CN104541533A - Anti-UICC-card-fraud detection and control for terminals accessing HRPD and EHRPD networks - Google Patents

Publication number
CN104541533A
Authority
CN
China
Prior art keywords
network
parameters
communication session
authentication set
authentication
Legal status
Pending
Application number
CN201280075247.9A
Other languages
Chinese (zh)
Inventor
杜志敏
W·张
李俨
Current Assignee
Qualcomm Inc
Original Assignee
Qualcomm Inc

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06: Authentication
    • H04W12/12: Detection or prevention of fraud
    • H04W12/126: Anti-theft arrangements, e.g. protection against subscriber identity module [SIM] cloning

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method operational at a network entity is provided for detecting concurrent use of authentication parameters from the same subscription on different networks. A first set of authentication parameters is received at the network entity from a first terminal seeking to establish a first communication session via a first network. A second set of authentication parameters is similarly received at the network entity from a second terminal seeking to establish a second communication session via a second network. The network entity may then ascertain whether the first and second sets of authentication parameters are from the same subscription. If the first and second sets of authentication parameters are determined to be from the same subscription, the network entity may cause at least one of the first communication session and/or the second communication session to be terminated.

Description

Anti-UICC-card-fraud detection and control for terminals accessing HRPD and eHRPD networks
Technical field
Various features relate to communication devices, methods and networks that inhibit the illegal use, by different wireless terminals on different networks, of the authentication parameters for the same wireless service subscription.
Background
Evolution-Data Optimized or Evolution-Data Only (EV-DO, EV, EVDO, etc.) is a 3G telecommunications standard for the wireless transmission of data through radio signals. It may use multiplexing techniques, including code division multiple access (CDMA) and time division multiplexing (TDM), to maximize both individual users' throughput and overall system throughput. EV-DO has been standardized by the 3rd Generation Partnership Project 2 (3GPP2) as part of the CDMA2000 family of standards. High Rate Packet Data (HRPD) is defined by the international standard IS-856 and is commonly referred to as 1xEV-DO. HRPD stands for "High Rate Packet Data" and is a high-speed CDMA-based (e.g., cdma2000) wireless data technology developed by Qualcomm™.
Long Term Evolution (LTE) is a standard for wireless data communication technology and an evolution of the GSM/UMTS standards. LTE was developed to increase the capacity and speed of wireless data networks. LTE networks are IP-based and significantly reduce transfer latency compared with 3G network architectures. As operators transition to LTE, some CDMA2000 operators have sought to leverage their existing investment in 3GPP2 network infrastructure. To achieve a gradual transition from High Rate Packet Data (HRPD) to LTE, CDMA operators are seeking migration paths that enhance their existing HRPD networks while addressing LTE deployment requirements and avoiding a complete upgrade of the CDMA network to an LTE network. The choice of migration path depends on many factors, including radio access strategy, network resource strategy, services enabled, timing and cost. A key goal of LTE is to enhance service provisioning while simplifying interworking with non-3GPP mobile networks.
To leverage existing CDMA2000 HRPD network deployments and technology, an enhanced/evolved HRPD (eHRPD) mode has been proposed for a graceful migration from HRPD to LTE for CDMA-based networks. eHRPD is a method that allows CDMA network operators to upgrade their existing HRPD packet core network using elements of the LTE core network (i.e., the System Architecture Evolution, SAE, which implements the Evolved Packet Core, EPC, architecture). eHRPD has the same air interface (i.e., physical layer through application layer) as HRPD, with some new subtypes and functions at the IP layer. While an HRPD radio access network (RAN) accesses a 3GPP2 core network (i.e., for the CDMA network), an eHRPD RAN accesses a 3GPP Evolved Packet Core (EPC) core network (i.e., for the LTE network).
Because of the close air-interface relationship between HRPD and eHRPD, any HRPD/eHRPD terminal (e.g., mobile device, wireless phone, etc.) can operate in either an HRPD network or an eHRPD network at any time, but not in both networks simultaneously. Because of this non-overlapping network architecture design, an HRPD network hosting an HRPD session for a first terminal at location A does not know when a second terminal has established an eHRPD session, using the same UICC card parameters, in an eHRPD network at location B. That is, an HRPD session may have been established for the first terminal using the authentication parameters for a first subscription (e.g., a wireless service subscription or user account), and the second terminal establishes an eHRPD session using those same authentication parameters for the first subscription. Because the HRPD network does not itself initiate re-authentication, the old (i.e., illegal) HRPD session with the first terminal is maintained even after the new eHRPD session with the second terminal is established. Thus, the first terminal and the second terminal can (albeit one after the other) successfully open and keep an HRPD session and an eHRPD session, respectively, using parameters from the same UICC card (e.g., authentication parameters for the same wireless service subscription or account). In this example, the HRPD session becomes illegal, and should be released, once the UICC card is removed from the first terminal or once an eHRPD session is concurrently established using the same authentication parameters (for the same subscription/account). Because illegal HRPD sessions may exist in these circumstances, an operator (e.g., a mobile phone service provider) may lose revenue if the user of the legitimate UICC card subscribes to a service package at a fixed monthly rate.
Therefore, a solution is needed that allows detecting when terminals operating in different networks are concurrently using a UICC card (or the authentication parameters and/or subscriber account information therein) for their sessions, and consequently releasing one or both sessions.
Summary of the invention
A method operational at a network entity/device is provided for detecting concurrent use of authentication parameters from the same subscription on different networks. A first set of authentication parameters is received at the network entity from a first terminal seeking to establish a first communication session via a first network. Similarly, a second set of authentication parameters is received at the network entity from a second terminal seeking to establish a second communication session via a second network. The network entity may then ascertain whether the first and second sets of authentication parameters are from the same subscription. If the first and second sets of authentication parameters are determined to be from the same subscription, the network entity may cause at least one of the first communication session and/or the second communication session to be terminated.
In one example, the first network may be a code division multiple access (CDMA) based High Rate Packet Data (HRPD) network and the second network a CDMA-based enhanced HRPD (eHRPD) network, or vice versa. The HRPD network is connected to a 3GPP2 core network, and the eHRPD network is connected to a 3GPP Evolved Packet Core network.
In one example, the first and second sets of authentication parameters are from the same subscription if at least a user identifier is the same in both sets.
In one implementation, the first terminal may be authenticated using the first set of authentication parameters. Establishment of the first communication session may be granted only if the authentication is successful and the first set of authentication parameters is distinct from the parameter sets of existing communication sessions on the first network and the second network.
In another implementation, the second terminal may be authenticated using the second set of authentication parameters. Establishment of the second communication session may be granted only if the authentication is successful and the second set of authentication parameters is distinct from the parameter sets of existing communication sessions on the first network and the second network.
According to a first example, the network entity/device may be a home access network authentication, authorization and accounting (AN-AAA) server that communicates with both the first network and the second network. In one example, if the first and second sets of authentication parameters are from the same subscription, the home AN-AAA server indicates to an enhanced access network of the first network or an access network of the second network that at least one of the first communication session and the second communication session should be terminated. In another example, if the first and second sets of authentication parameters are from the same subscription, the home AN-AAA server indicates to an HRPD serving gateway (HSGW) of the first network or a packet data serving node (PDSN) of the second network that at least one of the first communication session and the second communication session should be terminated.
According to a second example, the network entity/device may be an integrated 3GPP/3GPP2 home AAA server between the first network and the second network. In one example, if the first and second sets of authentication parameters are from the same subscription, the 3GPP/3GPP2 home AAA server indicates to an HRPD serving gateway (HSGW) of the first network or a packet data serving node (PDSN) of the second network that at least one of the first communication session and the second communication session should be terminated.
According to a third example, the network entity/device may be communicatively coupled to an HRPD serving gateway (HSGW) of the first network and a packet data serving node (PDSN) of the second network.
According to a fourth example, the network entity/device may be communicatively coupled to a 3GPP home AAA server of the first network and a 3GPP2 home AAA server of the second network.
Brief description of the drawings
The various features, nature and advantages may become apparent from the detailed description set forth below when taken in conjunction with the drawings, in which like reference characters identify correspondingly throughout.
Fig. 1 illustrates an example network environment in which a network component serves to identify when HRPD/eHRPD sessions on different networks are concurrently using the same credentials from a UICC card.
Fig. 2 is a block diagram illustrating how sessions for an HRPD network and an eHRPD network may be tracked to ascertain whether concurrent/overlapping HRPD/eHRPD sessions are using the same authentication parameters.
Fig. 3 illustrates a first exemplary method in which a home access network AAA server (home AN-AAA server), in combination with an access network (AN)/enhanced access network (eAN), serves to inhibit concurrent reuse of the same authentication parameters (e.g., originating from the same UICC card) by different terminals on different networks.
Fig. 4 illustrates a second exemplary method in which a home access network AAA server (home AN-AAA server), in combination with a packet data serving node (PDSN) and an HRPD serving gateway (HSGW), serves to inhibit concurrent reuse of the same authentication parameters (e.g., originating from the same UICC card and/or associated with/corresponding to the same wireless service subscription) by different terminals on different networks.
Fig. 5 illustrates a third exemplary method in which an integrated 3GPP/3GPP2 home authentication, authorization and accounting server (home AAA server) obtains registration information from both the HRPD network and the eHRPD network, so that it can detect whether multiple wireless terminals are using the same authentication parameters (e.g., belonging to the same UICC card and/or wireless service subscription identifier).
Fig. 6 is a block diagram illustrating an exemplary home AN-AAA server/device that may be adapted to perform cross-network session tracking and termination of invalid sessions.
Fig. 7 is a block diagram illustrating an exemplary integrated 3GPP/3GPP2 home AAA server/device that may be adapted to perform cross-network session tracking and termination of invalid sessions.
Fig. 8 illustrates a fourth exemplary method in which a new UbiLocator component is connected to both the packet data serving node (PDSN) and the HRPD serving gateway (HSGW) and serves to inhibit concurrent reuse of the same authentication parameters (e.g., belonging to the same UICC card and/or wireless service subscription identifier).
Fig. 9 illustrates a fifth exemplary method in which a new UbiLocator component is introduced between the 3GPP2 AAA server and the 3GPP HSS/H-AAA server to record user registration and deregistration status in the HRPD network and the eHRPD network.
Figure 10 is a block diagram illustrating an exemplary UbiLocator component/device that may be adapted to perform cross-network session tracking and termination of invalid sessions.
Figure 11 is a flow diagram illustrating a method operational at a network entity for detecting concurrent use of user authentication parameters from the same subscription on different networks.
Detailed description
In the following description, specific details are given to provide a thorough understanding of the embodiments. However, one of ordinary skill in the art will understand that the embodiments may be practiced without these specific details. For example, circuits may be shown in block diagrams in order not to obscure the embodiments in unnecessary detail. In other instances, well-known circuits, structures and techniques are not shown in detail in order not to obscure the embodiments.
The word "exemplary" is used herein to mean "serving as an example, instance, or illustration." Any implementation or embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments. Likewise, the term "embodiments" does not require that all embodiments include the discussed feature, advantage or mode of operation.
Overview
To address the problem of the same authentication parameters from a UICC card being reused by two or more terminals in concurrent and/or overlapping HRPD/eHRPD sessions in different networks, an existing or new network component is allocated to the interconnected HRPD and eHRPD networks. In particular, this existing or new network component may serve to record, track and/or compare whether terminals are concurrently using parameters associated with the same UICC card (e.g., authentication information, subscriber account information, etc.) to authenticate and/or establish separate data communication sessions on different networks. If such concurrent or overlapping use is detected, the network component may send a command to release one or both sessions. In one example, the network component may release the earliest HRPD/eHRPD session. In another example, the network component may infer that the account information in the UICC card has been compromised and release both the HRPD session and the eHRPD session, and/or invalidate the account information so that it cannot be used to establish HRPD/eHRPD sessions in the future.
Exemplary network operating environment
Fig. 1 illustrates an example network environment in which a network component serves to identify when HRPD/eHRPD sessions on different networks are concurrently using the same credentials from a UICC card. A first subscriber wireless network 101 may include one or more access points 106 (e.g., access network, base stations, etc.) coupled to a 3GPP2 core network 110, which serve to provide wireless service to one or more wireless terminals 108 in a first region 102. Similarly, a second subscriber wireless network 103 may include one or more access points 114 (e.g., evolved access network, base stations, etc.) coupled to a 3GPP EPC core network 116, which serve to provide wireless service to one or more wireless terminals 112 in a second region 104. For purposes of illustration, the first subscriber wireless network 101 may be referred to as the "HRPD network" because it supports establishment of HRPD sessions, and the second subscriber wireless network 103 may be referred to as the "eHRPD network" because it supports establishment of eHRPD sessions.
The first subscriber wireless network 101 (e.g., HRPD network) and the second subscriber wireless network 103 (e.g., eHRPD network) may rely on parameters stored in the UICC card of a wireless terminal (e.g., subscriber account information associated with or corresponding to a subscription, authentication information, etc.) to authenticate the subscriber (and/or wireless terminal) and establish a communication session (e.g., an HRPD session or an eHRPD session). For terminals operating in HRPD and eHRPD networks there are two types of authentication: access network authentication and core network authentication.
If the eHRPD network (e.g., second subscriber wireless network 103) requests access network authentication, the wireless terminal AT-B 112 performs A12 authentication (i.e., access network authentication for 1xEV-DO) using the HRPD network access identifier (NAI), the HRPD shared secret (SS) and the MD5 security function from the CDMA Subscriber Identity Module (CSIM) application on the user's Universal Integrated Circuit Card (UICC). The wireless terminal AT-B 112 performs EPC core network authentication using the Evolved Packet Core (EPC) network access identifier (NAI), the key and the Authentication and Key Agreement (AKA) security function from the Universal Subscriber Identity Module (USIM) application on the user's UICC card.
By contrast, the HRPD network (e.g., first subscriber wireless network 101) performs both access network authentication and core network authentication using the NAI and shared secret (SS) from the CDMA Subscriber Identity Module (CSIM) application (e.g., in the user's UICC card in the wireless terminal).
In the case of the eHRPD network (e.g., second subscriber wireless network 103), core network authentication is more critical, while in the case of the HRPD network (e.g., first subscriber wireless network 101), access network authentication is more critical. In a network system where HRPD and eHRPD coexist, the same home access network authentication, authorization and accounting (home AN-AAA) entity on the network side (e.g., part of the core networks 110 and 116) may be involved in both HRPD and eHRPD access network authentication for the same subscriber. Note that access network authentication alone cannot be relied upon to detect illegal use of the authentication parameters for a UICC card (e.g., for the same subscription). First, access network authentication is not required for eHRPD, so an operator may choose to disable access network authentication for eHRPD. Consequently, in some cases, such authentication may not be performed. Second, even if access network authentication is enabled in the eHRPD network, a typical home AN-AAA only knows that a new visited AN-AAA (e.g., associated with a new AN or new eAN) is attempting to perform access network authentication for a particular service subscription or account, and does not know and/or care whether a previous session using the same parameters (e.g., using the same wireless service subscription) has been released. Note that the AN-AAA server for access network authentication and the AAA server for core network authentication are typically different logical and physical entities. Additionally, in conventional networks, different authentication, authorization and accounting (AAA) entities are usually involved in HRPD and eHRPD core network authentication (e.g., a 3GPP2 home AAA for the HRPD network and a 3GPP home AAA for the eHRPD network). Therefore, because such conventional HRPD/eHRPD networks perform core network authentication independently, they cannot ascertain that the same parameters from the same UICC card (or the subscriber account information therein, or corresponding to the same wireless service subscription with a network operator or service provider) are being used to establish concurrent or overlapping HRPD and eHRPD sessions on different networks.
To detect, inhibit and/or prevent subscriber/device authentication parameters (e.g., associated with a particular UICC card, wireless service subscription and/or the subscriber/device account information therein) from being used to illegally establish concurrent or overlapping HRPD and eHRPD sessions on different networks, a network entity and/or functional unit 116 is introduced. The network entity and/or functional unit 116 may allow two or more different networks 101 and 103 to verify or cross-reference their access network authentications and/or core network authentications. If this network entity and/or functional unit 116 finds that more than one terminal is accessing the HRPD and eHRPD networks 101 and 103 concurrently, simultaneously, contemporaneously and/or during overlapping time periods using the same subscriber/authentication parameters associated with the same UICC card, it causes release of the earliest session, release of the latest session, release of both sessions and/or invalidation of the parameters used (e.g., the authentication and/or account parameters found in the UICC card associated with/corresponding to a particular wireless service subscription).
Note that although the first and second regions 102 and 104 are shown as separate geographic regions, in some implementations they may be overlapping and/or coextensive geographic regions.
There are various ways in which a wireless network may determine whether a different wireless terminal is concurrently and/or illegally using the same subscriber/device authentication parameters (e.g., associated with a particular UICC card or the subscription/subscriber/device account information therein) on another network for concurrent/overlapping HRPD/eHRPD sessions. In one example implementation, an existing network entity or component (e.g., home AN-AAA, 3GPP/3GPP2 home AAA, etc.) may be reused or enhanced to perform such a check. In another example implementation, a new network entity or component may be allocated or deployed to check for concurrent/overlapping HRPD/eHRPD sessions.
Fig. 2 is a block diagram illustrating how sessions for HRPD and eHRPD networks 204 and 202 may be tracked to ascertain whether concurrent/overlapping HRPD/eHRPD sessions are using the same authentication parameters. The eHRPD network 202 may include an enhanced access network (eAN) 210, an HRPD serving gateway (HSGW) 212, an eHRPD 3GPP2 proxy AAA server 214, and a 3GPP home subscriber server and home authentication, authorization and accounting server (3GPP HSS/H-AAA) 216. The HRPD network 204 may include an access network 220, a packet data serving node (PDSN) 222, an HRPD 3GPP2 proxy AAA server 224, and a 3GPP2 home authentication, authorization and accounting server (3GPP2 H-AAA) 226. A home access network AAA server (home AN-AAA server) 228 may be used by both HRPD/eHRPD networks 204/202 for access network authentication. A cross-network session tracker 230 may be implemented in an existing network component or a new network component to track sessions on the HRPD/eHRPD networks 204/202.
A first wireless terminal 206 may legitimately/rightfully obtain authentication parameters 232 (e.g., from its own UICC card). For example, such authentication parameters may include a network access identifier (NAI), a key and an Authentication and Key Agreement (AKA) security function, in addition to other identifiers that identify the subscriber, the subscriber account and/or the device (e.g., an International Mobile Subscriber Identity). The first wireless terminal 206 may attempt to initiate a data session via the eHRPD network 202 by requesting an eHRPD session 234. This may involve an access network authentication request 236 to the home AN-AAA 228 and a core network authentication request 238 to the 3GPP HSS/H-AAA 216, using one or more of the authentication parameters. If the access network authentication 236 and core network authentication 238 are successful, an eHRPD session 254 is established. Upon establishment of the eHRPD session 254, the cross-network session tracker 230 may track 240 such a session based on the authentication parameters and/or the wireless terminal.
A second wireless terminal 208 may illegally obtain authentication parameters 242 or other information for a wireless service subscription/account. For example, some of these authentication parameters may have been copied from the UICC card for the first wireless terminal 206. Another example of illegal use is where a session is maintained while the valid UICC card in the first wireless terminal 206 is replaced with a counterfeit UICC card, and the valid UICC card is then used in the second wireless terminal 208. The second wireless terminal 208 may attempt to initiate a data session via the HRPD network 204 by requesting an HRPD session 244 using authentication parameters that are at least partially the same as those previously used by the first wireless terminal 206 for the eHRPD session 254. This may involve an access network authentication request 246 to the home AN-AAA 228 and a core network authentication request 248 to the 3GPP2 H-AAA 226, using one or more of the authentication parameters. Upon establishing or attempting to establish the HRPD session 256, the cross-network session tracker 230 may track 240 such a session based on the authentication parameters and/or the wireless terminal.
Before the HRPD session 256 is established, concurrently with its establishment (e.g., while access network authentication and/or core network authentication takes place), and/or after it is established, the cross-network session tracker 230 may monitor and/or detect the use of authentication parameters for data sessions. For example, the cross-network session tracker 230 may detect that the same authentication parameters (Params-A) used by the first wireless terminal 206 for its still-active eHRPD session 254 are being used by the second wireless terminal 208 for its HRPD session 256. Consequently, the cross-network session tracker 230 may terminate at least one of the sessions (e.g., terminate the earliest session, terminate the latest session, terminate both sessions, and/or terminate the session started by the wireless terminal not associated with the authentication parameters).
Although the example in Fig. 2 shows the eHRPD session 254 being established first, the cross-network session tracker 230 operates in the same manner if the HRPD session 256 is established first. For example, the second wireless terminal 208 may first establish the HRPD session 256, and the first wireless terminal 206 then attempts to establish a concurrent or overlapping illegal eHRPD session 254 using authentication parameters from the same subscription. The cross-network session tracker 230 may monitor and/or detect the use of authentication parameters for existing and/or newly requested data sessions (e.g., HRPD/eHRPD sessions), and operate to terminate at least one of the sessions (e.g., terminate the earliest session, terminate the latest session, terminate both sessions, and/or terminate the session started by the wireless terminal not associated with the authentication parameters).
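The tracking and release behaviour described for the cross-network session tracker 230, as an added Python example (not code from the patent). The class and method names, the terminal identifier, the use of a sequence counter in place of timestamps, and the choice not to treat two sessions from the same terminal as a conflict are all assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from itertools import count


class Policy(Enum):
    RELEASE_EARLIEST = 1   # drop the older session, keep the new one
    RELEASE_LATEST = 2     # drop (or refuse) the new session, keep the older one
    RELEASE_BOTH = 3       # drop both sessions
    INVALIDATE = 4         # drop both and block the subscription from new sessions


@dataclass(frozen=True)
class Session:
    seq: int               # establishment order (stand-in for a timestamp)
    network: str           # "HRPD" or "eHRPD"
    terminal_id: str       # hypothetical identifier of the terminal
    subscription_id: str   # user identifier taken from the authentication parameters


class CrossNetworkSessionTracker:
    """Tracks sessions on both networks, keyed by subscription."""

    def __init__(self, policy):
        self.policy = policy
        self.active = {}          # subscription_id -> list of active Session
        self.invalidated = set()  # subscriptions barred from new sessions
        self._seq = count(1)

    def session_established(self, network, terminal_id, subscription_id):
        """Record an authenticated session; return the sessions to release."""
        new = Session(next(self._seq), network, terminal_id, subscription_id)
        if subscription_id in self.invalidated:
            return [new]
        existing = self.active.setdefault(subscription_id, [])
        # Conflict: the same subscription is still active on the *other*
        # network from a *different* terminal.
        clash = [s for s in existing
                 if s.network != network and s.terminal_id != terminal_id]
        if not clash:
            existing.append(new)
            return []
        if self.policy is Policy.RELEASE_LATEST:
            return [new]                      # older session stays tracked
        for s in clash:
            existing.remove(s)
        if self.policy is Policy.RELEASE_EARLIEST:
            existing.append(new)
            return clash
        if self.policy is Policy.INVALIDATE:
            self.invalidated.add(subscription_id)
        return clash + [new]                  # RELEASE_BOTH and INVALIDATE

    def session_released(self, network, terminal_id, subscription_id):
        """Normal teardown reported by a network: stop tracking the session."""
        self.active[subscription_id] = [
            s for s in self.active.get(subscription_id, [])
            if not (s.network == network and s.terminal_id == terminal_id)
        ]


def describe(sessions):
    """Compact (network, terminal) view of a release list."""
    return [(s.network, s.terminal_id) for s in sessions]


if __name__ == "__main__":
    # Constructed scenario following Fig. 2: terminal A opens an eHRPD
    # session, then terminal B presents the same subscription on HRPD.
    tracker = CrossNetworkSessionTracker(Policy.RELEASE_EARLIEST)
    print(describe(tracker.session_established("eHRPD", "AT-A", "sub-0001")))
    print(describe(tracker.session_established("HRPD", "AT-B", "sub-0001")))
```

Reporting teardown through `session_released` is what keeps legitimate sequential use (a card moved to another terminal after its session ended) from being flagged as concurrent use.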
Exemplary reuse of network entities/components to detect illegal HRPD/eHRPD sessions
In various example implementations, an existing network entity/component (e.g., home AN-AAA, 3GPP/3GPP2 home AAA, etc.) may be modified or configured to detect when concurrent/overlapping HRPD/eHRPD sessions in different networks have been established or are in the process of being established.
Fig. 3 illustrates a first exemplary method in which a home access network AAA server (home AN-AAA server) 316, in combination with an access network (AN) 328/enhanced access network (eAN) 314, serves to inhibit concurrent reuse of the same authentication parameters (e.g., originating from the same UICC card) by different terminals on different networks. A first CDMA-based network may be an eHRPD network 302 and a second CDMA-based network may be an HRPD network 304, or vice versa.
EHRPD network 302 can comprise evolved Access Network (eAN) 314, HRPD gateway (HSGW) 312, family's Access Network authentication, authorization and accounting server (family AN-AAA server) 316, eHRPD 3GPP2 proxy AAA server 310, grouped data network gateway (PDN-GW) 318 and 3GPP home subscriber server and Home Authentication, mandate and accounting server (3GPPHSS/H-AAA server) 320.EAN 314 can provide one or more access node (such as, base station etc.), wherein one or more access nodes are provided to wireless access and/or the connectivity of the first wireless terminal 306, thus the first wireless terminal is communicated via eHRPD network 302.In the Access Network certification for eHRPD and HRPD network 302 and 304, family AN-AAA server 316 can be related to.For in the core net certification of eHRPD network 302, eHRPD3GPP2 proxy AAA server 310 can be related to.HSGW 312 may be used for converging the mobile management between HRPD network and LTE network.HSGW 312 can provide the intercommunication between HRPD access node and grouped data network gateway (PDN-GW) 318 (it is the part of the SAE/EPC of LTE network).PDN-GW 318 can be the terminating point of packet data interface towards the session of LTE network 319 (such as, packet data network).3GPP HSS/H-AAA server 320 can perform home subscriber server (HSS) function, such as, store and upgrade user's customized information, and from user ID secret generating security information, and comprising the Home Authentication of core net certification, mandate and billing function.
HRPD network 304 can comprise Access Network (AN) 328, packet data serving node (PDSN) 322, family's Access Network authentication and authorization charging server (family AN-AAA server) 316, HRPD3GPP2 proxy AAA server 324 and the mandate of 3GPP2 Home Authentication and accounting server (3GPP2H-AAA server) 326.AN 328 can provide one or more access node (such as, base station etc.), wherein one or more access nodes are provided to wireless access and/or the connectivity of the second wireless terminal 308, thus the second wireless terminal can be communicated via HRPD network 304.PDSN 322 can serve as the tie point between wireless access network 328 and IP network 323, and can be in charge of peer-peer protocol (PPP) session between core IP network and the second wireless terminal 308.For in the core net certification of HRPD network 304, HRPD 3GPP2 proxy AAA server 324 can be related to.3GPP2H-AAA server 326 can perform comprise core net certification Home Authentication, mandate and billing function.
First wireless terminal 306 can according to the parameter be stored in the first UICC card 307 (such as, for subscriber information, accounts information, authentication information etc. that wireless service is customized) operate, to utilize eHRPD network 302 to carry out certification to subscriber and/or equipment, and set up session.Similarly, second wireless terminal 308 can according to the parameter be stored in the second UICC card 309 (such as, for wireless customized subscriber information, accounts information, authentication information etc.) operate, to utilize HRPD network 304 to carry out certification to subscriber and/or equipment, and set up session.Usually, different wireless devices has the UICC card with different parameters for authentication (such as, that be associated or corresponding parameter customized from the different wireless service of service provider).But, in some cases, may replicate the parameter the second UICC card 309 from the first UICC card 307 (or wireless service customized/accounts information), or the first UICC card 307 may be moved on to the second wireless terminal 308 from the first wireless terminal 306.
In the example implementations of Fig. 3, eAN 314 (for eHRPD network 302) and AN328 (for HRPD network 304) all communicates with the same AN-AAA 316 (the family AN-AAA of user) for Access Network certification (such as, A12 certification).Suppose that eHRPD network 302 has also enabled Access Network certification (such as, A12 certification) herein.
In one example, the eAN 314 may have authenticated the first wireless terminal 306 (e.g., access network authentication and core network authentication) and established an eHRPD session 315 for the first wireless terminal 306 with the eHRPD network 302. When the AN 328 subsequently sends an access request to the home AN-AAA 316 on behalf of the second wireless terminal 308, to perform access network authentication for the same user identifier (e.g., using the same authentication parameters found in the first UICC 307), the home AN-AAA 316 is configured to notify the earlier-registered eAN 314, after the new access authentication has passed, to release the ongoing eHRPD session 315. This release command may be sent some time after the new access authentication for the second wireless terminal 308 has succeeded. This avoids a potential ping-pong effect between the two (e)ANs 314 and 328. Note that the terminals 306 and 308 access the eAN 314 and the AN 328, respectively, using the same authentication parameters of the same subscription (e.g., the HRPD network access identifier, NAI), so that the home AN-AAA 316 can identify each wireless terminal 306 and 308 (and/or UICC card 307 and 309) by the International Mobile Subscriber Identity (IMSI) allocated for the CDMA mode, which may be embedded in the HRPD NAI.
Similarly, in another example, the AN 328 may have authenticated the second wireless terminal 308 (e.g., access network authentication and core network authentication) and established an HRPD session 329 with the HRPD network 304. When the eAN 314 subsequently sends an access request to the home AN-AAA 316 on behalf of the first wireless terminal 306, to perform access network authentication for the same user identifier (e.g., using the same authentication parameters found in the second UICC card 309), the home AN-AAA 316 is configured to notify the earlier-registered AN 328, after the new access authentication has passed, to release/terminate the ongoing HRPD session 329.
Fig. 4 illustrates a second exemplary method, in which the home access network AAA server (home AN-AAA server) 316, in combination with the packet data serving node (PDSN) 322 and the HRPD serving gateway (HSGW) 312, is used to prohibit different terminals from concurrently reusing the same authentication parameters (e.g., originating from the same UICC card and/or associated with or corresponding to the same wireless service subscription) on different networks. The method in Fig. 4 is similar to the method shown in Fig. 3, but the home AN-AAA 316 has one or more additional interfaces to connect to different network components. The 3GPP2 AN-AAA 316 is chosen to be connected to the PDSN 322 and the HSGW 312. In one example, once a user has successfully established a PPP connection (or main A10 connection) using a user identifier, the PDSN 322 (or a serving AAA function integrated with or connected to it) sends a RADIUS/DIAMETER message (e.g., accounting start) to the user's home AN-AAA. Once the user releases the PPP session, the PDSN (or the serving AAA function integrated with or connected to it) uses another RADIUS/DIAMETER message to notify the home AN-AAA 316 that the user has deregistered. In this way, the home AN-AAA server 316 correctly records whether the user is in the registered state or the deregistered state in the HRPD network 304. The HSGW 312 operates similarly, helping the home AN-AAA server 316 track whether the user is in the registered state or the deregistered state in the eHRPD network 302. Here, the eHRPD network 302 does not need to have A12 authentication enabled. However, all user identifiers of each UICC subscriber card, in particular the mapping between the same user's EPC-AKA NAI and (e)HRPD access NAI, may be provisioned in the HSGW 312 in advance, or the HSGW 312 has access to such information.
The user's home AN-AAA 316 can therefore ascertain whether two or more wireless terminals 306 and 308 are using the same parameter set, belonging to the same UICC card or wireless service subscription, to establish multiple HRPD/eHRPD sessions. If the home AN-AAA 316 finds that more than one terminal is using parameters from the same UICC card or subscription in the HRPD network 304 and the eHRPD network 302, it may send a RADIUS/DIAMETER message (e.g., Disconnect or Access-Reject) to the AN 328/eAN 314 and/or the HSGW 312/PDSN 322 to release the earliest session, release/terminate the latest session, or release both sessions. Alternatively, if a record of the devices associated with the parameters of each subscription is maintained by, or available to, the home AN-AAA 316, the session from the wireless device that is not associated with the authentication parameters may be terminated. A wireless terminal that wishes to re-establish a released session must perform authentication again, which cannot succeed for a wireless terminal with an illegal or forged UICC card.
Fig. 5 illustrates a third exemplary method, in which an integrated 3GPP/PP2 home authentication, authorization and accounting server (home AAA server) 327 obtains registration information from both the HRPD network 304 and the eHRPD network 302, and can thus detect whether multiple wireless terminals are using the same authentication parameters (e.g., identifiers belonging to the same UICC card and/or wireless service subscription). In one example, when the PDSN 322 in the HRPD network 304 registers a user (or the subscription associated with the user) through the 3GPP2 proxy AAA server 324, the integrated 3GPP/PP2 home AAA server 327 may send a message to the HSGW 312 (which previously registered the same user/subscription in the eHRPD network 302) requesting that the HSGW 312 release the eHRPD session 315 (e.g., the PPP session or main A10 connection) corresponding to the user (or the subscription associated with the user).
Similarly, in another example, when the HSGW 312 in the eHRPD network 302 registers a user (or the subscription associated with the user) through the 3GPP2 proxy AAA server 310, the integrated 3GPP/PP2 home AAA server 327 may send a message to the PDSN 322 (which previously registered the same user/subscription on the HRPD network 304) requesting that the PDSN 322 release the HRPD session 329 (e.g., the PPP session or main A10 connection) corresponding to the user (or the subscription associated with the user).
Note that, in various alternative implementations, the integrated 3GPP/PP2 home AAA server 327 may choose which session to cancel, terminate or reject according to different criteria. For example, instead of terminating only the earliest session, the integrated 3GPP/PP2 home AAA server 327 may operate to terminate, reject and/or stop the latest session or both sessions. Alternatively, if the wireless service provider/operator maintains a record of the devices (or device IDs) associated with a particular wireless service subscription/account (and/or the corresponding authentication parameters), the integrated 3GPP/PP2 home AAA server 327 may terminate the session started by the wireless terminal that is not associated with the authentication parameters and/or the corresponding subscription.
To check whether a user (or the subscription associated with the user) is already registered through another network, the integrated 3GPP/PP2 home AAA 327 may know the parameter/identifier/UICC card binding information in advance. There are at least two ways to obtain this information: it may be pre-configured in the home AAA 327, or the HSGW 312 may send a message containing both the (e)HRPD access NAI (from the CSIM application on the UICC card) and the EAP-AKA NAI (from the USIM application on the UICC card).
Fig. 6 is a block diagram illustrating an exemplary home AN-AAA server/device that may be adapted to perform cross-network session tracking and termination of invalid sessions. For example, the home AN-AAA server may be adapted or configured to perform one or more of the functions described with respect to Figs. 2, 3 and/or 4. The home AN-AAA server 602 may comprise one or more processing circuits 606 coupled to a network communication interface/circuit 604 and/or a memory/storage device 608. The network communication interface/circuit 604 may be adapted to allow the home AN-AAA server 602 to communicate with, for example, the HRPD network 601 (e.g., the AN and/or PDSN) and/or the eHRPD network 603 (e.g., the eAN and/or HSGW). The processing circuit 606 may comprise an access network authentication module/circuit/function 610, a cross-network session tracking module/circuit/function 612, an invalid session detector module/circuit/function 614 and/or a session terminator module/circuit/function 616. The access network authentication module/circuit/function 610 may be adapted to perform access network authentication for wireless terminals attempting to establish a session on the HRPD network 601 and/or the eHRPD network 603. The cross-network session tracking module/circuit/function 612 may be used to track the sessions established on the HRPD network 601 and/or the eHRPD network 603, including the parameters used to establish such sessions (e.g., authentication parameters, account information, NAI, subscription, etc.). The invalid session detector module/circuit/function 614 may be adapted to determine whether the authentication parameters of a new session in a first network are already in use by a currently active session in a second network (e.g., by a different wireless device). If so, the session terminator module/circuit/function 616 may be adapted to cause at least one of the sessions to be terminated (e.g., terminate the earliest session, terminate the latest session, terminate both sessions, and/or terminate the session started by the wireless terminal that is not associated with the authentication parameters). Optionally, the memory/storage device 608 may also store a record of cross-network sessions 618 (e.g., sessions on the HRPD network 601 and/or the eHRPD network 603) to assist the cross-network session tracking module/circuit/function 612 and/or the invalid session detector module/circuit/function 614.
Fig. 7 is a block diagram illustrating an exemplary integrated 3GPP/3GPP2 home AAA server/device 702 that may be adapted to perform cross-network session tracking and termination of invalid sessions. For example, the integrated 3GPP/3GPP2 home AAA server/device 702 may be adapted or configured to perform one or more of the functions described with respect to Figs. 2 and/or 5. The integrated 3GPP/3GPP2 home AAA server/device 702 may comprise one or more processing circuits 706 coupled to a network communication interface/circuit 704 and/or a memory/storage device 708. The network communication interface/circuit 704 may be adapted to allow the integrated 3GPP/3GPP2 home AAA server/device 702 to communicate with, for example, the HRPD network 701 (e.g., the HRPD 3GPP2 proxy AAA server and/or PDSN) and/or the eHRPD network 703 (e.g., the eHRPD 3GPP2 proxy AAA server and/or HSGW). The processing circuit 706 may comprise or implement a 3GPP2 H-AAA module/circuit/function 710, a 3GPP HSS/H-AAA module/circuit/function 712, a session registration collection module/circuit/function 714, an invalid session detector module/circuit/function 716 and/or a session terminator module/circuit/function 718. The session registration collection module/circuit/function 714 may be adapted to obtain/receive session registration information from the HRPD network 701 and the eHRPD network 703. The invalid session detector module/circuit/function 716 may be adapted to determine whether the authentication parameters of a new session in a first network are already in use by a currently active session in a second network (e.g., by a different network device). If so, the session terminator module/circuit/function 718 may be adapted to cause at least one of the sessions to be terminated (e.g., terminate the earliest session, terminate the latest session, terminate both sessions, and/or terminate the session started by the wireless terminal that is not associated with the authentication parameters). Optionally, the memory/storage device 708 may also store a record of cross-network sessions 720 (e.g., the session registration information obtained by the session registration collection module/circuit/function 714) to assist the invalid session detector module/circuit/function 716 and/or the session terminator module/circuit/function 718 in performing their functions.
Exemplary addition of new network entities/components to detect illegal HRPD/eHRPD sessions
In various example implementations, new network entities/components may be added to detect when concurrent/overlapping HRPD/eHRPD sessions that use the same parameters (e.g., authentication parameters, subscription information, service account information, etc.) have been established, or are in the process of being established, on different networks.
Fig. 8 illustrates a fourth exemplary method, in which a new UbiLocator component 802 is connected to both the packet data serving node (PDSN) 322 and the HRPD serving gateway (HSGW) 312 and is used to prohibit concurrent reuse of the same authentication parameters (e.g., identifiers belonging to the same UICC card and/or wireless service subscription). Many of the components shown in Fig. 8 are similar to those described for Fig. 3. The UbiLocator component 802 may be adapted to record the registered and logged-out states of users in the HRPD network 304 and the eHRPD network 302. The UbiLocator component 802 may have a direct interface to the PDSN 322 and the HSGW 312 that uses RADIUS/DIAMETER messages or some new messages. Once a user has successfully established a PPP session, the PDSN 322 and the HSGW 312 may send a notification to the UbiLocator component 802 for registration. The UbiLocator component 802 thus maintains a record of the existing sessions in the HRPD network 304 and the eHRPD network 302. Once those PPP sessions are released, the PDSN 322 and the HSGW 312 send another message (e.g., a logout message) to the UbiLocator component 802, notifying it that those users are now in the logged-out state.
This method assumes that the UbiLocator component 802 is pre-configured to store all identifiers of each UICC card in advance. If the UbiLocator component 802 finds that more than one wireless terminal is using parameters from the same UICC card to access the HRPD network 304 and the eHRPD network 302, it sends a RADIUS message (e.g., Access-Reject, Disconnect) to release the illegal (e.g., the earliest) session. Wireless terminals that wish to re-establish a released session must perform authentication again, which cannot succeed if they use an illegal or forged UICC card.
Fig. 9 illustrates a fifth exemplary method, in which a new UbiLocator component 902 is introduced between the 3GPP2 AAA server 326 and the 3GPP HSS/H-AAA server 320 to record the registered and logged-out states of users in the HRPD network 304 and the eHRPD network 302. Many of the components shown in Fig. 9 are similar to those described for Fig. 3. The UbiLocator component 902 may have a direct interface to the 3GPP2 H-AAA server 326 and the 3GPP HSS/H-AAA server 320 that uses RADIUS/DIAMETER messages or some new messages. Once a user has successfully established a PPP session, the 3GPP2 H-AAA server 326 and the 3GPP HSS/H-AAA server 320 may send a notification message to the UbiLocator component 902 for registration. Once the PPP session is released, the 3GPP2 H-AAA server 326 and the 3GPP HSS/H-AAA server 320 send another message to the UbiLocator component 902, notifying it that those users are now in the logged-out state.
This method assumes that the UbiLocator component 902 is pre-configured to store all identifiers of each UICC card in advance. If the UbiLocator component 902 finds that more than one terminal is using parameters from the same UICC card, it sends a RADIUS message (e.g., Disconnect or Access-Reject) to release the invalid session. If the disconnected wireless terminal wishes to re-establish its session, it must perform authentication again, which cannot succeed if it uses an illegal or forged UICC card.
Figure 10 is a block diagram illustrating an exemplary UbiLocator component/device 1002 that may be adapted to perform cross-network session tracking and termination of invalid sessions. For example, the UbiLocator component/device 1002 may be adapted or configured to perform one or more of the functions described with respect to Figs. 2, 8 and/or 9. The UbiLocator component/device 1002 may comprise one or more processing circuits 1006 coupled to a network communication interface/circuit 1004 and/or a memory/storage device 1008. The network communication interface/circuit 1004 may be adapted to allow the UbiLocator component/device 1002 to communicate with, for example, the HRPD network 1001 (e.g., the 3GPP2 H-AAA server and/or PDSN) and/or the eHRPD network 1003 (e.g., the 3GPP HSS/H-AAA server and/or HSGW). The processing circuit 1006 may comprise or implement a session registration collection module/circuit/function 1012, an invalid session detector module/circuit/function 1014 and/or a session terminator module/circuit/function 1016. The session registration collection module/circuit/function 1012 may be adapted to obtain/receive session registration information from both the HRPD network 1001 (e.g., the 3GPP2 H-AAA server and/or PDSN) and the eHRPD network 1003 (e.g., the 3GPP HSS/H-AAA server and/or HSGW). The invalid session detector module/circuit/function 1014 may be adapted to determine whether the authentication parameters of a new session in a first network are already in use by a currently active session in a second network (e.g., by a different wireless device). If so, the session terminator module/circuit/function 1016 may be adapted to cause at least one of the sessions to be terminated (e.g., terminate the earliest session, terminate the latest session, terminate both sessions, and/or terminate the session started by the wireless terminal that is not associated with the authentication parameters). Optionally, the memory/storage device 1008 may also store a record of cross-network sessions 1018 (e.g., the session registration information obtained by the session registration collection module/circuit/function 1012) to assist the invalid session detector module/circuit/function 1014 and/or the session terminator module/circuit/function 1016 in performing their functions.
Figure 11 is a flow chart illustrating a method, operational at a network entity, for detecting simultaneous use on different networks of user authentication parameters from the same subscription. According to various examples, the method may be implemented by a home AN-AAA server (e.g., as in Figs. 3, 4 and 6), an integrated 3GPP/3GPP2 home AAA server (e.g., as in Figs. 5 and 7) and/or a UbiLocator component (e.g., as in Figs. 8, 9 and/or 10). A first set of authentication parameters may be received/obtained from a first terminal attempting to establish a first communication session via a first network 1102. Similarly, at a subsequent time, a second set of authentication parameters may be received from a second terminal attempting to establish a second communication session via a second network 1104. For example, the first communication session may be an HRPD session and the second communication session may be an eHRPD session, or vice versa. According to various examples, these authentication parameters (e.g., the network access identifier, NAI, etc.) may be requested from, or sent by, other network entities. The network entity may then ascertain whether the first set of authentication parameters and the second set of authentication parameters are from the same subscription 1106. Such a subscription may be, for example, a wireless service subscription or account to which specific/unique authentication parameters are assigned, so that the access network can identify the subscriber, authenticate the subscription and/or provide wireless communication service. If the first set of authentication parameters and the second set of authentication parameters are from the same subscription (e.g., the parameters have been copied, or the first UICC card has been moved between the two terminals, etc.), the network entity terminates the first communication session 1108. Note that, in various implementations, the first and/or second set of authentication parameters may refer to one or more parameters used by the access network for authentication (e.g., access network authentication) and/or by the core network for authentication (e.g., core network authentication). In one example, the first set of authentication parameters and the second set of authentication parameters are from the same subscription if at least the network access identifier (NAI) is the same for both sets and both can pass access network authentication and/or core network authentication.
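The following Python sketch is an added illustration, not code from the patent: it models the registration/logout notifications of the Fig. 4 and Fig. 8 methods together with the Fig. 11 decision, including the four termination options the description lists. The class and field names, the NAI strings, the device identifiers and the fallback used when no device record can decide are all assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Policy(Enum):
    EARLIEST = "earliest"          # release the session established first
    LATEST = "latest"              # release the newly established session
    BOTH = "both"                  # release both sessions
    UNASSOCIATED = "unassociated"  # release sessions from devices not on record


@dataclass(frozen=True)
class Session:
    network: str    # "HRPD" (reported by the PDSN) or "eHRPD" (reported by the HSGW)
    nai: str        # identifier the terminal authenticated with
    device_id: str  # terminal identifier; assumed to be carried in the notification
    started: int    # registration time in seconds


class CrossNetworkSessionTracker:
    def __init__(self, bindings, policy=Policy.EARLIEST, known_devices=None):
        # bindings: pre-provisioned map from every NAI of a UICC card
        # (access NAI and EAP-AKA NAI) to a single subscription key.
        self.bindings = dict(bindings)
        self.policy = policy
        self.known_devices = known_devices or {}  # subscription -> set of device ids
        self.active = {}                          # subscription -> list of Session

    def _subscription(self, nai):
        # An NAI without a binding is tracked under its own value, so the same
        # NAI showing up on both networks is still detected.
        return self.bindings.get(nai, nai)

    def register(self, new):
        """Record a registration; return the sessions that must be released."""
        sub = self._subscription(new.nai)
        current = self.active.setdefault(sub, [])
        conflicts = [s for s in current if s.network != new.network]
        if not conflicts:
            current.append(new)
            return []
        release = self._select(sub, conflicts, new)
        self.active[sub] = [s for s in current + [new] if s not in release]
        return release

    def _select(self, sub, conflicts, new):
        if self.policy is Policy.LATEST:
            return [new]
        if self.policy is Policy.BOTH:
            return conflicts + [new]
        if self.policy is Policy.UNASSOCIATED:
            allowed = self.known_devices.get(sub)
            if allowed:
                rogue = [s for s in conflicts + [new] if s.device_id not in allowed]
                if rogue:
                    return rogue
            # Assumption: with no usable device record, fall back to EARLIEST.
        return conflicts  # EARLIEST: the sessions that were already active

    def deregister(self, network, nai):
        """Handle the logout notification sent when a PPP session is released."""
        sub = self._subscription(nai)
        remaining = [s for s in self.active.get(sub, [])
                     if not (s.network == network and s.nai == nai)]
        if remaining:
            self.active[sub] = remaining
        else:
            self.active.pop(sub, None)


# Constructed sample data: two identifiers of one UICC card bound to one subscription.
ACCESS_NAI = "460030000000001@hrpd.example.net"
AKA_NAI = "0460030000000001@epc.example.net"
BINDINGS = {ACCESS_NAI: "sub-001", AKA_NAI: "sub-001"}
DEVICES = {"sub-001": {"terminal-306"}}


def demo(policy):
    """eHRPD session first, then an HRPD session reusing the same subscription."""
    tracker = CrossNetworkSessionTracker(BINDINGS, policy, DEVICES)
    tracker.register(Session("eHRPD", AKA_NAI, "terminal-306", 100))
    released = tracker.register(Session("HRPD", ACCESS_NAI, "terminal-308", 160))
    return [(s.network, s.device_id) for s in released]


if __name__ == "__main__":
    for p in Policy:
        print(p.value, "->", demo(p))
```

Detection here keys only on the subscription and the network; the device identifier is consulted solely by the device-record policy, mirroring the optional per-subscription device record in the description.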
One or more of the components, steps, features and/or functions shown in the figures may be rearranged and/or combined into a single component, step, feature or function, or embodied in several components, steps or functions. Additional elements, components, steps and/or functions may also be added without departing from the novel features disclosed herein. The apparatus, devices and/or components shown in the figures may be configured to perform one or more of the methods, features or steps described in the figures. The novel algorithms described herein may also be efficiently implemented in software and/or embedded in hardware.
In addition, it should be noted that the embodiments may be described as a process that is depicted as a flow chart, a flow diagram, a structure diagram or a block diagram. Although a flow chart may describe the operations as a sequential process, many of the operations can be performed in parallel or concurrently. In addition, the order of the operations may be rearranged. A process is terminated when its operations are completed. A process may correspond to a method, a function, a procedure, a subroutine, a subprogram, etc. When a process corresponds to a function, its termination corresponds to a return of the function to the calling function or the main function.
Moreover, a storage medium may represent one or more devices for storing data, including read-only memory (ROM), random access memory (RAM), magnetic disk storage media, optical storage media, flash memory devices and/or other machine-readable media, processor-readable media and/or computer-readable media for storing information. The terms "machine-readable medium", "computer-readable medium" and/or "processor-readable medium" may include, but are not limited to, non-transitory media such as portable or fixed storage devices, optical storage devices, and various other media capable of storing, containing or carrying instructions and/or data. Thus, the various methods described herein may be fully or partially implemented by instructions and/or data that may be stored in a "machine-readable medium", "computer-readable medium" and/or "processor-readable medium" and executed by one or more processors, machines and/or devices.
Furthermore, embodiments may be implemented by hardware, software, firmware, middleware, microcode, or any combination thereof. When implemented in software, firmware, middleware or microcode, the program code or code segments that perform the necessary tasks may be stored in a machine-readable medium such as a storage medium or other storage device. A processor may perform the necessary tasks. A code segment may represent a procedure, a function, a subprogram, a program, a routine, a subroutine, a module, a software package, a class, or any combination of instructions, data structures or program statements. A code segment may be coupled to another code segment or a hardware circuit by passing and/or receiving information, data, arguments, parameters or memory contents. Information, arguments, parameters, data, etc. may be passed, forwarded or transmitted via any suitable means, including memory sharing, message passing, token passing, network transmission, etc.
The various illustrative blocks, modules, circuits, elements and/or components described in connection with the examples disclosed herein may be implemented or performed with a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general-purpose processor may be a microprocessor, but the processor may also be any conventional processor, controller, microcontroller or state machine. A processor may also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration.
The methods or algorithms described in connection with the examples disclosed herein may be embodied directly in hardware, in a software module executable by a processor, or in a combination of the two, in the form of a processing unit, programming instructions or other directions, and may be contained in a single device or distributed across multiple devices. A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. A storage medium may be coupled to the processor such that the processor can read information from, and write information to, the storage medium. Alternatively, the storage medium may be integral to the processor.
Those skilled in the art will further appreciate that the various illustrative blocks, modules, circuits and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends on the particular application and the design constraints imposed on the overall system.
The various features of the invention described herein can be implemented in different systems without departing from the invention. It should be noted that the foregoing embodiments are merely examples and are not to be construed as limiting the invention. The description of the embodiments is intended to be illustrative, and not to limit the scope of the claims. As such, the present teachings can be readily applied to other types of apparatus, and many alternatives, modifications and variations will be apparent to those skilled in the art.

Claims (38)

1. A method, operational at a network entity, for detecting concurrent use of authentication parameters from the same subscription on different networks, comprising:
Receiving a first set of authentication parameters from a first terminal attempting to establish a first communication session via a first network;
Receiving a second set of authentication parameters from a second terminal attempting to establish a second communication session via a second network;
Ascertaining, at the network entity, whether the first set of authentication parameters and the second set of authentication parameters are from the same subscription; and
Terminating at least one of the first communication session and/or the second communication session if the first set of authentication parameters and the second set of authentication parameters are from the same subscription.
2. The method of claim 1, wherein the first network is a code division multiple access (CDMA) based high rate packet data (HRPD) network, and the second network is a CDMA-based enhanced HRPD (eHRPD) network.
3. The method of claim 2, wherein the HRPD network is connected to a 3GPP2 core network, and the eHRPD network is connected to a 3GPP evolved packet core network.
4. The method of claim 1, wherein the first set of authentication parameters and the second set of authentication parameters are from the same subscription if at least a user identifier is the same for both the first set of authentication parameters and the second set of authentication parameters.
5. The method of claim 1, further comprising:
Authenticating the first terminal using the first set of authentication parameters; and
Granting establishment of the first communication session only if the authentication is successful and the first set of authentication parameters is different from the parameter sets of existing communication sessions on the first network and the second network.
6. The method of claim 1, further comprising:
Authenticating the second terminal using the second set of authentication parameters; and
Granting establishment of the second communication session only if the authentication is successful and the second set of authentication parameters is different from the parameter sets of existing communication sessions on the first network and the second network.
7. The method of claim 1, wherein terminating at least one of the first communication session and/or the second communication session comprises:
Terminating the earliest established session of the first communication session and the second communication session.
8. The method of claim 1, wherein terminating at least one of the first communication session and/or the second communication session comprises:
Terminating the most recently established session of the first communication session and the second communication session.
9. The method of claim 1, wherein terminating at least one of the first communication session and/or the second communication session comprises:
Terminating both the first communication session and the second communication session.
10. The method of claim 1, wherein terminating at least one of the first communication session and/or the second communication session comprises:
Terminating the first communication session or the second communication session depending on whether, according to the service provider, the subscription has a pre-established association with the first wireless terminal or with the second wireless terminal.
11. The method of claim 1, wherein the network entity is a home access network authentication, authorization, and accounting (AN-AAA) server in communication with both the first network and the second network.
12. The method of claim 11, wherein, if the first set of authentication parameters and the second set of authentication parameters are from the same subscription, the home AN-AAA server indicates to an enhanced access network of the first network or to an access network of the second network that at least one of the first communication session and the second communication session should be terminated.
13. The method of claim 11, wherein, if the first set of authentication parameters and the second set of authentication parameters are from the same subscription, the home AN-AAA server indicates to an HRPD serving gateway (HSGW) of the first network or to a packet data serving node (PDSN) of the second network that at least one of the first communication session and the second communication session should be terminated.
14. The method of claim 1, wherein the network entity is an integrated 3GPP/3GPP2 home AAA server between the first network and the second network.
15. The method of claim 14, wherein, if the first set of authentication parameters and the second set of authentication parameters are from the same subscription, the 3GPP/3GPP2 home AAA server indicates to an HRPD serving gateway (HSGW) of the first network or to a packet data serving node (PDSN) of the second network that at least one of the first communication session and the second communication session should be terminated.
16. The method of claim 1, wherein the network entity is a device communicatively coupled to an HRPD serving gateway (HSGW) of the first network and to a packet data serving node (PDSN) of the second network.
17. The method of claim 1, wherein the network entity is a device communicatively coupled to a 3GPP home AAA server of the first network and to a 3GPP2 home AAA server of the second network.
18. A network device, comprising:
A communication interface adapted to communicate with a first network and a second network;
A processing circuit coupled to the communication interface, the processing circuit adapted to:
Receive a first set of authentication parameters from a first terminal attempting to establish a first communication session via the first network;
Receive a second set of authentication parameters from a second terminal attempting to establish a second communication session via the second network;
Ascertain whether the first set of authentication parameters and the second set of authentication parameters are from the same subscription; and
Terminate at least one of the first communication session and/or the second communication session if the first set of authentication parameters and the second set of authentication parameters are from the same subscription.
19. The network device of claim 18, wherein the first network is a code division multiple access (CDMA) based high rate packet data (HRPD) network, and the second network is a CDMA-based enhanced HRPD (eHRPD) network.
20. The network device of claim 19, wherein the HRPD network is connected to a 3GPP2 core network, and the eHRPD network is connected to a 3GPP evolved packet core network.
21. The network device of claim 18, wherein the first set of authentication parameters and the second set of authentication parameters are from the same subscription if at least a user identifier is the same for both the first set of authentication parameters and the second set of authentication parameters.
22. The network device of claim 18, wherein the processing circuit is further adapted to:
Authenticate the first terminal using the first set of authentication parameters; and
Grant establishment of the first communication session only if the authentication is successful and the first set of authentication parameters is different from the parameter sets of existing communication sessions on the first network and the second network.
23. The network device of claim 18, wherein the processing circuit is further adapted to:
Authenticate the second terminal using the second set of authentication parameters; and
Grant establishment of the second communication session only if the authentication is successful and the second set of authentication parameters is different from the parameter sets of existing communication sessions on the first network and the second network.
24. The network device of claim 18, wherein terminating at least one of the first communication session and/or the second communication session comprises:
Terminating the earliest established session of the first communication session and the second communication session.
25. The network device of claim 18, wherein terminating at least one of the first communication session and/or the second communication session comprises:
Terminating the most recently established session of the first communication session and the second communication session.
26. The network device of claim 18, wherein terminating at least one of the first communication session and/or the second communication session comprises:
Terminating both the first communication session and the second communication session.
27. The network device of claim 18, wherein terminating at least one of the first communication session and/or the second communication session comprises:
Terminating the first communication session or the second communication session depending on whether, according to the service provider, the subscription has a pre-established association with the first wireless terminal or with the second wireless terminal.
28. The network device of claim 18, wherein the network device is a home access network authentication, authorization, and accounting (AN-AAA) server in communication with both the first network and the second network.
29. The network device of claim 28, wherein, if the first set of authentication parameters and the second set of authentication parameters are from the same subscription, the home AN-AAA server indicates to an enhanced access network of the first network or to an access network of the second network that at least one of the first communication session and the second communication session should be terminated.
30. The network device of claim 28, wherein, if the first set of authentication parameters and the second set of authentication parameters are from the same subscription, the home AN-AAA server indicates to an HRPD serving gateway (HSGW) of the first network or to a packet data serving node (PDSN) of the second network that at least one of the first communication session and the second communication session should be terminated.
31. The network device of claim 18, wherein the network device is an integrated 3GPP/3GPP2 home AAA server between the first network and the second network.
32. The network device of claim 31, wherein, if the first set of authentication parameters and the second set of authentication parameters are from the same subscription, the 3GPP/3GPP2 home AAA server indicates to an HRPD serving gateway (HSGW) of the first network or to a packet data serving node (PDSN) of the second network that at least one of the first communication session and the second communication session should be terminated.
33. The network device of claim 18, wherein the network device is communicatively coupled to an HRPD serving gateway (HSGW) of the first network and to a packet data serving node (PDSN) of the second network.
34. The network device of claim 18, wherein the network entity is communicatively coupled to a 3GPP home AAA server of the first network and to a 3GPP2 home AAA server of the second network.
35. A network device, comprising:
Means for receiving a first set of authentication parameters from a first terminal attempting to establish a first communication session via a first network;
Means for receiving a second set of authentication parameters from a second terminal attempting to establish a second communication session via a second network;
Means for ascertaining, at the network entity, whether the first set of authentication parameters and the second set of authentication parameters are from the same subscription; and
Means for terminating at least one of the first communication session and/or the second communication session if the first set of authentication parameters and the second set of authentication parameters are from the same subscription.
36. The network device of claim 35, wherein the first network is a code division multiple access (CDMA) based high rate packet data (HRPD) network, and the second network is a CDMA-based enhanced HRPD (eHRPD) network.
37. The network device of claim 35, wherein the first set of authentication parameters and the second set of authentication parameters are from the same subscription if at least a user identifier is the same for both the first set of authentication parameters and the second set of authentication parameters.
38. A processor-readable storage medium having one or more instructions operational in a network device, which, when executed by one or more processors, cause the one or more processors to:
Receive a first set of authentication parameters from a first terminal attempting to establish a first communication session via a first network;
Receive a second set of authentication parameters from a second terminal attempting to establish a second communication session via a second network;
Ascertain, at the network entity, whether the first set of authentication parameters and the second set of authentication parameters are from the same subscription; and
Terminate at least one of the first communication session and/or the second communication session if the first set of authentication parameters and the second set of authentication parameters are from the same subscription.
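
The detection and termination logic of claims 1 and 4 to 10, as an added example that is not part of the patent text: a session registry kept at the entity that sees both networks. The `terminal_id` field, the `verify` callback, the same-terminal re-attach rule, and the drop-both fallback when neither terminal is pre-associated are assumptions made for the illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Policy(Enum):
    EARLIEST = 7     # claim 7: tear down the session established first
    NEWEST = 8       # claim 8: tear down the most recently established session
    BOTH = 9         # claim 9: tear down both sessions
    ASSOCIATED = 10  # claim 10: keep the terminal pre-associated with the subscription


@dataclass(frozen=True)
class AuthRequest:
    user_id: str      # subscription identifier compared per claim 4
    terminal_id: str  # hypothetical terminal hardware identifier
    network: str      # "HRPD" or "eHRPD"


class ConcurrentUseDetector:
    """Session registry kept at the entity that sees both networks (e.g. AN-AAA)."""

    def __init__(self, policy, verify, associated=None):
        self.policy = policy
        self.verify = verify                # callable(AuthRequest) -> bool, assumed
        self.associated = associated or {}  # user_id -> terminal_id set by the operator
        self.active = {}                    # user_id -> AuthRequest of the live session

    def release(self, user_id):
        """Normal session end: forget the session so a later attach is not flagged."""
        self.active.pop(user_id, None)

    def handle(self, req):
        """Return (granted, sessions_to_terminate) for one access attempt."""
        if not self.verify(req):
            return False, []
        old = self.active.get(req.user_id)
        # Assumption: the same terminal re-attaching (e.g. moving between HRPD and
        # eHRPD) replaces its own session and is not treated as concurrent use.
        if old is None or old.terminal_id == req.terminal_id:
            self.active[req.user_id] = req
            return True, []
        # Same subscription, different terminal, session still live (claims 1, 5, 6).
        keep = self._survivor(old, req)
        if keep is None:
            del self.active[req.user_id]
        else:
            self.active[req.user_id] = keep
        terminated = [s for s in (old, req) if s is not keep]
        return keep is req, terminated

    def _survivor(self, old, new):
        if self.policy is Policy.EARLIEST:
            return new
        if self.policy is Policy.NEWEST:
            return old
        if self.policy is Policy.BOTH:
            return None
        owner = self.associated.get(new.user_id)
        for session in (new, old):
            if session.terminal_id == owner:
                return session
        return None  # assumption: no associated terminal involved, so drop both
```

The returned list names the sessions the registry would ask the access network, HSGW or PDSN to tear down; a refused new attempt appears in that list alongside a `granted` value of `False`.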
CN201280075247.9A 2012-08-13 2012-08-13 Anti-UICC-card-fraud detection and control for terminals accessing HRPD and EHRPD networks Pending CN104541533A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2012/080033 WO2014026315A1 (en) 2012-08-13 2012-08-13 Anti-uicc-card-fraud detection and control for terminals accessing hrpd and ehrpd networks

Publications (1)

Publication Number Publication Date
CN104541533A true CN104541533A (en) 2015-04-22

Family

ID=50101175

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201280075247.9A Pending CN104541533A (en) 2012-08-13 2012-08-13 Anti-UICC-card-fraud detection and control for terminals accessing HRPD and EHRPD networks

Country Status (2)

Country Link
CN (1) CN104541533A (en)
WO (1) WO2014026315A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1645826A (en) * 2004-07-05 2005-07-27 华为技术有限公司 Method for building session connection to wireless local network user
CN101159624A (en) * 2007-10-31 2008-04-09 中兴通讯股份有限公司 Account use monitoring method
CN101895997A (en) * 2010-06-09 2010-11-24 中国电信股份有限公司 Method and system for preventing logout users from using network resources
CN102325325A (en) * 2011-06-29 2012-01-18 中兴通讯股份有限公司 Illegal terminal detection method and device

Also Published As

Publication number Publication date
WO2014026315A1 (en) 2014-02-20

Similar Documents

Publication Publication Date Title
US20200037161A1 (en) Methods and apparatus for access control client assisted roaming
JP5588017B2 (en) Evolved packet system and emergency call attachment processing method
US7950045B2 (en) Techniques for managing security in next generation communication networks
CN101682630B (en) Methods and apparatus for providing pmip key hierarchy in wireless communication networks
EP2536186B1 (en) Assignment of a temporary identity to a mobile equipment
CN101577908B (en) User equipment verification method, device identification register and access control system
CN102282889B (en) Gateway relocation in communication networks
US8401552B2 (en) Telecommunications networks and devices
CN111885585B (en) Communication service opening method and communication device
US20140086177A1 (en) End-to-end architecture, api framework, discovery, and access in a virtualized network
US20120263298A1 (en) Method and system for supporting security in a mobile communication system
EP2731382A2 (en) Method for setting terminal in mobile communication system
US20080108321A1 (en) Over-the-air (OTA) device provisioning in broadband wireless networks
US9215582B2 (en) Node selection in a communication network
RU2463710C2 (en) Simplified method for ims registration in event of emergency calls
CN105392116A (en) System and method for location reporting in an untrusted network environment
CN103517252A (en) Packet gateway identification information updating method, AAA server and packet gateway
US20080235185A1 (en) Communication system and method of accessing therefor
EP3169033A1 (en) Support of imei checking procedure for wlan access by an user equipment to 3gpp evolved packet core
CN109479051B (en) Supporting a dedicated core network for WLAN access
CN104541533A (en) Anti-UICC-card-fraud detection and control for terminals accessing HRPD and EHRPD networks
US20220386104A1 (en) On-device physical sim to esim conversion
WO2018036514A1 (en) Method and device for sending message
CN102273170B (en) The credible judgement carried out for access authentication
CN110933669A (en) Method for quickly registering cross-RAT user

Legal Events

Date Code Title Description
PB01 Publication
EXSB Decision made by sipo to initiate substantive examination
SE01 Entry into force of request for substantive examination
AD01 Patent right deemed abandoned

Effective date of abandoning: 20200110
