WO2017193889A1 - Terminal access method and device - Google Patents

Info

Publication number: WO2017193889A1
Authority: WO (WIPO, PCT)
Prior art keywords: base station, information, authentication, terminal, response information
Application number: PCT/CN2017/083470
Other languages: French (fr), Chinese (zh)
Inventor: 余万涛
Original assignee: 中兴通讯股份有限公司

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/08 Access security
    • H04W12/12 Detection or prevention of fraud

Definitions

  • This document relates to the field of terminal access technologies, and in particular, to a terminal access method and apparatus.
  • the EGPRS security architecture adopts a one-way authentication mode.
  • the authentication and key negotiation process needs to forward authentication information through the base station.
  • when attaching to the network, the Cellular Internet of Things (CIoT) terminal device first transmits its user identity information to the base station, and then receives the authentication and key negotiation challenge information forwarded by the base station. The CIoT terminal device generates a session key and authentication response information according to the authentication information, and transmits the authentication response information to the base station. In this process, the CIoT device does not need to determine whether the base station is a legitimate base station or a malicious base station.
  • CIoT: Cellular Internet of Things (Cellular IoT)
  • the present invention provides a terminal access method and apparatus to improve the security of terminal access.
  • a terminal access method includes: the terminal sends the user identity information to the base station; the terminal receives the authentication challenge information and the base station response information sent by the base station; the terminal detects the base station response information, and when the detection passes, the terminal accesses the base station according to the authentication challenge information.
  • the step of detecting, by the terminal, the base station response information includes at least one of the following manners. Mode 1-1: in the case that the carried content of the base station response information includes base station identity information, the terminal acquires the base station identity information corresponding to the base station response information and determines whether it is consistent with the base station identity information detected by the terminal; if not, the detection fails; if so, the detection passes. Mode 1-2: in the case that the carried content of the base station response information includes a base station authentication result, the terminal acquires the base station authentication result corresponding to the base station response information; if the base station authentication result indicates that the base station is an illegal base station, the detection fails; if it indicates that the base station is a legal base station, the detection passes. In either mode, the terminal acquires session key information through the authentication challenge information and obtains the carried content of the base station response information by using the session key information.
  • the step of obtaining the carried content of the base station response information by using the session key information comprises: when the session key information includes an encryption key Ck, the terminal performs a third processing on the base station response information by using Ck to obtain the carried content of the base station response information; when the session key information includes the encryption key Ck and an integrity protection key Ik, the terminal performs a fourth processing on the base station response information by using Ik, and then performs the third processing on the result of the fourth processing by using Ck to obtain the carried content of the base station response information.
  • the first processing refers to the processing that the authentication center performs on the carried content of the base station response information by using the encryption key Ck to obtain the base station response information; the second processing refers to the processing that the authentication center performs, by using the integrity protection key Ik, on the result of the first processing to obtain the base station response information; the third processing is the inverse process corresponding to the first processing, and the fourth processing is the inverse process corresponding to the second processing.
  • a terminal access method includes: an authentication center receives base station identity information and user identity information sent by a base station; the authentication center authenticates the base station according to the base station identity information and authenticates the terminal according to the user identity information; when the authentication of the terminal passes, the authentication center generates corresponding authentication information and sends the authentication information to the base station.
  • the method further includes: performing the step of generating the corresponding authentication information only in the case that the authentication of the base station passes; in the case that the authentication of the base station fails, terminating the access process of the terminal.
  • the method further includes one of the following modes. Mode 2-1: in the case that the authentication of the base station passes, performing the step of generating the authentication information, generating base station response information, and sending the base station response information to the base station; in the case that the authentication of the base station fails, terminating the access process of the terminal. Mode 2-2: generating base station response information and sending it to the base station, where the base station response information is set according to the authentication result of the base station.
  • the authentication information includes authentication challenge information, session key information, and authentication response information; in the case of mode 2-1, the carried content of the base station response information includes base station identity information; in the case of mode 2-2, the carried content of the base station response information includes base station identity information and a base station authentication result, where the base station authentication result includes identifier information indicating that the base station is illegal or legal; and generating the base station response information includes: processing the carried content of the base station response information by using the session key information to obtain the corresponding base station response information.
  • processing the carried content of the base station response information by using the session key information includes: in the case that the session key information generated by the authentication center includes the encryption key Ck, the authentication center performs the first processing on the carried content of the base station response information by using Ck to obtain the corresponding base station response information; or, in the case that the session key information generated by the authentication center includes the encryption key Ck and the integrity protection key Ik, the authentication center first performs the first processing on the carried content by using Ck, and then performs the second processing on the result of the first processing by using Ik, thereby obtaining the base station response information corresponding to the carried content.
  • a terminal access method includes: the base station receives the user identity information sent by the terminal; the base station sends the base station identity information and the user identity information to the authentication center; the base station receives the authentication information sent by the authentication center; and the base station sends the authentication challenge information in the authentication information to the terminal.
  • the method further includes: the base station receives the base station response information sent by the authentication center, and the base station sends the base station response information to the terminal.
  • a terminal access device is disposed on a terminal, where the device includes a first sending unit, a first receiving unit, a detecting unit, and an access unit; the first sending unit is configured to send user identity information to the base station;
  • the first receiving unit is configured to receive the authentication challenge information and the base station response information sent by the base station;
  • the detecting unit is configured to detect the base station response information;
  • the access unit is configured to access the base station according to the authentication challenge information when the detection passes.
  • the detecting unit comprises at least one of a first detecting module and a second detecting module. The first detecting module is configured to: in the case that the carried content of the base station response information includes base station identity information, acquire the base station identity information corresponding to the base station response information, and determine whether it is consistent with the base station identity information detected by the terminal; if not, the detection fails; if so, the detection passes.
  • the second detecting module is configured to: in the case that the carried content of the base station response information includes a base station authentication result, acquire the base station authentication result corresponding to the base station response information; if the result indicates an illegal base station, the detection fails; if the result indicates a legal base station, the detection passes. The first detecting module and/or the second detecting module acquire the session key information through the authentication challenge information, and obtain the carried content of the base station response information by using the session key information.
  • the first detecting module and/or the second detecting module are configured to obtain the carried content of the base station response information by using the session key information as follows: in the case that the session key information includes the encryption key Ck, perform the third processing on the base station response information by using Ck to obtain the carried content; in the case that the session key information includes the encryption key Ck and the integrity protection key Ik, perform the fourth processing on the base station response information by using Ik, and then perform the third processing on the result of the fourth processing by using Ck to obtain the carried content.
  • a terminal access device is disposed at an authentication center, where the device includes a second receiving unit, an authentication unit, and a processing unit, where the second receiving unit is configured to: receive base station identity information and user identity information sent by the base station
  • the authentication unit is configured to: authenticate the base station according to the identity information of the base station, and authenticate the terminal according to the user identity information
  • the processing unit is configured to: generate corresponding authentication information when the authentication of the terminal passes, and send the authentication information to the base station.
  • the processing unit includes a first processing module, configured to: perform the generation of the corresponding authentication information when the authentication of the base station passes; and terminate the access process of the terminal if the authentication of the base station fails.
  • the processing unit includes either a second processing module or a third processing module. The second processing module is configured to: when the authentication of the base station passes, perform the generation of the authentication information, generate base station response information, and send the base station response information to the base station; and terminate the access process of the terminal if the authentication of the base station fails. The third processing module is configured to: generate base station response information and send it to the base station, where the base station response information is set according to the authentication result of the base station.
  • the authentication information includes authentication challenge information, session key information, and authentication response information;
  • the carrying content of the base station response information generated by the second processing module includes base station identity information;
  • the carried content of the base station response information generated by the third processing module includes the base station identity information and the base station authentication result, where the base station authentication result includes identifier information indicating that the base station is illegal or legal;
  • the second processing module and/or the third processing module are configured to generate the base station response information in the following manner: the carried content of the base station response information is processed by the session key information to obtain the corresponding base station response information.
  • the second processing module and/or the third processing module are configured to process the carried content of the base station response information by the session key information as follows: in the case that the session key information generated by the authentication center includes the encryption key Ck, the authentication center performs the first processing on the carried content by using Ck to obtain the corresponding base station response information; or, in the case that the session key information includes the encryption key Ck and the integrity protection key Ik, the authentication center first performs the first processing on the carried content by using Ck, and then performs the second processing on the result of the first processing by using Ik, thereby obtaining the base station response information corresponding to the carried content.
  • a terminal access device is disposed at a base station, where the device includes a third receiving unit and a third sending unit; the third receiving unit is configured to receive the user identity information sent by the terminal; the third sending unit is configured to send the base station identity information and the user identity information to the authentication center; the third receiving unit is further configured to receive the authentication information sent by the authentication center; and the third sending unit is further configured to send the authentication challenge information in the authentication information to the terminal.
  • the third receiving unit is further configured to: receive base station response information sent by the authentication center; the third sending unit is further configured to: send the base station response information to the terminal.
  • the technical solution provided by the present invention includes: the terminal sends the user identity information to the base station; the terminal receives the authentication challenge information and the base station response information sent by the base station; the terminal detects the base station response information, and when the detection passes, the terminal accesses the base station according to the authentication challenge information.
  • the authentication center authenticates the base station to which the terminal is attaching; the authentication center may decide whether to terminate the access process according to the authentication result of the base station, or the authentication center may send the authentication result of the base station to the terminal and let the terminal decide whether to connect to the base station.
  • this prevents a malicious base station from diverting the terminal's connection from a legal base station to itself by means of spoofing, thereby improving the security of the terminal when accessing the base station.
  • FIG. 1A and FIG. 1B are flowcharts of a method for accessing a terminal according to an embodiment of the present invention.
  • FIG. 2 is a flowchart of another terminal access method according to an embodiment of the present invention.
  • FIG. 3 is a flowchart of still another terminal access method according to an embodiment of the present invention.
  • FIG. 4 is a schematic structural diagram of a terminal access device according to an embodiment of the present disclosure.
  • FIG. 5 is a schematic structural diagram of another terminal access device according to an embodiment of the present disclosure.
  • FIG. 6 is a schematic structural diagram of still another terminal access device according to an embodiment of the present invention.
  • an embodiment of the present invention provides a terminal access method, where the method includes:
  • Step 110 The terminal sends the user identity information IMSI to the base station.
  • Step 120 The base station sends the base station identity information and the user identity information IMSI to the authentication center.
  • Step 130 The authentication center authenticates the base station.
  • Step 140 If the authentication of the base station fails, the access procedure is terminated.
  • the authentication center also authenticates the terminal; if the authentication of the terminal fails, the access process, that is, the attach process, is also terminated.
  • the method further includes:
  • Step 150 In the case that the authentication of the base station and the terminal is passed by the authentication center, the authentication center generates the authentication information corresponding to the terminal;
  • the authentication information includes authentication challenge information, session key information, and authentication response information.
  • the session key information includes an encryption key Ck, or the session key information includes an encryption key Ck and an integrity protection key Ik.
  • Step 160 The authentication center sends the authentication information to the base station.
  • Step 170 The base station sends the authentication challenge information in the authentication information to the terminal.
  • the base station obtains the session key information and the authentication response information in the authentication information, and the base station compares the obtained authentication response information with the authentication response information sent by the terminal to complete the authentication of the terminal.
  • the base station performs secure communication with the terminal according to the session key information acquired in the authentication information.
  • Step 180 The terminal receives the authentication challenge information sent by the base station, and generates session key information and authentication response information according to the authentication challenge information.
  • Step 190 The terminal accesses the base station according to the authentication response information.
  • the terminal sends the generated authentication response information to the base station, and the base station compares the authentication response information obtained from the authentication information with the authentication response information sent by the terminal, and allows the terminal to access the base station if the comparison is consistent. After the terminal successfully accesses, the terminal performs secure communication with the base station through the session key information generated according to the authentication challenge information.
  • an embodiment of the present invention further provides another terminal access method, where the method includes:
  • Step 210 The terminal sends the user identity information IMSI to the base station.
  • Step 220 The base station sends the base station identity information and the user identity information IMSI to the authentication center.
  • the step 220 may include: the base station transmitting the base station identity information and the user identity information IMSI to the SGSN; the SGSN forwarding the received base station identity information and the user identity information IMSI to the authentication center;
  • Step 230 The authentication center authenticates the base station and the terminal; in the case that the authentication passes, the authentication center generates the base station response information and the authentication information; if the authentication fails, the attachment process is terminated.
  • the authentication center authenticating the base station and the terminal and, when the authentication passes, generating the base station response information and the authentication information includes: the authentication center authenticates the base station, and when the authentication passes, the authentication center generates the base station response information;
  • the authentication center authenticates the terminal; when the authentication is passed, the authentication center generates authentication information corresponding to the terminal.
  • the authentication of the base station and the authentication of the terminal can be performed separately.
  • the step 230 specifically includes:
  • Step 231 The authentication center verifies the identity information of the base station, and if the verification passes, step 232 is performed; otherwise, the attach process is terminated.
  • Step 232 In the case that both the base station and the terminal are authenticated, the authentication center generates the authentication information and the base station response information.
  • the authentication center generates authentication information according to the user identity information
  • the generated authentication information includes: authentication challenge information, session key information, and authentication response information;
  • the session key information includes the encryption key Ck
  • the generating, by the authentication center, the base station response information includes: the authentication center performing the first processing on the base station identity information by using the encryption key Ck to obtain the corresponding base station response information; in one or more embodiments, the first processing refers to the encryption process.
  • the session key information includes the encryption key Ck and the integrity protection key Ik
  • generating the base station response information by the authentication center includes: the authentication center first performs the first processing on the base station identity information by using the encryption key Ck, and then performs the second processing on the result of the first processing, that is, the ciphertext of the base station identity information, by using the integrity protection key Ik, thereby obtaining the base station response information corresponding to the base station identity information.
  • the second process refers to processing the message with an integrity key to calculate integrity information of the message.
  • Step 240 The authentication center sends the authentication information and the base station response information to the base station.
  • Step 240 may include: the authentication center sends the authentication information and the base station response information to the SGSN; the SGSN forwards the received authentication information and the base station response information to the base station.
  • Step 250 The base station sends the received base station response information and the authentication challenge information in the authentication information to the terminal.
  • Step 260 The terminal acquires, according to the received authentication challenge information and the base station response information, the base station identity information corresponding to the base station response information.
  • the terminal acquires session key information by using the authentication challenge information; when the session key information includes an encryption key Ck, the terminal performs the third process on the base station response information by using Ck to obtain the base station identity information corresponding to the base station response information, where the third process is the inverse process corresponding to the first process, that is, a decryption process.
  • when the session key information includes an encryption key Ck and an integrity protection key Ik, the terminal performs a fourth process on the base station response information by using Ik, and then performs the third process on the result of the fourth process by using Ck to obtain the base station identity information corresponding to the base station response information; the third process is the inverse process corresponding to the first process, and the fourth process is the inverse process corresponding to the second process.
  • Step 270 The terminal determines whether the identity information of the base station corresponding to the base station response information is consistent with the identity information of the base station detected by the terminal; if not, the terminal terminates the attach process; if yes, step 280 is performed.
  • Step 280 If the judgment result is consistent, the terminal accesses the base station.
  • the terminal generates the authentication response information according to the authentication challenge information and sends the generated authentication response information to the base station; the base station compares the authentication response information obtained from the authentication information with the authentication response information sent by the terminal, and if the comparison is consistent, allows the terminal to access the base station. After the terminal successfully accesses, the base station performs secure communication with the terminal through the session key information generated according to the authentication challenge information.
  • the terminal determines whether to terminate the attachment according to the received base station response information.
  • the terminal is a CIoT terminal device.
  • suppose a legal base station A1 and an illegal base station X1 are in close proximity. The legal base station A1 acquires the authentication information and the base station response information corresponding to the terminal from the authentication center, and the illegal base station X1 intercepts them.
  • in the existing scheme, the authentication information and the base station response information acquired by the legal base station A1 are sent to the terminal by the illegal base station X1, and after receiving them from X1, the terminal accesses the illegal base station X1.
  • with the terminal access method of the embodiment of the present invention, after receiving the authentication information and the base station response information sent by the illegal base station X1, the terminal determines whether the base station identity information corresponding to the base station response information is consistent with the base station identity information detected by the terminal.
  • the base station identity information corresponding to the base station response information is that of the legal base station A1, whereas the base station identity information detected by the terminal is that of the illegal base station X1, so the two are inconsistent. Therefore, the terminal terminates the attach process to the illegal base station X1.
  • an embodiment of the present invention further provides another terminal access method, where the method includes:
  • Step 310 The terminal sends the user identity information IMSI to the base station.
  • Step 320 The base station sends the base station identity information and the user identity information IMSI to the authentication center.
  • the step 320 may include: the base station transmitting the base station identity information and the user identity information IMSI to the SGSN; the SGSN forwarding the received base station identity information and the user identity information IMSI to the authentication center;
  • Step 330 The authentication center authenticates the base station and the terminal.
  • when the authentication of the terminal passes, the authentication center generates the base station response information and the authentication information, and sets the base station response information according to the authentication result of the base station; when the authentication of the terminal fails, the attach process is terminated.
  • the authentication center authenticates the base station and the terminal; in the case that the terminal authentication passes, the authentication center generates the base station response information and the authentication information, including: the authentication center authenticates the terminal; and when the authentication of the terminal passes, The authentication center generates the authentication information corresponding to the terminal, and the authentication center authenticates the base station; and according to the base station authentication result, sets the corresponding base station response information.
  • the authentication of the base station and the authentication of the terminal can be performed separately.
  • step 330 specifically includes:
  • Step 331 The authentication center authenticates the terminal.
  • Step 332 In the case that the authentication of the terminal is passed, the authentication center generates the authentication information corresponding to the terminal, and generates corresponding base station response information according to the authentication result of the identity information of the base station.
  • the authentication center generates authentication information according to the user identity information
  • the generated authentication information includes: authentication challenge information, session key information, and authentication response information;
  • the base station response information includes base station identity information and base station authentication result
  • the base station authentication result may be identifier information used to indicate that the base station is illegal or legal;
  • if the authentication of the base station passes, the base station authentication result carries identifier information indicating that the base station is legal; if the authentication of the base station fails, the base station authentication result carries identifier information indicating that the base station is illegal.
  • the authentication center performs the first processing on the base station identity information and the base station authentication result by using the encryption key Ck to obtain corresponding base station response information;
  • the authentication center first performs the first processing on the base station identity information and the base station authentication result by using the encryption key Ck, and then performs a second processing on the result of the first processing by using the integrity protection key Ik, thereby obtaining the corresponding base station response information.
  • Step 340 The authentication center sends the authentication information and the base station response information to the base station.
  • the step 340 may specifically include: the authentication center sends the authentication information and the base station response information to the SGSN; and the SGSN forwards the received authentication information and base station response information to the base station.
  • Step 350 The base station sends the received base station response information and the authentication challenge information in the authentication information to the terminal.
  • Step 360 The terminal acquires the base station authentication result carried in the base station response information according to the received authentication challenge information and the base station response information.
  • when the session key information includes the encryption key Ck: the terminal acquires the session key information by using the authentication challenge information, and performs the third processing on the base station response information by using the encryption key Ck to obtain the base station identity information and the base station authentication result corresponding to the base station response information; wherein the third processing is the inverse processing corresponding to the first processing.
  • when the session key information includes the encryption key Ck and the integrity protection key Ik: the terminal acquires the session key information by using the authentication challenge information, performs the fourth processing on the base station response information by using the integrity protection key Ik, and then performs the third processing on the result of the fourth processing by using the encryption key Ck; wherein the fourth processing is the inverse processing corresponding to the second processing.
  • Step 370 The terminal detects the base station authentication result. If the base station authentication result is an illegal base station, the terminal terminates the attach process. If the base station authentication result is a legal base station, step 380 is performed.
  • Step 380 When the base station authentication result is a legal base station, the terminal accesses the base station.
  • the terminal generates the authentication response information according to the authentication challenge information and sends the generated authentication response information to the base station; the base station compares the authentication response information obtained from the authentication information with the authentication response information sent by the terminal, and if they match, the terminal is allowed to access the base station. After the terminal successfully accesses, the base station communicates securely with the terminal by using the session key information generated according to the authentication challenge information.
  • the terminal determines whether to terminate the attachment according to the received base station authentication result information.
  • the processing of the authentication center in each of the above embodiments is described below by means of Table 1.
  • in Table 1, an authentication result of 1 indicates that the authentication passed, and 0 indicates that the authentication failed.
  • the cases in which the terminal authentication and the base station authentication do not pass lead to termination of the access process and are not shown in Table 1.
  • Table 1 Schematic diagram of the authentication center performing different processing procedures based on the authentication result
  • a terminal access device which is disposed on a terminal.
  • a terminal access device includes:
  • the first sending unit 10 is configured to: send user identity information to the base station;
  • the first receiving unit 20 is configured to: receive the authentication challenge information and the base station response information that are sent by the base station;
  • the detecting unit 30 is configured to: detect the base station response information
  • the access unit 40 is configured to: when the detection passes, access to the base station according to the authentication challenge information.
  • the detecting unit 30 includes at least one of the following modules:
  • the first detecting module is configured to: when the carried content of the base station response information includes the identity information of the base station, acquire the identity information of the base station corresponding to the base station response information, and determine whether it is consistent with the base station identity information detected by the terminal; if not, the detection of the base station response information fails; if so, the detection passes;
  • the second detecting module is configured to: when the carried content of the base station response information includes the base station authentication result, acquire the base station authentication result corresponding to the base station response information; if the base station authentication result indicates an illegal base station, the detection of the base station response information fails; if the base station authentication result indicates a legal base station, the detection passes.
  • the first detecting module and/or the second detecting module acquires session key information by using the authentication challenge information, and obtains the carried content of the base station response information by using the session key information.
  • obtaining the carried content of the base station response information by using the session key information depends on what the session key information includes:
  • when the session key information includes the encryption key Ck, the base station response information is subjected to the third processing by using the encryption key Ck, and the carried content of the base station response information is obtained; wherein the third processing is the inverse processing corresponding to the first processing;
  • when the session key information includes the encryption key Ck and the integrity protection key Ik, the base station response information is subjected to the fourth processing by using the integrity protection key Ik, and the third processing is then performed on the result of the fourth processing by using the encryption key Ck to obtain the carried content of the base station response information; wherein the third processing is the inverse processing corresponding to the first processing, and the fourth processing is the inverse processing corresponding to the second processing;
  • the first processing refers to the processing that the authentication center applies to the base station identity information or the base station authentication result by using the encryption key Ck in order to obtain the base station response information; the second processing refers to the processing that the authentication center applies to the result of the first processing by using the integrity protection key Ik in order to obtain the base station response information.
  • a terminal access device which is disposed on an authentication center.
  • a terminal access device includes:
  • the second receiving unit 50 is configured to: receive base station identity information and user identity information sent by the base station;
  • the authentication unit 60 is configured to: perform authentication on the base station according to the identity information of the base station, and authenticate the terminal according to the identity information of the user;
  • the processing unit 70 is configured to generate corresponding authentication information when the authentication of the terminal passes, and send the authentication information to the base station.
  • the processing unit 70 includes a first processing module, configured to: perform the process of generating corresponding authentication information when the authentication of the base station passes, and terminate the access process of the terminal when the authentication of the base station fails.
  • the processing unit includes any one of the following modules:
  • a second processing module configured to: perform the process of generating corresponding authentication information when the authentication of the base station passes, generate base station response information, and send the base station response information to the base station; in the case that the authentication of the base station fails, terminate the access procedure of the terminal;
  • the third processing module is configured to: generate base station response information, and send the base station response information to the base station; where, the corresponding base station response information is set according to the authentication result of the base station.
  • the authentication information includes authentication challenge information, session key information, and authentication response information
  • the carried content of the base station response information generated by the second processing module includes base station identity information
  • the carrying content of the base station response information generated by the third processing module includes base station identity information and a base station authentication result, where the base station authentication result includes identifier information indicating that the base station is illegal or legal;
  • the generating, by the second processing module and/or the third processing module, the base station response information includes:
  • processing the carried content of the base station response information by using the session key information includes:
  • the authentication center performs the first processing on the carried content of the base station response information by using the encryption key Ck to obtain the corresponding base station response information;
  • the authentication center first performs the first processing on the carried content of the base station response information by using the encryption key Ck, and then performs a second processing on the result of the first processing by using the integrity protection key Ik, thereby obtaining the base station response information corresponding to the carried content of the base station response information.
  • a terminal access device which is disposed on a base station.
  • a terminal access device includes:
  • the third receiving unit 80 is configured to: receive user identity information sent by the terminal;
  • the third sending unit 90 is configured to: send the base station identity information and the user identity information to the authentication center;
  • the third receiving unit 80 is further configured to: receive the authentication information sent by the authentication center;
  • the third sending unit 90 is further configured to: send the authentication challenge information in the authentication information to the terminal.
  • the third receiving unit 80 is further configured to: receive the base station response information sent by the authentication center;
  • the third sending unit 90 is further configured to: send the base station response information to the terminal.
  • the embodiment of the present invention further provides a terminal, where the terminal includes any terminal access device provided on the terminal provided by the embodiment of the present invention.
  • the embodiment of the present invention further provides a base station, where the base station includes any terminal access device disposed on a base station according to an embodiment of the present invention.
  • the embodiment of the present invention further provides an authentication center, where the authentication center includes any terminal access device provided in the authentication center provided by the embodiment of the present invention.
  • the embodiment of the invention further discloses a computer program comprising program instructions which, when executed by the terminal, cause the terminal to perform any of the above methods for detecting wireless network access security.
  • the embodiment of the invention also discloses a carrier carrying the computer program.
  • all or part of the steps of the above embodiments may also be implemented using an integrated circuit. These steps may be separately fabricated into individual integrated circuit modules, or multiple modules or steps may be fabricated into a single integrated circuit module. Thus, the invention is not limited to any specific combination of hardware and software.
  • the devices/function modules/functional units in the above embodiments may be implemented by a general-purpose computing device, which may be centralized on a single computing device or distributed over a network of multiple computing devices.
  • when each device/function module/functional unit in the above embodiment is implemented in the form of a software function module and sold or used as a stand-alone product, it can be stored in a computer readable storage medium.
  • the above mentioned computer readable storage medium may be a read only memory, a magnetic disk or an optical disk or the like.
  • the technical solution provided by the present invention includes: the terminal sends the user identity information to the base station; the terminal receives the authentication challenge information and the base station response information sent by the base station; the terminal detects the base station response information, and if the detection passes, the terminal accesses the base station according to the authentication challenge information.
  • the authentication center authenticates the base station to which the terminal is attached, and the authentication center may decide whether to terminate the access process according to the authentication result of the base station, or may send the authentication result of the base station to the terminal, in which case the terminal determines whether to connect to the base station.
  • a malicious base station is thereby prevented from spoofing the terminal into transferring from a legal base station to the malicious base station, which improves the security of terminal access to a base station. Therefore, the present invention has strong industrial applicability.
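The protection and checking of the base station response information described in Steps 330 to 370 and in the first and second detecting modules, as an added example; it is not code from the patent or from the applicant. The patent only says that the first and second processing use Ck and Ik and that the third and fourth processing are their inverses, so the concrete primitives are assumptions: the first processing is a keystream XOR derived from Ck with HMAC-SHA256, the second an HMAC-SHA256 tag under Ik, and the derivation of Ck and Ik from the authentication challenge is an assumed HMAC-based function standing in for the network's key agreement. The identities A1 and X1 are the page's; the subscriber key, challenge, the one-byte legal/illegal flag encoding and the helper names are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed encoding of the base station authentication result; the patent
# only says it is identifier information indicating legal or illegal.
LEGAL = b"\x01"
ILLEGAL = b"\x00"
TAG_LEN = 32  # length of the HMAC-SHA256 tag appended by the second processing


class IntegrityFailure(Exception):
    """Raised when the fourth processing (integrity check with Ik) fails."""


def derive_session_keys(k_subscriber, challenge):
    """Derive (Ck, Ik) from the shared subscriber key and the challenge.
    Assumption: HMAC-SHA256 with distinct labels stands in for the real
    key agreement; the authentication center and the terminal both run it."""
    ck = hmac.new(k_subscriber, b"Ck|" + challenge, hashlib.sha256).digest()[:16]
    ik = hmac.new(k_subscriber, b"Ik|" + challenge, hashlib.sha256).digest()[:16]
    return ck, ik


def _keystream(ck, nonce, length):
    """Counter-mode keystream from Ck; the challenge serves as the nonce
    because it is fresh for every authentication run."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(ck, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def first_processing(ck, content, nonce):
    """Encrypt the carried content with Ck (assumed keystream XOR)."""
    return bytes(a ^ b for a, b in zip(content, _keystream(ck, nonce, len(content))))


third_processing = first_processing  # inverse of the first processing; XOR is its own inverse


def second_processing(ik, data):
    """Integrity-protect the result of the first processing with Ik."""
    return data + hmac.new(ik, data, hashlib.sha256).digest()


def fourth_processing(ik, data):
    """Inverse of the second processing: verify the tag in constant time and
    return the protected body, or raise if the data was altered."""
    body, tag = data[:-TAG_LEN], data[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(ik, body, hashlib.sha256).digest()):
        raise IntegrityFailure("base station response information failed integrity check")
    return body


def auc_generate(k_subscriber, bs_identity, bs_is_legal, challenge):
    """Steps 330-340 at the authentication center (manner 2-2): after the
    terminal is authenticated, build the authentication information and the
    base station response information carrying <result || identity>,
    processed first with Ck and then with Ik."""
    ck, ik = derive_session_keys(k_subscriber, challenge)
    content = (LEGAL if bs_is_legal else ILLEGAL) + bs_identity
    response_info = second_processing(ik, first_processing(ck, content, challenge))
    expected_res = hmac.new(ck, b"RES|" + challenge, hashlib.sha256).digest()[:8]
    return {"challenge": challenge, "ck": ck, "ik": ik, "res": expected_res}, response_info


def terminal_detect(k_subscriber, challenge, response_info, detected_identity):
    """Steps 360-370 at the terminal: derive Ck/Ik from the challenge, undo the
    second and then the first processing, then apply both detecting modules.
    Returns (passed, reason); the attach is terminated whenever passed is False."""
    ck, ik = derive_session_keys(k_subscriber, challenge)
    try:
        body = fourth_processing(ik, response_info)
    except IntegrityFailure as exc:
        return False, str(exc)
    content = third_processing(ck, body, challenge)
    result, identity = content[:1], content[1:]
    if result != LEGAL:                 # second detecting module
        return False, "authentication center marked the base station illegal"
    if identity != detected_identity:   # first detecting module
        return False, "identity in response information differs from the serving cell"
    return True, "detection passed; terminal may access the base station"


def run_scenarios():
    """Constructed scenarios; returns whether detection passed in each."""
    k = secrets.token_bytes(16)          # constructed subscriber key shared with the AuC
    challenge = secrets.token_bytes(16)  # constructed authentication challenge
    # 1. Legal base station A1, and the terminal is camped on A1.
    _, resp_a1 = auc_generate(k, b"A1", True, challenge)
    legit = terminal_detect(k, challenge, resp_a1, b"A1")
    # 2. The page's mismatch case: the response information names A1 but the
    #    terminal detects X1, so the two identities are inconsistent.
    mismatch = terminal_detect(k, challenge, resp_a1, b"X1")
    # 3. The authentication center authenticated X1 itself and flagged it illegal.
    _, resp_x1 = auc_generate(k, b"X1", False, challenge)
    flagged = terminal_detect(k, challenge, resp_x1, b"X1")
    # 4. Response information altered in transit. Without the Ik tag a single
    #    bit flip in the encrypted result byte would read as LEGAL; the
    #    fourth processing rejects it before the flag is ever examined.
    altered = bytes([resp_x1[0] ^ 0x01]) + resp_x1[1:]
    tampered = terminal_detect(k, challenge, altered, b"X1")
    return legit[0], mismatch[0], flagged[0], tampered[0]


if __name__ == "__main__":
    print(run_scenarios())  # (True, False, False, False)
```

Scenario 4 is the reason the patent's second variant adds Ik on top of Ck: encryption alone keeps the result confidential but does not stop an intermediary from changing it, so the legality flag and the base station identity should be covered by an integrity check, as the fourth processing is here, and the terminal should treat an integrity failure exactly like an illegal result and terminate the attach.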

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A terminal access method and device. The method comprises: a terminal sends subscriber identity information to a base station; the terminal receives authentication challenge information and base station response information sent by the base station; the terminal detects the base station response information, and if the detection is passed, the terminal accesses the base station according to the authentication challenge information. By means of the solution, in the terminal access process, a base station to which a terminal is attached is authenticated by an authentication center. The authentication center can determine whether to terminate the access process according to an authentication result of the base station, and send the authentication result of the base station to the terminal. Then the terminal determines whether to connect to the base station. By means of the procedure, a malicious base station cannot cheat a terminal to transfer from a legal base station to the malicious base station, and the security when a terminal accesses a base station is increased.

Description

Terminal access method and device
Technical field
This document relates to the field of terminal access technologies, and in particular to a terminal access method and apparatus.
Background
At present, the EGPRS security architecture uses one-way authentication, and the authentication and key agreement procedure relies on the base station to forward the authentication information. In an EGPRS-based cellular Internet of Things (CIoT) network, a CIoT terminal device attaching to the network first sends its user identity information to the base station and then receives the authentication information and key agreement challenge information forwarded by the base station. The CIoT terminal device generates a session key and authentication response information from the authentication information and sends the authentication response information to the base station. In this procedure the CIoT device neither needs to nor is able to determine whether the base station is a legitimate base station or a malicious one.
In an EGPRS-based CIoT system, because the EGPRS security architecture uses one-way authentication, a CIoT terminal device attaching to the network cannot tell whether the authentication and key agreement information it receives comes from a legitimate base station. A malicious base station may therefore spoof a CIoT terminal device into moving its attachment from a legitimate base station to the malicious base station, which leads to leakage of information related to the CIoT terminal device.
Summary of the invention
The present invention provides a terminal access method and apparatus to improve the security of terminal access.
To achieve the above objective, the following technical solutions are adopted:
A terminal access method, comprising: a terminal sends user identity information to a base station; the terminal receives authentication challenge information and base station response information sent by the base station; the terminal detects the base station response information, and if the detection passes, the terminal accesses the base station according to the authentication challenge information.
In one embodiment, the step in which the terminal detects the base station response information includes either of the following manners. Manner 1-1: when the base station response information carries base station identity information, the terminal acquires the base station identity information corresponding to the base station response information and determines whether it is consistent with the base station identity information detected by the terminal; if not, the detection fails; if so, the detection passes. Manner 1-2: when the base station response information carries a base station authentication result, the terminal acquires the base station authentication result corresponding to the base station response information; if the result indicates that the base station is illegal, the detection fails; if it indicates that the base station is legal, the detection passes. In both manners the terminal obtains session key information from the authentication challenge information and uses the session key information to obtain the base station response information.
In one embodiment, the step of obtaining the base station response information by means of the session key information includes: when the session key information includes an encryption key Ck, the terminal performs a third processing on the base station response information with the encryption key Ck in the session key information to obtain the carried content corresponding to the base station response information; when the session key information includes the encryption key Ck and an integrity protection key Ik, the terminal performs a fourth processing on the base station response information with the integrity protection key Ik in the session key information and then performs the third processing on the result of the fourth processing with the encryption key Ck in the session key information to obtain the carried content of the base station response information. Here the first processing is the processing that the authentication center applies to the carried content of the base station response information with the encryption key Ck in order to obtain the base station response information; the second processing is the processing that the authentication center applies to the result of the first processing with the integrity protection key Ik in order to obtain the base station response information; the third processing is the inverse of the first processing, and the fourth processing is the inverse of the second processing.
A terminal access method, comprising: an authentication center receives base station identity information and user identity information sent by a base station; the authentication center authenticates the base station according to the base station identity information and authenticates the terminal according to the user identity information; if the authentication of the terminal passes, the authentication center generates corresponding authentication information and sends it to the base station.
In one embodiment, after the step in which the authentication center authenticates the base station according to the base station identity information, the method further includes: if the authentication of the base station passes, performing the step of generating the corresponding authentication information; if the authentication of the base station fails, terminating the access procedure of the terminal.
In one embodiment, after the authentication center authenticates the base station according to the base station identity information, the method further includes one of the following. Manner 2-1: if the authentication of the base station passes, performing the step of generating the corresponding authentication information, generating base station response information and sending it to the base station; if the authentication of the base station fails, terminating the access procedure of the terminal. Manner 2-2: generating base station response information and sending it to the base station, where the base station response information is set according to the authentication result of the base station.
In one embodiment, the authentication information includes authentication challenge information, session key information and authentication response information. In manner 2-1, the carried content of the base station response information includes base station identity information; in manner 2-2, the carried content of the base station response information includes base station identity information and a base station authentication result, the base station authentication result including identifier information indicating that the base station is illegal or legal. Generating the base station response information includes processing the carried content of the base station response information with the session key information to obtain the corresponding base station response information.
In one embodiment, processing the carried content of the base station response information with the session key information includes: when the session key information generated by the authentication center includes an encryption key Ck, the authentication center performs a first processing on the carried content of the base station response information with the encryption key Ck to obtain the corresponding base station response information; or, when the session key information generated by the authentication center includes the encryption key Ck and an integrity protection key Ik, the authentication center first performs the first processing on the carried content with the encryption key Ck and then performs a second processing on the result of the first processing with the integrity protection key Ik, thereby obtaining the base station response information corresponding to the carried content.
A terminal access method, comprising: a base station receives user identity information sent by a terminal; the base station sends base station identity information and the user identity information to an authentication center; the base station receives authentication information sent by the authentication center; the base station sends the authentication challenge information in the authentication information to the terminal.
In one embodiment, after the base station identity information and the user identity information are sent to the authentication center, the method further includes: the base station receives base station response information sent by the authentication center; the base station sends the base station response information to the terminal.
A terminal access device, disposed on a terminal, comprising a first sending unit, a first receiving unit, a detecting unit and an access unit, where the first sending unit is configured to send user identity information to a base station; the first receiving unit is configured to receive authentication challenge information and base station response information sent by the base station; the detecting unit is configured to detect the base station response information; and the access unit is configured to access the base station according to the authentication challenge information if the detection passes.
In one embodiment, the detecting unit includes at least one of a first detecting module and a second detecting module. The first detecting module is configured to: when the carried content of the base station response information includes base station identity information, acquire the base station identity information corresponding to the base station response information and determine whether it is consistent with the base station identity information detected by the terminal; if not, the detection fails; if so, the detection passes. The second detecting module is configured to: when the carried content of the base station response information includes a base station authentication result, acquire the base station authentication result corresponding to the base station response information; if the result indicates an illegal base station, the detection fails; if it indicates a legal base station, the detection passes. The first detecting module and/or the second detecting module obtains session key information from the authentication challenge information and uses the session key information to obtain the carried content of the base station response information.
In one embodiment, the first detecting module and/or the second detecting module is configured to obtain the carried content of the base station response information by means of the session key information as follows: when the session key information includes an encryption key Ck, performing a third processing on the base station response information with the encryption key Ck in the session key information to obtain the carried content of the base station response information; when the key information includes the encryption key Ck and an integrity protection key Ik, performing a fourth processing on the base station response information with the integrity protection key Ik in the session key information and then performing the third processing on the result of the fourth processing with the encryption key Ck in the session key information to obtain the carried content of the base station response information. Here the first processing is the processing that the authentication center applies to the base station identity information or the base station authentication result with the encryption key Ck in order to obtain the base station response information; the second processing is the processing that the authentication center applies to the result of the first processing with the integrity protection key Ik in order to obtain the base station response information; the third processing is the inverse of the first processing, and the fourth processing is the inverse of the second processing.
一种终端接入装置,设置在鉴权中心,所述装置包括第二接收单元、认证单元和处理单元,其中,所述第二接收单元设置成:接收基站发送的基站身份信息和用户身份信息;所述认证单元设置成:根据所述基站身份信息对基站进行认证,根据用户身份信息对终端进行认证;所述处理单元设置成:在对终端的认证通过的情况下,生成对应的认证信息,并将所述认证信息发送给基站。A terminal access device is disposed at an authentication center, where the device includes a second receiving unit, an authentication unit, and a processing unit, where the second receiving unit is configured to: receive base station identity information and user identity information sent by the base station The authentication unit is configured to: authenticate the base station according to the identity information of the base station, and authenticate the terminal according to the user identity information; the processing unit is configured to: generate corresponding authentication information when the authentication of the terminal is passed And transmitting the authentication information to the base station.
在一个实施例中,所述处理单元包括第一处理模块,设置成:在对基站的认证通过的情况下,执行所述生成对应的认证信息的过程;在对基站的认证没有通过的情况下,终止终端的接入过程。In an embodiment, the processing unit includes a first processing module, configured to: perform the process of generating corresponding authentication information when the authentication of the base station passes; and if the authentication of the base station fails End the access process of the terminal.
在一个实施例中,所述处理单元包括第二处理模块和第三处理模块的任一个,其中,所述第二处理模块设置成:在对基站的认证通过的情况下,执行所述生成对应的认证信息的过程;并生成基站响应信息,并将所述基站响应信息发送给基站;在对基站的认证没有通过的情况下,终止终端的接入过程;所述第三处理模块设置成:生成基站响应信息,并将所述基站响应信息发送给基站;其中,根据对基站的认证结果设置对应的基站响应信息。In one embodiment, the processing unit includes any one of a second processing module and a third processing module, wherein the second processing module is configured to perform the generation corresponding to the authentication of the base station The process of authenticating information; and generating base station response information, and transmitting the base station response information to the base station; if the authentication of the base station fails, terminating the access process of the terminal; the third processing module is configured to: Generating base station response information, and transmitting the base station response information to the base station; wherein the corresponding base station response information is set according to the authentication result of the base station.
在一个实施例中,所述认证信息包括认证挑战信息、会话密钥信息,以及认证响应信息;所述第二处理模块生成的所述基站响应信息的携带内容包括基站身份信息;所述第三处理模块生成的基站响应信息的携带内容包括基站身份信息和基站认证结果,所述基站认证结果包括用于表示基站非法或合法的标识信息;所述第二处理模块和/或第三处理模块设置成按照如下方式生成基站响应信息:通过所述会话密钥信息对基站响应信息的携带内容进行处理从而得到对应的基站响应信息。In one embodiment, the authentication information includes authentication challenge information, session key information, and authentication response information; the carrying content of the base station response information generated by the second processing module includes base station identity information; The carrying content of the base station response information generated by the processing module includes the base station identity information and the base station authentication result, where the base station authentication result includes identifier information indicating that the base station is illegal or legal; the second processing module and/or the third processing module are configured. The base station response information is generated in the following manner: the carried content of the base station response information is processed by the session key information to obtain corresponding base station response information.
在一个实施例中,所述第二处理模块和/或第三处理模块设置成按照如下方式通过会话密钥信息对基站响应信息的携带内容进行处理:在鉴权中心生成的会话密钥信息包括加密密钥Ck的情况下,鉴权中心通过加密密钥Ck对基站响应信息的携带内容进行第一处理从而得到对应的基站响应信息;或,在鉴权中心生成的会话密钥信息包括加密密钥Ck和完整性保护密钥Ik的情况下,鉴权中心先通过加密密钥Ck对基站响应信息的携带内容进行第一处理,再通过完整性保护密钥Ik对第一处理的结果进行第二处理,从而得到基 站响应信息的携带内容对应的基站响应信息。In an embodiment, the second processing module and/or the third processing module are configured to process the carried content of the base station response information by the session key information as follows: the session key information generated at the authentication center includes In the case of the encryption key Ck, the authentication center performs the first processing on the carried content of the base station response information by using the encryption key Ck to obtain the corresponding base station response information; or the session key information generated in the authentication center includes the encryption key. In the case of the key Ck and the integrity protection key Ik, the authentication center first performs the first processing on the carried content of the base station response information by using the encryption key Ck, and then performs the first processing result by the integrity protection key Ik. Second processing, thereby obtaining a basis The base station response information corresponding to the carried content of the station response information.
一种终端接入装置,设置在基站,所述装置包括:第三接收单元和第三发送单元,其中,所述第三接收单元设置成:接收终端发送的用户身份信息;所述第三发送单元设置成:将基站身份信息以及所述用户身份信息发送给鉴权中心;所述第三接收单元还设置成:接收鉴权中心发送的认证信息;所述第三发送单元还设置成:将认证信息中的认证挑战信息发送给终端。A terminal access device is disposed at a base station, where the device includes: a third receiving unit and a third sending unit, where the third receiving unit is configured to: receive user identity information sent by the terminal; The unit is configured to: send the base station identity information and the user identity information to the authentication center; the third receiving unit is further configured to: receive the authentication information sent by the authentication center; the third sending unit is further configured to: The authentication challenge information in the authentication information is sent to the terminal.
在一个实施例中,所述第三接收单元还设置成:接收鉴权中心发送的基站响应信息;所述第三发送单元还设置成:将所述基站响应信息发送给终端。In an embodiment, the third receiving unit is further configured to: receive base station response information sent by the authentication center; the third sending unit is further configured to: send the base station response information to the terminal.
与相关技术相比,本发明提供的技术方案包括:终端将用户身份信息发送给基站;终端接收基站所述发送的认证挑战信息和基站响应信息;终端检测所述基站响应信息,在检测通过的情况下,终端根据认证挑战信息接入到基站中。通过本发明的方案,在终端接入过程中,由鉴权中心对终端所附着的基站进行认证,可以由鉴权中心根据对基站的认证结果决定是否终止接入过程,也可以由鉴权中心将对基站的认证结果发送给终端,由终端确定是否连接到基站,通过该流程,改善了恶意基站通过欺骗的方式使得终端从一个合法基站转移附着到该恶意基站上的情况,提高了终端接入基站时的安全性。Compared with the related art, the technical solution provided by the present invention includes: the terminal sends the user identity information to the base station; the terminal receives the authentication challenge information and the base station response information sent by the base station; and the terminal detects the response information of the base station, and the detected In the case, the terminal accesses the base station according to the authentication challenge information. With the solution of the present invention, in the terminal access process, the authentication center authenticates the base station to which the terminal is attached, and the authentication center may decide whether to terminate the access process according to the authentication result of the base station, or may be determined by the authentication center. The authentication result of the base station is sent to the terminal, and the terminal determines whether it is connected to the base station. Through the process, the malicious base station improves the terminal connection from the legal base station to the malicious base station by means of spoofing, thereby improving the terminal connection. Security when entering the base station.
Brief Description of the Drawings
The drawings of the embodiments of the present invention are described below. The drawings are intended to provide a further understanding of the present invention and, together with the description, to explain the present invention; they do not limit the scope of protection of the present invention.
FIG. 1A and FIG. 1B are flowcharts of a terminal access method according to an embodiment of the present invention;
FIG. 2 is a flowchart of another terminal access method according to an embodiment of the present invention;
FIG. 3 is a flowchart of still another terminal access method according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a terminal access device according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of another terminal access device according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of still another terminal access device according to an embodiment of the present invention.
Detailed Description
The following is an overview of the subject matter described in detail in this document. This overview is not intended to limit the scope of protection of the claims.
To facilitate understanding by those skilled in the art, the present invention is further described below with reference to the drawings; this description does not limit the scope of protection of the present invention. It should be noted that, where no conflict arises, the embodiments of this application and the various modes within the embodiments may be combined with one another.
Referring to FIG. 1A, an embodiment of the present invention provides a terminal access method, which includes:
Step 110: the terminal sends the user identity information IMSI to the base station;
Step 120: the base station sends the base station identity information and the user identity information IMSI to the authentication center;
Step 130: the authentication center authenticates the base station;
Step 140: if the authentication of the base station fails, the access process is terminated.
In addition, the authentication center also authenticates the terminal; if the authentication of the terminal fails, the access process, that is, the attach process, is likewise terminated.
On the basis of the terminal access method shown in FIG. 1A, as shown in FIG. 1B, the method further includes, after step 130:
Step 150: if the authentication center's authentication of both the base station and the terminal passes, the authentication center generates authentication information corresponding to the terminal;
In the embodiment of the present invention, the authentication information includes authentication challenge information, session key information and authentication response information. The session key information includes the encryption key Ck, or it includes the encryption key Ck and the integrity protection key Ik.
Step 160: the authentication center sends the authentication information to the base station;
Step 170: the base station sends the authentication challenge information in the authentication information to the terminal;
The base station obtains the session key information and the authentication response information from the authentication information, and compares the obtained authentication response information with the authentication response information sent by the terminal to complete the authentication of the terminal. After the terminal has successfully accessed, the base station communicates securely with the terminal using the session key information obtained from the authentication information.
Step 180: the terminal receives the authentication challenge information sent by the base station and generates session key information and authentication response information from the authentication challenge information;
Step 190: the terminal accesses the base station according to the authentication response information.
Specifically, the terminal sends the generated authentication response information to the base station; the base station compares the authentication response information obtained from the authentication information with the authentication response information sent by the terminal and, if they match, allows the terminal to access the base station. After the terminal has successfully accessed, the terminal communicates securely with the base station using the session key information generated from the authentication challenge information.
In the method of FIGS. 1A and 1B for authenticating the base station, when the terminal attempts to attach to a pseudo base station, the attach is terminated directly by the network.
Referring to FIG. 2, an embodiment of the present invention further provides another terminal access method, which includes:
Step 210: the terminal sends the user identity information IMSI to the base station;
Step 220: the base station sends the base station identity information and the user identity information IMSI to the authentication center;
Step 220 may include: the base station sends the base station identity information and the user identity information IMSI to the SGSN, and the SGSN forwards the received base station identity information and user identity information IMSI to the authentication center;
Step 230: the authentication center authenticates the base station and the terminal; if the authentication passes, the authentication center generates base station response information and authentication information; if the authentication fails, the attach process is terminated.
Here, the authentication center authenticating the base station and the terminal and generating the base station response information and the authentication information when the authentication passes means: the authentication center authenticates the base station and, if that authentication passes, generates the base station response information; the authentication center authenticates the terminal and, if that authentication passes, generates the authentication information corresponding to the terminal. The authentication of the base station and the authentication of the terminal may be performed separately.
Step 230 specifically includes:
Step 231: the authentication center verifies the base station identity information; if the verification passes, step 232 is performed; otherwise, the attach process is terminated.
Step 232: if the authentication of both the base station and the terminal passes, the authentication center generates the authentication information and the base station response information,
where the authentication center generates the authentication information according to the user identity information;
where the generated authentication information includes authentication challenge information, session key information and authentication response information;
where, when the session key information includes the encryption key Ck,
the authentication center generating the base station response information includes: the authentication center applies a first processing to the base station identity information with the encryption key Ck to obtain the corresponding base station response information; in one or more embodiments, the first processing is encryption.
or,
when the session key information includes the encryption key Ck and the integrity protection key Ik,
the authentication center generating the base station response information includes: the authentication center first applies the first processing to the base station identity information with the encryption key Ck, and then applies a second processing with the integrity protection key Ik to the result of the first processing, that is, to the ciphertext of the base station identity information, thereby obtaining the base station response information corresponding to the base station identity information. In one or more embodiments, the second processing is processing the message with the integrity key to compute the integrity information of the message.
Step 240: the authentication center sends the authentication information and the base station response information to the base station;
Step 240 may include: the authentication center sends the authentication information and the base station response information to the SGSN, and the SGSN forwards the received authentication information and base station response information to the base station.
Step 250: the base station sends the received base station response information and the authentication challenge information in the authentication information to the terminal;
Step 260: the terminal obtains the base station identity information corresponding to the base station response information from the received authentication challenge information and base station response information;
In one or more embodiments, the terminal obtains the session key information from the authentication challenge information; the session key information includes the encryption key Ck, and the terminal applies a third processing to the base station response information with the encryption key Ck to obtain the base station identity information corresponding to the base station response information, where the third processing is the inverse of the first processing, that is, decryption.
In one or more embodiments, the terminal obtains the session key information from the authentication challenge information; the session key information includes the encryption key Ck and the integrity protection key Ik, and the terminal applies a fourth processing to the base station response information with the integrity protection key Ik and then applies the third processing to the result of the fourth processing with the encryption key Ck to obtain the base station identity information corresponding to the base station response information, where the third processing is the inverse of the first processing and the fourth processing is the inverse of the second processing.
Step 270: the terminal determines whether the base station identity information corresponding to the base station response information is consistent with the base station identity information detected by the terminal; if they are inconsistent, the terminal terminates the attach process; if they are consistent, step 280 is performed.
Step 280: if the determination result is consistent, the terminal accesses the base station.
Specifically, the terminal generates authentication response information from the authentication challenge and sends the generated authentication response information to the base station; the base station compares the authentication response information obtained from the authentication information with the authentication response information sent by the terminal and, if they match, allows the terminal to access the base station. After the terminal has successfully accessed, the terminal communicates securely with the base station using the session key information generated from the authentication challenge information.
In the method of FIG. 2 for authenticating the base station, when the terminal attempts to attach to a pseudo base station, the terminal determines whether to terminate the attach according to the received base station response information.
In the embodiment of the present invention, the terminal is a CIoT terminal device.
A specific application scenario is described below. A legal base station A1 and an illegal base station X1 are located near the terminal, and the two base stations are close to each other. During the process of the terminal device accessing A1, after the legal base station A1 obtains the authentication information and the base station response information corresponding to the terminal from the authentication center, the illegal base station X1 intercepts the authentication information and base station response information obtained by the legal base station A1 and sends them to the terminal. On receiving the authentication information and base station response information sent by the illegal base station X1, the terminal would proceed with the access procedure to the illegal base station X1. With the terminal access method of the embodiment of the present invention, after receiving the authentication information and base station response information sent by the illegal base station X1, the terminal determines whether the base station identity information corresponding to the base station response information is consistent with the base station identity information it detected. Because the base station identity information corresponding to the base station response information is the identity information of the legal base station A1, while the base station identity information detected by the terminal is that of the illegal base station X1, the two are inconsistent, and the terminal therefore terminates the attach process to the illegal base station X1.
Referring to FIG. 3, an embodiment of the present invention further provides another terminal access method, which includes:
Step 310: the terminal sends the user identity information IMSI to the base station;
Step 320: the base station sends the base station identity information and the user identity information IMSI to the authentication center;
Step 320 may include: the base station sends the base station identity information and the user identity information IMSI to the SGSN, and the SGSN forwards the received base station identity information and user identity information IMSI to the authentication center;
Step 330: the authentication center authenticates the base station and the terminal; if the authentication of the terminal passes, the authentication center generates base station response information and authentication information, and sets the base station response information according to the result of authenticating the base station; if the authentication of the terminal fails, the attach process is terminated.
Here, the authentication center authenticating the base station and the terminal and generating the base station response information and the authentication information when the authentication of the terminal passes means: the authentication center authenticates the terminal and, if that authentication passes, generates the authentication information corresponding to the terminal; the authentication center authenticates the base station and sets the corresponding base station response information according to the base station authentication result. The authentication of the base station and the authentication of the terminal may be performed separately.
Step 330 specifically includes:
Step 331: the authentication center authenticates the terminal;
Step 332: if the authentication of the terminal passes, the authentication center generates the authentication information corresponding to the terminal and generates the corresponding base station response information according to the result of authenticating the base station identity information.
where the authentication center generates the authentication information according to the user identity information;
where the generated authentication information includes authentication challenge information, session key information and authentication response information;
The base station response information includes base station identity information and a base station authentication result;
where the base station authentication result may be identifier information indicating that the base station is illegal or legal;
Generating the corresponding base station response information according to the result of authenticating the base station identity information includes: if the authentication of the base station passes, the base station authentication result carries identifier information indicating that the base station is legal; if the authentication of the base station fails, the base station authentication result carries identifier information indicating that the base station is illegal.
When the session key information includes the encryption key Ck, the authentication center applies the first processing to the base station identity information and the base station authentication result with the encryption key Ck to obtain the corresponding base station response information;
or,
when the session key information includes the encryption key Ck and the integrity protection key Ik, the authentication center first applies the first processing to the base station identity information and the base station authentication result with the encryption key Ck, and then applies the second processing to the result of the first processing with the integrity protection key Ik, obtaining the corresponding base station response information.
Step 340: the authentication center sends the authentication information and the base station response information to the base station;
Step 340 may specifically include: the authentication center sends the authentication information and the base station response information to the SGSN, and the SGSN forwards the received authentication information and base station response information to the base station.
Step 350: the base station sends the received base station response information and the authentication challenge information in the authentication information to the terminal;
Step 360: the terminal obtains the base station authentication result carried in the authentication information from the received authentication challenge information and base station response information;
In one or more embodiments, the terminal obtains the session key information from the authentication challenge information; when the session key information includes the encryption key Ck, the terminal applies the third processing to the base station response information with the encryption key Ck to obtain the base station identity information and the base station authentication result corresponding to the base station response information, where the third processing is the inverse of the first processing.
In one or more embodiments, the terminal obtains the session key information from the authentication challenge information; when the session key information includes the encryption key Ck and the integrity protection key Ik, the terminal applies the fourth processing to the base station response information with the integrity protection key Ik and then applies the third processing to the result of the fourth processing with the encryption key Ck to obtain the base station identity information and the base station authentication result corresponding to the base station response information, where the third processing is the inverse of the first processing and the fourth processing is the inverse of the second processing.
Step 370: the terminal checks the base station authentication result; if the base station authentication result indicates an illegal base station, the terminal terminates the attach process; if it indicates a legal base station, step 380 is performed.
Step 380: if the base station authentication result indicates a legal base station, the terminal accesses the base station.
Specifically, the terminal generates authentication response information from the authentication challenge and sends the generated authentication response information to the base station; the base station compares the authentication response information obtained from the authentication information with the authentication response information sent by the terminal and, if they match, allows the terminal to access the base station. After the terminal has successfully accessed, the terminal communicates securely with the base station using the session key information generated from the authentication challenge information.
In the method of FIG. 3 for authenticating the base station, when the terminal attempts to attach to a pseudo base station, the terminal determines whether to terminate the attach according to the received base station authentication result information.
下面通过一个表1对上述各个实施例中鉴权中心的处理进行说明。其中,认证结果为1说明认证通过,为0表示认证没有通过,其中,对于终端和基站认证均不通过的处理为终止接入过程,在表1中没有示出。The processing of the authentication center in each of the above embodiments will be described below by means of a table 1. The authentication result is 1 to indicate that the authentication is passed, and 0 is the authentication failure. The process that does not pass the terminal and the base station authentication is the termination access process, which is not shown in Table 1.
[Table 1: schematic table of the different processing flows the authentication center executes according to the authentication results (table images not reproduced here)]
Based on the same or a similar concept as the above embodiments, an embodiment of the present invention further provides a terminal access apparatus arranged on a terminal. Referring to FIG. 4, the terminal access apparatus includes:
a first sending unit 10, configured to send user identity information to the base station;
a first receiving unit 20, configured to receive the authentication challenge information and the base station response information sent by the base station;
a detecting unit 30, configured to check the base station response information;
an access unit 40, configured to access the base station according to the authentication challenge information when the check passes.
In this embodiment, the detecting unit 30 includes at least one of the following modules:
a first detecting module, configured to: when the content carried in the base station response information includes base station identity information, obtain the base station identity information corresponding to the base station response information;
and determine whether the base station identity information corresponding to the base station response information matches the base station identity information detected by the terminal; if it does not, the check of the base station response information fails; if it does, the check passes;
a second detecting module, configured to: when the content carried in the base station response information includes a base station authentication result, obtain the base station authentication result corresponding to the base station response information; if the result indicates an illegal base station, the check of the base station response information fails; if it indicates a legal base station, the check passes.
The first detecting module and/or the second detecting module obtains session key information from the authentication challenge information and recovers the content carried in the base station response information using the session key information.
In this embodiment, recovering the content carried in the base station response information using the session key information includes:
when the session key information includes the encryption key Ck, performing the third processing on the base station response information with the encryption key Ck from the session key information to obtain the carried content, the third processing being the inverse of the first processing;
when the key information includes the encryption key Ck and the integrity protection key Ik, performing the fourth processing on the base station response information with the integrity protection key Ik from the session key information, then performing the third processing on the result of the fourth processing with the encryption key Ck from the session key information to obtain the carried content, the third processing being the inverse of the first processing and the fourth processing the inverse of the second processing;
where the first processing is the processing that the authentication center applies with the encryption key Ck to the base station identity information or the base station authentication result in order to obtain the base station response information, and the second processing is the processing that the authentication center applies with the integrity protection key Ik to the result of the first processing.
Based on the same or a similar concept as the above embodiments, an embodiment of the present invention further provides a terminal access apparatus arranged at an authentication center. Referring to FIG. 5, the terminal access apparatus includes:
a second receiving unit 50, configured to receive the base station identity information and the user identity information sent by the base station;
an authentication unit 60, configured to authenticate the base station according to the base station identity information and to authenticate the terminal according to the user identity information;
a processing unit 70, configured to generate corresponding authentication information when the terminal passes authentication and to send the authentication information to the base station.
In this embodiment, the processing unit 70 includes a first processing module, configured to perform the generation of the corresponding authentication information when the base station passes authentication, and to terminate the terminal's access procedure when the base station fails authentication.
In another example of this embodiment, the processing unit includes either of the following modules:
a second processing module, configured to: when the base station passes authentication, perform the generation of the corresponding authentication information, generate base station response information and send it to the base station; when the base station fails authentication, terminate the terminal's access procedure;
a third processing module, configured to generate base station response information and send it to the base station, where the base station response information is set according to the result of authenticating the base station.
In this embodiment, the authentication information includes authentication challenge information, session key information and authentication response information;
the content carried in the base station response information generated by the second processing module includes base station identity information;
the content carried in the base station response information generated by the third processing module includes base station identity information and a base station authentication result, the base station authentication result being identifier information indicating whether the base station is illegal or legal;
generating the base station response information by the second processing module and/or the third processing module includes:
processing the content to be carried with the session key information to obtain the corresponding base station response information.
In this embodiment, processing the content carried in the base station response information with the session key information includes:
when the session key information generated by the authentication center includes the encryption key Ck, the authentication center performing the first processing on the carried content with the encryption key Ck to obtain the corresponding base station response information;
or,
when the session key information generated by the authentication center includes the encryption key Ck and the integrity protection key Ik, the authentication center first performing the first processing on the carried content with the encryption key Ck and then performing the second processing on the result of the first processing with the integrity protection key Ik, thereby obtaining the base station response information corresponding to the carried content.
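The two halves of the exchange described above, the authentication center building the base station response information (first processing under Ck, second processing under Ik) and the terminal's first and second detecting modules undoing it and checking identity and result, as an added simulation that is not the applicant's code. The key derivation, the keystream XOR used as first processing, the HMAC tag used as second processing, the "BS-001"/"BS-X" identities and the subscriber key are all assumptions; the page names the steps and their inverses but not the algorithms.

```python
import hashlib
import hmac
import os

# Added simulation of the exchange this page describes; not the applicant's code.
# The KDF, the "first processing" (keystream XOR under Ck) and the "second
# processing" (HMAC tag under Ik) are assumed primitives: the page names the steps
# and their inverses but not the algorithms. All identities and keys are constructed.

LEGAL, ILLEGAL = b"\x01", b"\x00"  # base station authentication result flags (1 = passed)


def derive_session_keys(k, challenge):
    """Terminal and authentication center both derive Ck, Ik and the expected
    authentication response from subscriber key K and the challenge (assumed KDF)."""
    ck = hmac.new(k, b"CK" + challenge, hashlib.sha256).digest()
    ik = hmac.new(k, b"IK" + challenge, hashlib.sha256).digest()
    res = hmac.new(k, b"RES" + challenge, hashlib.sha256).digest()[:8]
    return ck, ik, res


def _keystream(ck, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(ck + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def first_processing(ck, content):
    """Encrypt the carried content under Ck; a keystream XOR is its own inverse."""
    return bytes(a ^ b for a, b in zip(content, _keystream(ck, len(content))))


third_processing = first_processing  # the inverse of the first processing


def second_processing(ik, data):
    """Append an integrity tag under Ik."""
    return data + hmac.new(ik, data, hashlib.sha256).digest()


def fourth_processing(ik, data):
    """Inverse of the second processing: verify and strip the tag; None if tampered."""
    body, tag = data[:-32], data[-32:]
    if not hmac.compare_digest(hmac.new(ik, body, hashlib.sha256).digest(), tag):
        return None
    return body


class AuthenticationCenter:
    """Mode 2-2: authenticate both parties and always return a base station response
    that carries the base station identity and the base station authentication result."""

    def __init__(self, subscribers, registered_base_stations):
        self.subscribers = subscribers              # user identity -> shared key K
        self.registered = registered_base_stations  # identities that pass base station auth

    def handle(self, base_station_identity, user_identity):
        k = self.subscribers.get(user_identity)
        if k is None:
            return None                             # terminal failed: terminate access
        challenge = os.urandom(16)
        ck, ik, res = derive_session_keys(k, challenge)
        result = LEGAL if base_station_identity in self.registered else ILLEGAL
        content = base_station_identity + result    # identity || 1-byte result flag
        response = second_processing(ik, first_processing(ck, content))
        return {"challenge": challenge, "res": res, "base_station_response": response}


def terminal_check(k, observed_identity, challenge, base_station_response):
    """Steps 360-380 at the terminal: undo the fourth and third processing, then apply
    the second detecting module (result flag) and the first (identity comparison)."""
    ck, ik, _ = derive_session_keys(k, challenge)
    body = fourth_processing(ik, base_station_response)
    if body is None:
        return "reject: integrity check failed"
    content = third_processing(ck, body)
    identity, result = content[:-1], content[-1:]
    if result == ILLEGAL:
        return "reject: authentication center marked base station illegal"
    if identity != observed_identity:
        return "reject: base station identity mismatch"
    return "attach"


SUBSCRIBER_KEY = bytes(range(32))  # constructed K shared by "user-1" and the center
AC = AuthenticationCenter({"user-1": SUBSCRIBER_KEY}, {b"BS-001"})


def run_scenario(observed_identity, reported_identity, tamper=False):
    """observed_identity is what the terminal sees on the air; reported_identity is what
    reaches the authentication center; tamper flips one bit of the response in transit."""
    info = AC.handle(reported_identity, "user-1")
    if info is None:
        return "terminated by authentication center"
    response = info["base_station_response"]
    if tamper:
        response = response[:-1] + bytes([response[-1] ^ 0x01])
    return terminal_check(SUBSCRIBER_KEY, observed_identity, info["challenge"], response)
```

Running `run_scenario` with matching registered identities attaches, an unregistered identity is rejected by the result flag, a response whose identity differs from the one observed on the air is rejected by the identity comparison, and a modified response fails the integrity check before either comparison.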
Based on the same or a similar concept as the above embodiments, an embodiment of the present invention further provides a terminal access apparatus arranged on a base station. Referring to FIG. 6, the terminal access apparatus includes:
a third receiving unit 80, configured to receive the user identity information sent by the terminal;
a third sending unit 90, configured to send the base station identity information and the user identity information to the authentication center;
the third receiving unit 80 is further configured to receive the authentication information sent by the authentication center;
the third sending unit 90 is further configured to send the authentication challenge information from the authentication information to the terminal.
In this embodiment,
the third receiving unit 80 is further configured to receive the base station response information sent by the authentication center;
the third sending unit 90 is further configured to send the base station response information to the terminal.
Based on the same or a similar concept as the above embodiments, an embodiment of the present invention further provides a terminal, the terminal including any of the terminal access apparatuses arranged on a terminal provided by the embodiments of the present invention.
Based on the same or a similar concept as the above embodiments, an embodiment of the present invention further provides a base station, the base station including any of the terminal access apparatuses arranged on a base station provided by the embodiments of the present invention.
Based on the same or a similar concept as the above embodiments, an embodiment of the present invention further provides an authentication center, the authentication center including any of the terminal access apparatuses arranged at an authentication center provided by the embodiments of the present invention.
It should be noted that the above embodiments are provided only to help those skilled in the art understand the invention and are not intended to limit its scope of protection; any obvious substitutions and improvements made by those skilled in the art without departing from the inventive concept fall within the scope of protection of the present invention.
An embodiment of the present invention further discloses a computer program comprising program instructions which, when executed by a terminal, enable the terminal to perform any of the above methods for detecting wireless network access security.
An embodiment of the present invention further discloses a carrier carrying the computer program.
Other aspects will be apparent upon reading and understanding the drawings and the detailed description.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above embodiments can be implemented as a computer program flow; the computer program may be stored in a computer-readable storage medium and executed on a corresponding hardware platform (such as a system, device, apparatus or component), and when executed includes one of the steps of the method embodiments or a combination of them.
In one or more embodiments, all or part of the steps of the above embodiments may also be implemented with integrated circuits: the steps may be fabricated as individual integrated circuit modules, or several of the modules or steps may be fabricated as a single integrated circuit module. The invention is therefore not limited to any specific combination of hardware and software.
The apparatuses, functional modules and functional units in the above embodiments may be implemented on general-purpose computing devices, either concentrated on a single computing device or distributed over a network formed by multiple computing devices.
When the apparatuses, functional modules and functional units in the above embodiments are implemented as software functional modules and sold or used as stand-alone products, they may be stored in a computer-readable storage medium. The computer-readable storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disk or the like.
Any variation or substitution that a person familiar with this technical field can readily conceive within the technical scope disclosed by the present invention falls within its scope of protection. The scope of protection of the present invention is therefore defined by the claims.
Industrial applicability
The technical solution provided by the present invention includes: the terminal sends user identity information to the base station; the terminal receives the authentication challenge information and the base station response information sent by the base station; the terminal checks the base station response information and, when the check passes, accesses the base station according to the authentication challenge information. With this solution, during terminal access the authentication center authenticates the base station to which the terminal is attaching; the authentication center may decide whether to terminate the access procedure based on its authentication of the base station, or it may send the base station authentication result to the terminal and let the terminal decide whether to connect. This flow mitigates the situation in which a malicious base station tricks a terminal into transferring its attachment from a legitimate base station to the malicious one, and so improves the security of terminal access to a base station. The present invention therefore has strong industrial applicability.

Claims (20)

  1. A terminal access method, comprising:
    a terminal sending user identity information to a base station;
    the terminal receiving authentication challenge information and base station response information sent by the base station;
    the terminal checking the base station response information and, when the check passes, accessing the base station according to the authentication challenge information.
  2. The terminal access method according to claim 1, wherein the step of the terminal checking the base station response information includes either of the following:
    mode 1-1: when the base station response information carries base station identity information, the terminal obtains the base station identity information corresponding to the base station response information;
    the terminal determines whether the base station identity information corresponding to the base station response information matches the base station identity information detected by the terminal; if it does not, the check fails; if it does, the check passes;
    mode 1-2: when the base station response information carries a base station authentication result, the terminal obtains the base station authentication result corresponding to the base station response information; if the result indicates that the base station is an illegal base station, the check fails; if it indicates that the base station is a legal base station, the check passes;
    wherein the terminal obtains session key information from the authentication challenge information and recovers the base station response information using the session key information.
  3. The terminal access method according to claim 2, wherein the step of recovering the base station response information using the session key information includes:
    when the session key information includes an encryption key Ck, the terminal performing a third processing on the base station response information with the encryption key Ck from the session key information to obtain the content carried in the base station response information;
    when the session key information includes an encryption key Ck and an integrity protection key Ik, the terminal performing a fourth processing on the base station response information with the integrity protection key Ik from the session key information, and performing the third processing on the result of the fourth processing with the encryption key Ck from the session key information to obtain the content carried in the base station response information;
    wherein the first processing is the processing that an authentication center applies with the encryption key Ck to the carried content in order to obtain the base station response information, the second processing is the processing that the authentication center applies with the integrity protection key Ik to the result of the first processing, the third processing is the inverse of the first processing, and the fourth processing is the inverse of the second processing.
  4. A terminal access method, comprising:
    an authentication center receiving base station identity information and user identity information sent by a base station;
    the authentication center authenticating the base station according to the base station identity information and authenticating a terminal according to the user identity information;
    when the terminal passes authentication, generating corresponding authentication information and sending the authentication information to the base station.
  5. The terminal access method according to claim 4, wherein after the authentication center authenticates the base station according to the base station identity information, the method further includes:
    when the base station passes authentication, performing the step of generating the corresponding authentication information;
    when the base station fails authentication, terminating the access procedure of the terminal.
  6. The terminal access method according to claim 4, wherein after the authentication center authenticates the base station according to the base station identity information, the method further includes:
    mode 2-1: when the base station passes authentication, performing the step of generating the corresponding authentication information, generating base station response information and sending the base station response information to the base station; when the base station fails authentication, terminating the access procedure of the terminal; or
    mode 2-2: generating base station response information and sending the base station response information to the base station, where the base station response information is set according to the result of authenticating the base station.
  7. The terminal access method according to claim 6, wherein the authentication information includes authentication challenge information, session key information and authentication response information;
    in mode 2-1, the content carried in the base station response information includes base station identity information;
    in mode 2-2, the content carried in the base station response information includes base station identity information and a base station authentication result, the base station authentication result being identifier information indicating whether the base station is illegal or legal;
    and generating the base station response information includes:
    processing the content to be carried with the session key information to obtain the corresponding base station response information.
  8. The terminal access method according to claim 7, wherein processing the content carried in the base station response information with the session key information includes:
    when the session key information generated by the authentication center includes an encryption key Ck, the authentication center performing a first processing on the carried content with the encryption key Ck to obtain the corresponding base station response information; or
    when the session key information generated by the authentication center includes an encryption key Ck and an integrity protection key Ik, the authentication center first performing the first processing on the carried content with the encryption key Ck and then performing a second processing on the result of the first processing with the integrity protection key Ik, thereby obtaining the base station response information corresponding to the carried content.
  9. A terminal access method, comprising:
    a base station receiving user identity information sent by a terminal;
    the base station sending base station identity information and the user identity information to an authentication center;
    the base station receiving authentication information sent by the authentication center;
    the base station sending the authentication challenge information in the authentication information to the terminal.
  10. The terminal access method according to claim 9, wherein after sending the base station identity information and the user identity information to the authentication center, the method further includes:
    the base station receiving base station response information sent by the authentication center;
    the base station sending the base station response information to the terminal.
  11. 一种终端接入装置,设置在终端上,所述装置包括:第一发送单元、第一接收单元、检测单元和接入单元,其中,A terminal access device is disposed on a terminal, where the device includes: a first sending unit, a first receiving unit, a detecting unit, and an access unit, where
    所述第一发送单元设置成:将用户身份信息发送给基站;The first sending unit is configured to: send user identity information to a base station;
    所述第一接收单元设置成:接收基站所述发送的认证挑战信息和基站响 应信息;The first receiving unit is configured to: receive the authentication challenge information sent by the base station, and the base station ringing Information
    所述检测单元设置成:检测所述基站响应信息;The detecting unit is configured to: detect the base station response information;
    所述接入单元设置成:在检测通过的情况下,根据认证挑战信息接入到基站中。The access unit is configured to: access to the base station according to the authentication challenge information if the detection passes.
  12. 根据权利要求11所述的终端接入装置,其中,所述检测单元包括第一检测模块和第二检测模块中的至少一个,其中The terminal access device according to claim 11, wherein the detecting unit comprises at least one of a first detecting module and a second detecting module, wherein
    所述第一检测模块设置成:在基站响应信息的携带内容包括基站身份信息的情况下,终端获取基站响应信息对应的基站身份信息;The first detecting module is configured to: when the carrying content of the base station response information includes the identity information of the base station, the terminal acquires the identity information of the base station corresponding to the base station response information;
    判断基站响应信息对应的基站身份信息和终端检测到的基站身份信息是否一致;如果不一致,则检测不通过;如果一致,则检测通过;Determining whether the identity information of the base station corresponding to the response information of the base station is consistent with the identity information of the base station detected by the terminal; if not, the detection fails; if they are consistent, the detection is passed;
    the second detection module is configured to: where the carried content of the base station response information includes a base station authentication result, obtain the base station authentication result corresponding to the base station response information; if the base station authentication result is "illegal base station", the detection fails; if the base station authentication result is "legal base station", the detection passes;
    wherein the first detection module and/or the second detection module obtains session key information from the authentication challenge information, and obtains the carried content of the base station response information by using the session key information.
  13. The terminal access device according to claim 12, wherein the first detection module and/or the second detection module is configured to obtain the carried content of the base station response information by using the session key information as follows:
    where the session key information includes an encryption key Ck, performing a third processing on the base station response information by using the encryption key Ck in the session key information, to obtain the carried content of the base station response information;
    where the key information includes an encryption key Ck and an integrity protection key Ik, performing a fourth processing on the base station response information by using the integrity protection key Ik in the session key information, and performing a third processing on the result of the fourth processing by using the encryption key Ck in the session key information, to obtain the carried content of the base station response information;
    wherein the first processing is the processing that the authentication center performs on the base station identity information or the base station authentication result by using the encryption key Ck in order to obtain the base station response information; the second processing is the processing that the authentication center performs on the result of the first processing by using the integrity protection key Ik in order to obtain the base station response information; the third processing is the inverse of the first processing, and the fourth processing is the inverse of the second processing.
  14. A terminal access device, disposed at an authentication center, the device comprising a second receiving unit, an authentication unit and a processing unit, wherein
    the second receiving unit is configured to: receive base station identity information and user identity information sent by a base station;
    the authentication unit is configured to: authenticate the base station according to the base station identity information, and authenticate the terminal according to the user identity information;
    the processing unit is configured to: where the authentication of the terminal passes, generate corresponding authentication information and send the authentication information to the base station.
  15. The terminal access device according to claim 14, wherein the processing unit comprises a first processing module configured to: where the authentication of the base station passes, perform the process of generating the corresponding authentication information; where the authentication of the base station fails, terminate the access procedure of the terminal.
  16. The terminal access device according to claim 14, wherein the processing unit comprises either one of a second processing module and a third processing module, wherein
    the second processing module is configured to: where the authentication of the base station passes, perform the process of generating the corresponding authentication information, generate base station response information and send the base station response information to the base station; where the authentication of the base station fails, terminate the access procedure of the terminal;
    the third processing module is configured to: generate base station response information and send the base station response information to the base station, wherein the base station response information is set according to the result of the authentication of the base station.
  17. The terminal access device according to claim 16, wherein the authentication information includes authentication challenge information, session key information and authentication response information;
    the carried content of the base station response information generated by the second processing module includes base station identity information;
    the carried content of the base station response information generated by the third processing module includes base station identity information and a base station authentication result, the base station authentication result including identifier information indicating whether the base station is illegal or legal;
    the second processing module and/or the third processing module is configured to generate the base station response information as follows:
    processing the carried content of the base station response information by using the session key information, to obtain the corresponding base station response information.
  18. The terminal access device according to claim 17, wherein the second processing module and/or the third processing module is configured to process the carried content of the base station response information by using the session key information as follows:
    where the session key information generated by the authentication center includes an encryption key Ck, the authentication center performs a first processing on the carried content of the base station response information by using the encryption key Ck, to obtain the corresponding base station response information; or,
    where the session key information generated by the authentication center includes an encryption key Ck and an integrity protection key Ik, the authentication center first performs a first processing on the carried content of the base station response information by using the encryption key Ck, and then performs a second processing on the result of the first processing by using the integrity protection key Ik, to obtain the base station response information corresponding to the carried content of the base station response information.
  19. A terminal access device, disposed at a base station, the device comprising a third receiving unit and a third sending unit, wherein
    the third receiving unit is configured to: receive user identity information sent by a terminal;
    the third sending unit is configured to: send base station identity information and the user identity information to an authentication center;
    the third receiving unit is further configured to: receive authentication information sent by the authentication center;
    the third sending unit is further configured to: send the authentication challenge information in the authentication information to the terminal.
  20. The terminal access device according to claim 19, wherein
    the third receiving unit is further configured to: receive base station response information sent by the authentication center;
    the third sending unit is further configured to: send the base station response information to the terminal.
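The base station response path in claims 12, 13, 17 and 18 can be read as an encrypt-then-MAC construction whose inverse runs on the terminal: the authentication center applies the first processing (Ck) and then the second processing (Ik) to the carried content, and the terminal, having derived Ck and Ik from the authentication challenge, applies the fourth processing (integrity check with Ik) before the third processing (decryption with Ck) and only then inspects the identity and the legal/illegal result. The following example is added here for illustration and is not code from the patent or from the applicant. Everything concrete in it is an assumption, because the claims leave the primitives open: the key derivation from the challenge (HMAC-SHA256 over a long-term secret), the keystream cipher standing in for the first processing, HMAC-SHA256 as the second processing, the one-byte encoding of the authentication result, the wire layout `nonce || tag || ciphertext`, and the role given to the first detection module (comparing the carried identity with the base station the terminal is actually talking to).

```python
"""Added example of the base station response flow described in claims 12, 13, 17 and 18."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Identifier information for the base station authentication result (claim 17).
# One-byte encoding is an assumption; the patent does not fix a format.
BS_ILLEGAL = b"\x00"
BS_LEGAL = b"\x01"
NONCE_LEN = 12
TAG_LEN = 32


def derive_session_keys(long_term_secret: bytes, challenge: bytes) -> Tuple[bytes, bytes]:
    """Terminal side of claim 12: obtain Ck and Ik from the authentication challenge.
    The KDF (HMAC-SHA256 over a label and the challenge) is an assumption."""
    ck = hmac.new(long_term_secret, b"Ck" + challenge, hashlib.sha256).digest()
    ik = hmac.new(long_term_secret, b"Ik" + challenge, hashlib.sha256).digest()
    return ck, ik


def _keystream(ck: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, standing in for any cipher keyed by Ck."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(ck, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def first_processing(ck: bytes, data: bytes, nonce: bytes) -> bytes:
    """Confidentiality step keyed by Ck (claim 18); XOR with a keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, _keystream(ck, nonce, len(data))))


# Claim 13: the third processing is the inverse of the first; for a keystream XOR they coincide.
third_processing = first_processing


def second_processing(ik: bytes, ciphertext: bytes, nonce: bytes) -> bytes:
    """Integrity step keyed by Ik (claim 18): tag over nonce || ciphertext."""
    return hmac.new(ik, nonce + ciphertext, hashlib.sha256).digest()


def fourth_processing(ik: bytes, ciphertext: bytes, nonce: bytes, tag: bytes) -> bool:
    """Inverse of the second processing (claim 13): constant-time tag verification."""
    return hmac.compare_digest(second_processing(ik, ciphertext, nonce), tag)


def encode_content(bs_identity: bytes, bs_result: Optional[bytes]) -> bytes:
    """Carried content: identity only (second processing module) or identity + result (third)."""
    if len(bs_identity) > 255:
        raise ValueError("base station identity too long for a one-byte length prefix")
    return bytes([len(bs_identity)]) + bs_identity + (bs_result or b"")


def decode_content(content: bytes) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Split carried content back into (identity, result); (None, None) if malformed."""
    if not content or len(content) < 1 + content[0]:
        return None, None
    n = content[0]
    rest = content[1 + n:]
    return content[1:1 + n], (rest if rest else None)


def build_bs_response(ck: bytes, ik: Optional[bytes], bs_identity: bytes,
                      bs_result: Optional[bytes]) -> bytes:
    """Authentication center (claims 17, 18): first processing with Ck, then second processing
    with Ik when Ik is part of the session key information. Assumed wire format:
    nonce || tag (only when Ik is present) || ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = first_processing(ck, encode_content(bs_identity, bs_result), nonce)
    if ik is None:
        return nonce + ciphertext
    return nonce + second_processing(ik, ciphertext, nonce) + ciphertext


def open_bs_response(ck: bytes, ik: Optional[bytes], response: bytes) -> Optional[bytes]:
    """Terminal (claim 13): fourth processing with Ik, if present, before third processing with Ck."""
    nonce = response[:NONCE_LEN]
    if ik is not None:
        tag = response[NONCE_LEN:NONCE_LEN + TAG_LEN]
        ciphertext = response[NONCE_LEN + TAG_LEN:]
        if not fourth_processing(ik, ciphertext, nonce, tag):
            return None  # integrity failure: do not decrypt or act on the content
    else:
        ciphertext = response[NONCE_LEN:]
    return third_processing(ck, ciphertext, nonce)


def terminal_check(long_term_secret: bytes, challenge: bytes, observed_bs_identity: bytes,
                   response: bytes, has_ik: bool = True) -> bool:
    """Detection at the terminal (claim 12). Passes only if the response is intact, names the
    base station the terminal is attached to (assumed role of the first detection module) and,
    when a result is carried, marks the base station as legal (second detection module)."""
    ck, ik = derive_session_keys(long_term_secret, challenge)
    content = open_bs_response(ck, ik if has_ik else None, response)
    if content is None:
        return False
    bs_identity, bs_result = decode_content(content)
    if bs_identity != observed_bs_identity:
        return False
    # Claim 12 defines only the two values; anything else is treated as a failed detection.
    return bs_result is None or bs_result == BS_LEGAL
```

The order matters on the terminal side: the tag is checked before any decryption so that a response with a forged or damaged tag is discarded without its contents ever being interpreted, which is exactly why claim 13 places the fourth processing before the third. With only Ck in the session key information (the first alternative of claim 18) there is no tag, and the terminal's only check is whether the decrypted identity matches the base station it is attached to.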
PCT/CN2017/083470 2016-05-10 2017-05-08 Terminal access method and device WO2017193889A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610307103.1A CN107360573B (en) 2016-05-10 2016-05-10 Terminal access method and device
CN201610307103.1 2016-05-10

Publications (1)

Publication Number Publication Date
WO2017193889A1 true WO2017193889A1 (en) 2017-11-16

Family

ID=60266317

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/083470 WO2017193889A1 (en) 2016-05-10 2017-05-08 Terminal access method and device

Country Status (2)

Country Link
CN (1) CN107360573B (en)
WO (1) WO2017193889A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114449513A (en) * 2020-10-16 2022-05-06 中移(上海)信息通信科技有限公司 Authentication method, device and equipment of road side equipment and computer storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101056456A (en) * 2006-04-10 2007-10-17 华为技术有限公司 Method and secure system for authenticating the radio evolution network
CN104010305A (en) * 2014-05-09 2014-08-27 中国人民解放军信息工程大学 Bidirectional authentication reinforcement method of terminal and access network based on physical layer secret key
CN104703181A (en) * 2013-12-09 2015-06-10 重庆重邮信科通信技术有限公司 Access node authentication method and terminal
US20150296378A1 (en) * 2014-04-11 2015-10-15 Blackberry Limited Method and apparatus for a dual radio user equipment
CN105188055A (en) * 2015-08-14 2015-12-23 中国联合网络通信集团有限公司 Wireless network access method, wireless access point and server

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1005244A1 (en) * 1998-11-25 2000-05-31 ICO Services Ltd. Connection authentication in a mobile network
CN100571134C (en) * 2005-04-30 2009-12-16 华为技术有限公司 The method of authenticated user terminal in IP Multimedia System
CN101854629B (en) * 2010-05-21 2013-02-27 西安电子科技大学 Method of access authentication and recertification in home NodeB system of user terminal
CN102014389B (en) * 2010-11-30 2015-04-01 中兴通讯股份有限公司 Access method for terminal in WiMAX system and WiMAX access system
CN103096311B (en) * 2011-10-31 2018-11-09 中兴通讯股份有限公司 The method and system of Home eNodeB secure accessing

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113905379A (en) * 2021-10-15 2022-01-07 绍兴建元电力集团有限公司 Method for 5G base station to participate in local optimization of terminal security communication authentication
CN113905379B (en) * 2021-10-15 2024-05-03 绍兴建元电力集团有限公司 Method for locally optimizing security communication authentication of 5G base station participation terminal

Also Published As

Publication number Publication date
CN107360573A (en) 2017-11-17
CN107360573B (en) 2020-11-27

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17795507

Country of ref document: EP

Kind code of ref document: A1

122 Ep: pct application non-entry in european phase

Ref document number: 17795507

Country of ref document: EP

Kind code of ref document: A1