CN101132649A - Network access authentication method and its USIM card - Google Patents

Network access authentication method and its USIM card Download PDF

Info

Publication number
CN101132649A
CN101132649A CNA2007101754383A CN200710175438A CN101132649A CN 101132649 A CN101132649 A CN 101132649A CN A2007101754383 A CNA2007101754383 A CN A2007101754383A CN 200710175438 A CN200710175438 A CN 200710175438A CN 101132649 A CN101132649 A CN 101132649A
Authority
CN
China
Prior art keywords
authentication
network
network side
key
usim card
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CNA2007101754383A
Other languages
Chinese (zh)
Inventor
张志红
穆肇骊
王建
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Datang Microelectronics Technology Co Ltd
Original Assignee
Datang Microelectronics Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Datang Microelectronics Technology Co Ltd filed Critical Datang Microelectronics Technology Co Ltd
Priority to CNA2007101754383A priority Critical patent/CN101132649A/en
Publication of CN101132649A publication Critical patent/CN101132649A/en
Pending legal-status Critical Current

Links

Images

Abstract

This invention relates to an authentication method for network access and its USIM card with a set of authentication keys in it same with the network side, in which, the method includes: a terminal starts up an access authentication request when the terminal logs onto the network or updates its position, the terminal side and the network side utilize mutual information and agreement to select same ones in the authentication key to access network authentication, in which, the message is the authentication token sent by the network side and the agreement is the corresponding relation of the special bit value of the authentication management domain and any authentication key in the set of keys, and it's not necessary to increase new signaling or change current authentication protocol to realize low cost based on the current 3G network access authentication process.

Description

A kind of network access authentication method and usim card thereof
Technical field
The present invention relates to the 3G (Third Generation) Moblie technology, be specifically related to a kind of network access authentication method and usim card thereof of supporting key agreement and negotiating algorithm.
Background technology
Network access authentication is the key character of 3G (Third Generation) Moblie (being called for short 3G) security system, and it is finished by mobile phone terminal side usim card, VLR/SGSN and HLR/AuC are collaborative.Its basic principle is based on mobile phone terminal side usim card and network side HLR/AuC shares permanent KI K.As shown in Figure 1, in 3G (Third Generation) Moblie network access authentication process, authentication is to be finished jointly by the built-in USIM of portable terminal, network side VLR/SGSN and HLR/AuC.Wherein permanent KI K is preset at respectively among mobile terminal side usim card and the network side HLR/AuC by secured fashion, and the two shares this key.Thereby can authenticate the access authentication of finishing the user mutually by KI K end side usim card and network side.3GPP user's access authentication process may further comprise the steps:
101) portable terminal ME carries body user part sign IMSI and sends the authentication vector request message to service network;
102) service network VLR/SGSN passes to HLR/AuC with User Identity IMSI simultaneously to HLR/AuC request five-tuple authentication vector AV;
103) HLR/AuC searches corresponding KI K (unique) according to family identify label IMSI, and calls authentication arithmetic (unique) generation five-tuple authentication vector AV (comprising random number RA ND, Expected Response value XRES, encryption key CK, Integrity Key IK and authentication-tokens AUTN);
104) HLR/AuC sends to VLR/SGSN with the authentication vector AV that generates;
105) VLR/SGSN keeps Expected Response value XRES, encryption key CK and the Integrity Key IK in the five-tuple authentication vector
106) VLR/SGSN sends to portable terminal ME with random number RA ND in the five-tuple authentication vector and authentication token AUTN then;
107) portable terminal ME is transmitted to usim card with random number RA ND and the authentication token AUTN that receives.Usim card uses legitimacy and the validity of inner KI K (unique) that preserves and authentication arithmetic (unique) checking AUTN.If the AUTN authentication is by (legitimacy of usim card authenticating network), then USIM uses KI K, RAND and authentication arithmetic to generate Authentication Response value RES and encryption key CK, Integrity Key IK;
108) portable terminal ME sends Authentication Response value RES to service network
109) whether the RES that relatively receives of VLR/SGSN equates with XRES, if equate that then network side thinks that usim card is a validated user.Thereby finished the mutual authentication process of mobile terminal side usim card and network side.
The concrete visible list of references 3GPP TS 33.102 of this authentication mechanism: " 3rd GenerationPartnership Project; Technical Specification Group Services and SystemAspects; 3G Security; Security architecture (Release 6) ".
Adopt the authentication mechanism of this single permanent key K of sharing to have certain safety defect, because the assailant is to intercept and capture the authentication vector (AUTN that network issues by the air interface monitoring, RAND) and usim card response results RES, after obtaining a large amount of authentication parameters and response results, calculate what the threat of key K always existed by algorithm being implemented attack.If the accidental disaster that key K is broken or reveals takes place, its harm is very serious.
Summary of the invention
The technical issues that need to address of the present invention provide a kind of network access authentication method and usim card thereof, can further strengthen the fail safe of mobile communication.
Above-mentioned first technical problem of the present invention solves like this, and a kind of network access authentication method is provided, and shares one group of KI in end side and network side, may further comprise the steps:
1.1) terminal steps on net or the position is upgraded to network initiation authentication request;
1.2) end side and mutual message of network side utilization and key agreement select the mutually same network access authentication that carries out in described one group of KI.
This many key agreements mechanism can strengthen the anti-attack ability of KI K.
According to key agreement method for authenticating provided by the invention, described selection comprises that the periodic replacement key is selected or the dynamic random key selects or class of user is not selected or their combination.
According to method for authenticating provided by the invention, described mutual message is the authentication-tokens that network side issues, described key agreement is the corresponding relation of arbitrary KI in the appointment place value of authentication management field in the described authentication-tokens and the described one group of KI, and this mode need not increase or change existing 3G authentication protocol and authentication parameter.
According to method for authenticating provided by the invention, described step 1.2) comprises that also end side and network side utilization message each other and algorithm agreement selects the mutually same network access authentication that carries out in end side and the one group of authentication arithmetic that network side is shared; This many negotiating algorithms mechanism cooperates with many key agreements mechanism, and further for network insertion provides more powerful safety assurance, many key agreements and many negotiating algorithms in time can be interlaced or first each other/after.
According to method for authenticating provided by the invention, described message each other is the authentication-tokens that network side issues, with the described mutual message of arranging key is identical, the corresponding relation of arbitrary algorithm in the setting place value that described algorithm agreement is an authentication management field in the described authentication-tokens and the described one group of algorithm, described setting position is different with described specific bit, and this mode need not increase or change existing 3G authentication protocol and authentication parameter.
According to method for authenticating provided by the invention, described authentication management field has 16, includes, but are not limited to use following agreement: most-significant byte is as reservation, and least-significant byte is used for consulting authentication arithmetic and KI
Described key agreement is: BIT0-BIT5 represents key identification, can correspondingly identify 64 different keys;
Described algorithm agreement is: BIT6-BIT7 represents the algorithm sign, can 4 kinds of algorithms of corresponding sign.
Do not changing on the 3GPP authentication protocol basis like this, realized that by authentication management field AMF authentication arithmetic is consulted and KI is consulted, thereby realize the present invention based on existing 3G network access authentication process, do not need to increase new signaling or change existing authentication protocol.。
According to method for authenticating provided by the invention, specifically may further comprise the steps:
5.1) terminal initiates network insertion, service access or position updating request and carry mobile subscriber identifier sign ISMI to network side;
5.2) network side VLR/SGSN is to network side HLR/AuC request mobile subscriber identifier sign IMSI user's authentication five-tuple; This authentication five-tuple comprises random number, Expected Response value, encryption key, Integrity Key and authentication-tokens;
5.3) network side HLR/AuC according to security strategy to the specific bit of authentication management field in the described authentication-tokens with set place value and carry out relative set and generate the authentication five-tuple according to the authentication arithmetic and the KI of correspondence simultaneously;
5.4) network side HLR/AuC sends to network side VLR/SGSN with the authentication five-tuple, network side VLR/SGSN preserves described Expected Response value, encryption key and Integrity Key;
5.5) network side VLR/SGSN is to terminal transmission authentication request and carry described random number and authentication-tokens;
5.6) terminal receives described authentication request and according to the specific bit of authentication management field in the described authentication-tokens with set place value and select corresponding authentication arithmetic and KI to carry out terminal to send the Authentication Response result to the authentication of network and to network side VLR/SGSN;
5.7) network side VLR/SGSN carries out the authentication of network to terminal according to described Authentication Response result.
According to method for authenticating provided by the invention, described security strategy promptly: periodic replacement is selected or dynamic random selects or class of user is not selected or their combination, also comprises default authentication arithmetic of direct use and KI.
According to method for authenticating provided by the invention, described step 5.3) relative set in is if complete zero, and the authentication arithmetic of described correspondence and KI are default authentication arithmetic and KI.
According to method for authenticating provided by the invention, described step 5.6) if middle terminal is invalid to sequence number SQN authentication to usim card in the verification process of network, then must carry out synchronizing process again, described end side usim card and network side directly use default KI and authentication arithmetic to carry out synchronous again.(be that usim card adopts default key and default algorithm to calculate authentication token AUTS synchronously again *, and HLR/AuC also adopts the same manner checking AUTS *)
Above-mentioned another technical problem of the present invention solves like this, and a kind of usim card is provided, the built-in one group KI identical with network side, and this usim card carries out network access authentication like this: usim card is received the authentication request order that its terminal sends; Usim card utilizes mutual message and the key agreement between end side and network side to select a KI in described one group of KI to carry out network access authentication.This many key agreements mechanism can strengthen the anti-attack ability of KI K.
According to usim card provided by the invention, preserve one group of KI tabulation the card planted agent, it is made up of key identification and key value two parts; Described mutual message is the authentication-tokens that network side issues, and described key agreement is the appointment place value of authentication management field in the described authentication-tokens and the corresponding relation of described key identification; This usim card carries out network access authentication like this: usim card is received the authentication request order that its terminal sends; Usim card parses authentication management field from authentication-tokens, search the key identification that matches according to described specific bit and described corresponding relation in described KI tabulation then, determines KI; Usim card carries out terminal according to the KI of determining and sends the Authentication Response result to the authentication of network and to network side.
According to usim card provided by the invention, this usim card also built-in with mutually same group authentication arithmetic of network side and authentication arithmetic identification list thereof, this usim card carries out network access authentication like this: usim card is received the authentication request order that its terminal sends; Usim card utilizes a KI in message between end side and the network side and key agreement and the described one group of KI of algorithm agreement corresponding selection and an authentication arithmetic in described one group of authentication arithmetic to carry out network access authentication.This many negotiating algorithms mechanism cooperates with many key agreements mechanism, and further for network insertion provides more powerful safety assurance, many key agreements and many negotiating algorithms in time can be interlaced or first each other/after.
According to usim card provided by the invention, described authentication arithmetic tabulation comprises the algorithm sign, and same algorithm is identified at the usim card authentication arithmetic corresponding identical with network side.
A kind of network access authentication method provided by the invention and usim card thereof, do not changing on the 3GPP authentication protocol basis, realized that by authentication management field AMF authentication arithmetic is consulted and KI is consulted, the compare security system of single key and single algorithm, this programme can improve the difficulty that KI is decrypted to a great extent, thereby reduces the security risk that causes because key reveals.In addition, this programme does not need to increase or change existing 3G authentication protocol and authentication parameter, and is less to existing terminal and network change amount.Therefore realize that cost is relatively low; And China has the cipher theory research and the cryptographic algorithm designed capacity of advanced level, the autonomous security algorithm of country's support employing.The negotiating algorithm ability that this programme is advocated provides possibility for China realizes autonomous authentication arithmetic.Adopt autonomous authentication arithmetic to interconnecting and not influence such as roaming, but therefore the safe precaution ability of operator can strengthen, thereby this programme have important real directive significance for the deploy and implement of 3G network.
Description of drawings
Further the present invention is described in detail below in conjunction with the drawings and specific embodiments.
Fig. 1 is an existing network access authentication schematic flow sheet.
Fig. 2 is a network access authentication schematic flow sheet of the present invention.
Fig. 3 is a network access authentication of the present invention synchronizing process schematic diagram again.
Fig. 4 is that the present invention strengthens usim card KI negotiation schematic flow sheet.
Fig. 5 is that the present invention strengthens usim card authentication arithmetic negotiation schematic flow sheet.
Fig. 6 is that the present invention strengthens usim card KI and negotiating algorithm schematic flow sheet.
Embodiment
At first, characteristics of the present invention are described:
1. proposed to realize based on existing 3G network access authentication process, need not increase new signaling or change the specific implementation method that the 3G authentication arithmetic is consulted and KI is consulted of existing authentication protocol
2.3G in the synchronizing process, usim card and network side can adopt default key rather than arranging key to authenticate synchronously to authentication again again, thereby have guaranteed in full accord with existing VLR/SGSN equipment.
3. this programme has farthest been inherited former 3G authentication protocol.This programme only relates to does upgrading to AuC of AUC and usim card, to portable terminal and other network element without any influence.
4. this programme has also proposed the security strategy of key agreement and negotiating algorithm, and operator can be according to the business characteristic of self with to the security strategy of the demand arrangement network side AuC of AUC of safety.
In second step, security strategy of the present invention is described:
This programme has been set forth based on the authentication arithmetic in the 3G authentication process and has been consulted and the KI negotiation method.Each operator can formulate the full strategy that HLR/AuC implements negotiating algorithm and key agreement according to the business characteristic of self with to the demand of safety, can unify arrangement and also can dispose separately for the user.And each mobile terminal request HLR/AuC is when generating the authentication five-tuple, and HLR/AuC will generate authentication management field AMF automatically according to the security strategy configured list.
(1) key agreement strategy:
-when generating the authentication tuple at every turn, can adopt and from one group of KI, randomly draw one Dynamic Selection mode
-adopt periodic replacement key mode, for example, 3 months or change a secondary key half a year
Can only adopt single key authentication mode when the-phase I, 3G began commercialization; Later stage by upgrading usim card and network side HLR/AuC, can provide the dynamic negotiation cipher key service to new user during condition maturity.
(2) negotiating algorithm strategy:
Can consider only to adopt the MILENAGE authentication arithmetic when the-phase I, 3G began commercialization
The homemade autonomous authentication arithmetic of-second stage can adopt the operational version of MILENAGE authentication arithmetic and autonomous authentication arithmetic coexistence after usim card and network side HLR/AuC combined debugging are finished.The configurable preferred autonomous authentication arithmetic of network side.
In the 3rd step, the concrete definition of the present invention to authentication management field AMF is described:
(1) long 16 bytes of the authentication-tokens AUTN that issues of network side, it forms structure AUTN=SQN*AK ‖ AMF ‖ MAC, and wherein authentication management field AMF is long 16, and authentication management field AMF does not have the standardization definition at present, and default value is ' 0x0000 '.But principle of the present invention comes implementation algorithm to consult and key agreement by usim card and network to the agreement of AMF special bit, and as shown in Figure 3, operator can distribute 16 AMF resources effectively according to the network own characteristic with to the demand of safety.
(2) understand for convenient, illustrate below:
The most-significant byte of supposing definition AMF is as reservation, and least-significant byte is used for consulting authentication arithmetic and KI, agree as follows:
-BIT0-BIT5 represents key identification, can be used to identify 64 different keys, 000000 expression default key
-BIT6-BIT7 represents the algorithm sign, can support four kinds of algorithms at most, 00 expression default algorithm
Certainly, also the least-significant byte that can define AMF as required is as reservation, and most-significant byte is used for consulting authentication arithmetic and KI, and perhaps not necessarily 8, several that can choose wantonly in 16 are come as reserving or being used for consulting authentication arithmetic and KI.
In the 4th step, illustrate in the network access authentication that synchronization mechanism is to the processing of authentication management field AMF again
Again in the synchronization mechanism agreement AMF to adopt default KI and authentication arithmetic to carry out synchronous again, its objective is compatible existing VLR/SGSN equipment.Can guarantee that the present invention only carries out technological transformation end to end to usim card and HLR/AuC.
Specifically as shown in Figure 3, comprising: when VLR/SGSN receives | from the AUTS of portable terminal *After the synchronization message, directly send RAND ‖ AUTS again to HLR/AuC *, need not to transmit AMF.Can guarantee the complete compatibility with existing 3G VLR/SGSN equipment like this, because the probability that takes place of synchronization request is very low again, so also can not hang down its fail safe; Wherein, AUTS *Default KI K is used in expression, and RAND represents random number.HLR/AuC receives synchronization message RAND ‖ AUTS again *After, at first by default KI and authentication arithmetic authentication AUTS *Legitimacy, after authentication was passed through, HLR/AuC revised the SQN of its network side, the authentication vector Qi request usim card that resends a five-tuple is then done authentication once more.
The 5th step described KI negotiation of the present invention and authentication arithmetic in detail and consults flow process, as shown in Figure 2, specifically may further comprise the steps:
201) when portable terminal ME when service network is initiated request such as network insertion, service access or position renewal, need carry mobile subscriber identifier sign IMSI;
202) service network VLR/SGSN is to HLR/AuC request IMSI user's authentication five-tuple.The authentication five-tuple comprises random number RA ND, Expected Response value XRES, encryption key CK, Integrity Key IK and authentication-tokens AUTN (SQN *AK ‖ AMF ‖ MAC);
203) HLR/AuC judges according to security strategy (seeing 4.2) whether this IMSI user needs to carry out key agreement and negotiating algorithm:
1) if do not need to consult new authentication arithmetic and key, AMF then is set is ' 0x0000 ', adopt default algorithm and key to generate authentication five-tuple RAND ‖ XRES ‖ CK ‖ IK ‖ AUTN;
2) negotiation algorithm or key if desired then carry out relative set to AMF, and search corresponding KI K and authentication arithmetic according to AMF.Authentication arithmetic and key according to appointment generates authentication five-tuple RAND ‖ XRES ‖ CK ‖ IK ‖ AUTN then;
204) HLR/AuC sends to VLR/SGSN with the authentication five-tuple, and VLR/SGSN preserves XRES, CK and IK.Expected Response value XRES is used for authenticating the response RES that usim card returns, and encryption key CK and Integrity Key IK are used for the data of eating dishes without rice or wine are carried out encryption and decryption and integrity protection;
205) VLR/SGSN sends authentication request to portable terminal ME, carries random number RA ND and authentication-tokens AUTN;
206) after usim card receives authentication request message, judge by AMF whether network side requires negotiating algorithm or key agreement earlier:
1) if AMF is ' 0x0000 ', then carries out normal authorizing procedure;
2), then search corresponding KI K or authentication arithmetic by AMF if AMF represents to carry out algorithm or key agreement.Then according to KI K and the correctness of proof of algorithm message authentication code MAC and the validity of sequence number SQN of appointment.
If-mac authentication failure, then usim card directly returns failed authentication
If-mac authentication is passed through, the SQN checking is invalid, and then usim card uses default algorithm and default key K to calculate synchronization request authentication token AUTS again *(seeing notes)
Pass through if-MAC and SQN all verify, then usim card uses algorithm and K calculated response value RES, encryption key CK and the Integrity Key IK that this time consults.Thereby finished the verification process of usim card to network.
207) ME preserves CK and the IK that usim card returns, and is used for follow-up data encrypting and deciphering and the integrity protection of eating dishes without rice or wine.And send the Authentication Response result to VLR/SGSN, comprise three kinds of situations: the synchronization request AUTS of failed authentication/again */ correct response RES
208) after VLR/SGSN receives Authentication Response, carry out following operation:
1) if receive RES, RES and XRES are compared
If-RES equals XRES, then finished the verification process of network to terminal
If-RES is not equal to XRES, then network is failed to terminal authentication, and VLR/SGSN sends failed authentication message to HLR/AuC
2) if receive AUTS *, with AUTS *Send to HLR/AuC together with corresponding RAND
3), then send the authentication failed message to HLR/AuC if receive authentification failure message.
209) VLR/SGSN sends failed authentication message or synchronization message again to HLR/AuC
210) after HLR/AuC receives synchronization message again, at first by default KI and authentication arithmetic authentication AUTS *Legitimacy, after authentication was passed through, HLR/AuC revised the SQN of its network side, the authentication vector Qi request usim card that resends a five-tuple is then done authentication once more.The explanation of five-tuple authentication vector:
Message authentication code MAC=f1 K(SQN ‖ RAND ‖ AMF)
Expected Response XRES=f2K (RAND)
Encryption key CK=f3K (RAND)
Integrity Key IK=f4K (RAND)
Anonymity Key AK=f5K (RAND)
Authentication-tokens AUTN=SQN AK ‖ AMF ‖ MAC
Synchronous token AUTS=SQNMS  f5*K (RAND) ‖ MAC-S. again
Synchronous again authentication code MAC-S=f1*K (SQNMS ‖ RAND ‖ AMF)
Wherein:
F1 message authentication function is used for calculating MAC
F1 *The message authentication function is used for calculating MAC-S
F2 message authentication function is used for calculating RES and XRES
F3 key generating function is used for calculating CK
F4 key generating function is used for calculating IK
F5 key generating function is used for calculating AK in the normal flow
F5 *The key generating function is used for calculating AK in the flow process more synchronously
The key of specific implementation of the present invention is described at last: strengthen usim card technology specific implementation
(1) KI is consulted
Different with single KI way to manage, strengthen USIM and preserve one group of KI tabulation the card planted agent, it is made up of key identification and key value two parts.In the card personalization hair fastener stage, these key identifications and key value need to be preset in the card by secured fashion.In like manner, in the HLR/AuC database, also should there be one group of identical KI tabulation.During each authentication, usim card can be by AMF KI sign position index corresponding KI K in the card, and verifies AUTN and the calculated response value RES that network issues according to the KI K of appointment, realizes the key agreement function.
The usim card KI is consulted flow process (supposition puts aside the authentication arithmetic negotiation), and as shown in Figure 4, usim card is done as follows after receiving the authentication request order of terminal transmission:
1) at first from AUTN, parses authentication management field AMF, in the KI tabulation, search the key identification that matches according to AMF KI sign position then, determine KI K.
2) verify AUTN (SQN according to the KI of default authentication arithmetic and AMF appointment AK ‖ AMF ‖ MAC).
If-mac authentication failure, then usim card directly returns failed authentication
If-mac authentication is passed through, the SQN checking is invalid, and then usim card uses the synchronous again authentication token AUTS of default algorithm computation *
3) if MAC and SQN all verify to be passed through, then usim card uses KI compute authentication response RES, the encryption key CK and the Integrity Key IK of appointment, and result of calculation is returned to terminal.
(2) authentication arithmetic is consulted
Strengthen usim card and should support authentication arithmetic more than two kinds at least.And select which authentication arithmetic, just need in card, set up the corresponding relation of an AMF value and authentication arithmetic in code development phase and tabulate.This tabulation is based on operator the definition that the AMF algorithm identifies the position is produced.By AMF algorithm sign position, strengthen AUTN and calculated response value RES that USIM can adopt different authentication arithmetic checking networks to issue, thus the implementation algorithm negotiation functionality.
The usim card authentication arithmetic is consulted flow process (supposition puts aside the KI negotiation), and as shown in Figure 5, usim card is done as follows after receiving the authentication request order of terminal transmission:
1) at first parse authentication management field AMF from AUTN, the corresponding algorithm module is searched in AMF algorithm sign position according to a preconcerted arrangement then.
2) verify AUTN (SQN according to the algoritic module of default KI and AMF appointment AK ‖ AMF ‖ MAC).
If-mac authentication failure, then usim card directly returns failed authentication
If-mac authentication is passed through, the SQN checking is invalid, and then usim card uses the synchronous again authentication token AUTS of default algorithm computation *
3) if MAC and SQN all verify to be passed through, then usim card uses algorithm computation Authentication Response RES, encryption key CK and the Integrity Key IK of appointment, and result of calculation is returned to terminal.
(3) KI is consulted and the authentication arithmetic negotiation
As shown in Figure 6, based on above description above-mentioned () and (two), by but be not restricted to behind the first key agreement negotiating algorithm order and can in strengthening usim card, carry out key agreement and negotiating algorithm simultaneously.
Strengthen usim card and should support authentication arithmetic more than two kinds at least.And select which authentication arithmetic, just need in card, set up the corresponding relation of an AMF value and authentication arithmetic in code development phase and tabulate.This tabulation is based on operator the definition that the AMF algorithm identifies the position is produced.By AMF algorithm sign position, strengthen AUTN and calculated response value RES that USIM can adopt different authentication arithmetic checking networks to issue, thus the implementation algorithm negotiation functionality.
The usim card authentication arithmetic is consulted flow process, and as shown in Figure 6, usim card is done as follows after receiving the authentication request order of terminal transmission:
1) at first from AUTN, parses authentication management field AMF, in the KI tabulation, search the key identification that matches according to AMF KI sign position then, determine KI K.
2) parse authentication management field AMF from AUTN, the corresponding algorithm module is searched in AMF algorithm sign position according to a preconcerted arrangement then.
3) algoritic module and the KI K according to the AMF appointment verifies AUTN (SQN AK ‖ AMF ‖ MAC).
If-mac authentication failure, then usim card directly returns failed authentication
If-mac authentication is passed through, the SQN checking is invalid, and then usim card uses the synchronous again authentication token AUTS of default algorithm computation *
4) if MAC and SQN all verify to be passed through, then usim card uses algorithm computation Authentication Response RES, encryption key CK and the Integrity Key IK of appointment, and result of calculation is returned to terminal.
Based on above description, by but be not restricted to behind the first key agreement negotiating algorithm order and can in strengthening usim card, carry out key agreement and negotiating algorithm simultaneously.

Claims (10)

1. a network access authentication method is characterized in that, shares one group of KI in end side and network side, may further comprise the steps:
1.1) when terminal is stepped on net or position and is upgraded to the network requests authentication vector;
1.2) end side and the mutual message of network side utilization and key agreement select one in described one group of KI to carry out network access authentication.
2. according to the described method for authenticating of claim 1, it is characterized in that described selection is that periodic replacement is selected or dynamic random selects or class of user is not selected or their combination.
3. according to the described method for authenticating of claim 1, it is characterized in that described step 1.2) comprise that also end side and network side utilization message and algorithm agreement each other select one in one group of authentication arithmetic that end side and network side share to carry out network access authentication.
4. according to claim 1 or 3 described method for authenticating, it is characterized in that, described message all is the authentication-tokens that network side issues, described agreement is the corresponding relation of arbitrary KI or authentication arithmetic in the appointment place value of authentication management field in the described authentication-tokens and described one group of KI or the authentication arithmetic, and described key agreement is different with the corresponding specific bit of algorithm agreement.
5. according to each described method for authenticating of claim 1-3, it is characterized in that this method for authenticating specifically may further comprise the steps:
5.1) terminal initiates network insertion, service access or position updating request and carry mobile subscriber identifier sign to network side;
5.2) network side VLR/SGSN is to the authentication five-tuple of network side HLR/AuC request mobile subscriber identifier identifying user; This authentication five-tuple comprises random number, Expected Response value, encryption key, Integrity Key and authentication-tokens;
5.3) network side HLR/AuC according to security strategy to the specific bit of authentication management field in the described authentication-tokens with set place value and carry out relative set and generate the authentication five-tuple according to the authentication arithmetic and the KI of correspondence simultaneously;
5.4) network side HLR/AuC sends to network side VLR/SGSN with the authentication five-tuple, network side VLR/SGSN preserves described Expected Response value, encryption key and Integrity Key;
5.5) network side VLR/SGSN is to terminal transmission authentication request and carry described random number and authentication-tokens;
5.6) the terminal usim card receives described authentication request and according to the specific bit of authentication management field in the described authentication-tokens with set place value and select corresponding authentication arithmetic and KI to carry out terminal to send the Authentication Response result to the authentication of network and to network side VLR/SGSN;
5.7) network side VLR/SGSN carries out the authentication of network to terminal according to described Authentication Response result.
6. according to the described method for authenticating of claim 5, it is characterized in that described step 5.3) in the authentication management field setting be complete zero the time, the authentication arithmetic of described correspondence and KI are default authentication arithmetic and KI.
7. according to the described method for authenticating of claim 5, it is characterized in that, described step 5.6) if middle terminal is invalid to sequence number SQN authentication to usim card in the verification process of network, then described end side usim card and network side directly use default KI and algorithm to carry out synchronous again.
8. a usim card is characterized in that, the built-in one group KI identical with network side, and this usim card carries out network access authentication like this: receive the authentication request order that its terminal sends; Utilize mutual message and key agreement between end side and network side to select a KI in described one group of KI to carry out network access authentication.
9. described according to Claim 8 usim card is characterized in that, described one group of KI is arranged in the KI tabulation, and it is made up of key identification and key value two parts; Described mutual message is the authentication-tokens that network side issues, and described key agreement is the appointment place value of authentication management field in the described authentication-tokens and the corresponding relation of described key identification; This usim card carries out network access authentication like this: receive the authentication request order that its terminal sends; From authentication-tokens, parse authentication management field, in described KI tabulation, search the key identification that matches according to described specific bit and described corresponding relation then, determine KI; Carry out terminal according to the KI of determining and send the Authentication Response result to the authentication of network and to network side.
10. described according to Claim 8 usim card is characterized in that, also built-in identical with network side one group of authentication arithmetic of this usim card and authentication arithmetic identification list, and this usim card carries out network access authentication like this: receive the authentication request order that its terminal sends; Utilize a KI in the described one group of KI of message between end side and the network side and key agreement and algorithm agreement corresponding selection and an authentication arithmetic in described one group of authentication arithmetic to carry out network access authentication.
CNA2007101754383A 2007-09-29 2007-09-29 Network access authentication method and its USIM card Pending CN101132649A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2007101754383A CN101132649A (en) 2007-09-29 2007-09-29 Network access authentication method and its USIM card

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA2007101754383A CN101132649A (en) 2007-09-29 2007-09-29 Network access authentication method and its USIM card

Publications (1)

Publication Number Publication Date
CN101132649A true CN101132649A (en) 2008-02-27

Family

ID=39129727

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2007101754383A Pending CN101132649A (en) 2007-09-29 2007-09-29 Network access authentication method and its USIM card

Country Status (1)

Country Link
CN (1) CN101132649A (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102137397A (en) * 2011-03-10 2011-07-27 西安电子科技大学 Authentication method based on shared group key in machine type communication (MTC)
CN103179558A (en) * 2012-09-20 2013-06-26 中兴通讯股份有限公司 Method and system for cluster system implementing group calling encryption
CN103532963A (en) * 2013-10-22 2014-01-22 中国联合网络通信集团有限公司 IOT (Internet of Things) based equipment authentication method, device and system
CN103581153A (en) * 2012-08-08 2014-02-12 中国移动通信集团公司 Encryption method and device in system of Internet of Things
CN103888942A (en) * 2014-03-14 2014-06-25 天地融科技股份有限公司 Data processing method based on negotiation secret keys
CN104506560A (en) * 2015-01-13 2015-04-08 中国人民解放军总参谋部工程兵科研三所 Dynamic parameter wireless test network security confidentiality keeping method
WO2016206387A1 (en) * 2015-06-26 2016-12-29 中兴通讯股份有限公司 Authentication method and system for accessing isolated network
CN107333263A (en) * 2017-06-12 2017-11-07 浙江神州量子网络科技有限公司 A kind of follow-on SIM card and mobile communication personal identification method and system
WO2021252014A1 (en) * 2020-06-08 2021-12-16 Google Llc Security token expiration using signing key rotation

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102137397A (en) * 2011-03-10 2011-07-27 西安电子科技大学 Authentication method based on shared group key in machine type communication (MTC)
CN103581153A (en) * 2012-08-08 2014-02-12 中国移动通信集团公司 Encryption method and device in system of Internet of Things
CN103179558B (en) * 2012-09-20 2016-06-22 中兴通讯股份有限公司 Group system group exhales encryption implementation method and system
CN103179558A (en) * 2012-09-20 2013-06-26 中兴通讯股份有限公司 Method and system for cluster system implementing group calling encryption
WO2013185735A2 (en) * 2012-09-20 2013-12-19 中兴通讯股份有限公司 Encryption realization method and system
WO2013185735A3 (en) * 2012-09-20 2014-02-13 中兴通讯股份有限公司 Encryption realization method and system
US9667413B2 (en) 2012-09-20 2017-05-30 Zte Corporation Encryption realization method and system
CN103532963A (en) * 2013-10-22 2014-01-22 中国联合网络通信集团有限公司 IOT (Internet of Things) based equipment authentication method, device and system
CN103888942A (en) * 2014-03-14 2014-06-25 天地融科技股份有限公司 Data processing method based on negotiation secret keys
CN103888942B (en) * 2014-03-14 2017-04-19 天地融科技股份有限公司 Data processing method based on negotiation secret keys
CN104506560A (en) * 2015-01-13 2015-04-08 中国人民解放军总参谋部工程兵科研三所 Dynamic parameter wireless test network security confidentiality keeping method
CN104506560B (en) * 2015-01-13 2018-04-27 中国人民解放军总参谋部工程兵科研三所 A kind of safety security method of dynamic parameter wireless test network
WO2016206387A1 (en) * 2015-06-26 2016-12-29 中兴通讯股份有限公司 Authentication method and system for accessing isolated network
CN107333263A (en) * 2017-06-12 2017-11-07 浙江神州量子网络科技有限公司 A kind of follow-on SIM card and mobile communication personal identification method and system
WO2021252014A1 (en) * 2020-06-08 2021-12-16 Google Llc Security token expiration using signing key rotation

Similar Documents

Publication Publication Date Title
CN101123778A (en) Network access authentication method and its USIM card
US8265593B2 (en) Method and system of communication using extended sequence number
KR101485230B1 (en) Secure multi-uim authentication and key exchange
AU2011248610B2 (en) Wireless network authentication apparatus and methods
CN101132649A (en) Network access authentication method and its USIM card
EP2810418B1 (en) Group based bootstrapping in machine type communication
CN101969638B (en) Method for protecting international mobile subscriber identity (IMSI) in mobile communication
CN1929371B (en) Method for negotiating key share between user and peripheral apparatus
KR20170139093A (en) A method for a network access device to access a wireless network access point, a network access device, an application server, and a non-volatile computer readable storage medium
US8819765B2 (en) Security policy distribution to communication terminals
CA2879910C (en) Terminal identity verification and service authentication method, system and terminal
CN101378582B (en) User recognizing module, authentication center, authentication method and system
CN101409619B (en) Flash memory card and method for implementing virtual special network key exchange
CN108683510A (en) A kind of user identity update method of encrypted transmission
CN111865603A (en) Authentication method, authentication device and authentication system
CN101777978A (en) Method and system based on wireless terminal for applying digital certificate and wireless terminal
CN103597799A (en) Service access authentication method and system
CN103533539A (en) Virtual SIM (subscriber identity module) card parameter management method and device
CN102318386A (en) Service-based authentication to a network
CN102685739B (en) Authentication method and system for Android enterprise applications
CN108012266B (en) Data transmission method and related equipment
CN104521213A (en) Manipulation and restoration of authentication challenge parameters in network authentication procedures
CN101990201B (en) Method, system and device for generating general bootstrapping architecture (GBA) secret key
CN102487506B (en) Access authentication method, system and server based on WAPI (wireless local access network authentication and privacy infrastructure) protocol
CN103313244A (en) Authentication method and device based on generic bootstrapping architecture (GBA)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Open date: 20080227