server) generates a public/private key pair PK and SK; the public key PK is preset, in the form of a public key file PKF, in the USIM (Universal Subscriber Identity Module) card of each UE homed to the HSS, and the private key SK is stored in the HSS.
(2) When the UE accesses the serving network for the first time, the MME sends a user identity request to the mobile phone holding the USIM card of step (1) (see 3GPP TS 33.401, section 6.1.3).
(3) When accessing the network, the mobile phone sends the following information to the MME:
HSS identifier: HSS_ID;
Version number of the public key PK: VER_PK;
The data encrypted with an asymmetric encryption algorithm, here the ECC algorithm: ECC(PK, (IMSI||R||VER_PK));
where R is a random number that is mixed with the IMSI before encryption, so that every encryption result is different; VER_PK is included in the encrypted data in order to integrity-protect VER_PK.
(4) After receiving the message of step (3), the MME sends VER_PK and ECC(PK, (IMSI||R||VER_PK)) to the HSS identified by HSS_ID;
(5) After receiving VER_PK and ECC(PK, (IMSI||R||VER_PK)) from the MME, the HSS proceeds as follows:
① The HSS first identifies the PK version number VER_PK and, according to VER_PK, uses the corresponding private key SK to decrypt ECC(PK, (IMSI||R||VER_PK)), recovering IMSI and VER_PK*. When the HSS replaces PK/SK, some UEs may be powered off; they cannot enter the authentication procedure, so the PK stored in their USIM cannot be replaced. When such a UE powers on, its USIM can only encrypt the (IMSI||R||VER_PK) data with the previous version of PK. Therefore, even after PK/SK has been updated, the HSS must keep the previous PK/SK and the corresponding version number so that users who have not yet updated their PK can still access the network normally.
② The decrypted VER_PK* is compared with the received plaintext VER_PK. If they are equal, VER_PK has not been tampered with and the subsequent operations can proceed; if they differ, VER_PK has been tampered with and the IMSI protection method is terminated;
③ The HSS compares the VER_PK reported by the USIM with the VER_PK that the HSS itself uses. If the version reported by the USIM is the current latest version, the public key file need not be updated; if it is an earlier version, the public key file needs to be updated.
(6) The HSS sends the MME the IMSI of the mobile phone and the ciphering key generated from the IMSI. If the public key file needs to be updated, the new public key file PKFn is sent along with them; if not, this parameter is not sent. The structure of the public key file PKF is shown in Fig. 1.
(7) The UE and the MME enter the authentication procedure, and authentication succeeds (see 3GPP TS 33.401, section 6.1.1).
(8) The MME allocates a GUTI to the ME (Mobile Equipment). If the public key file needs to be updated, the new public key file PKFn is sent along with it; if not, this parameter is not sent.
(9) If the mobile phone receives PKFn, the USIM verifies the signature of the new public key file PKFn with the old public key file PKo. If verification fails, the parameter is discarded and the old public key file PKFo continues to be used. If verification succeeds, the old PKFo is replaced and the new PKn is used to encrypt the IMSI at the next network access.
(10) The mobile phone reports the allocation result of the GUTI and PKFn in step (9) to the MME.
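Steps (3) to (5) above, as an added example that is not code from the patent: the UE side builds the identity message and the HSS side selects SK by VER_PK, decrypts, compares VER_PK* with the plaintext VER_PK and decides whether a new PKF is needed. It assumes RSA-OAEP as the asymmetric algorithm (the patent names RSA or ECC but no padding scheme), a fixed layout of 15 IMSI digits, a 16-byte R and a 1-byte VER_PK, and hypothetical Go type and function names.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assumed layout of the encrypted field: 15 IMSI digits, 16-byte R, 1-byte VER_PK.
const imsiLen, rLen = 15, 16

var ErrUnknownVer = errors.New("no SK stored for this VER_PK")
var ErrDecrypt = errors.New("decryption failed")
var ErrTampered = errors.New("VER_PK* != VER_PK: stop the IMSI protection method")

// IdentityMsg is the step (3) message; the Go names are illustrative.
type IdentityMsg struct {
	HSSID  string
	VerPK  byte   // VER_PK in plaintext
	Cipher []byte // E(PK, IMSI||R||VER_PK)
}

// HSS keeps every key pair still in service, indexed by VER_PK (step 5).
type HSS struct {
	keys   map[byte]*rsa.PrivateKey
	latest byte
}

// NewHSS generates key pairs for versions 1..n; n is the current version.
func NewHSS(n byte) (*HSS, error) {
	h := &HSS{keys: map[byte]*rsa.PrivateKey{}, latest: n}
	for v := byte(1); v <= n; v++ {
		sk, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			return nil, err
		}
		h.keys[v] = sk
	}
	return h, nil
}

// UEEncrypt builds the step (3) message from the PK preset in the USIM.
func UEEncrypt(pk *rsa.PublicKey, hssID, imsi string, ver byte) (IdentityMsg, error) {
	if len(imsi) != imsiLen {
		return IdentityMsg{}, errors.New("IMSI must be 15 digits")
	}
	r := make([]byte, rLen) // fresh R for every report
	if _, err := rand.Read(r); err != nil {
		return IdentityMsg{}, err
	}
	pt := append(append([]byte(imsi), r...), ver)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pk, pt, nil)
	return IdentityMsg{hssID, ver, ct}, err
}

// Resolve is step (5): select SK by VER_PK, decrypt, compare VER_PK* with VER_PK.
func (h *HSS) Resolve(m IdentityMsg) (imsi string, needUpdate bool, err error) {
	sk, ok := h.keys[m.VerPK]
	if !ok {
		return "", false, ErrUnknownVer
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, sk, m.Cipher, nil)
	if err != nil || len(pt) != imsiLen+rLen+1 {
		return "", false, ErrDecrypt
	}
	if pt[imsiLen+rLen] != m.VerPK {
		return "", false, ErrTampered
	}
	return string(pt[:imsiLen]), m.VerPK != h.latest, nil
}

func main() {
	hss, _ := NewHSS(2)
	m, _ := UEEncrypt(&hss.keys[1].PublicKey, "hss-01", "001010123456789", 1) // constructed sample
	fmt.Println(hss.Resolve(m)) // USIM still on PK version 1: update needed
	m.VerPK = 2                 // plaintext VER_PK altered in transit
	fmt.Println(hss.Resolve(m))
}
```

With OAEP padding, a VER_PK changed in transit normally makes the HSS select a different SK and surfaces as a decryption failure; the explicit VER_PK* comparison covers the case where decryption still succeeds.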
The user identity protection method based on a public-key mechanism of the present invention has the following advantages. First, because the attacker does not know the private key of the HSS, it cannot decrypt ECC(PK, (IMSI||R||VER_PK)). In addition, the random number R included in ECC(PK, (IMSI||R||VER_PK)) prevents the attacker from correlating successive reports. Second, the HSS compares the decrypted VER_PK with the plaintext VER_PK, which ensures data integrity and prevents an attacker from tampering with the data. When the key is replaced, the HSS signs the PK, which guarantees the validity and legitimacy of the key replacement and prevents a fake network from deceiving the mobile phone. The HSS key pair is easy to maintain, manage and replace; SK is always kept in the HSS, and an attacker cannot derive SK from PK. The key replacement mechanism further improves security strength and makes cracking harder for an attacker. There is no private key on the USIM card side, and the public key can be replaced online.
The specific embodiments described above further explain the purpose, technical solution and beneficial effects of the present invention. It should be understood that the above are only specific embodiments of the invention and do not limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (9)

1. A user identity protection method based on a public-key mechanism, comprising the following steps:
(1) The HSS generates a public/private key pair PK and SK; the public key PK is preset, in the form of a public key file PKF, in the USIM card of each UE homed to the HSS, and the private key SK is stored in the HSS;
(2) The MME sends a user identity request to the mobile phone holding the USIM card of step (1);
(3) When accessing the network, the mobile phone sends the following information to the MME:
HSS identifier: HSS_ID;
Version number of the public key PK: VER_PK;
The data (IMSI||R||VER_PK) encrypted with an asymmetric encryption algorithm;
where R is a random number that is mixed with the IMSI before encryption;
(4) After receiving the message of step (3), the MME sends VER_PK and the encrypted (IMSI||R||VER_PK) to the HSS identified by HSS_ID;
(5) After receiving VER_PK and the encrypted (IMSI||R||VER_PK) from the MME, the HSS decrypts and checks them using the private key SK; the decryption and checking with the private key SK in step (5) comprises the following steps:
① The HSS first identifies the PK version number and uses the corresponding private key SK to decrypt (IMSI||R||VER_PK), recovering IMSI and VER_PK*;
② The decrypted VER_PK* is compared with the received plaintext VER_PK. If they are equal, VER_PK has not been tampered with; if they differ, VER_PK has been tampered with and the IMSI protection method is terminated.
2. The user identity protection method based on a public-key mechanism according to claim 1, characterized in that step (5) further comprises the HSS comparing the VER_PK reported by the USIM with the VER_PK that the HSS itself uses: if the version reported by the USIM is the current latest version, the public key file need not be updated; if it is an earlier version, the public key file is updated.
3. The user identity protection method based on a public-key mechanism according to claim 2, characterized in that the method further comprises the following step:
The HSS sends the MME the IMSI of the mobile phone and the ciphering key generated from the IMSI. If the public key file needs to be updated, the new public key file PKFn is sent along with them; if not, this parameter is not sent.
4. The user identity protection method based on a public-key mechanism according to claim 3, characterized in that the method further comprises the following step:
The mobile phone and the MME enter the authentication procedure, and authentication succeeds.
5. The user identity protection method based on a public-key mechanism according to claim 4, characterized in that the method further comprises the following step:
The MME allocates a GUTI to the MS. If the public key file needs to be updated, the new public key file PKFn is sent along with it; if not, this parameter is not sent.
6. The user identity protection method based on a public-key mechanism according to claim 5, characterized in that the method further comprises the following step:
If the mobile phone receives PKFn, the USIM verifies the signature of the new public key file PKFn with the old public key file PKo. If verification fails, the parameter is discarded and the old public key file PKFo continues to be used; if verification succeeds, the old PKFo is replaced and the new PKn is used to encrypt the IMSI at the next network access.
7. The user identity protection method based on a public-key mechanism according to claim 6, characterized in that the method further comprises the following step:
The mobile phone reports the allocation result of the GUTI and PKFn to the MME.
8. The user identity protection method based on a public-key mechanism according to claim 1, characterized in that the asymmetric algorithm in step (3) is the RSA algorithm.
9. The user identity protection method based on a public-key mechanism according to claim 1, characterized in that the asymmetric algorithm in step (3) is the ECC algorithm.
Priority date: 2010-12-31
Filing date: 2010-12-31

Publications (2)

Publication Number Publication Date
CN102026178A 2011-04-20
CN102026178B 2013-06-12

Family ID: 43866895

Country Status (1): CN, CN102026178B (en)

Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant