CN113473475A - Operation method and device for hiding position of mobile user based on wide area network

Info

Publication number: CN113473475A
Authority: CN (China)
Prior art keywords: network, sim card, tunnel, user, wide area
Legal status: Pending
Application number: CN202010244179.0A
Other languages: Chinese (zh)
Inventors: 龙红星, 甘慧彦
Current assignee: Chen Core Technology Co ltd
Original assignee: Chen Core Technology Co ltd
Application filed by Chen Core Technology Co ltd

Classifications

    • H04W12/06 Authentication (H Electricity; H04 Electric communication technique; H04W Wireless communication networks; H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
    • H04W12/08 Access security (same H04W12/00 group as above)
    • H04W76/12 Setup of transport tunnels (H04W Wireless communication networks; H04W76/00 Connection management; H04W76/10 Connection setup)

Abstract

The invention provides an operation method and a device for hiding the position of a mobile user based on a wide area network, comprising the following steps: deploying a special gateway on the wide area network to connect the mobile user and a core network to which the mobile user belongs; making a user terminal device execute network connection; a first SIM card (flow card) in the user terminal equipment is connected with the special gateway so as to establish a special IP security tunnel at the special gateway; a second SIM card (subscriber card) in the user equipment completes the access and service execution of the second SIM card in its core network through the dedicated IP tunnel established by the first SIM card. The first SIM card is irrelevant to the identity of the user, the second SIM card is relevant to the identity of the user, and the user identity relevant information of the second SIM card is transmitted based on an exclusive IP security tunnel, so that identity leakage based on a pseudo base station and leakage of the position and identity information of the mobile user based on an operator wireless base station are effectively prevented.

Description

Operation method and device for hiding position of mobile user based on wide area network
Technical Field
The present invention relates to the field of communications security technologies, and in particular, to an operating method and an operating device for implementing location hiding of a mobile user over a wide area network.
Background
In recent years, with the continuous development of various black technologies, the information security of mobile users has received more and more attention. Existing mature technologies mainly focus on user authentication and on data encryption (circuit domain + packet domain) at various levels, but have no good solution for location hiding (leakage of user identity, user location, etc.). At present, the main channels through which the position information and identity of a mobile user leak are as follows:
1. Locating the real location of a mobile subscriber by means of an operator's radio base station;
2. Directly obtaining user identity information through the operator's core network;
3. Lawless persons stealing user identity information through a pseudo base station.
As can be seen from the above description, it is difficult for the existing communication system to avoid the above leakage channel.
As is well known, IPsec is a series of open IP security standards formally defined by the Internet Engineering Task Force (IETF) for IP networks (including intranets, extranets and the Internet). It provides a complete set of security protocols and services for IP networks which, in combination, provide different types of service; since IPsec works at the IP layer, it can provide transparent security services for upper-layer protocols and applications. IPsec provides users with a secure tunneling service whose traffic is encrypted and authentication-protected even though it is transmitted over public networks.
In view of the above, and of the shortcomings in the prior art, the present invention provides, through careful experiments and studies, an operation method and apparatus for implementing location hiding of a mobile user based on a WAN, so as to solve the above technical problems in the prior art.
Disclosure of Invention
The invention aims to provide an operation method and a device for hiding the position of a mobile user based on a wide area network, wherein a first SIM card (flow card) in the client equipment connects to a special gateway so as to establish a special IP (Internet Protocol) security tunnel at the special gateway; the second SIM card (user card) then completes its access to and service execution in its own core network through the exclusive IP tunnel established via the first SIM card, so that user information leakage at the operator level (base station + core network) and identity eavesdropping by a pseudo base station can be solved.
To achieve the purpose of the present invention, a technical solution provided by the present invention is as follows:
an operation method for hiding the position of a mobile user based on a wide area network comprises the following steps: deploying a special gateway on the wide area network to connect the mobile user and a core network to which the mobile user belongs;
making a user terminal device execute network connection;
connecting a special gateway through a first SIM card in user equipment to establish a special IP security tunnel in the special gateway;
and the second SIM card in the user terminal equipment passes through the exclusive IP security tunnel to complete the access and service execution of the core network to which the second SIM card belongs.
In one possible design, the UE connects to a dedicated gateway deployed on a WAN through a first SIM card and establishes a first network tunnel from the UE, performs user identity authentication with the dedicated gateway through a preconfigured key or digital certificate, and, once the identity authentication is confirmed, establishes a second network tunnel connected to the dedicated IP security tunnel, so as to complete access and service execution of the second SIM card in the core network to which the second SIM card belongs.
In one possible design, the first network tunnel and the second network tunnel are established based on user security credentials associated with the customer premises device, and data is allowed to be securely exchanged between the customer premises device and the network of the private gateway through the first network tunnel and the second network tunnel.
In one possible design, the first network tunnel and the second network tunnel are IPsec tunnels.
In one possible design, the first network tunnel and the second network tunnel are established using extensible authentication protocol EAP, asymmetric encryption algorithm RSA, or pre-configured key PSK.
In one possible design, the client device is authenticated by the authentication server to have an exchange public-private key correspondence.
In one possible design, authentication by the authentication server and data encryption are data packets associated with the customer premise equipment.
To achieve an objective of the present invention, a technical solution provided by the present invention is as follows:
a device for hiding the position of a mobile user based on a wide area network is characterized in that a special gateway is deployed on the wide area network to connect the mobile user and a core network to which the mobile user belongs; the device for realizing the mobile user position hiding based on the wide area network comprises a processor unit, a first SIM card, a second SIM card, a communication module and a key processing module, wherein the processor unit is provided with instructions for executing an operation method for realizing the mobile user position hiding based on the wide area network; wherein
The first SIM card is used for establishing an exclusive IP security tunnel in the private gateway;
the second SIM card is used for providing access and service execution to the core network based on the IP security tunnel;
the communication module is used for providing relevant signaling and service data sending and receiving of the processor unit, the first SIM card and the second SIM card;
the key processing module is used for providing related key data storage, encryption and decryption calculation processing for the establishment of the exclusive IP security tunnel.
In one possible design, the processor unit includes an application processor and a communication processor, the application processor is used for completing the execution of the user service requirement, and the communication processor is connected with the communication module to process the related data received from the communication module so as to complete the access of the wireless network and the transceiving of the wireless signals.
In one possible design, the key processing module is an encryption T-card having a microprocessor, an encryption/decryption algorithm and an internal memory, for storing, encrypting and decrypting the related key data established for the exclusive IP security tunnel.
Drawings
FIG. 1 is a flow chart of the method of operation of the present invention.
Fig. 2 is a block diagram of a data packet transported over a proprietary IP security tunnel in accordance with the present invention.
FIG. 3 is a schematic diagram of the operation of FIG. 1 according to the present invention.
Fig. 4 is a schematic configuration diagram of a ue performing the operation method of fig. 2 according to the present invention.
Description of reference numerals: 100 - UE; 200 - WAG; 210, 213 - data packet; 211, 214 - IP header; 212, 218 - data field; 215 - ESP header; 216 - external IP header; 217 - original IP header; 219 - internal IP header; 300 - customer premise equipment; 310 - processor unit; 320 - first SIM card; 330 - second SIM card; 340 - communication module; 350 - storage module; S10-S40 - method flow for operation based on a secure link over a wireless wide area network.
Detailed Description
The following detailed description and technical contents of the present invention are described with reference to the drawings, which are provided for reference and illustration purposes only and are not intended to limit the present invention. Various embodiments of the present invention will be described in detail below with reference to the accompanying drawings, but the present invention is not limited to only these embodiments. The invention is intended to cover alternatives, modifications, equivalents, and alternatives that may be included within the spirit and scope of the invention. In the following description of the preferred embodiments of the present invention, specific details are set forth in order to provide a thorough understanding of the present invention, and it will be apparent to those skilled in the art that the present invention may be practiced without these specific details.
Unless defined otherwise, technical or scientific terms used herein shall have the ordinary meaning as understood by one of ordinary skill in the art to which this invention belongs. The use of "first," "second," and similar terms in this disclosure is not intended to indicate any order, quantity, or importance, but rather is used to distinguish one element from another. The use of "including," "comprising," "having," and the like in this disclosure means that the element or object preceding the word encompasses the elements or objects listed after the word and their equivalents, without excluding other elements or objects. The terms "upper", "lower", and the like are used only to indicate relative positional relationships, and when the absolute position of the object described changes, the relative positional relationships may change accordingly.
The invention provides user end equipment based on a wireless wide area network and an operation method for it, which mainly considers the following two aspects: shielding the real wireless base station, so as to prevent information theft by a pseudo base station or positioning of the terminal by an operator base station; and shielding the core network of the operator to which the first SIM card belongs (because the first SIM card is not bound to the user identity), so that identity authentication of the user by that operator core network is prevented and the position information of the user cannot be acquired through a base station. Based on the above considerations, before describing the operation method of the present invention, the ESP encryption security mechanism of IPsec used by the present invention is first described. The ESP encryption mechanism ensures the confidentiality of data by encoding the data, so as to prevent the data from being intercepted during transmission. The ESP protocol defines the application method of encryption and optional authentication, providing reliability guarantees. The mode of operation of IPsec is mainly security encapsulation by means of an ESP header (IPsec Encapsulating Security Payload header).
Referring to fig. 1 in conjunction with fig. 2-3, the operation method of the present invention includes the following steps:
S10, a special gateway is deployed on the wide area network to connect the mobile user and the core network to which the mobile user belongs;
S20, a user end device is made to execute a network connection;
S30, the special gateway is connected through a first SIM card in the user terminal equipment to establish a special IP tunnel in the special gateway;
S40, the second SIM card in the user terminal equipment completes its access and service execution in the core network to which it belongs through the exclusive IP security tunnel.
many aspects of the invention are described in terms of sequences of actions or functions performed by elements of a computer system or other hardware capable of executing programmed instructions in accordance with the above-described methods of operation. It will be recognized that various actions could be performed by specialized circuits, by program instructions being executed by one or more processors, or by a combination of both. Moreover, it is additionally contemplated that the invention may be embodied entirely within any form of computer readable carrier or carrier wave containing an appropriate set of computer instructions that would cause a processor to carry out the techniques described herein.
It is described herein that a secure network tunnel is established between trusted networks over a public wide area network; the trusted networks comprise a plurality of customer premises devices interconnected by a network, typically a local area network (LAN) such as Ethernet, each connected to the public wide area network via its own dedicated gateway. The network tunnel is established over the underlying wide area network. The data transmitted over the tunnel is invisible to the wide area network and is isolated from the traffic of the wide area network by encapsulation. To the wide area network, the traffic within the tunnel appears to be just another traffic flow to traverse. In addition, the data packets carrying the payload between the two networks are encapsulated within packets of the wide area network protocol, along with additional packet identification and security information.
Fig. 2 illustrates an example of a data packet sent over an IPsec-based VPN tunnel such as the tunnel described here. The data packet 210 includes an IP header 211 and a data field 212. The IP header 211 typically contains the data type, packet number, total number of packets transmitted, and the IP addresses of the sender and receiver. In order to keep the contents of the IP header 211 and data field 212 confidential between the sender and receiver, these fields are enclosed within a larger data packet 213 when sent over the wide area network. The data packet 213 includes a new IP header 214 and an Encapsulating Security Payload (ESP) header 215. The new IP header 214 and ESP header 215 are referred to as the outer IP header (216). The original IP header 217 and data field 218 are referred to as the inner IP header (219) of the data packet 213. For additional security protection, the inner IP header 219 and the original data field 212 are typically encrypted by the sending node prior to transmission and then decrypted by the receiving node.
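The packet layout of Fig. 2 as an added, runnable model (not code from the patent): an inner packet (original IP header 217 + data 218) is wrapped in an outer IP header 214 and an ESP header 215, with the inner part encrypted and integrity-protected by AES-128-GCM, so that an on-path observer such as a base station or WAN router sees only the tunnel endpoints and the SPI. The 20-byte IPv4 headers, the key/salt layout, the strictly increasing sequence check and all addresses are constructed assumptions of this model; real SAs are keyed by IKE and use the RFC 4303 replay window.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"net"
)

const (
	ipHdrLen  = 20 // IPv4 header without options
	espHdrLen = 8  // SPI + sequence number (RFC 4303)
	ivLen     = 8  // per-packet IV; a 4-byte salt completes the 12-byte GCM nonce
	protoESP  = 50 // IP protocol number of ESP
)

// ipv4Header returns a 20-byte IPv4 header (checksum left zero in this model).
func ipv4Header(src, dst net.IP, proto uint8, payloadLen int) []byte {
	b := make([]byte, ipHdrLen)
	b[0], b[8], b[9] = 0x45, 64, proto // version 4 + IHL 5, TTL, protocol
	binary.BigEndian.PutUint16(b[2:], uint16(ipHdrLen+payloadLen))
	copy(b[12:16], src.To4())
	copy(b[16:20], dst.To4())
	return b
}

// Tunnel is one ESP security association in this model.
type Tunnel struct {
	aead         cipher.AEAD
	salt         []byte
	spi          uint32
	seq, lastSeq uint32 // sender counter; highest sequence number accepted so far
}

// NewTunnel takes 16 AES-128 key bytes followed by 4 salt bytes (as IKE would derive).
func NewTunnel(key []byte, spi uint32) (*Tunnel, error) {
	if len(key) != 20 {
		return nil, errors.New("need 16 AES key bytes plus 4 salt bytes")
	}
	block, err := aes.NewCipher(key[:16])
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // only fails for non-128-bit block ciphers
	return &Tunnel{aead: aead, salt: key[16:], spi: spi}, nil
}

// Encapsulate wraps the inner packet (original IP header 217 + data 218) in an outer
// header 214 addressed UE<->gateway and an ESP header 215 that doubles as GCM AAD.
func (t *Tunnel) Encapsulate(outerSrc, outerDst net.IP, inner []byte) ([]byte, error) {
	t.seq++
	esp := make([]byte, espHdrLen+ivLen)
	binary.BigEndian.PutUint32(esp, t.spi)
	binary.BigEndian.PutUint32(esp[4:], t.seq)
	if _, err := rand.Read(esp[espHdrLen:]); err != nil {
		return nil, err
	}
	nonce := append(append([]byte{}, t.salt...), esp[espHdrLen:]...)
	payload := append(esp, t.aead.Seal(nil, nonce, inner, esp[:espHdrLen])...)
	return append(ipv4Header(outerSrc, outerDst, protoESP, len(payload)), payload...), nil
}

// WANView is all an on-path node (WAN router or base station) can read:
// the tunnel endpoints and the SPI; inner addresses and data stay opaque.
func WANView(pkt []byte) (src, dst net.IP, spi uint32, err error) {
	if len(pkt) < ipHdrLen+espHdrLen || pkt[0] != 0x45 || pkt[9] != protoESP {
		return nil, nil, 0, errors.New("not an ESP-in-IPv4 packet")
	}
	return net.IP(pkt[12:16]), net.IP(pkt[16:20]), binary.BigEndian.Uint32(pkt[ipHdrLen:]), nil
}

// Decapsulate is the gateway side: match the SPI, reject replays, verify, decrypt.
func (t *Tunnel) Decapsulate(pkt []byte) ([]byte, error) {
	if _, _, spi, err := WANView(pkt); err != nil || spi != t.spi {
		return nil, errors.New("not an ESP packet for this SA")
	}
	esp := pkt[ipHdrLen:]
	if len(esp) < espHdrLen+ivLen+t.aead.Overhead() {
		return nil, errors.New("truncated ESP packet")
	}
	seq := binary.BigEndian.Uint32(esp[4:])
	if seq <= t.lastSeq { // strict increase stands in for the RFC 4303 replay window
		return nil, errors.New("replayed or stale sequence number")
	}
	nonce := append(append([]byte{}, t.salt...), esp[espHdrLen:espHdrLen+ivLen]...)
	inner, err := t.aead.Open(nil, nonce, esp[espHdrLen+ivLen:], esp[:espHdrLen])
	if err != nil {
		return nil, errors.New("ESP integrity check failed")
	}
	t.lastSeq = seq
	return inner, nil
}
```

Calling WANView on an encapsulated packet shows why the user card's addresses never reach the radio access network: only the flow card's outer endpoints are readable, and any modification of the ciphertext or a replayed packet is rejected by the gateway.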
Fig. 3 shows an example of a network configuration that allows a user equipment UE to access a private network through a 3GPP network operator's wireless network using a private gateway. The actual customer premise equipment can access the special gateway through a cellular network of the 3GPP standard (for example, a 2G/3G/4G mobile communication network) or a wireless local area network (for example, IEEE 802.11a/b/g/n) for communication between the second SIM card and the core network to which the second SIM card belongs. In order to prevent unauthorized users from accessing the private gateway for user signaling and traffic transmission through public or operator networks, the private gateway authenticates the user and employs a secure tunnel to exchange data between the end user device and its core network.
In this embodiment, the UE accesses a dedicated gateway deployed in a WAN through the first SIM card to establish a first network tunnel from the UE, performs user identity authentication with the dedicated gateway using a pre-configured key PSK (Pre-Shared Key) or a digital certificate in PKI (Public Key Infrastructure) format, and, once the identity authentication is confirmed, establishes a second network tunnel connected to the dedicated IP security tunnel, so as to complete access and service execution of the second SIM card in the core network to which the second SIM card belongs. IPsec can establish an IPsec security tunnel using either of two authentication modes: pre-configured key PSK and digital certificate PKI. Both entities that use a pre-configured key for authentication to establish the IPsec link must maintain the pair of pre-configured keys, which limits deployment, reduces security and increases the probability of errors. Under large-scale networking conditions, the pre-configured key PSK has the drawbacks of complex configuration and difficult maintenance, so when there are many sites the digital certificate PKI authentication mode can be adopted for reasons of both maintenance and security. The digital certificate (CA) is used to encrypt or decrypt information and data in the network communication of network users, guaranteeing the integrity and safety of the information and data. The basic architecture of the digital certificate (CA) is public key infrastructure (PKI): a pair of keys is used for encryption and decryption, comprising a private key and a public key. The private key is mainly used for signing and decryption, is customized by the user and known only to the user; the public key is used for signature verification and encryption and can be shared with multiple users.
Firstly, the overall architecture configuration of the digital certificate PKI authentication operation is explained, which mainly comprises a CA server, a special gateway and user equipment UE; in the above network elements, the functions related to establishing the IPSec tunnel are as follows:
the special gateway: an IPSec security tunnel is established with the user side equipment, and the security of data transmission between the user side equipment and the core network at the front end is ensured.
The CA server: and responding to the certificate application, certificate updating and key updating requests of the user end equipment, issuing and revoking the certificate to the user end equipment and the special gateway, and providing certificate state inquiry.
User Equipment (UE): applying for a digital certificate from a CA server (user equipment UE accesses to the CA server through a packet service established by a first SIM card and requests to acquire the digital certificate, the mode of accessing the packet service to the CA server can also be other methods, such as wifi access, and the method can also be used), and then establishing a security tunnel with a special gateway:
The first stage of establishing the secure tunnel: negotiate with the special gateway to create an identity-authenticated and security-protected communication channel, the ISAKMP SA, that is, the first network tunnel, a security association of the Internet Key Exchange protocol (IKE SA), through which the special gateway deployed in the wide area network is accessed; the negotiation process of main mode in the first stage comprises an SA exchange, a key exchange and an authentication exchange.
The second stage of establishing the secure tunnel: the first network tunnel (ISAKMP SA) established by the user equipment UE in the first stage is the security service used for IPsec negotiation, that is, a specific SA used to negotiate IPsec, and the second network tunnel (IPsec SA) used for the final secure transmission of IP data is established using the established first network tunnel (ISAKMP SA). In particular, the SA is negotiated via quick mode. Quick mode uses the keys generated in the first stage to verify the integrity and origin of the ISAKMP SA messages and to encrypt the ISAKMP messages, so that the security of the exchange is ensured. In quick mode, both communicating parties negotiate the various parameters of the IPsec SA and derive the keys for data transmission; quick mode completes the establishment of the IPsec SA of both parties through 3 messages:
Message 1: sends the security parameters and identity authentication information of the local end;
Message 2: responds to message 1, sending the security parameters and identity authentication information of the responder and generating a new key;
Message 3: responds to message 2, confirming that communication with the responder is possible and that the negotiation is complete.
That is, the purpose of phase 2 is to establish the IPsec SA for data transmission; accomplishing these services in two phases helps speed up key exchange, and establishes the proprietary IP security tunnel at the private gateway. IPsec identity authentication in CA certificate authentication mode (PKI) is simple to maintain: as the number of parties increases, each only needs to apply to the CA server for a certificate; the security risk is low, different parties use different certificates with different corresponding keys, and so the problems of user information leakage at the operator level (base station + core network) and identity eavesdropping by a pseudo base station are solved.
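The three-message quick mode exchange above, as an added model that is not the patent's own code: both sides already hold the phase-1 keys SKEYID_a (message authentication) and SKEYID_d (key derivation) from the first tunnel, and the HASH(1)/HASH(2)/HASH(3) and KEYMAT formulas follow RFC 2409 section 5.5 without PFS. HMAC-SHA256 as the prf, the SA payload as a plain byte string, the 16-byte nonces and the SPI values are assumptions of this model.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

const protoESP = 50 // protocol id hashed into KEYMAT for an ESP SA

// Phase1Keys is what the first tunnel (ISAKMP SA) leaves behind: SKEYID_d for
// deriving IPsec keys and SKEYID_a for authenticating quick-mode messages.
type Phase1Keys struct{ SKEYIDd, SKEYIDa []byte }

// Msg is one quick-mode message: HASH(n) first, then the payloads (RFC 2409 section 5.5).
type Msg struct {
	MsgID uint32
	Hash  []byte
	SA    []byte // proposed/accepted transform, e.g. "ESP AES-128-GCM"; messages 1 and 2
	SPI   uint32 // sender's inbound SPI; messages 1 and 2
	Nonce []byte // Ni in message 1, Nr in message 2
}

// Peer holds one side's quick-mode state.
type Peer struct {
	keys         Phase1Keys
	msgID        uint32
	spi, peerSPI uint32 // our inbound SPI and the peer's inbound SPI
	sa, ni, nr   []byte
}

func prf(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

func be32(v uint32) []byte {
	b := make([]byte, 4)
	binary.BigEndian.PutUint32(b, v)
	return b
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy: cannot continue safely
	}
	return b
}

// Message1: initiator proposes the SA and sends Ni. HASH(1) = prf(SKEYID_a, M-ID | SA | Ni).
func (p *Peer) Message1(sa []byte) Msg {
	p.msgID, p.sa, p.ni = binary.BigEndian.Uint32(randomBytes(4)), sa, randomBytes(16)
	h := prf(p.keys.SKEYIDa, be32(p.msgID), sa, be32(p.spi), p.ni)
	return Msg{MsgID: p.msgID, Hash: h, SA: sa, SPI: p.spi, Nonce: p.ni}
}

// Message2: responder checks HASH(1), accepts the proposal and answers with Nr.
// HASH(2) = prf(SKEYID_a, M-ID | Ni_b | SA | Nr).
func (p *Peer) Message2(m1 Msg) (Msg, error) {
	want := prf(p.keys.SKEYIDa, be32(m1.MsgID), m1.SA, be32(m1.SPI), m1.Nonce)
	if !hmac.Equal(want, m1.Hash) {
		return Msg{}, errors.New("message 1: HASH(1) mismatch, not from the phase-1 peer")
	}
	p.msgID, p.sa, p.peerSPI, p.ni, p.nr = m1.MsgID, m1.SA, m1.SPI, m1.Nonce, randomBytes(16)
	h := prf(p.keys.SKEYIDa, be32(p.msgID), p.ni, p.sa, be32(p.spi), p.nr)
	return Msg{MsgID: p.msgID, Hash: h, SA: p.sa, SPI: p.spi, Nonce: p.nr}, nil
}

// Message3: initiator checks HASH(2) and confirms. HASH(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b).
func (p *Peer) Message3(m2 Msg) (Msg, error) {
	want := prf(p.keys.SKEYIDa, be32(m2.MsgID), p.ni, m2.SA, be32(m2.SPI), m2.Nonce)
	if m2.MsgID != p.msgID || !hmac.Equal(want, m2.Hash) {
		return Msg{}, errors.New("message 2: HASH(2) mismatch or wrong exchange")
	}
	p.sa, p.peerSPI, p.nr = m2.SA, m2.SPI, m2.Nonce
	h := prf(p.keys.SKEYIDa, []byte{0}, be32(p.msgID), p.ni, p.nr)
	return Msg{MsgID: p.msgID, Hash: h}, nil
}

// Finish: responder checks HASH(3); only now is the IPsec SA usable on both sides.
func (p *Peer) Finish(m3 Msg) error {
	want := prf(p.keys.SKEYIDa, []byte{0}, be32(p.msgID), p.ni, p.nr)
	if m3.MsgID != p.msgID || !hmac.Equal(want, m3.Hash) {
		return errors.New("message 3: HASH(3) mismatch, SA not established")
	}
	return nil
}

// Keys derives KEYMAT per direction: prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b),
// using the inbound SPI of whoever receives that direction's traffic (no PFS here).
func (p *Peer) Keys() (outbound, inbound []byte) {
	return prf(p.keys.SKEYIDd, []byte{protoESP}, be32(p.peerSPI), p.ni, p.nr),
		prf(p.keys.SKEYIDd, []byte{protoESP}, be32(p.spi), p.ni, p.nr)
}
```

Running the exchange between a UE and a gateway peer yields matching directional KEYMAT on both sides, while a party without the phase-1 keys cannot produce a message 1 the gateway accepts, and any change to the accepted SA in message 2 is caught by HASH(2).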
In an exemplary embodiment of the invention, user equipment UE authentication for wireless networks may be implemented based on the Extensible Authentication Protocol (EAP), which is an authentication framework often used for wireless networks and point-to-point connections. Although the EAP framework is not limited to wireless networks and can be used for wired local area network authentication, it is more commonly used in wireless environments; it can also be implemented based on the asymmetric encryption algorithm RSA.
Specifically, according to the operation method of the present invention, in steps S30 to S40, communication with the private gateway network is first established between the first SIM card (user card) in the user equipment UE and the 3GPP network operator's wireless network, or between the user equipment UE and a public wireless network. The identity of the user end equipment UE is then authenticated through an authentication server of the deployed private network. When the UE has been authenticated by the authentication server associated with the private network, a dedicated IP security tunnel is established between the UE and a gateway of the private network, thereby allowing the UE to securely access the private network. A user equipment UE may refer to, for example, any user equipment or consumer electronics device such as a mobile communication device, tablet, pen-phone, etc.; in other words, it may be any user equipment or consumer electronics device that supports a WiFi interface (e.g., an IEEE 802.11 interface) in addition to possibly other cellular interfaces such as LTE or 5G. The customer premises equipment UE mentioned above uses the WiFi interface connection in order to access the Internet and/or the user's operator packet core network and services.
Based on the operation method for realizing the position hiding of the mobile user on the wide area network, only the flow card, and not the user card, can be seen at the level of the wireless access network, and since the flow card is a data card that has no binding relationship with the mobile user, position locating of the mobile user based on the wireless base station is well prevented, position hiding of the mobile terminal user is realized, and at the same time identity stealing by a fake base station is well prevented. The traffic card only carries the communication from the user card to the special gateway over the secure IP tunnel; all other traffic of the traffic card is forbidden, and all information of the user card is IP communication over the secure IP tunnel, so identity stealing by a false base station is well prevented. Because the actual position of the user card bound to the user identity is invisible on the operator network (NAS signaling and payload are encrypted and transmitted over the secure IP tunnel between the terminal and the special gateway, and the special gateway does not feed back the real position information of the user card to the core network to which the user card belongs), leakage of the user identity is well prevented and the function of hiding the real identity is realized.
Referring to fig. 1 in conjunction with fig. 4, the operation method is described. The invention further provides a device for hiding the position of the mobile user based on the wide area network. The apparatus 300 comprises at least one processor unit 310, wherein the processor unit 310 is configured to execute the operation method of the above embodiment; the two independent SIM cards mainly comprise the first SIM card and the second SIM card (320,330), the first SIM card 320 is used for connecting with the special gateway to establish a special IP security tunnel at the special gateway, and the second SIM card 330 is used for completing the access and service execution of the second SIM card in the core network to which the second SIM card belongs through the special IP security tunnel; the processor unit 310 includes an Application Processor (AP) and a Communication Processor (CP) and operates under a single operating system, and the Application Processor (AP) mainly functions to perform operation processing corresponding to an AP software suite under the operating system; a communication module 340 (e.g., baseband circuit and radio frequency circuit, etc.) for providing signaling and service data transmission and reception related to the processor unit 310, the first SIM card 320 and the second SIM card 330; wherein the communication processor is connected to the communication module 340 to process the related data received from the communication module 340 to complete the access of the wireless network and the transceiving of wireless signals.
To supplement the description, the operating system is responsible for the data service communication of the client device 300, and the specific data service communication may include mobile Internet access, SNS (Social Network Service) application access, P2P data communication and the like; the user of the operating system can set personal information such as the user's address book and short messages to be prohibited from access, so that the personal information of the user is prevented from being leaked or attacked by Internet viruses or malicious application programs. In addition, the operating system is also responsible for traditional voice calls and short message communication, and can access the address book and short messages of the user.
In this regard, the first SIM card 320 is used to provide a command message for establishing the dedicated IP tunnel; the second SIM card 330 is used to provide the authorized user identity of the core network; the communication module 340 is used for performing data services and signaling through the operating system according to the operation of the first SIM card 320 and the second SIM card 330.
According to an embodiment of the present invention, the ue 300 further includes a key processing module 350, such as an encryption T-card including a microprocessor, an encryption/decryption algorithm and an internal memory, which is mainly used for process management for establishing the dedicated IP security tunnel and related key data storage, encryption and decryption calculation processing. Further, the functional division between the AP software suite and the T card may be performed according to actual situations, for example, the protocol (NAS) implementation is performed, the secure tunnel implementation is all put in the T card, and the AP software suite is only adapted to the commercial terminal, or only the secure tunnel implementation is put in the T card.
According to an embodiment of the invention, the communication module 340 supports 2G/3G/4G, WI-FI, Bluetooth and NFC near field communication.
According to an embodiment of the present invention, the processor unit UE runs in a single operating system, and the operating system is an iOS, Android, or Windows operating system.
The client device of the present invention may take the form of a computer program product embodied in one or more computer-readable media having computer-readable program code embodied therein. Any combination of one or more computer-readable media may be used. The user end equipment of the invention mainly refers to mobile phone terminal equipment.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's cell phone terminal device through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external cell phone terminal device (for example, through the WAN using a wide area network service provider).
These computer program instructions may also be stored in a computer-readable medium that can direct a computer or other programmable data processing apparatus or other devices to function in a particular manner, such that the instructions stored in the computer-readable medium produce an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks. The computer program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the handset terminal device, other programmable apparatus or other devices to produce a handset terminal device implemented process such that the instructions which execute on the handset terminal device or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
The invention relates to a user end device based on a wide area network secure link and an operating method thereof, which differ from the conventional mode of operation. In the conventional mode, each newly added function is distributed to the corresponding processing core: for example, the NAS protocol function is implemented in the communication processor, the secure IP tunnel is established in the application processor, and the security encryption function is implemented in software or in an independent hardware processor. Importing the function into each new user end device therefore requires modifying the implementation in every processor; for the communication processor in particular there is basically no way to import it as an independently loadable module, so the development, debugging and testing cycle of the user end device is very long. In the configuration of the user end device of the invention, all functions are integrated in an AP software suite and an encryption T-card, and when a terminal imports the functions it only needs to perform a small amount of interface adaptation to the software run by the AP processor. The identity hiding function is thus accomplished in a centralized fashion within this newly added two-part component. The division of functions between the two components (the software run by the AP processor and the T-card) can be adjusted according to the actual situation: for example, both the protocol (NAS) implementation and the secure tunnel implementation are placed in the T-card and the software run by the AP processor only adapts to a commercial terminal, or only the secure tunnel implementation is placed in the T-card while the remaining terminal adaptation and protocol implementation are placed in the software run by the AP processor.
To sum up, the user end device based on the wide area network secure link and its operating method provided by the present invention have the following features:
1. The first SIM card used to establish the secure IP tunnel to the dedicated gateway is a data card with no binding relationship to the mobile user, so positioning of the mobile user by wireless base station is well prevented, the location of the mobile terminal user is hidden, and identity theft by a pseudo base station is also well prevented.
2. The first SIM card only carries the second SIM card's communication to the dedicated gateway over the secure IP tunnel; all other services of the first SIM card are completely disabled, and all information of the second SIM card is IP communication carried over the secure IP tunnel, so identity theft by a pseudo base station is well prevented.
3. Because the actual location of the second SIM card, which is bound to the user identity, is invisible on the operator network (its NAS signaling and payload are encrypted and transmitted over the secure IP tunnel between the terminal and the dedicated gateway, and the dedicated gateway cannot feed back the real location information of the user card to the core network to which it belongs), leakage of the user identity is well prevented and the function of hiding the real identity is achieved.
4. The location hiding function is integrated in an AP software suite and an encryption T-card (or another card with a microprocessor), so each terminal manufacturer can import the location hiding function quickly.
The foregoing description shows and describes several preferred embodiments of the invention, but, as stated above, it is to be understood that the invention is not limited to the forms disclosed herein and is not to be construed as excluding other embodiments; it is capable of use in various other combinations, modifications and environments and of changes within the scope of the inventive concept as expressed herein, commensurate with the above teachings or with the skill or knowledge of the relevant art. Modifications and variations may be effected by those skilled in the art without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (11)

1. An operation method for hiding the position of a mobile user based on a wide area network is characterized by comprising the following steps:
deploying a special gateway on the wide area network to connect the mobile user and a core network to which the mobile user belongs;
making a user terminal device execute network connection;
connecting to the dedicated gateway through a first SIM card in the user terminal equipment so as to establish a dedicated IP security tunnel at the dedicated gateway;
and completing, by a second SIM card in the user terminal equipment, access to and service execution in the core network to which the second SIM card belongs through the dedicated IP security tunnel.
2. The wide area network-based operation method for hiding the location of a mobile subscriber according to claim 1, wherein the user end device connects to the dedicated gateway deployed on the wide area network through the first SIM card and establishes a first network tunnel for the user end device, performs subscriber identity authentication with the dedicated gateway through a digital certificate (PKI) or a pre-configured key (PSK), and after the identity authentication is confirmed establishes a second network tunnel connecting to the dedicated IP security tunnel, so as to complete access and service execution of the second SIM card on the core network to which the second SIM card belongs.
3. The method of claim 2, wherein the first network tunnel and the second network tunnel are established according to a user security certificate associated with the user end device, and data is allowed to be securely exchanged between the user end device and the network of the dedicated gateway through the first network tunnel and the second network tunnel.
4. The method of claim 2, wherein the first network tunnel and the second network tunnel are IPsec tunnels.
5. The method of claim 2, wherein the first network tunnel and the second network tunnel are established using the extensible authentication protocol (EAP).
6. The wide area network-based operation method for implementing location hiding of a mobile subscriber according to claim 2, wherein said first network tunnel and said second network tunnel are established using the asymmetric encryption algorithm RSA.
7. The wide area network-based operation method for hiding the location of a mobile subscriber according to claim 2, wherein said authentication server authenticates that said user end device has a public-private key exchange relationship.
8. The wide area network-based operation method for implementing location hiding of mobile subscribers of claim 7, wherein authentication and data encryption by said authentication server apply to data packets associated with said user end device.
9. An apparatus for implementing location hiding of a mobile subscriber over a wide area network, the apparatus comprising a processor unit, the first SIM card, the second SIM card, a communication module, and a key processing module, the processor unit having instructions for performing the method according to any one of claims 1 to 7;
wherein the first SIM card is used for establishing a dedicated IP security tunnel at the dedicated gateway;
the second SIM card is used for providing access and service execution to the core network based on the IP security tunnel;
the communication module is used for providing related signaling and service data sending and receiving of the processor unit, the first SIM card and the second SIM card;
the key processing module is used for providing the related key data storage and the encryption and decryption computation for establishing the dedicated IP security tunnel.
10. The user end device based on the secure link over the wide area network of claim 6, wherein the processor unit comprises an application processor and a communication processor, the application processor is configured to execute the user's service requirements, and the communication processor is connected to the communication module to process the related data received from the communication module so as to perform wireless network access and wireless signal transceiving.
11. The user end device based on the secure link over the wide area network as claimed in claim 9, wherein the key processing module is an encryption T-card having a microprocessor, an encryption/decryption algorithm and an internal memory for storing the related key data for establishing the dedicated IP security tunnel and performing the encryption and decryption computations.
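The two-SIM, two-tunnel arrangement described above and in claims 1 to 8 can be checked in a small model. The following Python is an added example written for this page, not the patent's or the assignee's code. It stands in an HMAC-SHA256 pre-shared-key proof for the PSK identity authentication of claim 2 and an HMAC-derived keystream with encrypt-then-MAC for the IPsec tunnel of claim 4; all identifiers (the two IMSIs, the cell id, the gateway address, the PSK) and the NAS message are constructed sample values. What it shows is which identifier each observer can read: the radio side sees only the first SIM card and the serving cell, the core network sees only the second SIM card with the gateway as source, and a peer that does not hold the PSK never gets a second tunnel.

```python
import hashlib
import hmac
import os

# Constructed sample identifiers; none of these come from the patent.
SIM1_IMSI = "460000000000001"      # anonymous data card, no binding to the user
SIM2_IMSI = "460019999999999"      # subscriber card bound to the user's identity
CELL_ID = "cell-0x1A2B"            # serving base station, visible on the radio side
GATEWAY_ADDR = "gw.example"        # dedicated gateway on the wide area network
PSK = b"constructed-pre-shared-key"


def _prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256; a stand-in for an ESP cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += _prf(key, nonce + ctr.to_bytes(4, "big"))
        ctr += 1
    return out[:n]


def seal(session_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with separate keys split from the session key."""
    k_enc, k_mac = _prf(session_key, b"enc"), _prf(session_key, b"mac")
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    return nonce + ct + _prf(k_mac, nonce + ct)


def open_sealed(session_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; any tampering is rejected."""
    k_enc, k_mac = _prf(session_key, b"enc"), _prf(session_key, b"mac")
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(k_mac, nonce + ct)):
        raise ValueError("tunnel integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct))))


def psk_authenticate(psk: bytes, ue_nonce: bytes, gw_nonce: bytes):
    """Claim 2's PSK identity check: the proof binds both nonces, and only a
    peer holding the PSK derives the key that protects the second tunnel."""
    proof = _prf(psk, b"auth|" + ue_nonce + gw_nonce)
    session_key = _prf(psk, b"tunnel2|" + ue_nonce + gw_nonce)
    return proof, session_key


def ue_build_frame(session_key: bytes, nas_message: bytes, payload: bytes) -> dict:
    """What leaves the handset: SIM1's identity in the clear, SIM2's NAS
    signalling and payload only inside the sealed inner frame."""
    inner = b"IMSI=" + SIM2_IMSI.encode() + b"|NAS=" + nas_message + b"|PAYLOAD=" + payload
    return {"radio_imsi": SIM1_IMSI, "cell": CELL_ID, "tunnel_peer": GATEWAY_ADDR,
            "sealed": seal(session_key, inner)}


def gateway_forward(session_key: bytes, frame: dict) -> dict:
    """The dedicated gateway terminates the tunnel and hands SIM2's traffic to
    its home core network with the gateway, not the cell, as the source."""
    inner = open_sealed(session_key, frame["sealed"])
    fields = dict(part.split(b"=", 1) for part in inner.split(b"|"))
    return {"source": GATEWAY_ADDR, "imsi": fields[b"IMSI"].decode(),
            "nas": fields[b"NAS"], "payload": fields[b"PAYLOAD"]}


def identifiers_visible(view: dict) -> set:
    """Which of the three identifiers appear in the clear in a given view."""
    blob = b"".join(v if isinstance(v, bytes) else str(v).encode() for v in view.values())
    return {name for name, val in (("SIM1", SIM1_IMSI), ("SIM2", SIM2_IMSI), ("CELL", CELL_ID))
            if val.encode() in blob}


def run_session(psk_on_ue: bytes = PSK, psk_on_gateway: bytes = PSK):
    """One attach over the two tunnels; returns what the radio side and the
    core network can each read, or None if the gateway rejects the peer."""
    ue_nonce, gw_nonce = os.urandom(16), os.urandom(16)
    proof, ue_key = psk_authenticate(psk_on_ue, ue_nonce, gw_nonce)
    expected, gw_key = psk_authenticate(psk_on_gateway, ue_nonce, gw_nonce)
    if not hmac.compare_digest(proof, expected):
        return None  # gateway refuses to open the second tunnel
    frame = ue_build_frame(ue_key, b"ATTACH_REQUEST", b"hello core")
    return {"radio": identifiers_visible(frame),
            "core": identifiers_visible(gateway_forward(gw_key, frame))}


if __name__ == "__main__":
    print(run_session())
    print(run_session(psk_on_ue=b"wrong-key"))
```

`run_session()` returns the two views, and a sealed frame altered in transit makes `open_sealed` raise `ValueError` at the gateway, which is the integrity property a real ESP tunnel enforces. The HMAC keystream is only there so the layering runs offline with the standard library; a deployment would use IKEv2 with IPsec and vetted AEAD ciphers, as claim 4 assumes.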
CN202010244179.0A 2020-03-31 2020-03-31 Operation method and device for hiding position of mobile user based on wide area network Pending CN113473475A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010244179.0A CN113473475A (en) 2020-03-31 2020-03-31 Operation method and device for hiding position of mobile user based on wide area network

Publications (1)

Publication Number Publication Date
CN113473475A true CN113473475A (en) 2021-10-01

Family

ID=77865431

Country Status (1)

Country Link
CN (1) CN113473475A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1604485A1 (en) * 2003-03-19 2005-12-14 Way Systems, Inc. System and method for mobile transactions using the bearer independent protocol
CN101990199A (en) * 2009-08-04 2011-03-23 联发科技股份有限公司 Method for handling data transmission by a mobile station and system utilizing the same
US20180110081A1 (en) * 2016-10-14 2018-04-19 Telefonica Digital Espana Method and system for a mobile communication device to access through a second mobile telecommunication network to services offered by a first mobile telecommunication network
US20190098487A1 (en) * 2017-09-28 2019-03-28 Apple Inc. Methods and apparatus for accessing services of multiple wireless networks via a single radio access network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination