CN100550729C - Authentication method for a digital trunking service in a code division multiple access system - Google Patents

Authentication method for a digital trunking service in a code division multiple access system

Info

Publication number: CN100550729C
Authority: CN (China)
Prior art keywords: authentication, entity, authentication result, mobile station, parameter
Legal status: Active
Application number: CNB2004100702227A
Other languages: Chinese (zh)
Other versions: CN1728635A
Inventor: 吴勇锋
Current assignee: XFusion Digital Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Events: application filed by Huawei Technologies Co Ltd; priority to CNB2004100702227A; priority to PCT/CN2005/001171 (WO2006010343A1); publication of CN1728635A; application granted; publication of CN100550729C; legal status active; anticipated expiration

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/06 Authentication > H04W 12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities > H04L 63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols

Abstract

The invention discloses an authentication method for a digital trunking service in a code division multiple access (CDMA) system. A core network entity and an authentication entity are set up, and the core network entity is connected to the base station subsystem and to the authentication entity. The method further comprises: the mobile station calculates authentication result M1 from the system-side authentication parameter it has obtained and the authentication algorithm and key it stores, and sends M1 to the authentication entity; the authentication entity calculates authentication result M2 from the system-side authentication parameter and the authentication algorithm and key it stores and judges whether M2 is identical to M1; if not, the procedure ends; otherwise the authentication entity calculates authentication result N1 from the terminal-side authentication parameter it has obtained and the authentication algorithm and key it stores, and sends N1 to the mobile station; the mobile station calculates authentication result N2 from the terminal-side authentication parameter and the authentication algorithm and key it stores and judges whether N2 is identical to N1; if so, authentication succeeds, otherwise authentication fails. The invention provides a bidirectional authentication procedure that largely satisfies the security requirements of the digital trunking service.

Description

Authentication method for a digital trunking service in a code division multiple access system
Technical field
The present invention relates to authentication techniques in a code division multiple access system, and in particular to an authentication method for a digital trunking service in a code division multiple access system.
Background technology
At present, the digital trunking service is gradually becoming a popular service in code division multiple access (CDMA) systems. The digital trunking service places very high demands on real-time performance and security, yet existing protocols do not define any method for authenticating the digital trunking service in a CDMA system.
The existing authentication mode is the one used for public mobile communication services in the CDMA system. Because public mobile communication services have no special requirements on the confidentiality of user information and call content, the existing CDMA authentication mode is a unidirectional procedure in which the system verifies the legitimacy of the terminal; the procedure may comprise radio-side authentication and packet-domain authentication.
To carry out authentication, the terminal device in the CDMA system, namely the mobile station (MS), and the system-side entity that performs authentication, the home location register (HLR) or authentication center (AC), store internally the same authentication algorithm and shared secret data (SSD).
When the terminal (MS) performs a normal voice service, the CDMA system carries out only radio-side authentication of the terminal. The precondition for CDMA radio network authentication is that the system requires a global challenge, which the base station states in the general messages broadcast on the forward paging channel by setting the AUTH field of the Access Parameters Message to '01' (standard authentication mode). The flows that involve authentication are: mobile station registration authentication, mobile-originated call authentication, mobile-terminated call authentication, mobile station data burst authentication, the unique challenge response, and the SSD update message flow.
Fig. 1 is a schematic diagram of the signal flow when a CDMA system performs radio-side authentication in the prior art. Referring to Fig. 1, in prior-art radio-side authentication in a CDMA system, the MS sends the service request to the HLR/AC via the base station subsystem (BSS), mobile switching center (MSC) and visitor location register (VLR), and the HLR/AC returns its authentication result for the MS to the MS via the VLR, MSC and BSS. Fig. 2 is a flow chart of prior-art radio-side authentication in a CDMA system. Referring to Fig. 1 and Fig. 2, in the prior art, after the system has stated a global challenge, the detailed radio-side authentication procedure in the CDMA system comprises the following steps:
Step 201: The MS and BSS set up a traffic channel; the MS then calculates an authentication result from the authentication algorithm and SSD it stores and sends a service request carrying this authentication result field to the MSC through the BSS on the reverse access channel.
Step 202: The MSC sends the received service request carrying the authentication result field to the VLR.
Step 203: The VLR sends the received service request carrying the authentication result field to the HLR/AC.
Step 204: The HLR/AC receives the service request carrying the authentication result field, calculates an authentication result from the authentication algorithm and SSD it stores, and judges whether the result it calculated is identical to the one carried in the received service request; if identical, step 205 is executed, otherwise step 206.
Step 205: The HLR/AC returns an access success message to the MS via the VLR and MSC, instructing the MS that it may access the network; the procedure ends.
Step 206: The HLR/AC returns an access failure message to the MS via the VLR and MSC and refuses the MS access.
When the MS performs a packet data service, the CDMA system first performs the radio-side authentication of the MS described above and, after radio-side authentication succeeds, performs packet-domain authentication. Fig. 3 is a schematic diagram of the signal flow when a CDMA system performs packet-domain authentication in the prior art. Referring to Fig. 3, in prior-art packet-domain authentication in a CDMA system, the MS sends the authentication request to the authentication, authorization and accounting entity (AAA) via the BSS, packet control function (PCF) and packet data serving node (PDSN), and the AAA returns the authentication result to the MS via the PDSN, PCF and BSS.
It can be seen that the prior art provides no authentication for the digital trunking service in a CDMA system, and if the existing CDMA authentication mode were used to authenticate the trunking service, the following drawbacks would arise:
1) The digital trunking service has very high security requirements, whereas the existing CDMA authentication mode is unidirectional: only the system verifies the legitimacy of the terminal, and there is no process by which the terminal verifies the legitimacy of the system. Although this unidirectional mode can satisfy public mobile communication services, which have low security requirements, it cannot satisfy the digital trunking service, whose security requirements are very high.
2) When a packet data service is realized in a CDMA system, two authentication procedures, radio-side authentication and packet-domain authentication, must be performed. This requires several network entities in the CDMA system to take part in authentication, consumes system resources and increases the time the MS needs to access the network, so it cannot satisfy the real-time requirement of the digital trunking service.
Therefore, how to authenticate the digital trunking service in a CDMA system while meeting its real-time and security requirements has become a problem in urgent need of a solution.
Summary of the invention
In view of this, the main purpose of the present invention is to provide an authentication method for a digital trunking service in a code division multiple access system, so that a CDMA system can authenticate the digital trunking service in a way that meets its security and real-time requirements.
To achieve the above object, the technical solution of the present invention is realized as follows:
An authentication method for a digital trunking service in a code division multiple access system, in which a core network entity and an authentication entity are set up, the core network entity is connected to the base station subsystem and to the authentication entity respectively, and an authentication algorithm and a key are stored inside the mobile station and the authentication entity; the method further comprises the following steps:
A. The mobile station obtains a system-side authentication parameter, calculates authentication result M1 from this system-side authentication parameter and the authentication algorithm and key it stores, and sends M1 to the authentication entity through the base station subsystem and the core network entity;
B. The authentication entity calculates authentication result M2 from the system-side authentication parameter and the authentication algorithm and key it stores, and judges whether M2 is identical to the M1 sent by the mobile station; if identical, step C is executed, otherwise the current authentication procedure ends;
C. The authentication entity obtains a terminal-side authentication parameter, calculates authentication result N1 from this terminal-side authentication parameter and the authentication algorithm and key it stores, and sends N1 to the mobile station through the core network entity and the base station subsystem;
D. The mobile station calculates authentication result N2 from the terminal-side authentication parameter and the authentication algorithm and key it stores, and judges whether N2 is identical to the N1 sent by the authentication entity; if identical, authentication succeeds, otherwise authentication fails;
wherein, when the core network entity and the authentication entity are set up and the core network uses circuit mode, the mobile switching center (MSC) and visitor location register (VLR) serve as the core network entity, the home location register (HLR) or authentication center (AC) is extended with packet-domain authentication functions, and the extended HLR or AC serves as the authentication entity;
when the core network uses packet mode, the packet control function (PCF) and packet data serving node (PDSN) serve as the core network entity, the authentication, authorization and accounting entity (AAA) is extended with radio-side authentication functions, and the extended AAA serves as the authentication entity;
wherein the core network entity and the authentication entity are connected through an interface whose connection function has been extended.
The authentication algorithm and key stored inside the authentication entity and the mobile station comprise: the algorithm and key used by the system to authenticate the terminal, and the algorithm and key used by the terminal to authenticate the system.
In step A, the mobile station calculates M1 from the system-side authentication parameter and the system-to-terminal authentication algorithm and key it stores; in step B, the authentication entity calculates M2 from the system-side authentication parameter and the system-to-terminal authentication algorithm and key it stores; in step C, the authentication entity calculates N1 from the terminal-side authentication parameter and the terminal-to-system authentication algorithm and key it stores; in step D, the mobile station calculates N2 from the terminal-side authentication parameter and the terminal-to-system authentication algorithm and key it stores.
In step A, the step in which the mobile station obtains the system-side authentication parameter comprises:
A11. The mobile station sends a service request message on the reverse channel to the authentication entity through the base station subsystem and the core network entity;
A12. After receiving the service request message, the authentication entity randomly generates the system-side authentication parameter and then sends it to the mobile station in a service response message through the core network entity and the base station subsystem.
In step A, the step in which the mobile station obtains the system-side authentication parameter may also be: the mobile station receives the broadcast message sent by the base station subsystem and takes the system-side authentication parameter from the received broadcast message.
In step C, the step in which the authentication entity obtains the terminal-side authentication parameter comprises:
C11. The authentication entity sends an authentication success message to the mobile station through the core network entity and the base station subsystem;
C12. After receiving the authentication success message, the mobile station randomly generates the terminal-side authentication parameter and then sends it to the authentication entity through the base station subsystem and the core network entity.
In step A, the mobile station may also randomly generate the terminal-side authentication parameter when it obtains the system-side authentication parameter, and send the calculated M1 together with this terminal-side authentication parameter to the authentication entity through the base station subsystem and the core network entity, the authentication entity storing the terminal-side authentication parameter;
in step C, the authentication entity then obtains the terminal-side authentication parameter from its own storage.
M1 and N1 may be carried in a newly defined message, in a message sent encapsulated in a Data Burst Message, or in any message on the forward control channel or the service access channel.
M1 may be carried in a registration request.
It can be seen that the method proposed by the present invention has the following advantages:
1) The present invention proposes an authentication method for the CDMA digital trunking service that not only realizes the prior-art procedure in which the system authenticates the mobile station but also adds a procedure in which the mobile station authenticates the system. Both the system and the mobile station store two sets of authentication algorithms and keys, namely the algorithm and key used when the system authenticates the mobile station and the algorithm and key used when the mobile station authenticates the system. When the mobile station authenticates the system, the system and the mobile station each calculate an authentication result from the stored terminal-to-system algorithm and key; if the result calculated by the mobile station is identical to the one calculated by the system, the mobile station deems the system legitimate, otherwise it deems the system illegitimate. The proposed method is therefore a bidirectional authentication procedure and can satisfy the security requirement of the digital trunking service in a CDMA system.
2) In the present invention, a unified network configuration and a unified authentication procedure are used for the digital trunking service, covering both voice and packet data services. The packet data service therefore needs only one authentication procedure, performed by fewer network entities, and no longer goes through the two separate prior-art processes of radio-side authentication (with its own network configuration and procedure) and packet-domain authentication (with its own network configuration and procedure). This greatly reduces the delay caused by the authentication procedure and satisfies the real-time requirement of the digital trunking service.
3) The simplified authentication procedure proposed by the present invention requires only one signaling interaction between the mobile station and the system: after the authentication entity receives the service request sent by the mobile station, it returns an authentication success or authentication failure message to the mobile station according to its authentication result for the mobile station. This simplified procedure reduces the signaling processing load on the system and reduces the delay of the mobile station's network access.
4) The messages used in the authentication procedure of the present invention, such as the service response message and the authentication success message, can all be obtained by extending fields of messages that already exist in existing services. This makes the invention easy to implement, reduces flow processing and message interaction time, speeds up the authentication process and shortens the set-up time of the digital trunking service.
Description of drawings
Fig. 1 is a schematic diagram of the signal flow when a CDMA system performs radio-side authentication in the prior art.
Fig. 2 is a flow chart of prior-art radio-side authentication in a CDMA system.
Fig. 3 is a schematic diagram of the signal flow when a CDMA system performs packet-domain authentication in the prior art.
Fig. 4 is a schematic diagram of the network structure for realizing the CDMA digital trunking service in the present invention.
Fig. 5 is a flow chart of authenticating the digital trunking service in the present invention when the CDMA system does not require a global challenge.
Fig. 6 is a flow chart of authenticating the digital trunking service in the present invention when the CDMA system requires a global challenge.
Fig. 7 is a simplified flow chart of authenticating the digital trunking service in the present invention when the CDMA system requires a global challenge.
Embodiment
To make the purpose, technical solution and advantages of the present invention clearer, the present invention is described in further detail below with reference to the drawings and specific embodiments.
Fig. 4 is a schematic diagram of the network structure for realizing the CDMA digital trunking service in the present invention. Referring to Fig. 4, to authenticate the digital trunking service in a CDMA system, the network entities used by the present invention are the BSS, a core network entity and an authentication entity (Auth Entity), and the core network entity and the authentication entity are connected by the Auth interface. The present invention sets up the network entities that authenticate the digital trunking service in the CDMA system according to whether the bearer mode adopted to realize the trunking service is circuit mode or packet mode. When circuit mode is used to realize the trunking service, the core network entity mainly comprises the MSC and VLR; the authentication entity is obtained by extending the HLR/AC with the corresponding functions so that it can perform trunking service authentication; and the message interface between the VLR and the existing HLR/AC is correspondingly extended so that it can connect the VLR to the extended HLR/AC. This interface is called the Auth interface. When packet mode is used to realize the trunking service, the core network entity mainly comprises the PCF and PDSN; the authentication entity is obtained by extending the AAA with the corresponding functions so that it can perform trunking service authentication; and the message interface between the PDSN and the existing AAA is correspondingly extended so that it can connect the PDSN to the extended AAA. This interface is likewise called the Auth interface.
In the present invention, the authentication entity and the MS store in advance the authentication algorithm AuthMSFunction and key Ksn used when the system authenticates the MS; the key Ksn is stored only in locations inside the authentication entity and the MS that are hard to read out, and is never transmitted over the air. Likewise, the authentication entity and the MS store the authentication algorithm AuthNetFunction and key Ksm used when the MS authenticates the system; the key Ksm is also stored only in hard-to-read locations inside the authentication entity and the MS, and is never transmitted over the air.
The algorithm AuthMSFunction used by the system to authenticate the MS and the algorithm AuthNetFunction used by the MS to authenticate the system may be the same or different, and the keys Ksn and Ksm may be the same or different.
Fig. 5 is a flow chart of authenticating the digital trunking service in the present invention when the CDMA system does not require a global challenge. Referring to Fig. 4 and Fig. 5, if the CDMA system does not require a global challenge, the detailed procedure by which the present invention performs bidirectional authentication of the digital trunking service comprises the following steps:
Step 501: The MS sends a service request on the reverse channel to the authentication entity through the BSS and the core network entity.
Here, the MS may send the service request over a common channel or a traffic channel.
Step 502: After receiving the service request, the authentication entity randomly generates the system-side authentication parameter RAND_NET used by the system to authenticate the terminal, stores it, and then sends a service response message carrying RAND_NET to the MS through the core network entity and the BSS.
Step 503: The MS receives the service response message carrying RAND_NET, calculates its own authentication result MS_RESULT from the authentication algorithm AuthMSFunction and key Ksn it stores together with the RAND_NET in the service response message, and then sends MS_RESULT in a terminal authentication response message to the authentication entity through the BSS and the core network entity.
Here, when calculating the authentication result, the MS may also use other parameters agreed in advance between itself and the authentication entity.
Step 504: The authentication entity receives the terminal authentication response message carrying MS_RESULT, calculates an authentication result from the RAND_NET it stored and the algorithm AuthMSFunction and key Ksn for authenticating the MS, and then judges whether the result it calculated is identical to the MS_RESULT in the terminal authentication response message; if identical, step 506 is executed, otherwise step 505.
Here, if in step 503 the MS used parameters agreed in advance with the authentication entity when calculating its result, then in step 504 the authentication entity likewise uses those pre-agreed parameters when calculating its result.
Step 505: The authentication entity sends an authentication failure message to the MS through the core network entity and the BSS, refuses the MS network access, and the procedure ends.
Step 506: The authentication entity sends an authentication success message to the MS through the core network entity and the BSS, allowing the MS network access.
Step 507: The MS receives the authentication success message, randomly generates the terminal-side authentication parameter RAND_MS used by the terminal to authenticate the system, stores it, and then sends an authentication request message carrying RAND_MS to the authentication entity through the BSS and the core network entity.
Step 508: After receiving the authentication request message carrying RAND_MS, the authentication entity calculates its own authentication result NET_RESULT from the RAND_MS in the message and the authentication algorithm AuthNetFunction and key Ksm it stores, and then sends a system authentication response message carrying NET_RESULT to the MS through the core network entity and the BSS.
Here, when calculating the authentication result, the authentication entity may also use other parameters agreed in advance between itself and the MS.
Step 509: After receiving the system authentication response message carrying NET_RESULT, the MS calculates an authentication result from the RAND_MS it stored and the algorithm AuthNetFunction and key Ksm for authenticating the system, and then judges whether the result it calculated is identical to the NET_RESULT carried in the system authentication response message; if identical, step 511 is executed, otherwise step 510.
Here, if in step 508 the authentication entity used parameters agreed in advance with the MS when calculating its result, then in step 509 the MS likewise uses those pre-agreed parameters when calculating its result.
Step 510: The MS returns an authentication failure message to the authentication entity through the BSS and the core network entity, displays network authentication failure information to the user, and the procedure ends.
Step 511: The MS returns an authentication success message to the authentication entity through the BSS and the core network entity, and displays network authentication success information to the user, prompting that the digital trunking service can be used.
At this point, the present invention has completed the bidirectional authentication procedure in which the system authenticates the terminal and the terminal authenticates the system.
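The Fig. 5 procedure (steps 501 to 511) modelled end to end, as an added example that is not part of the patent: one object plays the authentication entity (extended HLR/AC or AAA) and one plays the MS, with the BSS and core network treated as transparent relays. The patent names the algorithms AuthMSFunction and AuthNetFunction and the keys Ksn and Ksm but does not specify them, so HMAC-SHA256 with a per-direction label is an assumption standing in for both; the message dictionaries, field names and 16-byte challenges are likewise constructed for this example.

```python
import hashlib
import hmac
import secrets


# Constructed stand-ins for the patent's unspecified algorithms (an assumption):
# HMAC-SHA256 keyed with Ksn or Ksm, with a direction label so that the two
# results can never collide even when Ksn == Ksm.
def auth_ms_function(ksn: bytes, rand_net: bytes) -> bytes:
    """System-authenticates-terminal: MS_RESULT = AuthMSFunction(Ksn, RAND_NET)."""
    return hmac.new(ksn, b"AuthMSFunction" + rand_net, hashlib.sha256).digest()


def auth_net_function(ksm: bytes, rand_ms: bytes) -> bytes:
    """Terminal-authenticates-system: NET_RESULT = AuthNetFunction(Ksm, RAND_MS)."""
    return hmac.new(ksm, b"AuthNetFunction" + rand_ms, hashlib.sha256).digest()


class AuthEntity:
    """Extended HLR/AC (circuit mode) or AAA (packet mode). Holds Ksn/Ksm; never sends them."""

    def __init__(self, ksn: bytes, ksm: bytes):
        self._ksn, self._ksm = ksn, ksm
        self.rand_net = None

    def on_service_request(self, msg: dict) -> dict:
        # Step 502: fresh RAND_NET, stored for the comparison in step 504
        self.rand_net = secrets.token_bytes(16)
        return {"msg": "SERVICE_RESPONSE", "RAND_NET": self.rand_net}

    def on_terminal_auth_response(self, msg: dict) -> dict:
        # Step 504: recompute MS_RESULT and compare in constant time;
        # mismatch -> step 505 (failure), match -> step 506 (success)
        expected = auth_ms_function(self._ksn, self.rand_net)
        if not hmac.compare_digest(expected, msg["MS_RESULT"]):
            return {"msg": "AUTH_FAILURE"}
        return {"msg": "AUTH_SUCCESS"}

    def on_auth_request(self, msg: dict) -> dict:
        # Step 508: answer the terminal's challenge RAND_MS with NET_RESULT
        return {"msg": "SYSTEM_AUTH_RESPONSE",
                "NET_RESULT": auth_net_function(self._ksm, msg["RAND_MS"])}


class MobileStation:
    """MS holding the same Ksn/Ksm as the authentication entity."""

    def __init__(self, ksn: bytes, ksm: bytes):
        self._ksn, self._ksm = ksn, ksm
        self.rand_ms = None

    def service_request(self) -> dict:
        # Step 501
        return {"msg": "SERVICE_REQUEST"}

    def on_service_response(self, msg: dict) -> dict:
        # Step 503: MS_RESULT over the network's challenge RAND_NET
        return {"msg": "TERMINAL_AUTH_RESPONSE",
                "MS_RESULT": auth_ms_function(self._ksn, msg["RAND_NET"])}

    def auth_request(self) -> dict:
        # Step 507: fresh RAND_MS, stored for the comparison in step 509
        self.rand_ms = secrets.token_bytes(16)
        return {"msg": "AUTH_REQUEST", "RAND_MS": self.rand_ms}

    def on_system_auth_response(self, msg: dict) -> bool:
        # Step 509: recompute NET_RESULT and compare; True -> step 511, False -> step 510
        expected = auth_net_function(self._ksm, self.rand_ms)
        return hmac.compare_digest(expected, msg["NET_RESULT"])


def run_fig5_flow(ms: MobileStation, ae: AuthEntity) -> str:
    """Drive steps 501-511 with the BSS/core network relays left out.

    Returns "ok", "terminal_rejected" (step 505) or "network_rejected" (step 510).
    """
    resp = ae.on_service_request(ms.service_request())                    # 501-502
    verdict = ae.on_terminal_auth_response(ms.on_service_response(resp))  # 503-504
    if verdict["msg"] == "AUTH_FAILURE":
        return "terminal_rejected"                                        # 505
    net = ae.on_auth_request(ms.auth_request())                           # 506-508
    return "ok" if ms.on_system_auth_response(net) else "network_rejected"  # 509-511


if __name__ == "__main__":
    ksn, ksm = secrets.token_bytes(16), secrets.token_bytes(16)
    print(run_fig5_flow(MobileStation(ksn, ksm), AuthEntity(ksn, ksm)))
```

Two properties of the text are visible in the code: the keys never appear in any message, only results derived from them, and each side draws a fresh random challenge and keeps it locally, so a result recorded from an earlier run cannot satisfy a later comparison. The constant-time comparison is the example's own choice; the patent only says the results are judged identical or not.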
Fig. 6 is a flow chart of authenticating the digital trunking service in the present invention when the CDMA system requires a global challenge. Referring to Fig. 4 and Fig. 6, if the CDMA digital trunking system requires a global challenge, that is, the CDMA system sends a broadcast message carrying the system-side authentication parameter RAND_NET used by the system to authenticate the terminal and actively requires the MS to authenticate when it sends a reverse access message, then the detailed procedure by which the present invention performs bidirectional authentication of the digital trunking service comprises the following steps:
Step 601: The MS receives the broadcast message sent by the BSS in the CDMA system, calculates its own authentication result MS_RESULT from the RAND_NET carried in the broadcast message and the authentication algorithm AuthMSFunction and key Ksn it stores, and then sends MS_RESULT in a service request to the authentication entity through the BSS and the core network entity.
Step 602: The authentication entity receives the service request carrying MS_RESULT, calculates an authentication result from the RAND_NET in the broadcast message and the algorithm AuthMSFunction and key Ksn for authenticating the MS, and then judges whether the result it calculated is identical to the MS_RESULT in the service request; if identical, step 604 is executed, otherwise step 603.
Steps 603 to 609 are identical in every respect to steps 505 to 511.
Fig. 7 is a simplified flow chart of authenticating the digital trunking service when the CDMA system requires a global challenge. Referring to Fig. 4 and Fig. 7: if the CDMA digital trunking system requires a global challenge and the broadcast message carries the system-side authentication parameter RAND_NET with which the system authenticates terminals, the invention can also perform mutual authentication for the digital trunking service with the following simplified procedure:
Step 701: The MS receives the broadcast message sent by the BSS of the CDMA system, computes its own authentication result MS_RESULT from the system-side authentication parameter RAND_NET carried in the broadcast message together with the authentication algorithm AuthMSFunction and the key Ksn it stores, randomly generates and saves a terminal-side authentication parameter RAND_MS, and then sends MS_RESULT and RAND_MS, carried in a service request, to the authentication entity via the BSS and the core network entity.
Step 702: After receiving the service request carrying MS_RESULT and RAND_MS, the authentication entity computes an authentication result from the system-side authentication parameter RAND_NET carried in the broadcast message and the authentication algorithm AuthMSFunction and key Ksn it stores, and then judges whether the result it computed is identical to MS_RESULT carried in the service request. If they are identical, step 704 is executed; otherwise step 703 is executed.
Here, the authentication entity can obtain the broadcast message from the BSS via the core network entity.
Step 703: The authentication entity returns an authentication failure message to the MS via the core network entity and the BSS, refuses the MS access to the network, and the procedure ends.
Step 704: The authentication entity computes its own authentication result NET_RESULT from the terminal-side authentication parameter RAND_MS carried in the service request together with the authentication algorithm AuthNetFunction and the key Ksm it stores, and returns an authentication success message carrying NET_RESULT to the MS via the core network entity and the BSS.
Step 705: The MS receives the authentication success message carrying NET_RESULT, computes an authentication result from the terminal-side authentication parameter RAND_MS it saved and the authentication algorithm AuthNetFunction and key Ksm it stores, and then judges whether the result it computed is identical to NET_RESULT in the authentication success message. If they are identical, step 707 is executed; otherwise step 706 is executed.
Step 706: The MS shows the user that authentication of the system has failed, and the procedure ends.
Step 707: The MS shows the user that authentication of the system has succeeded and prompts the user that the digital trunking service can now be used.
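The two-message mutual authentication of Fig. 7 (steps 701 to 707), which also carries out steps A to D of claim 1 below, written out with both sides as an added Python example; this is illustration code, not code from the patent. The patent does not specify AuthMSFunction, AuthNetFunction, the key or result lengths, or how the authentication entity locates a terminal's keys, so this example assumes HMAC-SHA256 truncated to 8 bytes for both functions, 16-byte keys and challenges, and a subscriber table keyed by a constructed identifier `msid`. The message dictionaries and their field names are constructed for the example as well.

```python
"""Fig. 7 mutual authentication with RAND_NET taken from the BSS broadcast.

Assumptions (not from the patent): HMAC-SHA256 truncated to RESULT_LEN bytes
stands in for AuthMSFunction and AuthNetFunction; 16-byte keys and challenges;
the authentication entity keeps (Ksn, Ksm) per constructed identifier "msid".
"""
import hashlib
import hmac
import secrets

RESULT_LEN = 8  # assumed length of MS_RESULT and NET_RESULT


def auth_ms_function(rand_net: bytes, ksn: bytes) -> bytes:
    """Stand-in for AuthMSFunction: result over the network's challenge."""
    return hmac.new(ksn, b"MS" + rand_net, hashlib.sha256).digest()[:RESULT_LEN]


def auth_net_function(rand_ms: bytes, ksm: bytes) -> bytes:
    """Stand-in for AuthNetFunction: result over the terminal's challenge."""
    return hmac.new(ksm, b"NET" + rand_ms, hashlib.sha256).digest()[:RESULT_LEN]


class MobileStation:
    def __init__(self, msid: str, ksn: bytes, ksm: bytes):
        self.msid, self.ksn, self.ksm = msid, ksn, ksm
        self.rand_ms = None  # saved in step 701, used in step 705

    def service_request(self, rand_net: bytes) -> dict:
        """Step 701: MS_RESULT from the broadcast RAND_NET plus a fresh RAND_MS."""
        self.rand_ms = secrets.token_bytes(16)
        return {"msid": self.msid,
                "MS_RESULT": auth_ms_function(rand_net, self.ksn),
                "RAND_MS": self.rand_ms}

    def check_response(self, response: dict) -> bool:
        """Steps 705-707: accept the network only if NET_RESULT matches."""
        if response["status"] != "success":
            return False  # step 703 failure message: access refused
        expected = auth_net_function(self.rand_ms, self.ksm)
        # Constant-time comparison; the patent only says "judge whether identical".
        return hmac.compare_digest(expected, response["NET_RESULT"])


class AuthenticationEntity:
    def __init__(self, subscribers: dict):
        self.subscribers = subscribers  # msid -> (Ksn, Ksm)

    def handle_service_request(self, rand_net: bytes, request: dict) -> dict:
        """Steps 702-704: verify MS_RESULT, then answer the terminal's RAND_MS."""
        keys = self.subscribers.get(request["msid"])
        if keys is None:
            return {"status": "failure"}
        ksn, ksm = keys
        expected = auth_ms_function(rand_net, ksn)
        if not hmac.compare_digest(expected, request["MS_RESULT"]):
            return {"status": "failure"}  # step 703
        return {"status": "success",      # step 704
                "NET_RESULT": auth_net_function(request["RAND_MS"], ksm)}


def run_exchange(ms: MobileStation, ae: AuthenticationEntity, rand_net: bytes) -> tuple:
    """Whole Fig. 7 exchange: (network accepted terminal, terminal accepted network)."""
    request = ms.service_request(rand_net)
    response = ae.handle_service_request(rand_net, request)
    return response["status"] == "success", ms.check_response(response)


def demo() -> dict:
    """Matching keys, a terminal with a wrong Ksn, and a network with a wrong Ksm."""
    ksn, ksm = secrets.token_bytes(16), secrets.token_bytes(16)
    ae = AuthenticationEntity({"msid-1": (ksn, ksm)})
    rand_net = secrets.token_bytes(16)  # RAND_NET as carried in the BSS broadcast
    good = run_exchange(MobileStation("msid-1", ksn, ksm), ae, rand_net)
    # Wrong Ksn on the terminal: rejected by the network at step 702/703.
    bad_ms = run_exchange(MobileStation("msid-1", secrets.token_bytes(16), ksm), ae, rand_net)
    # Network holding a wrong Ksm: rejected by the terminal at step 705/706.
    rogue_ae = AuthenticationEntity({"msid-1": (ksn, secrets.token_bytes(16))})
    bad_net = run_exchange(MobileStation("msid-1", ksn, ksm), rogue_ae, rand_net)
    return {"good": good, "bad_ms": bad_ms, "bad_net": bad_net}
```

`demo()` returns the pair (network accepted terminal, terminal accepted network) for each case; only the matching keys yield (True, True), the wrong Ksn fails at the network side, and the wrong Ksm passes the network's check but fails the terminal's. The equality tests of steps 702 and 705 use `hmac.compare_digest` so that a forged result cannot be matched byte by byte through timing, a check the patent leaves to the implementer.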
Some of the messages transmitted in the authentication procedures of Fig. 5, Fig. 6 and Fig. 7, namely the service response message, the MS authentication response message, the authentication success message, the authentication failure message, the authentication request message and the system authentication response message, may be newly defined messages; they may be messages encapsulated in a Data Burst Message, that is, carried in Data Burst form with the authentication content described above as their payload; or they may be an existing message on the forward control channel or the service access channel, extended accordingly. For example, the system authentication response message carrying NET_RESULT may be obtained by extending a field of the Authentication Challenge Message sent on the forward control channel so that it carries the parameter NET_RESULT.
To simplify the authentication procedure further, the invention may also perform the mutual authentication described above only when the service request sent by the MS is a registration request, and omit it when the MS initiates other service requests, such as call origination, call termination, emergency calls and other service types.
In the prior art, voice services and packet data services are authenticated by different network entities in the CDMA system using different procedures, which makes authentication time-consuming and wastes system resources. The invention therefore adopts a comparatively simple authentication network architecture in the CDMA system, authenticates both the terminal's voice services and its packet data services through this architecture with a unified authentication procedure, and thus saves network resources. At the same time, the prior art only authenticates the terminal to the system, which does not meet the security requirements of the digital trunking service; with the authentication network architecture of the invention, both authentication of the terminal by the system and authentication of the system by the terminal are performed.
In summary, the above are only preferred embodiments of the invention and do not limit its scope of protection. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall fall within its scope of protection.

Claims (9)

1. An authentication method for a digital trunking service in a code division multiple access system, characterised in that a core network entity and an authentication entity are provided, connections are established between the core network entity and the base station subsystem and between the core network entity and the authentication entity, and an authentication algorithm and a key are stored in the mobile station and in the authentication entity, the method further comprising the following steps:
A. the mobile station obtains a system-side authentication parameter, computes an authentication result M1 from this system-side authentication parameter and the authentication algorithm and key it stores, and sends M1 to the authentication entity via the base station subsystem and the core network entity;
B. the authentication entity computes an authentication result M2 from the system-side authentication parameter and the authentication algorithm and key it stores, and judges whether M2 is identical to the M1 sent by the mobile station; if identical, step C is executed, otherwise the current authentication procedure ends;
C. the authentication entity obtains a terminal-side authentication parameter, computes an authentication result N1 from this terminal-side authentication parameter and the authentication algorithm and key it stores, and sends N1 to the mobile station via the core network entity and the base station subsystem;
D. the mobile station computes an authentication result N2 from the terminal-side authentication parameter and the authentication algorithm and key it stores, and judges whether N2 is identical to the N1 sent by the authentication entity; if identical, authentication succeeds, otherwise authentication fails,
wherein, when providing the core network entity and the authentication entity: when the core network operates in circuit mode, the mobile switching centre MSC and the visitor location register VLR serve as the core network entity, the home location register HLR or the authentication centre AC is extended with the packet-domain authentication function, and the extended HLR or AC serves as the authentication entity;
when the core network operates in packet mode, the packet control function entity PCF and the packet data serving node PDSN serve as the core network entity, the authentication, authorisation and accounting entity AAA is extended with the radio-side authentication function, and the extended AAA serves as the authentication entity;
and wherein the core network entity and the authentication entity are connected through an interface extended by a linking function.
2. The method according to claim 1, characterised in that the authentication algorithm and key stored in the authentication entity and in the mobile station comprise an authentication algorithm and key for authenticating the terminal by the system and an authentication algorithm and key for authenticating the system by the terminal.
3. The method according to claim 2, characterised in that in step A the mobile station computes M1 from the system-side authentication parameter and the stored algorithm and key for authenticating the terminal by the system; in step B the authentication entity computes M2 from the system-side authentication parameter and the stored algorithm and key for authenticating the terminal by the system; in step C the authentication entity computes N1 from the terminal-side authentication parameter and the stored algorithm and key for authenticating the system by the terminal; and in step D the mobile station computes N2 from the terminal-side authentication parameter and the stored algorithm and key for authenticating the system by the terminal.
4. The method according to claim 1, characterised in that in step A the mobile station obtains the system-side authentication parameter as follows:
A11. the mobile station sends a service request message to the authentication entity on the reverse channel via the base station subsystem and the core network entity;
A12. after receiving the service request message, the authentication entity randomly generates the system-side authentication parameter and sends it to the mobile station in a service response message via the core network entity and the base station subsystem.
5. The method according to claim 1, characterised in that in step A the mobile station obtains the system-side authentication parameter by receiving a broadcast message sent by the base station subsystem and taking the system-side authentication parameter from the received broadcast message.
6. The method according to claim 1, characterised in that in step C the authentication entity obtains the terminal-side authentication parameter as follows:
C11. the authentication entity sends an authentication success message to the mobile station via the core network entity and the base station subsystem;
C12. after receiving the authentication success message, the mobile station randomly generates the terminal-side authentication parameter and sends it to the authentication entity via the base station subsystem and the core network entity.
7. The method according to claim 1, characterised in that in step A the mobile station randomly generates the terminal-side authentication parameter when obtaining the system-side authentication parameter, sends the computed M1 together with this terminal-side authentication parameter to the authentication entity via the base station subsystem and the core network entity, and the authentication entity saves this terminal-side authentication parameter;
and in step C the authentication entity obtains the terminal-side authentication parameter from its own store.
8. The method according to claim 1, characterised in that M1 and N1 are carried in newly defined messages, or in messages encapsulated in a Data Burst Message, or in any message on the forward control channel or the service access channel.
9. The method according to claim 8, characterised in that M1 is carried in a registration request.
Priority Applications (2)

Application Number Priority Date Filing Date Title
CNB2004100702227A CN100550729C (en) 2004-07-30 2004-07-30 A kind of method for authenticating when in code division multiple access system, using for digital clustering operation
PCT/CN2005/001171 WO2006010343A1 (en) 2004-07-30 2005-08-01 A method and system for authenticating digital cluster service

Publications (2)

Publication Number Publication Date
CN1728635A CN1728635A (en) 2006-02-01
CN100550729C true CN100550729C (en) 2009-10-14

Family

ID=35785914

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100433861C (en) * 2006-09-30 2008-11-12 华为技术有限公司 Method for disposing colony user and colony user disposing system
CN101141711B (en) * 2007-10-12 2010-11-10 中兴通讯股份有限公司 Parallel processing method of cluster system resource establishment
CN103096317B (en) * 2011-11-08 2016-04-20 中国电信股份有限公司 A kind of bi-directional authentification method and system based on Shared Secret Data
CN103108291B (en) * 2011-11-15 2016-04-27 中国电信股份有限公司 Note transmission method, mobile switching centre and mobile communication system
CN104253806B (en) * 2013-06-29 2017-11-17 华为终端有限公司 Method for authenticating, client and server
CN111479270B (en) * 2020-04-15 2021-10-12 青岛交互物联科技有限公司 Network access bidirectional authentication method and device
CN112565285B (en) * 2020-12-16 2023-03-24 卡斯柯信号(成都)有限公司 Communication encryption method suitable for rail transit
CN112910652B (en) * 2021-01-18 2022-11-08 湖南海格力士智能科技有限公司 Remote controller identification method and remote controller identification device

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FI106605B (en) * 1997-04-16 2001-02-28 Nokia Networks Oy authentication method
KR100506076B1 (en) * 2000-03-23 2005-08-04 삼성전자주식회사 Method for mutual authentication and key exchange based on the user's password and apparatus thereof
CN1467943A (en) * 2002-07-10 2004-01-14 ZTE Corp CDMA system and method for implementing bi-directional authentification

Also Published As

Publication number Publication date
CN1728635A (en) 2006-02-01
WO2006010343A1 (en) 2006-02-02

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right
Effective date of registration: 20220118
Address after: 450046 Floor 9, building 1, Zhengshang Boya Plaza, Longzihu wisdom Island, Zhengdong New Area, Zhengzhou City, Henan Province
Patentee after: Super fusion Digital Technology Co.,Ltd.
Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen
Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.