CN101841814A - Terminal authentication method and system - Google Patents


Info

Publication number
CN101841814A
CN101841814A
Authority
CN
China
Prior art keywords
authentication
terminal
authorization data
user
personal information
Prior art date
Legal status
Granted
Application number
CN201010145176A
Other languages
Chinese (zh)
Other versions
CN101841814B (en)
Inventor
王斌
Current Assignee
Nanjing Zhongxing Software Co Ltd
Original Assignee
ZTE Corp
Priority date
Filing date
Publication date
Events
Application filed by ZTE Corp
Priority to CN201010145176.8A (CN101841814B)
Priority to PCT/CN2010/075640 (WO2011124051A1)
Publication of CN101841814A
Application granted
Publication of CN101841814B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/082 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying multi-factor authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention discloses a terminal authentication method and system. In the method, an authentication server performs a first authentication of a terminal according to first authentication data sent by the terminal, where the first authentication data is generated from user characteristic information of the terminal; the authentication server performs a second authentication of the terminal according to second authentication data sent by the terminal, where the second authentication data is generated from an authentication key, a terminal parameter and a network parameter; and only when both the first and the second authentication succeed does the authentication server determine that the terminal authentication succeeds. With the technical scheme of the invention, the security of the user's use of the network and the protection of the user's personal privacy are improved, and the legitimate rights and interests of the operator are protected.

Description

Terminal authentication method and system
Technical field
The present invention relates to the field of mobile communications, and in particular to a terminal authentication method and system.
Background technology
With the rapid development and popularization of mobile communication technology, the security of communication technology has increasingly become a topic of public concern. Communication security, that is, protecting the personal privacy and interests of terminal users from infringement, is of the utmost importance. At present the following methods are mainly used to strengthen the security of terminal users:
1. The signaling and data (voice, short messages, etc.) exchanged between the terminal and the mobile communication system are encrypted with a specific security algorithm, so that they are not transmitted in plaintext and cannot be intercepted.
2. The International Mobile Station Identity (IMSI) or the Electronic Serial Number (ESN) is used as the identifier of the mobile station.
3. A terminal authentication mechanism has been introduced. The usual authentication procedure is as follows: the base station sends a random number to the mobile station over the forward channel; the mobile station computes an authentication result with an authentication algorithm from the received random number, the private data related to authentication and the identifier (for example ESN or IMSI) it stores, and a specific pre-provisioned network parameter (such as the Key in a CDMA system or the Ki in a GSM system), and sends this authentication result to the base station over the reverse channel. The Authentication Centre (AUC) computes the authentication result with the same method from the stored private data of the mobile station, compares the two results, and determines whether the terminal authentication succeeds. Authentication is in fact an algorithm based on private data: as long as the private data is not leaked, even an eavesdropper who has obtained the identifier of the mobile station cannot compute the correct authentication result and therefore cannot access the network.
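As an added illustration of the challenge-response mechanism just described (this is not code from the patent or from ZTE), the following Python models the roles of the parties: the authentication centre issues a random challenge, the mobile station answers with the authentication algorithm applied to the challenge, its identifier and its secret network parameter, and the centre recomputes the answer from its own copy of the secret and compares. HMAC-SHA256 truncated to 8 bytes stands in for the network-specific algorithm, and the identifier and key are constructed sample values; both are assumptions. The final check also reproduces the weakness the background goes on to describe: a station that knows only the identifier fails, but one holding a copy of the secret is indistinguishable from the genuine one.

```python
import hashlib
import hmac
import secrets

# Constructed sample subscriber record: identifier -> secret network parameter (Ki).
# In a real network the secret exists only in the card and in the AUC.
SUBSCRIBERS = {
    "460001234567890": bytes.fromhex("00112233445566778899aabbccddeeff"),
}


def auth_response(secret: bytes, identifier: str, rand: bytes) -> bytes:
    """Authentication algorithm run by both the mobile station and the AUC.
    HMAC-SHA256 over identifier||RAND is an assumed stand-in for the
    network's own algorithm."""
    return hmac.new(secret, identifier.encode() + rand, hashlib.sha256).digest()[:8]


class MobileStation:
    def __init__(self, identifier: str, secret: bytes):
        self.identifier, self.secret = identifier, secret

    def answer(self, rand: bytes) -> bytes:
        """Authentication result sent back over the reverse channel."""
        return auth_response(self.secret, self.identifier, rand)


class AuthenticationCentre:
    def __init__(self, subscribers: dict):
        self.subscribers = subscribers

    def challenge(self) -> bytes:
        """Random number sent to the mobile station over the forward channel."""
        return secrets.token_bytes(16)

    def verify(self, identifier: str, rand: bytes, response: bytes) -> bool:
        """Recompute the expected result from the stored secret and compare."""
        secret = self.subscribers.get(identifier)
        if secret is None:
            return False  # unknown identifier
        expected = auth_response(secret, identifier, rand)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def run_authentication(station: MobileStation, auc: AuthenticationCentre) -> bool:
    """One complete exchange: challenge, response, verification."""
    rand = auc.challenge()
    return auc.verify(station.identifier, rand, station.answer(rand))


if __name__ == "__main__":
    auc = AuthenticationCentre(SUBSCRIBERS)
    ident, ki = next(iter(SUBSCRIBERS.items()))
    print("genuine station:", run_authentication(MobileStation(ident, ki), auc))  # True
    print("identifier only:", run_authentication(MobileStation(ident, bytes(16)), auc))  # False
    # A card whose secret was copied passes exactly like the genuine one,
    # which is the gap the user-characteristic authentication below is meant to close.
    print("copied secret:", run_authentication(MobileStation(ident, ki), auc))  # True
```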
For the convenience of the user, operators usually adopt a scheme that separates handset and card: certain network parameters are fixed in the subscriber identity card (for example a SIM card), or are fixed in the non-volatile memory of the terminal before the terminal is sold. When the user uses the network, the terminal can use system services normally as long as the parameters in the subscriber identity card are legitimate. The security of the subscriber identity card is likewise protected by a specific cryptographic algorithm, and the security algorithm of the card itself is continually upgraded.
However, many card-cloning tools have appeared on the market. With such tools, cracking a SIM card and copying the complete data in the card onto another card is very easy to achieve. All parameters can be copied, including all the important parameters needed by the authentication algorithm and by voice encryption. If a user's SIM card is lost through carelessness or stolen, the user's personal privacy and interests (for example through illegal theft of the user's call charges) may thus be violated. If a user has obtained such a tool and duplicates cards at will, for example to obtain a one-card-multi-number function (the mobile operator currently offers this function, but charges an extra fee), or copies one card into many cards, this also harms the management and the interests of the operator.
In summary, the existing terminal authentication mechanism is insufficient to guarantee the security of terminal users on the network and the legitimate rights and interests of operators.
Summary of the invention
The main purpose of the present invention is to provide a terminal authentication method and system, so as to at least solve the problem that the existing terminal authentication mechanism is insufficient to guarantee the security of terminal users on the network and the legitimate rights and interests of operators.
According to one aspect of the present invention, a terminal authentication method is provided, comprising: an authentication server performs a first authentication of a terminal according to first authentication data sent by the terminal, where the first authentication data is generated from user characteristic information of the terminal; the authentication server performs a second authentication of the terminal according to second authentication data sent by the terminal, where the second authentication data is generated from an authentication key, a terminal parameter and a network parameter; and when both the first authentication and the second authentication succeed, the authentication server determines that the terminal authentication succeeds.
According to another aspect of the present invention, a terminal authentication system is provided, comprising a terminal and an authentication server. The terminal comprises: a first authentication data module, used to generate first authentication data and send it to the authentication server, where the first authentication data is generated from the user characteristic information of the terminal; and a second authentication data module, used to generate second authentication data and send it to the authentication server, where the second authentication data is generated from an authentication key, a terminal parameter and a network parameter. The authentication server comprises: a first authentication module, used to perform the first authentication of the terminal according to the first authentication data and output a first authentication result; a second authentication module, used to perform the second authentication according to the second authentication data when the first authentication succeeds, and output a second authentication result; and an authentication success judgment module, connected to the first authentication module and the second authentication module respectively, used to judge the input first and second authentication results and, when both results are successful, determine that the terminal is authenticated successfully.
With the technical scheme provided by the invention, when a mobile terminal normally uses network services such as registration, calls, short messages and data services, an authentication of user characteristic information is added on top of the existing authentication mechanism, so that the terminal is authenticated twice, and only when both authentications succeed can the authentication server determine that the authentication of the terminal succeeds. This strengthens the security of the user's use of the network, strengthens the protection of the user's personal privacy, and protects the legitimate rights and interests of the operator.
Description of drawings
The drawings described herein are provided for further understanding of the invention and form part of this application; the illustrative embodiments of the invention and their description serve to explain the invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a schematic diagram of the configuration of a mobile communication network system used for terminal authentication according to an embodiment of the invention;
Fig. 2 is a flow chart of the terminal authentication method according to an embodiment of the invention;
Fig. 3 is a flow chart of the first authentication according to an embodiment of the invention;
Fig. 4 is a flow chart of performing the first authentication of the terminal according to encrypted first authentication data, according to an embodiment of the invention;
Fig. 5 is a flow chart of terminal authentication according to embodiment one of the invention;
Fig. 6 is a flow chart of terminal authentication according to embodiment two of the invention;
Fig. 7 is a schematic structural diagram of the terminal authentication system according to an embodiment of the invention;
Fig. 8 is a schematic structural diagram of the first authentication data module according to an embodiment of the invention;
Fig. 9A is a schematic structural diagram of the first authentication module according to an embodiment of the invention;
Fig. 9B is a schematic structural diagram of a preferred first authentication module according to an embodiment of the invention.
Embodiment
The present invention will be described in detail below with reference to the drawings and in conjunction with embodiments. It should be noted that the embodiments in this application, and the features in the embodiments, may be combined with each other as long as they do not conflict.
Fig. 1 is a schematic diagram of the configuration of a mobile communication network system used for terminal authentication according to an embodiment of the invention. As shown in Fig. 1, the network system comprises a terminal 10, a base station 20 and an authentication server 30. During authentication of the terminal, terminal 10 sends first authentication data and second authentication data to the authentication server through base station 20; after receiving the two sets of authentication data, the authentication server performs two authentications respectively and, only when both succeed, allows the user to use the current service. It should be noted that the mobile communication network may be any existing mobile communication network, for example GSM, CDMA, WCDMA or TD-SCDMA.
According to an embodiment of the invention, a terminal authentication method is provided. Fig. 2 is a flow chart of the terminal authentication method according to an embodiment of the invention. As shown in Fig. 2, the method comprises:
Step S202: the authentication server performs a first authentication of the terminal according to first authentication data sent by the terminal, where the first authentication data is generated from the user characteristic information of the terminal;
Step S204: the authentication server performs a second authentication of the terminal according to second authentication data sent by the terminal, where the second authentication data is generated from an authentication key, a terminal parameter and a network parameter;
Step S206: when both the first authentication and the second authentication succeed, the authentication server determines that the terminal authentication succeeds.
As mentioned above, in the existing terminal authentication mechanism the important parameters used to authenticate the terminal are fixed in the subscriber identity card by the operator, or fixed in the terminal before it is sold. Once the user accidentally loses the subscriber identity card or the terminal, an illegitimate user can crack the authentication data in the card or the terminal and misuse the user's card or terminal.
The present invention focuses on the security problem that may arise when the authentication data of the subscriber identity card or terminal is cracked, and improves the terminal authentication mechanism by adding verification of user characteristic information preset by the user. That is, the authentication server uses the first authentication data to authenticate the user characteristic information of the terminal, and uses the second authentication data to perform key authentication of the terminal with the existing authentication mechanism. With these two authentications, even if an illegitimate user has obtained and cracked a subscriber identity card or terminal, the duplicated card or cracked terminal cannot be used for normal network services.
In a specific implementation there is no fixed order of execution between step S202 and step S204. As long as both the first and the second authentication are carried out, whether the terminal authentication succeeds can be determined from the two authentication results; if either of the two authentications fails, the authentication of the terminal fails. The operator may choose, according to service characteristics or requirements, to perform the first authentication first and have its success trigger the second authentication; to perform the second authentication first and have its success trigger the first authentication; or to perform the first and second authentication concurrently.
Likewise, there is no fixed order in which the terminal sends the first authentication data and the second authentication data. According to the operator's service characteristics or agreement, the terminal may send the first authentication data first, send the second authentication data first, or send both in the same data packet.
In a specific implementation, terminal authentication may be involved during network registration, calls, short messages and data services. The first authentication may be performed, but is not limited to, in the following situations: (1) it is performed in every network authentication; (2) it is controlled in an optimized way according to the settings of the communication network, being performed at random or on a specified request when verification is needed, so as to reduce the system overhead caused by too many verifications.
The terminal authentication method provided by the embodiment of the invention integrates, on the basis of the existing authentication mechanism, an authentication of the user characteristic information preset by the user, so that the terminal user also becomes a decisive factor in terminal authentication. This protects the legitimate rights and interests of the user and strengthens the security of the user terminal.
Preferably, the user characteristic information comprises personal information preset by the user and identification information of the user.
In a specific implementation, the user can preset the personal information according to personal preference, for example setting it to a passport number, a name, a birthday or another character string. For the identification information of the user, the identification information of the identity card in the terminal (for example the ICCID, the UMID or the user's telephone number) may be chosen, or the identification information of the terminal (for example the IMSI or ESN); or, to be safer, the user identification information may comprise both the identification information of the identity card and the identification information of the terminal. Using the identification information of the card or of the terminal allows the user identification information to be set conveniently from existing resources.
Setting both personal information and user identification information in the user characteristic information is equivalent to establishing a binding between the user's identification information and personal information. This makes it convenient for the authentication server, after receiving the first authentication data, to retrieve from its database the pre-stored authentication data corresponding to the user identification information it contains, and to determine the legitimacy of the user characteristic information by comparing the two.
Fig. 3 is a flow chart of the first authentication according to an embodiment of the invention. Preferably, as shown in Fig. 3, the authentication server performing the first authentication of the terminal according to the first authentication data sent by the terminal comprises:
Step S302: receive the first authentication data from the terminal;
Step S304: obtain the user identification information, and obtain the personal information as first personal information;
Step S306: obtain, from the database of the authentication server, second personal information corresponding to the identification information;
Step S308: compare the first personal information with the second personal information; if they are identical, the first authentication succeeds, otherwise the first authentication fails.
With the above procedure for the first authentication, by judging whether the first personal information sent by the terminal is identical to the second personal information stored by the authentication server under the same user identifier, it can be determined whether the user of the current terminal is legitimate. If an illegitimate user uses a duplicated subscriber identity card, the first authentication cannot be passed because the correct personal information is missing, so the personal interests of the legitimate user are protected.
Preferably, the first authentication data may be generated as follows: using a predetermined encryption rule, the personal information preset by the user and the user identification information are encrypted to generate the first authentication data.
Because the first authentication data may also be obtained by an illegitimate user during transmission, transmitting it in plaintext would pose a serious security risk. Therefore, in a specific implementation, the personal information preset by the user and the user identification information may be encrypted to generate the first authentication data. The specific encryption rule may be agreed between the operator and the terminal manufacturer, or, more securely, negotiated between the terminal and the authentication server during the specific service procedure. Obtaining the first authentication data through encryption thus further guarantees the security of the user's use of the terminal.
If the first authentication data is generated by encryption, the procedure by which the authentication server performs the first authentication may differ. Fig. 4 is a flow chart of performing the first authentication of the terminal according to encrypted first authentication data, according to an embodiment of the invention. Preferably, as shown in Fig. 4, the procedure comprises:
Step S402: receive the first authentication data from the terminal;
Step S404: parse the first authentication data according to a predetermined decryption rule to obtain the user identification information and the personal information, and take the obtained personal information as first personal information;
Step S406: obtain, from the database of the authentication server, second personal information corresponding to the user identification information;
Step S408: compare the first personal information with the second personal information; if they are identical, the first authentication succeeds, otherwise the first authentication fails.
In a specific implementation, the decryption rule corresponds to the encryption rule above and is agreed between the operator and the terminal manufacturer, or negotiated between the terminal and the authentication server. Transmitting the user characteristic information in encrypted form further guarantees the security of the user's use of the terminal.
Preferably, before the authentication server performs the first authentication, the method further comprises: the authentication server obtains and stores the user personal information and the user identification information of the terminal.
To realize the first authentication, the authentication server must establish a user characteristic information database in advance, before performing terminal authentication. This database stores the personal information of registered users, with each user's personal information bound one-to-one to the user identifier.
In a specific implementation, the user needs to report the user characteristic information to the operator. There are several reporting methods; for example, but not limited to, the user characteristic information may be submitted when the terminal joins the network, or the user may log in to the operator's website and enter it. Once the information has been entered in the network-side system, the user's personal information is bound one-to-one to the subscriber identity card or terminal the user uses; whenever the user identification information and the user information are found not to be in a bound relationship, the user is regarded as illegitimate.
In a specific implementation, the user may also update the user characteristic information in a specific manner, for example by short message, by logging in to the operator's website, or directly at an operator's outlet.
The authentication server obtaining, before terminal authentication, and maintaining the user characteristic information provided by the user is the prerequisite for the first authentication; only if the authentication server holds the correct personal information and its binding to the user identifier can the first authentication be carried out smoothly.
Preferably, the user identification information comprises at least one of: the identification information of the smart card of the terminal, and the identification information of the terminal.
For the identification information of the user, the identification information of the identity card in the terminal (for example the ICCID, the UMID or the user's telephone number) may be chosen, or the identification information of the terminal (for example the IMSI or ESN); or, to be safer, the user identification information may comprise both the identification information of the identity card and the identification information of the terminal. Using the identification information of the card or of the terminal allows the user identification information to be set conveniently from existing resources.
Preferably, the personal information preset by the user may be stored in the internal memory of the terminal or on another storage medium connected to the terminal. Because the user's personal information is not stored on the identity card (for example the SIM card) of the terminal, it is not disclosed even if the identity card is lost.
Preferably, the terminal may send the first authentication data to the authentication server by short message or by communication signaling.
In a specific implementation, whichever way the first authentication data is sent, the authentication server can receive it and perform the first authentication operation; the various sending methods make terminal authentication more flexible and more convenient for the operator to implement.
The terminal authentication method above is described in detail below in conjunction with further embodiments.
Embodiment one
In this embodiment, the authentication server performs the first authentication first, and the second authentication is triggered when the first authentication succeeds. Fig. 5 is a flow chart of terminal authentication according to embodiment one of the invention. As shown in Fig. 5, the procedure comprises:
Step S501: the terminal is powered on.
Step S502: the terminal uses a communication network service (network registration, voice, short message, data, etc.).
Step S503: according to the returned system message, the terminal determines whether the first authentication is to be performed.
Step S504: if the network requires the terminal to perform the first authentication, the terminal generates the first authentication data from the personal information preset by the user, the terminal information and the card information, in combination with a specific encryption algorithm, and proceeds to step S505; otherwise it proceeds to step S510.
Step S505: the terminal sends the first authentication data to the authentication server.
Step S506: the authentication server receives the first authentication data fed back by the terminal, parses out the user personal information and the user identification information, compares the personal information reported by the terminal with the personal information stored in the database, and generates the first authentication result.
Step S507: the authentication server sends the first authentication result to the terminal.
Step S508: the terminal judges the first authentication result; if it is a failure, step S509 is performed, otherwise step S510 is performed.
Step S509: the terminal notifies the user that the network service cannot be used, and this operation procedure ends.
Step S510: the terminal sends the second authentication data and the authentication server performs the second authentication; if the second authentication succeeds, the user uses the network service normally, otherwise the user is notified that the network service cannot be used.
Embodiment two
In this embodiment, the authentication server performs the second authentication first, and the first authentication is triggered when the second authentication succeeds. Fig. 6 is a flow chart of terminal authentication according to embodiment two of the invention. As shown in Fig. 6, the procedure comprises:
Step S601: the terminal is powered on.
Step S602: the terminal uses a communication network service (network registration, voice, short message, data, etc.).
Step S603: the terminal sends the second authentication data and the authentication server performs the second authentication; if the second authentication succeeds, step S604 is performed, otherwise the user is notified that the network service cannot be used.
Step S604: according to the returned system message, the terminal determines whether the first authentication is to be performed.
Step S605: if the network requires the terminal to perform the first authentication, the terminal generates the first authentication data from the personal information preset by the user, the terminal information and the card information, in combination with a specific encryption algorithm; if the first authentication is not required, the terminal authentication succeeds and the user uses the network service normally.
Step S606: the terminal sends the first authentication data to the authentication server.
Step S607: the authentication server receives the first authentication data fed back by the terminal, parses out the user personal information and the user identification information, compares the personal information reported by the terminal with the personal information stored in the database, and generates the first authentication result.
Step S608: the authentication server sends the first authentication result to the terminal.
Step S609: the terminal judges the first authentication result; if it is a failure, the terminal notifies the user that the network service cannot be used and this operation procedure ends; otherwise the terminal authentication passes and the user uses the network service normally.
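The following Python is an added example, not the patent's or ZTE's code, that puts the pieces of embodiments one and two together with the encrypted first authentication of Fig. 4 (steps S402 to S408): the terminal encrypts its user identifier and preset personal information under a rule agreed in advance, the server checks the integrity tag, decrypts, looks up the second personal information bound to that identifier and compares, while the second authentication remains the key-based challenge-response of the existing mechanism. The orchestration then enforces step S206, accepting the terminal only when both authentications succeed, in either order or concurrently. The encryption rule (an HMAC-SHA256 counter-mode keystream with an HMAC tag), the key-based algorithm (HMAC-SHA256) and all keys, identifiers and personal information are assumptions or constructed sample values.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample values (not from the patent): rule key agreed between operator and
# terminal manufacturer, an ICCID-style user identifier, and the card secret Ki.
RULE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
USER_ID = "8986001234567890123"
KI = bytes.fromhex("00112233445566778899aabbccddeeff")


def _subkeys(rule_key: bytes):
    """Separate encryption and MAC keys derived from the agreed rule key."""
    return (hashlib.sha256(b"enc" + rule_key).digest(),
            hashlib.sha256(b"mac" + rule_key).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (the assumed encryption rule)."""
    blocks, counter = b"", 0
    while len(blocks) < length:
        blocks += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return blocks[:length]


def make_first_auth_data(rule_key: bytes, user_id: str, personal_info: str) -> bytes:
    """Terminal side: encrypt (identification info, personal info) and append a tag."""
    enc_key, mac_key = _subkeys(rule_key)
    plaintext = json.dumps({"id": user_id, "info": personal_info}).encode()
    nonce = secrets.token_bytes(12)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()[:16]
    return nonce + ciphertext + tag


def parse_first_auth_data(rule_key: bytes, data: bytes):
    """Server side, step S404: verify the tag, decrypt, return (user_id, info) or None."""
    enc_key, mac_key = _subkeys(rule_key)
    if len(data) < 28:
        return None
    nonce, ciphertext, tag = data[:12], data[12:-16], data[-16:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, tag):
        return None  # tampered in transit, or encrypted under a different rule key
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    fields = json.loads(plaintext)
    return fields["id"], fields["info"]


def key_response(ki: bytes, user_id: str, rand: bytes) -> bytes:
    """Existing key-based authentication algorithm (assumed HMAC stand-in), run by both sides."""
    return hmac.new(ki, user_id.encode() + rand, hashlib.sha256).digest()[:8]


class AuthenticationServer:
    def __init__(self, rule_key: bytes, bindings: dict, subscriber_keys: dict):
        self.rule_key = rule_key
        self.bindings = bindings                # user id -> personal info registered in advance
        self.subscriber_keys = subscriber_keys  # user id -> Ki, as held by the existing AUC

    def first_authentication(self, data: bytes) -> bool:
        """Steps S402-S408: parse, look up second personal info by identifier, compare."""
        parsed = parse_first_auth_data(self.rule_key, data)
        if parsed is None:
            return False
        user_id, first_info = parsed
        second_info = self.bindings.get(user_id)
        if second_info is None:
            return False  # no binding registered for this identifier
        return hmac.compare_digest(first_info.encode(), second_info.encode())

    def second_authentication(self, user_id: str, rand: bytes, response: bytes) -> bool:
        ki = self.subscriber_keys.get(user_id)
        return ki is not None and hmac.compare_digest(key_response(ki, user_id, rand), response)


class Terminal:
    def __init__(self, user_id: str, ki: bytes, personal_info: str, rule_key: bytes):
        self.user_id, self.ki, self.personal_info, self.rule_key = user_id, ki, personal_info, rule_key

    def first_auth_data(self) -> bytes:
        return make_first_auth_data(self.rule_key, self.user_id, self.personal_info)

    def second_auth_data(self, rand: bytes) -> bytes:
        return key_response(self.ki, self.user_id, rand)


def authenticate_terminal(terminal: Terminal, server: AuthenticationServer,
                          order: str = "first-then-second") -> bool:
    """Step S206: authenticated only if both stages succeed. order selects embodiment one
    ("first-then-second"), embodiment two ("second-then-first") or "concurrent"; in the
    sequential orders a failed stage ends the procedure and the other stage is not run."""
    def first() -> bool:
        return server.first_authentication(terminal.first_auth_data())

    def second() -> bool:
        rand = secrets.token_bytes(16)
        return server.second_authentication(terminal.user_id, rand, terminal.second_auth_data(rand))

    if order == "concurrent":
        return all([first(), second()])  # both run, both must succeed
    stages = [first, second] if order == "first-then-second" else [second, first]
    return all(stage() for stage in stages)  # all() stops at the first failure


SERVER = AuthenticationServer(RULE_KEY, {USER_ID: "E12345678"}, {USER_ID: KI})
```

With this setup a genuine terminal passes in every order, a card with Ki copied but no knowledge of the preset personal information fails the first authentication, a terminal with the right personal information but the wrong Ki fails the second, and first authentication data altered in transit or produced under a different rule key is rejected at the tag check before any comparison.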
According to an embodiment of the invention, a terminal authentication system is also provided. Fig. 7 is a schematic structural diagram of the terminal authentication system according to an embodiment of the invention. As shown in Fig. 7, the system comprises a terminal 71 and an authentication server 72.
The terminal 71 comprises a first authentication data module 711 and a second authentication data module 712. The first authentication data module 711 is used to generate first authentication data and send it to the authentication server 72, where the first authentication data is generated from the user characteristic information of the terminal. The second authentication data module 712 is used to generate second authentication data and send it to the authentication server 72, where the second authentication data is generated from an authentication key, a terminal parameter and a network parameter.
The authentication server 72 comprises a first authentication module 721, a second authentication module 722 and an authentication success judgment module 723. The first authentication module 721 is used to perform the first authentication of the terminal according to the first authentication data and output a first authentication result; the second authentication module 722 is used to perform the second authentication according to the second authentication data when the first authentication succeeds, and output a second authentication result; the authentication success judgment module 723, connected to the first authentication module 721 and the second authentication module 722 respectively, is used to judge the input first and second authentication results and, when both are successful, determine that the terminal 71 is authenticated successfully.
Fig. 8 is a schematic structural diagram of the first authentication data module according to an embodiment of the invention. Preferably, as shown in Fig. 8, the first authentication data module 711 comprises a storage submodule 801, a generation submodule 802 and a sending submodule 803. The storage submodule 801 is used to store the personal information preset by the user and the user identification information; the generation submodule 802, connected to the storage submodule 801, is used to obtain the personal information and the user identification information and generate the first authentication data; the sending submodule 803, connected to the generation submodule 802, is used to obtain the first authentication data and send it to the authentication server 72.
Fig. 9A is a schematic structural diagram of the first authentication module according to an embodiment of the invention. Preferably, as shown in Fig. 9A, the first authentication module 721 comprises a storage submodule 901, a receiving submodule 902, a first obtaining submodule 903, a second obtaining submodule 904 and a comparison submodule 905. The storage submodule 901 is used to store the personal information provided by the user; the receiving submodule 902 is used to receive the first authentication data; the first obtaining submodule 903, connected to the receiving submodule 902, is used to obtain the user identification information from the first authentication data and output it to the second obtaining submodule 904, and to obtain the personal information from the first authentication data and output it to the comparison submodule 905 as first personal information; the second obtaining submodule 904, connected to the storage submodule 901, the first obtaining submodule 903 and the comparison submodule 905 respectively, is used to obtain from the storage submodule 901 the personal information corresponding to the input user identification information as second personal information and output it to the comparison submodule 905; the comparison submodule 905, connected to the first obtaining submodule 903 and the second obtaining submodule 904 respectively, is used to compare the input first personal information with the second personal information and generate the first authentication result.
Preferably, shown in Fig. 9 B, if first authorization data adopts predetermined encryption rule to encrypt and generates, then first authentication module 721 also comprises: analyzing sub-module 906, obtaining submodule 903 with reception submodule 902 and first is connected, be used to resolve and receive first authorization data that submodule 902 receives, and first authorization data after will resolving exports first to and obtains submodule 903.
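The first authentication of Figs. 9A and 9B and the dual-authentication decision of the judging module 723, written out as an added example; this is not the patent's own code. The patent names neither the predetermined encryption rule nor the algorithm that derives the second authorization data from KI, the terminal parameter and the network parameter, so two assumptions stand in for them here: an encrypt-then-MAC construction built from HMAC-SHA256 for the first authorization data, and an HMAC keyed with KI over the two parameters for the second. All keys, identifiers and personal information in the block are constructed placeholders.

```python
"""Dual terminal authentication modelled on the patent text: a first
authentication on the user's characteristic information (identification
information + preset personal information), then, only on success, a second
authentication derived from KI, a terminal parameter and a network parameter.
Added example; the cipher, message layout and KI response function are assumptions."""
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

NONCE_LEN = 16  # random nonce prepended to the first authorization data
TAG_LEN = 32    # HMAC-SHA256 tag appended to it


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Assumed 'predetermined encryption rule': HMAC-SHA256 run in counter mode."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_first_auth_data(key: bytes, user_id: str, personal_info: str) -> bytes:
    """Terminal side (generation submodule 802): encrypt {id, personal} under the
    pre-agreed key, encrypt-then-MAC, and return nonce || ciphertext || tag."""
    plaintext = json.dumps({"id": user_id, "personal": personal_info}).encode()
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def parse_first_auth_data(key: bytes, blob: bytes) -> Optional[Tuple[str, str]]:
    """Server side (parsing submodule 906): verify the tag before decrypting and
    return (user_id, personal_info), or None if the data is malformed or tampered."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    try:
        obj = json.loads(plaintext.decode())
        return str(obj["id"]), str(obj["personal"])
    except (ValueError, KeyError, TypeError):
        return None


def second_auth_response(ki: bytes, terminal_param: bytes, network_param: bytes) -> bytes:
    """Second authorization data (module 712), assumed to be a MAC keyed with KI
    over the terminal parameter and the network parameter (e.g. a server challenge)."""
    return hmac.new(ki, terminal_param + network_param, hashlib.sha256).digest()


class AuthenticationServer:
    """Authentication server 72: modules 721 (first), 722 (second) and 723 (judge)."""

    def __init__(self, transport_key: bytes):
        self.transport_key = transport_key  # key of the predetermined encryption rule
        self.personal_db = {}               # storage submodule 901: user id -> personal info
        self.ki_db = {}                     # user id -> KI

    def register(self, user_id: str, personal_info: str, ki: bytes) -> None:
        """Information the server obtains and stores before the first authentication."""
        self.personal_db[user_id] = personal_info
        self.ki_db[user_id] = ki

    def first_authentication(self, blob: bytes) -> Optional[str]:
        """Module 721: returns the authenticated user id, or None on failure."""
        parsed = parse_first_auth_data(self.transport_key, blob)
        if parsed is None:
            return None
        user_id, first_personal = parsed
        second_personal = self.personal_db.get(user_id)
        if second_personal is None:
            return None
        if not hmac.compare_digest(first_personal.encode(), second_personal.encode()):
            return None
        return user_id

    def second_authentication(self, user_id: str, terminal_param: bytes,
                              network_param: bytes, response: bytes) -> bool:
        """Module 722: recompute the KI-based response and compare in constant time."""
        ki = self.ki_db.get(user_id)
        if ki is None:
            return False
        return hmac.compare_digest(second_auth_response(ki, terminal_param, network_param), response)

    def authenticate(self, blob: bytes, terminal_param: bytes,
                     network_param: bytes, response: bytes) -> bool:
        """Module 723: the second authentication runs only after the first succeeds,
        and the terminal is authenticated only when both results are success."""
        user_id = self.first_authentication(blob)
        if user_id is None:
            return False
        return self.second_authentication(user_id, terminal_param, network_param, response)


if __name__ == "__main__":
    # Constructed placeholder values; not real keys or identifiers.
    transport_key, ki = b"\x11" * 32, b"\x22" * 16
    server = AuthenticationServer(transport_key)
    server.register("IMSI-PLACEHOLDER", "preset-personal-info", ki)
    challenge = secrets.token_bytes(16)  # network parameter issued by the server
    blob = encrypt_first_auth_data(transport_key, "IMSI-PLACEHOLDER", "preset-personal-info")
    response = second_auth_response(ki, b"IMEI-PLACEHOLDER", challenge)
    print("authenticated:", server.authenticate(blob, b"IMEI-PLACEHOLDER", challenge, response))
```

Two points follow the text rather than being incidental: the server takes the user identification from the parsed first authorization data and uses it to select both the stored personal information and the KI, so the second authentication cannot be attempted for a user whose first authentication did not pass; and the tag is checked before any decryption, so a tampered blob is rejected as a first-authentication failure instead of producing garbage to compare.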
In summary, the technical solution provided by the invention adopts a dual authentication mechanism: on the basis of the existing authentication method, it adds an authentication operation on the user characteristic information set by the user himself. This not only strengthens the security of the user's use of the network and the protection of the user's personal privacy, but also protects the legitimate rights and interests of the operator.
Obviously, those skilled in the art should understand that the above modules or steps of the invention can be realized with general-purpose computing devices; they can be concentrated on a single computing device or distributed over a network formed by multiple computing devices. Alternatively, they can be realized with program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; in some cases the steps shown or described can be carried out in an order different from that given herein, or they can be made into individual integrated circuit modules, or several of the modules or steps can be made into a single integrated circuit module. Thus, the invention is not restricted to any specific combination of hardware and software.
The above are only the preferred embodiments of the invention and are not intended to limit it; for those skilled in the art, the invention may have various changes and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall be included within the protection scope of the invention.

Claims (14)

1. A terminal authentication method, characterized in that it comprises:
an authentication server performing a first authentication of a terminal according to first authorization data sent by the terminal, wherein the first authorization data is generated according to user characteristic information of the terminal;
the authentication server performing a second authentication according to second authorization data sent by the terminal, wherein the second authorization data is generated according to an authentication key KI, terminal parameters and network parameters;
when both the first authentication and the second authentication succeed, the authentication server determining that the authentication of the terminal has succeeded.
2. The method according to claim 1, characterized in that the user characteristic information comprises: personal information preset by the user and identification information of the user.
3. The method according to claim 2, characterized in that the authentication server performing the first authentication of the terminal according to the first authorization data sent by the terminal comprises:
receiving the first authorization data from the terminal;
obtaining the identification information of the user, and obtaining the personal information as first personal information;
obtaining, in the database of the authentication server, second personal information corresponding to the identification information;
comparing the first personal information with the second personal information: if they are identical, the first authentication succeeds; otherwise, the first authentication fails.
4. The method according to claim 2, characterized in that the first authorization data is generated in the following manner: the personal information preset by the user and the identification information of the user are encrypted with a predetermined encryption rule to generate the first authorization data.
5. The method according to claim 4, characterized in that the authentication server performing the first authentication of the terminal according to the first authorization data sent by the terminal comprises:
receiving the first authorization data from the terminal;
parsing the first authorization data according to a predetermined decryption rule to obtain the identification information of the user and the personal information, and taking the obtained personal information as first personal information;
obtaining, in the authentication server, second personal information corresponding to the identification information of the user;
comparing the first personal information with the second personal information: if they are identical, the first authentication succeeds; otherwise, the first authentication fails.
6. The method according to claim 3 or 5, characterized in that before the authentication server performs the first authentication, the method further comprises: the authentication server obtaining and storing the user's personal information and user identification information of the terminal.
7. The method according to any one of claims 2 to 5, characterized in that the identification information of the user comprises at least one of the following: identification information of the identification card of the terminal, and identification information of the terminal.
8. The method according to any one of claims 2 to 5, characterized in that the personal information preset by the user is stored in the internal memory of the terminal or on another storage medium connected to the terminal.
9. The method according to any one of claims 1 to 5, characterized in that the terminal sends the first authorization data to the authentication server by short message or by communication signaling.
10. A terminal authentication system, characterized in that it comprises:
a terminal, comprising:
a first authorization data module, used to generate first authorization data and send the first authorization data to an authentication server, wherein the first authorization data is generated according to user characteristic information of the terminal;
a second authorization data module, used to generate second authorization data and send the second authorization data to the authentication server, wherein the second authorization data is generated according to an authentication key KI, terminal parameters and network parameters;
the authentication server, comprising:
a first authentication module, used to perform a first authentication of the terminal according to the first authorization data and output a first authentication result;
a second authentication module, used to perform a second authentication according to the second authorization data when the first authentication has succeeded, and output a second authentication result;
an authentication success judging module, connected to the first authentication module and the second authentication module respectively, used to judge the input first authentication result and second authentication result and, when both the first authentication result and the second authentication result are success, determine that the authentication of the terminal has succeeded.
11. The system according to claim 10, characterized in that the first authorization data module comprises:
a storage submodule, used to store personal information preset by the user and identification information of the user;
a generation submodule, connected to the storage submodule, used to obtain the personal information and the identification information of the user and generate the first authorization data;
a sending submodule, connected to the generation submodule, used to obtain the first authorization data and send it to the authentication server.
12. The system according to claim 10, characterized in that the first authentication module comprises:
a storage submodule, used to store the personal information provided by the user;
a receiving submodule, used to receive the first authorization data;
a first obtaining submodule, connected to the receiving submodule, used to obtain the identification information of the user from the first authorization data and output it to a second obtaining submodule, and to obtain the personal information from the first authorization data and output it to a comparison submodule as first personal information;
the second obtaining submodule, connected to the storage submodule, the first obtaining submodule and the comparison submodule respectively, used to obtain from the storage submodule the personal information corresponding to the input identification information of the user as second personal information and output it to the comparison submodule;
the comparison submodule, connected to the first obtaining submodule and the second obtaining submodule respectively, used to compare the input first personal information with the second personal information and generate the first authentication result.
13. The system according to claim 10, characterized in that, if the first authorization data is generated by encryption with a predetermined encryption rule, the first authentication module further comprises: a parsing submodule, connected to the receiving submodule and the first obtaining submodule, used to parse the first authorization data received by the receiving submodule and output the parsed first authorization data to the first obtaining submodule.
14. The system according to any one of claims 10 to 13, characterized in that the identification information of the user comprises at least one of the following: identification information of the smart card of the terminal, and identification information of the terminal.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201010145176.8A CN101841814B (en) 2010-04-06 2010-04-06 Terminal authentication method and system
PCT/CN2010/075640 WO2011124051A1 (en) 2010-04-06 2010-08-02 Method and system for terminal authentication

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201010145176.8A CN101841814B (en) 2010-04-06 2010-04-06 Terminal authentication method and system

Publications (2)

Publication Number Publication Date
CN101841814A true CN101841814A (en) 2010-09-22
CN101841814B CN101841814B (en) 2014-07-02

Family

ID=42744856

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010145176.8A Active CN101841814B (en) 2010-04-06 2010-04-06 Terminal authentication method and system

Country Status (2)

Country Link
CN (1) CN101841814B (en)
WO (1) WO2011124051A1 (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102158863A (en) * 2011-02-18 2011-08-17 惠州Tcl移动通信有限公司 System and method for authenticating JAVA-based mobile terminal, server and terminal
CN102158856A (en) * 2011-02-21 2011-08-17 惠州Tcl移动通信有限公司 Mobile terminal identification code authentication system and method, server and terminal
CN102469451A (en) * 2010-11-16 2012-05-23 深圳市雄帝科技股份有限公司 Method and system for phone card real-name authentication
CN104378203A (en) * 2013-08-15 2015-02-25 腾讯科技(深圳)有限公司 Information authentication method, device and terminal
CN105873059A (en) * 2016-06-08 2016-08-17 中国南方电网有限责任公司电网技术研究中心 United identity authentication method and system for power distribution communication wireless private network
CN106897631A (en) * 2017-02-03 2017-06-27 广东欧珀移动通信有限公司 Data processing method, apparatus and system
CN108616511A (en) * 2018-04-03 2018-10-02 深圳市宝尔爱迪科技有限公司 A kind of means of communication and third-party application installation method of the terminal device with encryption system
WO2023097961A1 (en) * 2021-11-30 2023-06-08 北京小米移动软件有限公司 Battery authentication method and apparatus for terminal, electronic device and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1620165A (en) * 2003-11-21 2005-05-25 华为技术有限公司 Identification method of mobile terminal user legalness
CN1684411A (en) * 2004-04-13 2005-10-19 华为技术有限公司 Method for verifying user's legitimate of mobile terminal
US20050289643A1 (en) * 2004-06-28 2005-12-29 Ntt Docomo, Inc. Authentication method, terminal device, relay device and authentication server
CN101521886A (en) * 2009-01-21 2009-09-02 北京握奇数据系统有限公司 Method and device for authenticating terminal and telecommunication smart card

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101656958B (en) * 2009-08-13 2012-07-25 北京握奇数据系统有限公司 Telecommunication intelligent card in Code Division Multiple Access (CDMA) network and authentication method thereof

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102469451A (en) * 2010-11-16 2012-05-23 深圳市雄帝科技股份有限公司 Method and system for phone card real-name authentication
CN102469451B (en) * 2010-11-16 2015-06-17 深圳市雄帝科技股份有限公司 Method and system for phone card real-name authentication
CN102158863A (en) * 2011-02-18 2011-08-17 惠州Tcl移动通信有限公司 System and method for authenticating JAVA-based mobile terminal, server and terminal
CN102158856A (en) * 2011-02-21 2011-08-17 惠州Tcl移动通信有限公司 Mobile terminal identification code authentication system and method, server and terminal
CN104378203A (en) * 2013-08-15 2015-02-25 腾讯科技(深圳)有限公司 Information authentication method, device and terminal
CN104378203B (en) * 2013-08-15 2018-04-27 腾讯科技(深圳)有限公司 Information authentication method, apparatus and terminal
CN105873059A (en) * 2016-06-08 2016-08-17 中国南方电网有限责任公司电网技术研究中心 United identity authentication method and system for power distribution communication wireless private network
CN106897631A (en) * 2017-02-03 2017-06-27 广东欧珀移动通信有限公司 Data processing method, apparatus and system
CN108616511A (en) * 2018-04-03 2018-10-02 深圳市宝尔爱迪科技有限公司 A kind of means of communication and third-party application installation method of the terminal device with encryption system
WO2023097961A1 (en) * 2021-11-30 2023-06-08 北京小米移动软件有限公司 Battery authentication method and apparatus for terminal, electronic device and storage medium

Also Published As

Publication number Publication date
CN101841814B (en) 2014-07-02
WO2011124051A1 (en) 2011-10-13

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20200818

Address after: 210012 Nanjing, Yuhuatai District, South Street, Bauhinia Road, No. 68

Patentee after: Nanjing Zhongxing Software Co.,Ltd.

Address before: 518057 Nanshan District science and technology, Guangdong Province, South Road, No. 55, No.

Patentee before: ZTE Corp.
