Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The embodiment of the invention provides a method for checking terminal validity. The embodiment of the invention also provides a corresponding device and a communication system. These are described in detail below.
Embodiment one,
The present embodiment will be described from the perspective of a network-side device.
A terminal validity checking method includes receiving a terminal operation result A and a terminal device identifier sent by a terminal, and checking the validity of the terminal according to the terminal operation result A and the terminal device identifier. The terminal operation result A is a result obtained by the terminal by operating on a random number and terminal information, or on a random number, terminal information and the terminal device identifier. The random number may be generated by the terminal and sent to the network side device, which then receives it; or it may be generated by the network side device and sent to the terminal, which then receives it. For convenience of description, the following embodiments take a random number generated by the network side device as the example. As shown in fig. 1, the specific process is as follows:
101. Generate a random number and send it to the terminal. For example, an identity authentication request message carrying the random number may be sent to the terminal; the message may be an Identity Request message in the Global System for Mobile Communications (GSM) or the Universal Mobile Telecommunications System (UMTS), or a Status Request message in a CDMA system. The random number may be a timestamp of the terminal, a number produced by a random number generator, or the like.
102. Receive the terminal operation result A and the terminal device identifier sent by the terminal, where the terminal operation result A is a result obtained by the terminal by operating on the terminal information and the received random number, or on the terminal information, the terminal device identifier and the received random number.
For example, an identity authentication response message returned by the terminal may be received, carrying the terminal operation result A and the terminal device identifier; if the terminal device identifier was obtained earlier, it need not be carried again. The identity authentication response message may be an Identity Response message in the GSM system or a Status Response message in the CDMA system.
The terminal information may be a baseband Chip identifier, or a Chip identifier (Chip ID), or a central processing unit identifier (CPU ID), and the like, and the terminal device identifier may be an IMEI, or an MEID, or an ESN, or a device identifier (device ID), or a Media Access Control (MAC) address, or a terminal device serial number, and the like.
103. Check the validity of the terminal according to the terminal operation result A and the terminal device identifier. For example, the network side device performs the same operation as the terminal (using a predetermined algorithm) to obtain a server operation result B, compares the server operation result B with the received terminal operation result A, and decides whether the terminal is legal according to the comparison result. Any one of the following ways may be used:
(1) When the terminal operation result A was obtained by the terminal from the random number and the terminal information:
First, look up the terminal information corresponding to the terminal device identifier and the random number previously sent to the terminal; compute the server operation result B from the random number and the terminal information; then compare the server operation result B with the terminal operation result A received in step 102. If they are consistent, the terminal is determined to be a legal terminal, i.e. a terminal that legally holds the terminal device identifier; if they are inconsistent, the terminal is determined to be an illegal terminal, i.e. a terminal that illegally holds the terminal device identifier.
(2) When the terminal operation result A was obtained by the terminal from the random number, the terminal information and the terminal device identifier:
First, look up the terminal information corresponding to the terminal device identifier and the random number previously sent to the terminal; compute the server operation result B from the random number, the terminal information and the terminal device identifier; then compare the server operation result B with the terminal operation result A received in step 102. If they are consistent, the terminal is determined to be a legal terminal, i.e. a terminal that legally holds the terminal device identifier; if they are inconsistent, the terminal is determined to be an illegal terminal, i.e. a terminal that illegally holds the terminal device identifier.
(3) When the terminal operation result A was obtained by the terminal from the random number and the terminal information:
First, look up the terminal information B1 corresponding to the terminal device identifier and the random number previously sent to the terminal; compute estimated terminal information A1 from the random number and the terminal operation result A received in step 102; then compare the computed estimated terminal information A1 with the looked-up terminal information B1. If they are consistent, the terminal is determined to be a legal terminal, i.e. a terminal that legally holds the terminal device identifier; if they are inconsistent, the terminal is determined to be an illegal terminal, i.e. a terminal that illegally holds the terminal device identifier.
(4) When the terminal operation result A was obtained by the terminal from the random number, the terminal information and the terminal device identifier:
First, look up the terminal information B1 corresponding to the terminal device identifier and the random number previously sent to the terminal; compute estimated terminal information A1 from the random number, the terminal operation result A received in step 102 and the terminal device identifier; then compare the computed estimated terminal information A1 with the looked-up terminal information B1. If they are consistent, the terminal is determined to be a legal terminal, i.e. a terminal that legally holds the terminal device identifier; if they are inconsistent, the terminal is determined to be an illegal terminal, i.e. a terminal that illegally holds the terminal device identifier. Or,
first, look up the terminal information corresponding to the terminal device identifier and the random number previously sent to the terminal; compute an estimated terminal device identifier A2 from the random number, the terminal operation result A received in step 102 and the terminal information; then compare the computed estimated terminal device identifier A2 with the received terminal device identifier B2. If they are consistent, the terminal is determined to be a legal terminal, i.e. a terminal that legally holds the terminal device identifier; if they are inconsistent, the terminal is determined to be an illegal terminal, i.e. a terminal that illegally holds the terminal device identifier.
Of course, the premise is that the network side device stores data on the correspondence between the terminal device identifier and the terminal information, for example the correspondence between the IMEI and the CID shown in table one.
Table one: data table of the correspondence between IMEI and CID
Terminal device identifier | Terminal information | Others
IMEI=60025896              | 12345678             | Terminal A V720
IMEI=60025888              | 21215489             | Terminal B V810
Thus, the network side device can obtain the terminal information corresponding to the received terminal device identifier by searching the corresponding relation data table so as to execute the subsequent terminal validity checking step.
It should be noted that after step 103, the checking (authentication) result can also be returned to the terminal.
The network side device may specifically be a server, and may include a Service Server and a Device Authentication Server. The Service Server is mainly used for signaling interaction between the terminal and the Device Authentication Server during service control, and may specifically be a Mobile Switching Center (MSC), a Visitor Location Register (VLR), an Application Server (AS), or the like. The Device Authentication Server is mainly used for storing the terminal device identifier and terminal information data and performing the data authentication, and may specifically be an Equipment Identity Register (EIR) or an Authentication, Authorization and Accounting (AAA) server.
For clarity, in the following embodiments the terminal operation result is denoted A, the server operation result B, the computed (estimated) terminal information A1, and the looked-up terminal information B1.
As can be seen from the above, in this embodiment the terminal and the network side device use the same algorithm, operating on the terminal information, the terminal device identifier and the random number, or on the terminal information and the random number; the terminal sends its operation result to the network side device, which compares it with its own operation result and decides whether the terminal is legal according to the comparison result. Because the terminal device identifier and the terminal information are bound to each other when the terminal leaves the factory, and much terminal information can be regarded as fixed over the life cycle of the terminal (i.e. it cannot be copied or rewritten), a terminal that did not obtain its IMEI number through a regular channel and attempts to obtain an illegal identity for network access by rewriting its IMEI number has terminal information different from that of the terminal from which the IMEI number was stolen (the legal terminal). Therefore the terminal operation result sent by the terminal holding the stolen IMEI number (the illegal terminal) is certain to differ from the server operation result, and the illegal terminal can be identified. At the same time, the scheme allows the service requested by the illegal terminal to be controlled, for example by forced disconnection from the network, without affecting the service being used by the legal terminal.
Embodiment two,
The present embodiment will be described from the perspective of the terminal.
A terminal validity checking method includes first operating on a random number and terminal information, or on a random number, terminal information and a terminal device identifier, to obtain a terminal operation result, and then sending the terminal device identifier and the computed terminal operation result to the network side device, so that the network side device can check the validity of the terminal according to the terminal operation result and the terminal device identifier. The way the network side device checks the validity of the terminal is as described in embodiment one and is not repeated here.
The random number can be generated by the terminal and sent to the network side equipment, and then the network side receives the random number; or, the random number may also be generated by the network side device, and sent to the terminal, and then the terminal receives the random number; for convenience of description, the following embodiments are described by taking random numbers generated by network side devices as examples.
As can be seen from the above, the terminal of this embodiment may operate on the terminal information and the random number, or on the random number, the terminal information and the terminal device identifier, to obtain a terminal operation result, and then send the terminal operation result to the network side device so that the network side device can verify the validity of the terminal from it. Because the terminal device identifier and the terminal information are bound to each other when the terminal leaves the factory, and much terminal information can be regarded as fixed over the life cycle of the terminal (i.e. it cannot be copied or rewritten), a terminal that did not obtain its IMEI number through a regular channel and attempts to obtain an illegal identity for network access by rewriting its IMEI number has terminal information different from that of the terminal from which the IMEI number was stolen (the legal terminal). Therefore the terminal operation result sent by the terminal holding the stolen IMEI number (the illegal terminal) is certain to differ from the server operation result, and the illegal terminal can be identified. At the same time, the scheme allows the service requested by the illegal terminal to be controlled, for example by forced disconnection from the network, without affecting the service being used by the legal terminal.
Embodiment three,
The method according to the embodiments one and two will be described in further detail below by way of example.
In this embodiment, both the terminal and the network side perform operation according to the random number and the terminal information by using the same algorithm, and then the network side device compares the operation results of the two sides, and if the operation results are consistent, the terminal is determined to be a legal terminal, and if the operation results are not consistent, the terminal is determined to be an illegal terminal. Referring to fig. 2, the specific process is as follows:
201. The network side device generates a random number r, such as a timestamp (or a number produced by a random number generator, etc.), and sends it to the terminal, for example in an identity authentication request message carrying the random number; the message may be an Identity Request message in a GSM or UMTS system, or a Status Request message in a CDMA system.
202. After receiving the random number, the terminal operates on the random number and its terminal information using a preset algorithm F (for example an algorithm of the kind of the A3 algorithm commonly used in Subscriber Identity Module (SIM) cards), A = F(r, CID), to obtain the terminal operation result A, where r is the random number and CID is the terminal information.
the terminal information may be a baseband Chip identifier, or a Chip ID (CID for short), or a CPU ID, and the terminal device identifier may be an IMEI, or an MEID, or an ESN, or a device ID, or an MAC address, or a terminal device serial number, and the like. The terminal information and the terminal device identifier may be selected according to a specific network or operator policy, and the algorithm may be set according to the operator policy.
203. The terminal sends the terminal operation result A to the network side device, and may also send the terminal device identifier to the network side device at the same time.
For example, the terminal may return an identity authentication response message carrying the terminal operation result A and the terminal device identifier; if the terminal device identifier was obtained earlier, it need not be carried again. The identity authentication response message may be an Identity Response message in the GSM system or a Status Response message in the CDMA system.
204. The network side device looks up the terminal information corresponding to the terminal device identifier of the terminal, for example by querying the terminal device identifier to terminal information correspondence table stored on the network side device, and uses the same algorithm as the terminal to operate on the looked-up terminal information and the random number sent to the terminal, B = F(r, CID), to obtain the server operation result B.
205. and the network side equipment compares the server operation result B with the received terminal operation result A, if the terminal operation result A is consistent with the server operation result B, the terminal is determined to be a legal terminal, and if the terminal operation result A is inconsistent with the server operation result B, the terminal is determined to be an illegal terminal.
After that, the network side device may also return the conclusion in step 205, that is, the result of checking (authenticating) the terminal validity to the terminal.
It should be noted that the order of step 203 and step 204 is not fixed: the network side device may compute the server operation result after receiving the terminal operation result sent by the terminal, or may compute the server operation result first (if the terminal device identifier was obtained earlier) before the terminal sends the terminal operation result, or the two steps may even be executed simultaneously.
As can be seen from the above, in this embodiment the terminal and the network side device use the same algorithm, operating on the terminal information and the random number; the terminal sends its operation result to the network side device, which compares it with its own operation result and decides whether the terminal is legal according to the comparison result. Because the terminal device identifier and the terminal information are bound to each other when the terminal leaves the factory, and much terminal information can be regarded as fixed over the life cycle of the terminal (i.e. it cannot be copied or rewritten), a terminal that did not obtain its IMEI number through a regular channel and attempts to obtain an illegal identity for network access by rewriting its IMEI number has terminal information different from that of the terminal from which the IMEI number was stolen (the legal terminal). Therefore the terminal operation result sent by the terminal holding the stolen IMEI number (the illegal terminal) is certain to differ from the server operation result, and the illegal terminal can be identified. At the same time, the scheme allows the service requested by the illegal terminal to be controlled, for example by forced disconnection from the network, without affecting the service being used by the legal terminal.
Embodiment four,
In this embodiment, the terminal and the network side respectively perform operations according to the random number, the terminal information, and the terminal device identifier by using the same algorithm, and then the network side device compares the operation results of the two sides, and if the operation results are consistent, the terminal is determined to be a legal terminal, and if the operation results are not consistent, the terminal is determined to be an illegal terminal. Referring to fig. 3, the specific process is as follows:
301. The network side device generates a random number r, such as a timestamp (or a number produced by a random number generator, etc.), and sends it to the terminal, for example in an identity authentication request message carrying the random number; the message may be an Identity Request message in a GSM or UMTS system, or a Status Request message in a CDMA system.
302. After receiving the random number, the terminal operates on the random number, its terminal information and its terminal device identifier using a preset algorithm F, A = F(r, CID, IMEI), to obtain the terminal operation result A, where r is the random number, CID is the terminal information, and IMEI is the terminal device identifier.
the terminal information may be a baseband Chip identifier, or a Chip ID (CID for short), or a CPU ID, and the terminal device identifier may be an IMEI, or an MEID, or an ESN, or a device ID, or an MAC address, or a terminal device serial number, and the like. The terminal information and the terminal device identifier may be selected according to a specific network or operator policy, and the algorithm may be set according to the operator policy.
303. The terminal sends the terminal operation result A to the network side device, and may also send the terminal device identifier to the network side device at the same time.
For example, the terminal may return an identity authentication response message carrying the terminal operation result A and the terminal device identifier; if the terminal device identifier was obtained earlier, it need not be carried again. The identity authentication response message may be an Identity Response message in the GSM system or a Status Response message in the CDMA system.
304. The network side device looks up the terminal information corresponding to the terminal device identifier of the terminal, for example by querying the terminal device identifier to terminal information correspondence table stored on the network side device, and uses the same algorithm as the terminal to operate on the looked-up terminal information, the random number sent to the terminal and the terminal device identifier, B = F(r, CID, IMEI), to obtain the server operation result B.
305. and the network side equipment compares the server operation result B with the received terminal operation result A, if the terminal operation result A is consistent with the server operation result B, the terminal is determined to be a legal terminal, and if the terminal operation result A is inconsistent with the server operation result B, the terminal is determined to be an illegal terminal.
After that, the network side device may also return the conclusion in step 305, i.e. the result of checking (authenticating) the terminal validity, to the terminal.
It should be noted that the order of step 303 and step 304 is not fixed: the network side device may compute the server operation result after receiving the terminal operation result sent by the terminal, or may compute the server operation result first (if the terminal device identifier was obtained earlier) before the terminal sends the terminal operation result, or the two steps may even be executed simultaneously.
As can be seen from the above, in this embodiment the terminal and the network side device use the same algorithm, operating on the terminal information, the terminal device identifier and the random number; the terminal sends its operation result to the network side device, which compares it with its own operation result and decides whether the terminal is legal according to the comparison result. Because the terminal device identifier and the terminal information are bound to each other when the terminal leaves the factory, and much terminal information can be regarded as fixed over the life cycle of the terminal (i.e. it cannot be copied or rewritten), a terminal that did not obtain its IMEI number through a regular channel and attempts to obtain an illegal identity for network access by rewriting its IMEI number has terminal information different from that of the terminal from which the IMEI number was stolen (the legal terminal). Therefore the terminal operation result sent by the terminal holding the stolen IMEI number (the illegal terminal) is certain to differ from the server operation result, and the illegal terminal can be identified. At the same time, the scheme allows the service requested by the illegal terminal to be controlled, for example by forced disconnection from the network, without affecting the service being used by the legal terminal.
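The following is an added example of the comparison-based check of embodiments one, three and four (ways (1) and (2) of step 103, and steps 201-205 and 301-305); it is not code from the patent. The patent leaves the algorithm F to operator policy; here it is assumed to be HMAC-SHA256 keyed with the CID, with the IMEI appended to the message when the three-input form F(r, CID, IMEI) is used. The random number is drawn from a CSPRNG rather than taken from a terminal timestamp, the IMEI/CID table is the constructed sample of table one, and the class names, the store of outstanding random numbers and the rejection of a response that has no outstanding random number are assumptions added for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample of the IMEI -> CID correspondence table (table one).
DEVICE_TABLE: Dict[str, str] = {
    "60025896": "12345678",  # Terminal A V720
    "60025888": "21215489",  # Terminal B V810
}


def terminal_result(r: bytes, cid: str, imei: Optional[str] = None) -> bytes:
    """F(r, CID) or F(r, CID, IMEI). Assumed instantiation: HMAC-SHA256 keyed
    with the chip identifier; when the IMEI is bound it is part of the message."""
    msg = r if imei is None else r + imei.encode()
    return hmac.new(cid.encode(), msg, hashlib.sha256).digest()


class DeviceAuthServer:
    """Network side: issues the random number, looks up CID by IMEI, computes B."""

    def __init__(self, table: Dict[str, str]) -> None:
        self.table = dict(table)
        self.pending: Dict[str, bytes] = {}  # IMEI -> outstanding random number

    def identity_request(self, imei: str) -> bytes:
        r = secrets.token_bytes(16)  # fresh per challenge, not a terminal timestamp
        self.pending[imei] = r
        return r

    def identity_response(self, imei: str, a: bytes, bind_imei: bool = False) -> bool:
        r = self.pending.pop(imei, None)
        if r is None:
            return False  # no outstanding random number: unsolicited or replayed response
        cid = self.table.get(imei)
        if cid is None:
            return False  # IMEI unknown to the network
        b = terminal_result(r, cid, imei if bind_imei else None)
        return hmac.compare_digest(a, b)  # constant-time comparison of A and B


class Terminal:
    """Terminal side: holds its chip identifier and the IMEI it claims."""

    def __init__(self, cid: str, imei: str) -> None:
        self.cid = cid
        self.imei = imei

    def respond(self, r: bytes, bind_imei: bool = False) -> bytes:
        return terminal_result(r, self.cid, self.imei if bind_imei else None)


def run_check(server: DeviceAuthServer, terminal: Terminal, bind_imei: bool = False) -> bool:
    """Steps 101-103 end to end: challenge, terminal result, server comparison."""
    r = server.identity_request(terminal.imei)
    a = terminal.respond(r, bind_imei)
    return server.identity_response(terminal.imei, a, bind_imei)


if __name__ == "__main__":
    server = DeviceAuthServer(DEVICE_TABLE)
    genuine = Terminal(cid="12345678", imei="60025896")
    # Constructed illegal terminal: a different chip that rewrote its IMEI to Terminal A's.
    cloned = Terminal(cid="99999999", imei="60025896")
    print("genuine:", run_check(server, genuine))
    print("cloned: ", run_check(server, cloned))
    print("bound:  ", run_check(server, genuine, bind_imei=True))
```

The cloned terminal presents the legal IMEI but cannot produce A for a CID it does not have, so B differs and the check fails; the second submission of a captured A also fails because the random number it was computed over is no longer outstanding.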
Embodiment five,
In this embodiment, the terminal operates on the random number issued by the network side and its own terminal information and sends the resulting terminal operation result to the network side device; the network side then computes estimated terminal information from the random number and the received terminal operation result (using the same algorithm as the terminal) and compares the estimated terminal information with the looked-up terminal information. If they are consistent, the terminal is determined to be a legal terminal; if they are inconsistent, the terminal is determined to be an illegal terminal. Referring to fig. 4, the specific process is as follows:
401. The network side device generates a random number r, such as a timestamp (or a number produced by a random number generator, etc.), and sends it to the terminal, for example in an identity authentication request message carrying the random number; the message may be an Identity Request message in a GSM or UMTS system, or a Status Request message in a CDMA system.
402. After receiving the random number, the terminal operates on the random number and its terminal information using a preset algorithm. For example, a symmetric (invertible) algorithm F may be used, such that F(r, CID) = X and F'(X, r) = CID; the terminal computes X = A, i.e. the terminal operation result A, where r is the random number and CID is the terminal information.
the terminal information may be a baseband Chip identifier, or a Chip ID (CID for short), or a CPU ID, and the terminal device identifier may be an IMEI, or an MEID, or an ESN, or a device ID, or an MAC address, or a terminal device serial number, and the like. The terminal information and the terminal device identifier may be selected according to a specific network or operator policy, and the algorithm may be set according to the operator policy.
403. The terminal sends the terminal operation result A to the network side device, and may also send the terminal device identifier to the network side device at the same time.
For example, the terminal may return an identity authentication response message carrying the terminal operation result A and the terminal device identifier; if the terminal device identifier was obtained earlier, it need not be carried again. The identity authentication response message may be an Identity Response message in the GSM system or a Status Response message in the CDMA system.
404. On one hand, the network side device looks up the terminal information B1 corresponding to the terminal device identifier of the terminal, for example by querying the terminal device identifier to terminal information correspondence table stored on it; on the other hand, it computes the estimated terminal information A1 from the random number sent to the terminal and the terminal operation result A received in step 403, using the same algorithm as the terminal: if the symmetric algorithm gives F(r, CID) = A, the estimated CID value is A1 = F'(A, r).
it should be noted that the execution order of the two aspects does not require, that is, the terminal information B1 may be queried first, the estimated terminal information a1 may be calculated according to the random number and the terminal operation result, the estimated terminal information a1 may be calculated first according to the random number and the terminal operation result, and then the terminal information B1 may be queried, or even the two may be executed simultaneously.
405. The network side equipment compares the calculated estimated terminal information A1 with the searched terminal information B1, if the calculated estimated terminal information A1 is consistent with the searched terminal information B1, the terminal is determined to be a legal terminal, and if the calculated estimated terminal information A1 is inconsistent with the searched terminal information B1, the terminal is determined to be an illegal terminal.
After that, the network side device may also return the conclusion in step 405, that is, the result of checking (authenticating) the terminal validity to the terminal.
As can be seen from the above, in this embodiment the same algorithm is used on both the terminal side and the network side: the terminal performs an operation on the terminal information and the random number and sends the terminal operation result to the network side device; the network side device calculates estimated terminal information according to the random number and the terminal operation result, compares the estimated terminal information with the terminal information it queried, and determines whether the terminal is legal according to the comparison result. Because there is a corresponding relationship between the terminal device identifier and the terminal information when the terminal leaves the factory, and much terminal information can be considered unchanged (i.e. it cannot be stolen) in the life cycle of the terminal, when a terminal which did not obtain its IMEI number through a regular way attempts to rewrite the IMEI number to deceive the network and obtain an illegal identity to access the network, the terminal information of the terminal which embezzles the IMEI number (illegal terminal) is different from the terminal information of the terminal whose IMEI number is embezzled (legal terminal), so that the illegal terminal can be naturally identified. Meanwhile, the scheme can control the service required by the illegal terminal, for example by forced network disconnection and other operations, without worrying about influencing the service performed by the legal terminal.
Example six,
In this embodiment, the terminal performs operation according to the random number issued by the network-side device, its own terminal information, and the terminal device identifier, sends the obtained terminal operation result to the network-side device, and then the network-side calculates estimated terminal information (or estimated terminal device identifier) by using the random number, the received terminal operation result, and the terminal device identifier and using the same algorithm as that of the terminal, compares the calculated terminal information with the inquired terminal information (or compares the calculated estimated terminal device identifier with the received terminal device identifier), and if the calculated estimated terminal device identifier and the received terminal device identifier are consistent, it is determined that the terminal is a legal terminal, and if the estimated terminal identifier and the terminal identifier are not consistent, it is determined that the terminal is an illegal terminal. Referring to fig. 5, the specific process is as follows:
501. The network side device generates a random number, such as the time r of the terminal (or a random number r generated by a random number generator, etc.), and sends the generated random number to the terminal; for example, an authentication Request message carrying the random number may be sent to the terminal, where the authentication Request message may be an Identity Request message in a GSM system or a UMTS system, or a Status Request message in a CDMA system.
502. After receiving the random number, the terminal performs an operation according to a preset algorithm based on the random number, the terminal information and the terminal equipment identifier. If a symmetric algorithm is adopted, for example F(r, CID, IMEI) = X :: F'(X, r, IMEI) = CID, or F(r, CID, IMEI) = X :: F'(X, r, CID) = IMEI, then X is obtained as A, that is, the terminal operation result is A; where r represents the random number, CID is the terminal information, and IMEI is the terminal equipment identifier;
the terminal information may be a baseband Chip identifier, or a Chip ID (CID for short), or a CPU ID, and the terminal device identifier may be an IMEI, or an MEID, or an ESN, or a device ID, or a MAC address, or a terminal device serial number, and the like. The terminal information and the terminal device identifier may be selected according to a specific network or operator policy, and the algorithm may be set according to the operator policy.
503. The terminal sends the terminal operation result A to the network side equipment, and simultaneously can also send the terminal equipment identification to the network side equipment;
for example, the terminal may return an identity authentication response message carrying the terminal operation result A and the terminal device identifier; of course, if the terminal device identifier was obtained before, it need not be carried. The identity authentication response message may be an Identity Response message in the GSM system or a Status Response message in the CDMA system.
504. (1) The network side device finds the corresponding terminal information B1 according to the terminal device identifier of the terminal, for example by searching the terminal device identifier-terminal information correspondence data table stored in the network side device itself;
(2) the network side device calculates the estimated terminal information A1 by using the same algorithm as the terminal according to the random number sent to the terminal, the terminal device identifier and the terminal operation result A received in step 503; for example, if F(r, CID, IMEI) = X :: F'(X, r, IMEI) = CID, the estimated CID value is calculated as F'(A, r, IMEI); or,
the network side device calculates the estimated terminal device identifier A2 by using the same algorithm as the terminal according to the random number sent to the terminal, the found terminal information and the terminal operation result A received in step 503; for example, if F(r, CID, IMEI) = X :: F'(X, r, CID) = IMEI, the estimated IMEI value is calculated as F'(A, r, CID).
It should be noted that the execution order of (1) and (2) in step 504 is not required.
505. The network side equipment compares the calculated estimated terminal information A1 with the searched terminal information B1; if the calculated estimated terminal information A1 is consistent with the searched terminal information B1, the terminal is determined to be a legal terminal, and if the calculated estimated terminal information A1 is inconsistent with the searched terminal information B1, the terminal is determined to be an illegal terminal.
Alternatively, if the estimated terminal device identifier A2 is calculated in step 504, the calculated estimated terminal device identifier A2 is compared with the received terminal device identifier B2; if the calculated estimated terminal device identifier A2 matches the received terminal device identifier B2, the terminal is determined to be a legitimate terminal, and if the calculated estimated terminal device identifier A2 does not match the received terminal device identifier B2, the terminal is determined to be an illegitimate terminal.
After that, the network side device may also return the conclusion in step 505, that is, the result of checking (authenticating) the terminal validity to the terminal.
As can be seen from the above, in this embodiment the same algorithm is used on both the terminal side and the network side: the terminal performs an operation on the terminal device identifier, the terminal information and the random number and sends the terminal operation result to the network side device; the network side device calculates estimated terminal information according to the terminal device identifier, the random number and the terminal operation result, compares the estimated terminal information with the terminal information it queried, and determines whether the terminal is legal according to the comparison result. Because there is a corresponding relationship between the terminal device identifier and the terminal information when the terminal leaves the factory, and much terminal information can be considered unchanged (i.e. it cannot be stolen) in the life cycle of the terminal, when a terminal which did not obtain its IMEI number through a regular way attempts to rewrite the IMEI number to deceive the network and obtain an illegal identity to access the network, the terminal information of the terminal which embezzles the IMEI number (illegal terminal) is different from the terminal information of the terminal whose IMEI number is embezzled (legal terminal), so that the illegal terminal can be naturally identified. Meanwhile, the scheme can control the service required by the illegal terminal, for example by forced network disconnection and other operations, without worrying about influencing the service performed by the legal terminal.
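The following is an added example, not code from the patent, modelling the exchange of steps 501 to 505 and the three check forms of the apparatus embodiment (recompute B and compare with A; invert to an estimated CID; invert to an estimated IMEI). The symmetric algorithm F and its inverses F' are a constructed XOR-based toy chosen only so that the inverses exist, the packing of CID and IMEI into 16-byte fields is an assumed convention, and the IMEI-to-CID table is constructed sample data; a real deployment would use its own operator-agreed algorithm.

```python
import hmac
import secrets
from hashlib import sha256

FIELD = 16  # assumed convention: CID and IMEI are each packed into a 16-byte field

def pack(value: str) -> bytes:
    """Pack an ASCII identifier into a fixed-width, NUL-padded field."""
    raw = value.encode("ascii")
    if len(raw) > FIELD:
        raise ValueError("identifier longer than field")
    return raw.ljust(FIELD, b"\0")

def unpack(field: bytes) -> str:
    """Inverse of pack, for displaying a recovered identifier."""
    return field.rstrip(b"\0").decode("ascii", errors="replace")

def _pad(r: bytes) -> bytes:
    """Keystream derived from the random number r (constructed; the patent leaves F to operator policy)."""
    return sha256(b"pad|" + r).digest()[:FIELD]

def _xor(*blocks: bytes) -> bytes:
    out = bytearray(FIELD)
    for block in blocks:
        for i in range(FIELD):
            out[i] ^= block[i]
    return bytes(out)

# Toy symmetric algorithm F(r, CID, IMEI) = X whose inverses are
# F'(X, r, IMEI) = CID and F'(X, r, CID) = IMEI, as in step 502.
def F(r: bytes, cid: bytes, imei: bytes) -> bytes:
    return _xor(_pad(r), cid, imei)

def F_inv_cid(x: bytes, r: bytes, imei: bytes) -> bytes:
    return _xor(x, _pad(r), imei)

def F_inv_imei(x: bytes, r: bytes, cid: bytes) -> bytes:
    return _xor(x, _pad(r), cid)

class Terminal:
    def __init__(self, reported_imei: str, chip_cid: str):
        self.imei = pack(reported_imei)  # the IMEI the terminal reports (a clone rewrites this)
        self.cid = pack(chip_cid)        # baseband chip ID, fixed when the terminal left the factory

    def identity_response(self, r: bytes) -> dict:
        """Steps 502-503: compute A = F(r, CID, IMEI) and return it with the IMEI."""
        return {"imei": self.imei, "A": F(r, self.cid, self.imei)}

class NetworkSide:
    def __init__(self, eir_table: dict):
        # Step 504 (1): the terminal device identifier-terminal information table (IMEI -> CID)
        self.table = {pack(k): pack(v) for k, v in eir_table.items()}
        self.pending = {}

    def identity_request(self, session: str) -> bytes:
        """Step 501: a fresh random number per check, remembered per session."""
        r = secrets.token_bytes(16)
        self.pending[session] = r
        return r

    def check(self, session: str, resp: dict, mode: str) -> bool:
        """Step 505 in its three forms. Returns True for a legal terminal."""
        r = self.pending.pop(session, None)
        if r is None:
            return False  # no outstanding request: a stale or repeated response is rejected
        imei, a = resp["imei"], resp["A"]
        b1 = self.table.get(imei)
        if b1 is None:
            return False  # no factory record for this IMEI, nothing to compare against
        if mode == "recompute":  # B = F(r, B1, IMEI), compare with A (first comparison unit 6034)
            return hmac.compare_digest(a, F(r, b1, imei))
        if mode == "estimate_cid":  # A1 = F'(A, r, IMEI), compare with looked-up B1 (unit 6038)
            return hmac.compare_digest(F_inv_cid(a, r, imei), b1)
        if mode == "estimate_imei":  # A2 = F'(A, r, B1), compare with received IMEI (unit 60312)
            return hmac.compare_digest(F_inv_imei(a, r, b1), imei)
        raise ValueError(f"unknown mode {mode!r}")

def run_check(network: NetworkSide, terminal: Terminal, mode: str) -> bool:
    """One Identity Request / Identity Response exchange followed by the check."""
    r = network.identity_request("session-1")
    return network.check("session-1", terminal.identity_response(r), mode)

MODES = ("recompute", "estimate_cid", "estimate_imei")
EIR_TABLE = {"123456789012345": "CID-AAAA", "490154203237518": "CID-BBBB"}  # constructed sample

def demo() -> dict:
    """Returns {mode: (legal terminal accepted, IMEI clone accepted)} for each check form."""
    net = NetworkSide(EIR_TABLE)
    legal = Terminal("123456789012345", "CID-AAAA")  # IMEI and chip match the factory record
    clone = Terminal("123456789012345", "CID-ZZZZ")  # the legal IMEI rewritten onto another chip
    return {mode: (run_check(net, legal, mode), run_check(net, clone, mode)) for mode in MODES}

if __name__ == "__main__":
    for mode, (legal_ok, clone_ok) in demo().items():
        print(f"{mode:14s} legal={legal_ok} clone={clone_ok}")
```

All three forms accept the legal terminal and reject the clone, because the clone's chip information differs from the factory record even though it reports the same IMEI.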
Example seven,
In order to better implement the above method, an embodiment of the present invention further provides a network side device accordingly, as shown in fig. 6, the network side device includes a receiving unit 602 and a checking unit 603;
a receiving unit 602, configured to receive a terminal operation result a and a terminal device identifier sent by a terminal, where the terminal operation result a is a result obtained by a terminal through operation according to a random number and terminal information, or the terminal operation result a is a result obtained by a terminal through operation according to a random number, terminal information, and a terminal device identifier;
for example, the receiving unit 602 may receive an identity authentication response message returned by the terminal, where the identity authentication response message carries the terminal operation result A and the terminal device identifier; of course, if the terminal device identifier was obtained before, it need not be carried. The identity authentication response message may be an Identity Response message in the GSM system or a Status Response message in the CDMA system. The terminal information may be a baseband Chip identifier, or a Chip ID (CID for short), or a CPU ID, and the terminal device identifier may be an IMEI, or an MEID, or an ESN, or a device ID, or a MAC address, or a terminal device serial number, and the like. The terminal information and the terminal device identifier may be selected according to the policy of a specific network or operator.
A checking unit 603, configured to check the validity of the terminal according to the terminal operation result a and the terminal device identifier received by the receiving unit 602.
The random number may be generated by the terminal and sent to the network side device, and then the receiving unit 602 of the network side device receives the random number; or, the random number may also be generated by the network side device, and sent to the terminal, and then the terminal receives the random number; for convenience of description, the embodiments of the present invention are described by taking the random number generated by the network side device as an example. Thus, as shown in fig. 6, the network side device may further include a transmitting unit 601;
a transmitting unit 601 (or called a random number generating and transmitting unit) for generating a random number and transmitting the generated random number to a terminal; for example, the sending unit 601 may send the authentication Request message to the terminal, where the authentication Request message carries the random number, and the sent authentication Request message may be an Identity Request message in a GSM system or a UMTS system, or a Status Request message in a CDMA system. The random number may be a time of the terminal, or a random number generated by a random number generator, or the like;
the receiving unit 602 is configured to receive a terminal operation result a and a terminal device identifier sent by a terminal, where the terminal operation result a is a result obtained by the terminal through operation according to the random number and the terminal information sent by the sending unit 601, or the terminal operation result a is a result obtained by the terminal through operation according to the random number and the terminal information sent by the sending unit 601 and the terminal device identifier.
The checking unit 603 may include a first storage unit 6031, a first lookup unit 6032, a first operation unit 6033, and a first comparison unit 6034;
a first storage unit 6031 for storing a correspondence relationship between the terminal device identification and the terminal information and the random number;
a first search unit 6032 configured to search the first storage unit 6031 for terminal information corresponding to the terminal device identifier received by the receiving unit 602;
a first operation unit 6033, configured to perform an operation according to a random number (for example, the random number sent by the sending unit 601 or the random number received by the receiving unit 602) and the terminal information searched by the first search unit 6032, so as to obtain a server operation result B; or, to perform an operation according to the random number, the terminal information searched by the first search unit and the terminal equipment identifier received by the receiving unit to obtain a server operation result B; it should be noted that which algorithm is specifically adopted may be agreed with the terminal in advance to ensure that the algorithms adopted by the network side device and the terminal are the same; reference may be made to the description in the method embodiment, which is not repeated here.
A first comparing unit 6034, configured to compare the terminal operation result a received by the receiving unit 602 with the server operation result B calculated by the first operating unit 6033, determine that the terminal is a valid terminal if the terminal operation result a matches the server operation result B, and determine that the terminal is an invalid terminal if the terminal operation result a does not match the server operation result B.
Alternatively, as shown in fig. 7, the checking unit 603 may also include a second storage unit 6035, a second search unit 6036, a second operation unit 6037 and a second comparison unit 6038;
a second storage unit 6035 configured to store a correspondence between the terminal device identifier and the terminal information;
a second search unit 6036 configured to search the second storage unit 6035 for terminal information B1 corresponding to the terminal apparatus identification received by the reception unit 602;
a second operation unit 6037, configured to perform an operation based on a random number (for example, the random number sent by the sending unit 601 or the random number received by the receiving unit 602) and the terminal operation result A received by the receiving unit 602 to obtain estimated terminal information A1; or to perform an operation according to the random number, the terminal operation result received by the receiving unit and the terminal equipment identifier to obtain estimated terminal information A1; it should be noted that which algorithm is specifically adopted may be agreed with the terminal in advance to ensure that the algorithms adopted by the network side device and the terminal are the same; reference may be made to the description in the method embodiment, which is not repeated here.
A second comparing unit 6038, configured to compare the estimated terminal information a1 calculated by the second calculating unit 6037 with the terminal information B1 searched by the second searching unit 6036, determine that the terminal is a legal terminal if the calculated estimated terminal information a1 is consistent with the searched terminal information B1, and determine that the terminal is an illegal terminal if the calculated estimated terminal information a1 is inconsistent with the searched terminal information B1.
Alternatively, as shown in fig. 8, the checking unit 603 may include a third storage unit 6039, a third lookup unit 60310, a third operation unit 60311 and a third comparison unit 60312;
a third storage unit 6039 for storing the correspondence between the terminal device identification and the terminal information and the random number;
a third search unit 60310 configured to search the third storage unit 6039 for terminal information corresponding to the terminal device identifier received by the receiving unit 702;
a third operation unit 60311, configured to perform operation according to the random number sent by the sending unit 601, the terminal operation result received by the receiving unit 602, and the terminal information searched by the third searching unit 60310, so as to obtain an estimated terminal device identifier a 2;
a third comparing unit 60312, configured to compare the estimated terminal device identifier A2 calculated by the third operation unit 60311 with the terminal device identifier B2 received by the receiving unit 602, and if the estimated terminal device identifier A2 is consistent with the terminal device identifier B2, determine that the terminal is a legal terminal, and if the estimated terminal device identifier A2 is not consistent with the terminal device identifier B2, determine that the terminal is an illegal terminal.
The network side device may specifically be a server, and may include a service server and a device authentication server, where the service server is mainly used for performing signaling interaction between the terminal and the device authentication server when performing service control, and specifically may be a switch (MSC) or a VLR or an Application Server (AS). The device authentication server is mainly used for storing the terminal identifier and the terminal information data and performing data authentication, and specifically may be an EIR or an authentication server (AAA).
As can be seen from the above, the network side device in this embodiment can check the validity of the terminal through the received terminal operation result (the result calculated by the terminal using the terminal information, the terminal device identifier and the random number, or the result calculated by the terminal using the terminal information and the random number). Because there is a corresponding relationship between the terminal device identifier and the terminal information when the terminal leaves the factory, and much terminal information can be considered unchanged (i.e. it cannot be stolen) in the life cycle of the terminal, when a terminal which did not obtain its IMEI number through a regular way attempts to access the network and obtain an illegal identity by rewriting the IMEI number, the terminal information of the terminal which embezzles the IMEI number (illegal terminal) is different from the terminal information of the terminal whose IMEI number is embezzled (legal terminal), so the terminal operation result sent by the terminal which embezzles the IMEI number to the network side device is certainly different from the server operation result, and thus the illegal terminal can be identified. Meanwhile, the scheme can control the service required by the illegal terminal, for example by forced network disconnection and other operations, without worrying about influencing the service performed by the legal terminal.
Example eight,
Corresponding to the network side device provided in the sixth embodiment, the embodiment of the present invention further provides a terminal, as shown in fig. 9, where the terminal includes an operation unit 902 and a sending unit 903;
an operation unit 902, configured to perform an operation according to a preset algorithm based on the terminal information and the random number, so as to obtain a terminal operation result a; or calculating according to the terminal information, the terminal equipment identifier and the random number to obtain a terminal calculation result A; the operation unit 902 may include an operation information reading module for reading the terminal information and the terminal device identifier from the terminal for operation, and of course, the operation information reading module may also be made as a unit independent from the operation unit 902, and be used for reading the terminal information and the terminal device identifier from the terminal for operation by the operation unit 902.
It should be noted that which algorithm is specifically adopted by the operation unit 902 may be agreed with the network side device in advance to ensure that the algorithms adopted by the network side device and the terminal are the same; reference may be made to the description in the method embodiment, which is not repeated here.
A sending unit 903, configured to send the terminal device identifier and the terminal operation result a calculated by the operation unit 902 to a network side device.
The random number can be generated by the terminal and sent to the network side equipment, and then the network side equipment receives the random number; or, the random number may also be generated by the network side device, and sent to the terminal, and then the terminal receives the random number; to this end, as shown in fig. 9, the terminal may further include a receiving unit 901;
a receiving unit 901, configured to receive a random number sent by a network side device; wherein the random number may be a time of the terminal, or a random number generated by a random number generator, or the like;
at this time, the operation unit 902 is configured to perform an operation according to a preset algorithm based on the terminal information and the random number received by the receiving unit 901, so as to obtain a terminal operation result a;
and then, the network side equipment can check the legality of the terminal according to the received terminal operation result and the terminal equipment identification.
Or, the terminal may further include a generating unit, configured to generate a random number, and send the random number to the network side device. At this time, the operation unit 902 is configured to perform an operation according to a preset algorithm based on the terminal information and the random number generated by the generation unit, so as to obtain a terminal operation result a;
it should be noted that the receiving unit 901 and the sending unit 903 may be the same entity or may be separate entities.
These units described above may be located on the terminal device, or may be located on a smart Card of the terminal, such as a Universal Integrated Circuit Card (UICC), for example, a SIM Card or a Universal Subscriber Identity Module (USIM) Card.
As can be seen from the above, the terminal of this embodiment may perform an operation on the terminal information and the random number, or on the terminal information, the random number and the terminal device identifier, to obtain a terminal operation result, and then send the terminal operation result to the network side device, so that the network side device can verify the terminal validity according to the terminal operation result. Because there is a corresponding relationship between the terminal device identifier and the terminal information when the terminal leaves the factory, and much terminal information can be considered unchanged (i.e. it cannot be stolen) in the life cycle of the terminal, when a terminal which did not obtain its IMEI number through a regular way attempts to access the network and obtain an illegal identity by rewriting the IMEI number, the terminal information of the terminal which embezzles the IMEI number (illegal terminal) is different from the terminal information of the terminal whose IMEI number is embezzled (legal terminal), so the terminal operation result sent by the terminal which embezzles the IMEI number to the network side device is certainly different from the server operation result, and thus the illegal terminal can be identified. Meanwhile, the scheme can control the service required by the illegal terminal, for example by forced network disconnection and other operations, without worrying about influencing the service performed by the legal terminal.
Example nine,
Correspondingly, the embodiment of the present invention further provides a communication system, as shown in fig. 10, the communication system includes a terminal 1001 and a network side device 1002;
the terminal 1001 is configured to receive a random number sent by the network side device 1002, perform operation according to a preset algorithm based on terminal information and the random number to obtain a terminal operation result a, and send a terminal device identifier and the terminal operation result a to the network side device 1002;
the network side device 1002 is configured to generate and send a random number to the terminal 1001, receive the terminal operation result a and the terminal device identifier sent by the terminal 1001, and check the validity of the terminal 1001 according to the terminal operation result and the terminal device identifier.
The network side device 1002 may be further configured to search for the terminal information corresponding to the terminal device identifier, perform an operation according to the random number and the terminal information by using the same algorithm as that of the terminal to obtain a server operation result B, compare the terminal operation result A with the server operation result B, determine that the terminal 1001 is a legal terminal if the terminal operation result A is consistent with the server operation result B, and determine that the terminal 1001 is an illegal terminal if the terminal operation result A is inconsistent with the server operation result B.
Or, the network side device 1002 may be further configured to search for the terminal information B1 corresponding to the terminal device identifier, perform an operation according to the terminal operation result A and the random number to obtain estimated terminal information A1, compare the calculated estimated terminal information A1 with the searched terminal information B1, determine that the terminal 1001 is a legal terminal if the estimated terminal information A1 is consistent with the searched terminal information B1, and determine that the terminal 1001 is an illegal terminal if the estimated terminal information A1 is inconsistent with the searched terminal information B1.
Specific operations can be found in examples one, two, three, five, seven and eight, and are not repeated here.
Alternatively, the terminal and the network side device may also adopt another algorithm, in this case, the communication system may be as follows:
the terminal 1001 is configured to receive a random number sent by the network side device 1002, perform operation according to a preset algorithm based on terminal information, a terminal device identifier, and the random number to obtain a terminal operation result a, and send the terminal device identifier and the terminal operation result a to the network side device 1002;
the network side device 1002 is configured to generate and send a random number to the terminal 1001, receive a terminal operation result a and a terminal device identifier sent by the terminal 1001, and check the validity of the terminal 1001 according to the terminal operation result a and the terminal device identifier.
The network side device 1002 may be further configured to search for the terminal information corresponding to the terminal device identifier, perform an operation according to the random number, the terminal information and the terminal device identifier to obtain a server operation result B, compare the terminal operation result A with the server operation result B, determine that the terminal 1001 is a legal terminal if the terminal operation result A is consistent with the server operation result B, and determine that the terminal 1001 is an illegal terminal if the terminal operation result A is inconsistent with the server operation result B.
Or, the network side device 1002 may be further configured to search for the terminal information B1 corresponding to the terminal device identifier, perform an operation according to the terminal operation result A, the random number and the terminal device identifier to obtain estimated terminal information A1, compare the calculated estimated terminal information A1 with the searched terminal information B1, determine that the terminal 1001 is a legal terminal if the estimated terminal information A1 is consistent with the searched terminal information B1, and determine that the terminal 1001 is an illegal terminal if the estimated terminal information A1 is inconsistent with the searched terminal information B1.
Or, the network side device 1002 may be further configured to search for the terminal information corresponding to the terminal device identifier B2, perform an operation according to the terminal operation result, the random number and the searched terminal information to obtain an estimated terminal device identifier A2, compare the calculated estimated terminal device identifier A2 with the received terminal device identifier B2, determine that the terminal 1001 is a legal terminal if the estimated terminal device identifier A2 is consistent with the received terminal device identifier B2, and determine that the terminal 1001 is an illegal terminal if the estimated terminal device identifier A2 is inconsistent with the received terminal device identifier B2.
Specific operations can be found in examples one, two, four, six, seven and eight, and are not repeated here.
The network side device 1002 may include a receiving unit 602 and a checking unit 603, and may further include a sending unit 601, where the checking unit 603 may include a first storage unit 6031, a first search unit 6032, a first operation unit 6033 and a first comparison unit 6034; or the checking unit 603 may include a second storage unit 6035, a second search unit 6036, a second operation unit 6037 and a second comparison unit 6038; alternatively, the checking unit 603 may include a third storage unit 6039, a third lookup unit 60310, a third operation unit 60311 and a third comparison unit 60312; accordingly, the terminal 1001 may include an operation unit 902 and a sending unit 903, and the terminal 1001 may further include a receiving unit 901 or a generating unit.
The network side device 1002 may specifically be a server, and may include a service server and a device authentication server, where the service server is mainly used for performing signaling interaction between the terminal and the device authentication server when performing service control, and specifically may be a switch (MSC) or a VLR or an Application Server (AS). The device authentication server is mainly used for storing the terminal identifier and the terminal information data and performing data authentication, and specifically may be an EIR or an authentication server (AAA).
The units in the terminal 1001 may be located on the terminal equipment or on a smart card of the terminal, such as a Universal Integrated Circuit Card (UICC), e.g. a SIM card or USIM card.
It should be noted that, the random number may be generated by the network side device and sent to the terminal, and then the terminal receives the random number, and may also be generated by the terminal and sent to the network side device, and then the network side device receives the random number; therefore, another communication system may also be provided in an embodiment of the present invention, including a terminal and a network side device, as follows:
the terminal is used for generating a random number, sending the random number to the network-side device, performing an operation on the terminal information and the random number, or on the terminal information, the terminal device identifier and the random number, to obtain a terminal operation result, and sending the terminal device identifier and the terminal operation result to the network-side device;
and the network-side device is used for receiving the random number sent by the terminal, receiving the terminal operation result and the terminal device identifier sent by the terminal, and checking the validity of the terminal according to the terminal operation result and the terminal device identifier. The specific operation of checking the validity of the terminal according to the terminal operation result and the terminal device identifier is similar to that of the previous communication system; reference may be made to the description of the first communication system and the previous embodiment, which is not repeated here.
The following description is given by way of example (taking the generation of the random number by the network-side device as an example).
The terminal sends an access request to the MSC/VLR or SGSN;
after receiving the access request, the MSC/VLR or SGSN sends a random number r to the MS and at the same time requests the MS to send its IMEI (in a GSM or UMTS system; or its ESN in a CDMA system) together with the device check value;
after receiving the request (which includes the random number r) for sending the IMEI (or the ESN in a CDMA system), the terminal performs an operation according to the agreed algorithm (see the above embodiment for details);
the terminal sends the IMEI (or ESN) stored in the device and the calculated device check value, namely the terminal operation result (such as A) in the previous embodiment, to the MSC/VLR or SGSN;
after receiving the IMEI (or ESN) and the device check value, the MSC/VLR or SGSN forwards them to the EIR to verify the validity of the terminal;
the EIR performs the operation on the IMEI (or ESN) and compares its own result with the received device check value, and determines the validity of the terminal according to the comparison result (see the above embodiment for details);
the EIR sends the device authentication result to the MSC/VLR or SGSN, which decides whether to allow the terminal to enter the network.
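The seven-step exchange above, worked through in Python as an added example that is not part of the patent text. The page leaves the "agreed algorithm" to the earlier embodiment, so HMAC-SHA256 keyed with the terminal information over the IMEI and r is assumed here, and the EIR database, IMEIs and terminal information values are constructed.

```python
# Added example (not from the patent): one round of the terminal validity check.
# Assumption: the agreed algorithm is HMAC-SHA256 over (IMEI, r), keyed with the
# terminal information. The page does not fix the algorithm.
import hmac
import hashlib
import secrets

# Constructed EIR database: IMEI -> terminal information recorded at the factory.
# In the page's terms this is information that stays unchanged over the
# terminal's life cycle; the values below are invented for the example.
EIR_DB = {
    "490154203237518": b"factory-info-of-device-A",
    "356938035643809": b"factory-info-of-device-B",
}

def network_generate_random() -> bytes:
    """Step 2: MSC/VLR or SGSN generates the random number r sent to the MS."""
    return secrets.token_bytes(16)

def terminal_compute_check_value(imei: str, terminal_info: bytes, r: bytes) -> bytes:
    """Steps 3-4: the terminal computes the device check value (result A)
    from its own terminal information, the IMEI it reports, and r."""
    return hmac.new(terminal_info, imei.encode() + r, hashlib.sha256).digest()

def eir_check_validity(imei: str, check_value: bytes, r: bytes) -> bool:
    """Step 6: the EIR looks up the terminal information stored for the
    reported IMEI, recomputes the check value with the same algorithm,
    and compares it with the received value in constant time."""
    stored_info = EIR_DB.get(imei)
    if stored_info is None:
        return False  # IMEI unknown to the EIR: treat as illegal
    expected = terminal_compute_check_value(imei, stored_info, r)
    return hmac.compare_digest(expected, check_value)

def run_access_attempt(reported_imei: str, real_terminal_info: bytes) -> bool:
    """Steps 1-7 end to end. A legal terminal reports its own IMEI and holds the
    terminal information it was manufactured with. A terminal that has rewritten
    its IMEI still holds only its own terminal information, so its check value
    cannot match the one the EIR computes for the stolen IMEI."""
    r = network_generate_random()
    a = terminal_compute_check_value(reported_imei, real_terminal_info, r)
    return eir_check_validity(reported_imei, a, r)
```

Because r is fresh per access attempt, a captured (IMEI, check value) pair from a legal terminal does not validate in a later attempt either.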
As can be seen from the above, in this embodiment the same algorithm is used on both the terminal side and the network side. The operation is performed on the terminal information, the terminal device identifier, and the random number, or on the terminal information and the random number; the terminal then sends its operation result to the network-side device, which compares it with its own operation result and determines whether the terminal is legal according to the comparison result. Because there is a fixed correspondence between the terminal device identifier and the terminal information when the terminal leaves the factory, and much of the terminal information can be regarded as unchanged (i.e. not stealable) over the life cycle of the terminal, when a terminal, for example one that did not obtain its IMEI number through a regular channel, attempts to obtain an illegal identity and access the network by rewriting its IMEI number, the terminal information of the terminal that embezzles the IMEI number (the illegal terminal) differs from the terminal information of the terminal whose IMEI number is embezzled (the legal terminal). The terminal operation result sent to the network-side device by the terminal that embezzles the IMEI number is therefore certainly different from the server operation result, and the terminal can thus be identified. At the same time, the scheme can control the service requested by the illegal terminal, for example by forced network disconnection, without affecting the service of the legal terminal.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by associated hardware instructed by a program, which may be stored in a computer-readable storage medium; the storage medium may include read-only memory (ROM), random access memory (RAM), magnetic or optical disks, and the like.
The method, apparatus and communication system for checking terminal validity provided by the embodiments of the present invention are described in detail above. A specific example has been used in this disclosure to explain the principle and implementation of the present invention, and the description of the above embodiments is intended only to help in understanding the method and core idea of the present invention. At the same time, a person skilled in the art may, according to the idea of the present invention, make variations in the specific embodiments and the scope of application. In summary, the content of this specification should not be construed as limiting the present invention.