Background technology
Mobile phone TV services deliver multimedia, data messages and other content (traffic information, news and so on) to mobile phones by multicast/broadcast. As an emerging medium, mobile TV gives users a brand-new service experience: television reception on a mobile phone. Because subscribers can receive while roaming and moving, mobile TV has a greater reach than traditional television and can bring all kinds of information to the user faster.
In mobile phone TV services, an authentication system for subscribers accessing the mobile TV service system must be established so that only authorized users can receive television normally. The terminal authenticates to the multimedia broadcast service control centre with a login key; only after this authentication passes can the subsequent mobile TV service access authentication process be carried out.
In the GSM/GPRS and WCDMA networks of the 3GPP system, the user's login key is obtained through the Generic Bootstrapping Architecture (GBA) process, as shown in Figure 1.
When no shared login key exists between the terminal and the mobile TV service system, the terminal initiates a GBA process with the Bootstrapping Service Function (BSF) of the authentication service module:
First, the terminal sends a GBA request. The BSF obtains the user authentication vector from the Home Location Register (HLR) as a triplet (for GSM/GPRS) or from the Home Subscriber Server (HSS) as a quintuplet (for WCDMA); the subscriber identity card, (U)SIM, in the terminal can produce the same authentication vector. Based on this authentication vector, the terminal and the BSF generate a shared key through HTTP Digest AKA (HTTP digest authentication) between them;
Then the BSF sends the shared key to the mobile TV service system, and the terminal and the mobile TV service system each generate the shared login key from that shared key. In this way the terminal and the mobile TV service system end up holding identical login keys.
In the CDMA 1X and CDMA EV-DO networks of the 3GPP2 system, the terminal/card and the network HLR/AAA are pre-provisioned with the same login key. The mobile TV service system can obtain the login key from the HLR/AAA.
Fig. 2 is a flow chart of obtaining the login key in the prior art. After the terminal completes mobile network access authentication, it initiates the registration authentication process to the mobile TV service system. The service system checks whether the login key it holds locally for this user is valid. If it is valid, the service system and the terminal share that login key; after the user authentication process (see Fig. 4) the user's registration request is granted and the subsequent key derivation negotiation is completed. If it is invalid, the service system and the terminal each generate a login key, the service system and the terminal share it, and after the user authentication process the registration request is granted and the subsequent key derivation negotiation is completed.
Once the login key has been generated, it can be used to initiate the HTTP Digest authentication process to the mobile TV service system. The authentication process is shown in Fig. 4:
1. The terminal/card sends an authentication request to the mobile TV service system;
2. The mobile TV service system generates a random number;
3. The mobile TV service system responds to the authentication request and sends the random number to the terminal/card;
4. The terminal/card calculates the response value Response from the user identity (for example the International Mobile Subscriber Identity, IMSI), the login key and the random number;
5. The terminal/card sends the response value Response to the mobile TV service system;
6. The mobile TV service system calculates the response value Response from the user identity, the login key and the random number, and compares it with the response reported by the terminal/card in step 5. If the two are identical, authentication succeeds; otherwise authentication fails.
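The following is an added illustrative example of the six-step exchange above; it is not part of the original specification. The page only states that Response is computed from the user identity, the login key and the random number, so the example assumes an RFC 2617-style HTTP Digest computation (MD5 over username, realm, password, nonce, method and URI, without qop), with the IMSI as the username and the hex-encoded 128-bit login key as the password. The realm, method, URI, IMSI and key values are constructed for the example.

```python
"""Challenge-response authentication between the terminal/card and the
mobile TV service system, following the six steps above (added example)."""
import hashlib
import hmac
import secrets

# Assumed digest parameters: the page does not name a realm, method or URI.
REALM = "mobiletv"
METHOD = "POST"
URI = "/register"


def digest_response(imsi: str, login_key: bytes, nonce: str) -> str:
    """Compute the Response value from user identity, login key and nonce.

    Assumption: an RFC 2617-style digest without qop, with the IMSI as the
    username and the hex-encoded 128-bit login key as the password:
      HA1 = MD5(username:realm:password)
      HA2 = MD5(method:uri)
      Response = MD5(HA1:nonce:HA2)
    The page only states that Response depends on identity, key and RAND.
    """
    ha1 = hashlib.md5(f"{imsi}:{REALM}:{login_key.hex()}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{METHOD}:{URI}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


class ServiceSystem:
    """Mobile TV service system: holds the login key per IMSI (steps 2, 3, 6)."""

    def __init__(self, login_keys: dict) -> None:
        self.login_keys = login_keys   # imsi -> 128-bit login key
        self.pending = {}              # imsi -> outstanding nonce

    def challenge(self, imsi: str) -> str:
        """Steps 2-3: generate the random number and return it to the terminal."""
        nonce = secrets.token_hex(16)
        self.pending[imsi] = nonce
        return nonce

    def verify(self, imsi: str, response: str) -> bool:
        """Step 6: recompute Response with the locally held key and compare.
        The nonce is consumed, so a captured Response cannot be replayed."""
        nonce = self.pending.pop(imsi, None)
        key = self.login_keys.get(imsi)
        if nonce is None or key is None:
            return False
        expected = digest_response(imsi, key, nonce)
        return hmac.compare_digest(expected, response)


class Terminal:
    """Terminal/card: holds its own copy of the login key (steps 1, 4, 5)."""

    def __init__(self, imsi: str, login_key: bytes) -> None:
        self.imsi = imsi
        self.login_key = login_key

    def respond(self, nonce: str) -> str:
        """Step 4: compute Response from IMSI, login key and random number."""
        return digest_response(self.imsi, self.login_key, nonce)


def authenticate(system: ServiceSystem, terminal: Terminal) -> bool:
    """Run steps 1-6 and report whether the service system accepts the user."""
    nonce = system.challenge(terminal.imsi)        # steps 1-3
    response = terminal.respond(nonce)             # steps 4-5
    return system.verify(terminal.imsi, response)  # step 6


if __name__ == "__main__":
    # Constructed sample data: a 15-digit IMSI and a 128-bit login key.
    imsi = "460001234567890"
    key = bytes.fromhex("0123456789abcdef0000000000000000")
    system = ServiceSystem({imsi: key})
    print("genuine terminal:", authenticate(system, Terminal(imsi, key)))
    print("wrong login key:", authenticate(system, Terminal(imsi, bytes(16))))
```

The comparison in step 6 uses a constant-time compare and discards the nonce after one use, so a Response captured on the air interface is not accepted a second time; both are properties of this example rather than statements of the specification.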
In the 3GPP system, obtaining the login key requires adding a BSF network element to the network and adding GBA support to the terminal/card, which is a large change to both the network and the terminal/card. In the 3GPP2 system, the terminal/card and the HLR/AAA must be pre-provisioned with an extra login key; that is, an additional login key has to be introduced for the mobile TV subscriber in the mobile TV service system, the terminal/card and the HLR/AAA, which then have to maintain more keys for subscriber registration authentication. This increases the complexity of the key system, and the implementation is relatively inflexible.
Summary of the invention
To solve the above technical problem, a method for obtaining a login key for a mobile TV service system is provided, the purpose of which is to provide a login key for mobile TV service access authentication.
The invention provides a method for obtaining a login key for a mobile TV service system, comprising the following steps:
Step 1: the terminal/card generates the mobile TV service login key using the encryption key of the mobile communication network;
Step 2: the terminal/card registers and authenticates with the mobile TV service system;
Step 3: the mobile TV service system looks up the mobile TV service login key of the terminal/card locally; if the login key does not exist, the mobile TV service system obtains the encryption key of the terminal/card from the Authentication Centre and uses that encryption key to generate the mobile TV service login key.
In step 1, the terminal/card pads the encryption key with zeros to generate a mobile TV service login key 128 bits long.
In step 3, after the mobile TV service system obtains the encryption key of the terminal/card from the Authentication Centre, it pads the encryption key with zeros to generate a mobile TV service login key 128 bits long.
The encryption key is the encryption key Kc or the encryption key SSD-B.
In step 1, the terminal/card concatenates the voice encryption key PLCM, the signaling encryption key SMEKEY and the AUTHR generated by performing the CAVE computation over PLCM and SSD-B, then pads with zeros to generate a mobile TV service login key 128 bits long.
In step 3, after the mobile TV service system obtains the voice encryption key PLCM, the signaling encryption key SMEKEY and SSD-B of the terminal/card from the Authentication Centre, it concatenates PLCM, SMEKEY and the AUTHR generated by performing the CAVE computation over PLCM and SSD-B, then pads with zeros to generate a mobile TV service login key 128 bits long.
The terminal/card generates the mobile TV service login key by extracting 128 bits from the voice encryption key VPM according to a rule.
In step 3, after the mobile TV service system obtains the voice encryption key VPM of the terminal/card from the Authentication Centre, it extracts 128 bits from VPM according to the same rule to generate the mobile TV service login key.
If the login key found locally by the mobile TV service system is invalid, the terminal/card generates the login key from the encryption key produced during the mobile network access authentication, and the mobile TV service system obtains again the encryption key produced during that mobile network access authentication.
The invention proposes a method that uses the user access authentication system of the existing mobile communication network to provide a login key for mobile TV service access authentication. It makes full use of the existing mobile communication network: the HLR/AAA of the existing network is not changed at all, and no additional network element or pre-provisioned mobile TV subscriber key system is needed, which reduces investment, allows the mobile TV service system to be deployed quickly, and makes operation and management easy.
Embodiment
The invention uses an encryption key that is generated in the 3GPP or 3GPP2 system but is not used in the existing domestic mobile communication network to provide the login key for the mobile TV service system.
In existing GSM/GPRS networks, subscriber authentication is realized with the authentication triplet (encryption key Kc, random number RAND, signed response SRES). When the user subscribes, the permanent subscriber authentication key Ki and the IMSI are assigned to the user together and stored in the SIM card. On the network side, Ki is stored in the Authentication Centre (AuC). The authentication parameters are generated by the AuC, which executes the corresponding algorithms to produce the triplet:
A random number RAND is generated by a random number generator;
The A3 algorithm generates the signed response SRES = A3(RAND, Ki);
The A8 algorithm generates the encryption key Kc = A8(RAND, Ki).
The AuC answers each request from the MSC/VLR by generating several triplets (RAND, SRES, Kc) and storing them in the HLR. The HLR stores each user's triplets and sends them to the MSC/VLR on request, so that the home/visited network can obtain the triplets of the accessing user and complete authentication of that user. When the user requires access authentication, the MSC/VLR sends RAND to the mobile station (MS); the MS uses the same Ki and algorithm stored in the SIM card as in the AuC to calculate SRES, and returns SRES to the MSC/VLR, which verifies its legitimacy and decides whether to allow network access. Authentication is required for MS location updates, mobile-originated and mobile-terminated calls, activation or deactivation of supplementary services, and before location registration or deletion.
The network encrypts the user's data to prevent eavesdropping. Encryption is controlled by the encryption key Kc produced in the authentication process. The key-generation algorithm A8 and the authentication algorithm A3 have the same input parameters RAND and Ki, so the two can be combined into one algorithm that computes both the signed response and the encryption key. Kc is never transmitted over the air interface; it exists only in the SIM card and in the AuC.
The encryption process is as follows: the encryption key Kc generated by A8 and the frame number of the TDMA frame carrying the user data stream are used as input parameters to the A5 algorithm to generate a pseudo-random data stream, which is added modulo 2 to the unencrypted data stream to obtain the encrypted data stream. On the network side, encryption is performed in the base transceiver station (BTS), which holds the A5 algorithm; Kc is delivered to the BTS by the MSC/VLR during the authentication process.
Although the encryption key Kc is produced during user access authentication in the existing network, Kc is not used to encrypt communications; that is, communications in the existing network are not protected by encryption. The invention uses the 64-bit encryption key Kc as the effective part of the login key for mobile TV subscriber authentication and pads it appropriately with zeros to generate the mobile TV service login key. The terminal/card likewise uses the effective part of Kc as the login key for mobile TV subscriber authentication and pads it with zeros to generate the terminal's login key. After the terminal/card completes mobile network access authentication, when it performs mobile TV service authentication, if the mobile TV service system holds no login key for this user or the login key is invalid, the service system obtains the user's new Kc from the AuC, pads it with zeros, saves the result locally as the mobile TV subscriber's login key, and uses it for registration authentication of the mobile TV subscriber.
In the CDMA 1X network, the key A-KEY is shared by the terminal/card and the network-side Authentication Centre (AC); no other entity is entitled to know its value. A-KEY is 64 bits long; it is set to the all-zero binary value when the terminal leaves the factory, and its value is decided by the operator. Once written, A-KEY is normally never changed again. Because A-KEY is the basis for producing the other secret data, its security is very important; apart from the AC and the terminal (UIM card), A-KEY cannot be shared with any other entity.
Shared Secret Data (SSD) is a 128-bit value shared by the terminal/card and the AC. SSD is the key data used by the network to authenticate the terminal and in the message encryption process.
SSD is not transmitted over the air. SSD generation or update is initiated by the AC and is computed in the terminal and in the AC with the same algorithm, using A-KEY as an input parameter; the update can be carried out on the control channel or on a traffic channel. The AC can send SSD to the Visitor Location Register (VLR) so that the visited network can perform identity authentication and communication encryption for roaming users. SSD is divided into two parts, SSD-A and SSD-B, of 64 bits each: SSD-A is used for authentication and SSD-B for encryption.
Using SSD-B and the Cellular Authentication and Voice Encryption (CAVE) algorithm, the terminal/card produces the 40-bit Private Long Code Mask (PLCM), the 64-bit Signaling Message Encryption Key (SMEKEY) and the 520-bit Voice Privacy Mask (VPM). SMEKEY serves as the signaling encryption key in mobile communication, and PLCM and VPM serve as the voice encryption keys.
Although the encryption keys SSD-B, PLCM, SMEKEY and VPM are produced during user access authentication in the existing network, communications in the existing network are not protected by encryption.
To generate the mobile TV service login key, the invention provides three schemes, as follows:
Scheme one: the invention uses the encryption key SSD-B as the login key for mobile TV subscriber authentication. Because the login key is required to be 128 bits long, the first 64 bits of the user's login key are filled with SSD-B and the last 64 bits with zeros. The terminal/card likewise uses the effective part of SSD-B as the login key for mobile TV subscriber authentication and pads it appropriately with zeros to generate the login key. After the terminal/card completes mobile network access authentication, when it performs mobile TV service authentication, if the mobile TV service system holds no login key for this user or the user's login key is invalid, the service system obtains the user's new SSD-B from the AC, pads it with zeros, saves the result locally as the mobile TV subscriber's login key, and uses it for registration authentication of the mobile TV subscriber.
Scheme two: the invention forms a 128-bit login key by concatenating, according to a rule, the encryption keys PLCM and SMEKEY and the Authentication Response AUTHR generated from PLCM and SSD-B. The process is as follows:
1. When the terminal performs network access authentication, the AC and the UIM card share SSD-A and SSD-B; PLCM and SMEKEY are further generated from SSD-B, and after the UIM card generates them they are sent to the terminal;
2. The mobile TV service system obtains PLCM, SMEKEY and SSD-B from the AC;
3. The terminal sends PLCM to the UIM card as the random number RAND; the UIM card executes the CAVE algorithm with RAND and SSD-B as parameters, generates the 18-bit AUTHR, and returns AUTHR to the terminal. The mobile TV service system also has the CAVE computation function: it uses PLCM as the random number RAND, performs the CAVE computation with RAND and SSD-B as parameters, and generates AUTHR;
4. The terminal/card and the mobile TV service system each concatenate the 40-bit PLCM, the 64-bit SMEKEY and the 18-bit AUTHR produced in step 3, and pad with zeros to form a 128-bit login key. The login keys generated by the terminal/card and by the service system are identical, so the purpose of sharing the login key is achieved.
When the terminal/card performs mobile TV service authentication, if the mobile TV service system holds no login key for this user or the user's login key is invalid, the service system obtains PLCM, SMEKEY and SSD-B for this user from the AC, performs the CAVE computation with PLCM and SSD-B to generate AUTHR, and then concatenates PLCM, SMEKEY and AUTHR into the login key.
Scheme three: the invention uses the 520-bit VPM as the login key for mobile TV subscriber authentication. Because the login key is required to be 128 bits long and VPM is longer than 128 bits, 128 bits can be taken from VPM according to a certain rule (for example the first 128 bits, or the last 128 bits) as the mobile TV subscriber's login key. After the terminal/card completes mobile network access authentication, when it performs mobile TV service authentication, if the mobile TV service system holds no login key for this user or the user's login key is invalid, the service system obtains the user's new voice encryption key VPM from the AC, extracts the bits, saves the result locally as the mobile TV subscriber's login key, and uses it for registration authentication of the mobile TV subscriber.
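The following is an added illustrative example, not part of the original specification, of the login key generation described for the GSM Kc case above and for the three CDMA schemes, together with the service-system lookup of a locally saved key. The CAVE algorithm itself is not reproduced: `cave_authr` is a hypothetical stand-in with the same interface (RAND and SSD-B in, 18-bit AUTHR out), so the example demonstrates the concatenation and padding rules, not CAVE. All key material in it is constructed, and the names `login_key_from_padding`, `login_key_scheme_two`, `login_key_scheme_three` and `service_system_login_key` are the example's own.

```python
"""Generation of the 128-bit mobile TV service login key from mobile-network
encryption material: zero-padded Kc/SSD-B, PLCM||SMEKEY||AUTHR with zero
padding, and a 128-bit slice of VPM (added example)."""
import hashlib
import hmac

KEY_BYTES = 16  # the schemes require a 128-bit login key


def login_key_from_padding(material: bytes) -> bytes:
    """GSM case and CDMA scheme one: the 64-bit Kc or SSD-B occupies the
    first 64 bits of the login key and the remaining bits are zero."""
    if len(material) > KEY_BYTES:
        raise ValueError("material longer than the 128-bit login key")
    return material + b"\x00" * (KEY_BYTES - len(material))


def cave_authr(rand: int, ssd_b: bytes) -> int:
    """Hypothetical stand-in for the 18-bit AUTHR output of CAVE.

    Assumption: the real CAVE algorithm is not reproduced here; this stand-in
    only keeps the interface (RAND and SSD-B in, 18 bits out) so that both
    sides of the exchange can be run offline and compared.
    """
    mac = hmac.new(ssd_b, rand.to_bytes(5, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:3], "big") & ((1 << 18) - 1)


def login_key_scheme_two(plcm: int, smekey: bytes, ssd_b: bytes) -> bytes:
    """Scheme two: PLCM (40 bits) || SMEKEY (64 bits) || AUTHR (18 bits),
    122 bits in total, followed by 6 zero bits. AUTHR comes from running CAVE
    with PLCM as the random number and SSD-B as the secret."""
    if plcm >> 40 or len(smekey) != 8 or len(ssd_b) != 8:
        raise ValueError("PLCM must be 40 bits, SMEKEY and SSD-B 64 bits each")
    authr = cave_authr(plcm, ssd_b)
    value = (plcm << 82) | (int.from_bytes(smekey, "big") << 18) | authr
    return (value << 6).to_bytes(KEY_BYTES, "big")


def login_key_scheme_three(vpm: bytes, rule: str = "first") -> bytes:
    """Scheme three: take 128 of the 520 VPM bits by a fixed rule that both
    sides agree on, here 'first' or 'last'."""
    if len(vpm) != 65:
        raise ValueError("VPM must be 520 bits")
    if rule == "first":
        return vpm[:KEY_BYTES]
    if rule == "last":
        return vpm[-KEY_BYTES:]
    raise ValueError("unknown extraction rule")


def service_system_login_key(store: dict, imsi: str, fetch_from_auc, derive) -> bytes:
    """Service-system side: reuse the locally saved login key if it exists and
    is valid; otherwise fetch the user's encryption material from the AuC/AC,
    derive the login key and save it locally. `fetch_from_auc` and `derive`
    are callables supplied by the caller (assumed interface)."""
    entry = store.get(imsi)
    if entry is not None and entry["valid"]:
        return entry["key"]
    key = derive(fetch_from_auc(imsi))
    store[imsi] = {"key": key, "valid": True}
    return key


if __name__ == "__main__":
    # Constructed sample material, not real network keys.
    kc = bytes.fromhex("0123456789abcdef")
    plcm = 0x0123456789                          # 40 bits
    smekey = bytes.fromhex("fedcba9876543210")   # 64 bits
    ssd_b = bytes(range(8))                      # 64 bits
    vpm = bytes(i & 0xFF for i in range(65))     # 520 bits
    print("Kc / SSD-B padded:", login_key_from_padding(kc).hex())
    print("scheme two:       ", login_key_scheme_two(plcm, smekey, ssd_b).hex())
    print("scheme three:     ", login_key_scheme_three(vpm, "last").hex())
```

Running both sides through the same function is what the schemes rely on: the terminal/card and the service system hold the same PLCM, SMEKEY and SSD-B (or the same Kc, or the same VPM), so identical inputs yield an identical 128-bit login key without any key being sent over the air. Note that zero padding only extends the length; a login key built from a 64-bit Kc or SSD-B still contains 64 bits of secret material.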
Fig. 3 is a flow chart of generating the login key according to the invention. When the terminal initiates the registration authentication process to the mobile TV service system and the service system finds that it holds no login key for this user locally, or that the saved login key has expired, the service system and the terminal/card perform the operation of generating the login key. In the GSM/GPRS network, the service system obtains the mobile communication encryption key Kc from the AuC, the terminal obtains the same Kc from the card, and the service system and the terminal perform the same zero-padding operation on the same Kc, generating the shared login key. In the CDMA network, the service system obtains the mobile communication encryption key from the AC, the terminal obtains the same encryption key from the card, and the service system and the terminal perform the same operation on that encryption key to generate the shared login key; in the three schemes for generating the login key described above, the mobile communication encryption key required and the operation performed on it differ.
Those skilled in the art may make various modifications to the above without departing from the spirit and scope of the invention as defined by the claims. The scope of the invention is therefore not limited to the above description but is determined by the scope of the claims.