CN107396359A - Method and apparatus for controlling access to a mobile data network - Google Patents



Publication number
CN107396359A
Authority
CN
China
Prior art keywords
intelligent hardware
hardware devices
data network
mobile data
imsi
Legal status
Pending
Application number
CN201710652803.9A
Other languages
Chinese (zh)
Inventor
李川
Current Assignee
Goertek Inc
Original Assignee
Goertek Inc


Classifications

    • H04W 12/06 Authentication (H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
    • H04W 12/08 Access security
    • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements


Abstract

The invention discloses a method and apparatus for controlling access to a mobile data network. The method includes: obtaining the digital certificate of a smart hardware device and sending the obtained certificate to the mobile data network operator server; receiving from the operator server the unique identifier of the device, the mobile data network parameters and an international mobile subscriber identity (IMSI), where the IMSI is allocated to the device by the operator server; and sending the network parameters and the IMSI to the device with the matching unique identifier, so that the device authenticates with the IMSI and the network parameters and then accesses the mobile data network. The technical scheme of the embodiments meets the need of smart hardware devices to access a mobile data network and improves the user experience.

Description

Method and apparatus for controlling access to a mobile data network
Technical field
The present invention relates to the field of network technology, and in particular to a method and apparatus for controlling access to a mobile data network.
Background technology
With the development of technology there are more and more smart hardware devices, and they generally need to access the Internet in order to offer users better Internet-based services. At present a smart hardware device can reach the Internet by connecting to a wireless network or to a mobile data network. Access through a wireless network suits devices used in a fixed position; for devices that move about, only access to a mobile data network meets the need. Some smart hardware devices access the mobile data network through a subscriber identity module (SIM) card installed in the device: only when the card is installed can the mobile data network verify the device and communicate with it. But some smart hardware devices, constrained by volume, cost, product design and so on, are not meant to have a SIM card installed, so such a device cannot access the mobile data network, resulting in a poor user experience.
Summary of the invention
The invention provides a method and apparatus for controlling access to a mobile data network, solving the problem that a smart hardware device unable to access the mobile data network gives a poor user experience.
According to one aspect of the invention, a method for controlling access to a mobile data network is provided, including:
obtaining the digital certificate of a smart hardware device and sending the obtained digital certificate to the mobile data network operator server, the digital certificate including the unique identifier of the device and information on the manufacturer it belongs to;
receiving the unique identifier of the device, the mobile data network parameters and an international mobile subscriber identity (IMSI), which the operator server sends after the device has been verified, where the IMSI is allocated to the device by the operator server, the operator server verifies the device through the server of the device's manufacturer, and the mobile data network parameters include an authentication key and the connection parameters used to connect to the operator server;
sending the mobile data network parameters and the IMSI to the device with the matching unique identifier, so that the device authenticates with the IMSI and the network parameters and then accesses the mobile data network.
According to another aspect of the invention, a method for controlling access to a mobile data network is provided, including:
receiving the digital certificate of a smart hardware device obtained and sent by a mobile terminal, the digital certificate including the unique identifier of the device and information on its manufacturer;
sending the digital certificate to the server of the manufacturer of the device, so that the manufacturer's server verifies the device using the digital certificate;
receiving the unique identifier of the device, which the manufacturer's server sends after the device has been verified;
allocating an IMSI to the device according to the received unique identifier, and sending the unique identifier of the device, the mobile data network parameters and the IMSI to the mobile terminal, so that the mobile terminal sends the network parameters and the IMSI to the corresponding device, which then accesses the mobile data network; the mobile data network parameters include an authentication key and connection parameters.
According to a further aspect of the invention, an apparatus for controlling access to a mobile data network is provided, including a processor and a machine-readable storage medium that stores machine-executable instructions executable by the processor; executing the instructions causes the processor to carry out the steps of the method of the first aspect of the invention.
According to a further aspect of the invention, an apparatus for controlling access to a mobile data network is provided, including a processor and a machine-readable storage medium that stores machine-executable instructions executable by the processor; executing the instructions causes the processor to carry out the steps of the method of the second aspect of the invention.
The beneficial effects of the embodiments of the invention are as follows. The method and apparatus for controlling access to a mobile data network obtain the digital certificate of each smart hardware device through a mobile terminal that can connect to the mobile data network operator over the mobile data network; the digital certificate includes the device's unique identifier and the manufacturer information. The mobile terminal sends the device's digital certificate to the operator server, which forwards it to the server of the device's manufacturer; the manufacturer's server verifies the device against the digital certificate and, if verification passes, returns the result to the operator server. The operator server allocates an IMSI to the device and sends the corresponding mobile data network parameters together with the allocated IMSI to the device, so that the device authenticates with the IMSI and the network parameters and then accesses the mobile data network. This meets the need for smart hardware devices to access the mobile data network without installing a SIM card, avoids the inconvenience of managing many SIM cards, improves the user experience and makes networking more efficient, especially for devices that are not meant to carry a SIM card because of volume, cost or product design. In addition, only devices that pass verification can access the mobile data network, which safeguards the security of the network.
Brief description of the drawings
Fig. 1 is a flow diagram of the method for controlling access to a mobile data network according to one embodiment of the invention;
Fig. 2 is a flow diagram of the method for controlling access to a mobile data network according to one embodiment of the invention;
Fig. 3 is a sequence diagram of the method for controlling access to a mobile data network according to one embodiment of the invention;
Fig. 4 is a block diagram of the apparatus for controlling access to a mobile data network according to one embodiment of the invention.
Detailed description of the embodiments
The design concept of the invention is as follows. Given the development trend of smart hardware devices, each user may in the future own several of them, and these devices generally need to access the mobile data network. If this were done the way existing smartphones access the mobile data network, a subscriber identification module (SIM) card would have to be installed in every device, and the mobile data communication network (for example the global system for mobile communications, GSM) would identify the user by authenticating the SIM card. For a smart hardware device that has only a data service and no telephone service this is inconvenient, and it could leave one user holding a large number of SIM cards that are awkward to manage. To meet the need of smart hardware devices to access the mobile data network, the application proposes a technical scheme that lets a smart hardware device access the mobile data network without a SIM card being installed in it. It is explained below with specific embodiments.
Fig. 1 is a flow diagram of the method for controlling access to a mobile data network according to one embodiment. Referring to Fig. 1, the method of this embodiment comprises the following steps:
Step S101: obtain the digital certificate of the smart hardware device and send the obtained digital certificate to the mobile data network operator server.
Here the digital certificate includes the unique identifier of the device and information on its manufacturer;
Step S102: receive the unique identifier of the device, the mobile data network parameters and the international mobile subscriber identity (IMSI), which the operator server sends after the device has been verified.
Here the IMSI is allocated to the device by the operator server; the operator server verifies the device through the server of the device's manufacturer; and the mobile data network parameters include an authentication key and the connection parameters used to connect to the operator server. The authentication key Ki (Key identifier) is the key used to encrypt data transmitted between the device and the mobile data network operator. The connection parameters include, for example, the frequency band, the APN and a password.
Step S103: send the mobile data network parameters and the IMSI to the device with the matching unique identifier, so that the device authenticates with the IMSI and the network parameters and then accesses the mobile data network.
The method shown in Fig. 1 is applied in a mobile terminal.
The method of this embodiment uses a mobile terminal that is connected to the mobile data network operator over the mobile data network to obtain the digital certificate of the smart hardware device and send it to the operator server; it then receives the device's unique identifier, the mobile data network parameters and the IMSI allocated to the device, which the operator server sends after the device has been verified. The mobile terminal sends the received network parameters and IMSI to the device, and once the device has received them and authenticated with them it can connect to the mobile data network.
It follows that the method of this embodiment, first, does not require a SIM card in each smart hardware device, so a device with only a data service and no telephone service can connect to the mobile data network without a SIM card; this avoids the inconvenience of managing many SIM cards and improves the user experience. Second, only devices whose digital certificate passes verification can access the mobile data network, which improves network security and keeps unregistered devices off the network. Finally, the mobile terminal of this embodiment is, for example, a smartphone that has a SIM card installed and can access the mobile data network. Since almost everyone now owns a smartphone, the scheme of this embodiment can be implemented with the user's existing phone, sparing the user from buying extra hardware and reducing the implementation cost.
It should be noted that the smart hardware device of this embodiment contains a baseband chip. The baseband chip reads the unique identifier under which the device is registered with the mobile data network operator (that is, the IMSI) and then communicates with the base station of the mobile data network; once the mobile data network has authenticated it, the device is regarded as a legitimate subscriber and can use the mobile data network.
The IMSI (International Mobile Subscriber Identification Number) is the identifier by which a mobile operator distinguishes its subscribers; it is normally stored in the SIM card.
There is an existing scheme in which a smart hardware device is connected to the mobile data network through a mobile phone: the device connects to the phone over Bluetooth and reaches the mobile data network indirectly through the phone, with all data between the device and the operator server forwarded by the phone. In that scheme all of the device's data traffic passes through the phone and is in effect the phone's traffic. The scheme is limited by Bluetooth transmission, has low communication efficiency and cannot meet users' needs.
In the scheme of Fig. 1 the device uses the mobile terminal (for example a phone) only to obtain the right to join the mobile data network. Once it has that right, the device no longer sends data through the phone but sends it directly to the mobile data network, so the data traffic does not pass through the phone. This meets the need of the device to communicate directly with the mobile data network and raises communication efficiency.
To improve network security, in this embodiment the digital certificate of the smart hardware device is an encrypted digital certificate; that is, what the mobile terminal obtains is the encrypted certificate, which the device's manufacturer generates with an encryption algorithm when the device leaves the factory.
For example, the manufacturer first allocates a unique identifier to each device it produces, to tell the devices apart, and then uses the Data Encryption Standard (DES) with a preset encryption key to encrypt the device's unique identifier and the manufacturer information, yielding the encrypted digital certificate. The encryption key of each device is retained when the device leaves the factory.
DES is a symmetric encryption algorithm that encrypts with a key: in a symmetric algorithm the same key serves both to encrypt and to decrypt the information. Note that this embodiment uses DES only as an illustration; the encryption algorithm that may be used is not limited to it.
In step S102 above, receiving the mobile data network parameters and the IMSI that the operator server sends after the device has been verified includes: receiving the encrypted ciphertext sent by the operator server, the ciphertext being obtained by the operator server encrypting the network parameters and the IMSI with the Data Encryption Standard and the encryption key received from the manufacturer's server.
To prevent important information such as the network parameters and the IMSI from leaking and harming the user, in this embodiment the mobile terminal receives an encrypted ciphertext from the operator server, which the operator server has obtained by encrypting the network parameters and the IMSI with the Data Encryption Standard and the encryption key received from the manufacturer's server. That is, the operator server uses DES with the received encryption key to encrypt the mobile data network parameters and the IMSI allocated to the device into a ciphertext, and then forwards the ciphertext to the mobile terminal.
Sending the network parameters and the IMSI to the device in step S103 above includes: sending the encrypted ciphertext to the device, so that the device decrypts the ciphertext after receiving it, obtains the network parameters and the IMSI, and authenticates with them.
Accordingly, the mobile terminal sends the received ciphertext to the device; the device decrypts it with the encryption key it keeps, obtains the network parameters and the IMSI contained in it, and then authenticates with them and accesses the mobile data network.
In one embodiment the method of Fig. 1 further includes: obtaining an instruction, entered by the user, to delete the smart hardware device from the mobile data network, and in response sending the corresponding digital certificate to the operator server; after receiving the digital certificate, the operator server looks up the IMSI corresponding to the device and deletes it from the serving GPRS (General Packet Radio Service) support node (SGSN) responsible for authentication. The SGSN is a large multi-function switch that is responsible for authentication within the operator's server. Authentication means verifying whether a user has the right to access the network, and mobile data network operators generally authenticate by IMSI.
A smart hardware device can thus be removed from the mobile data network. For example, the mobile terminal returns the ciphertext corresponding to the device together with the device's unique identifier to the operator server. The operator server uses the unique identifier to find the corresponding DES key in the operator's database, decrypts the ciphertext and obtains the IMSI from it. After verifying that the IMSI is legitimate, the operator server removes it from the SGSN network element responsible for authentication, and the device can no longer access the mobile data network.
It should be explained here that when a device is removed from the mobile data network, the mobile terminal must pass the ciphertext it received for that device back to the operator server together with the request. This is done so that a malicious party who has stolen the device's unique identifier cannot remove the device using the identifier alone. Because the ciphertext is returned, the operator server can decrypt it (the operator server holds the device's key, obtained from the manufacturer's server) and so verify the identity of the party making the removal request.
In step S101 of this embodiment, sending the obtained digital certificate to the operator server includes: sending the obtained encrypted digital certificate to the operator server over the HTTPS protocol. HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) is an HTTP channel aimed at security, the secure version of HTTP: an SSL (Secure Socket Layer) layer is added beneath the HTTP protocol layer, and the SSL layer provides encryption protection.
In step S101 of this embodiment, obtaining the digital certificate of the device includes: scanning a coded pattern that represents the device's digital certificate to obtain the certificate; for example, the mobile terminal uses its scanning function to scan the QR code printed on the device that represents the digital certificate, and so obtains the digital certificate.
In addition, sending the network parameters and the IMSI to the corresponding device includes: sending the encrypted ciphertext containing the network parameters and the IMSI to the device over Bluetooth, or sending it to the device over near-field communication (NFC).
That is, the smart hardware device of this embodiment is fitted with a Bluetooth module and/or a near-field communication (NFC) module, and the mobile terminal likewise has a Bluetooth module and/or an NFC module. The mobile terminal communicates through its Bluetooth module (or NFC module) with the Bluetooth module (or NFC module) of the device and so delivers the encrypted ciphertext containing the network parameters and the IMSI to the device.
Thus, in the method for controlling access to a mobile data network of this embodiment, when a smart hardware device needs to access the mobile data network, a mobile terminal connected to the mobile data network operator over the mobile data network obtains the device's digital certificate and sends it to the operator server; the operator server forwards the certificate to the server of the device's manufacturer, which verifies the device. If verification passes, the device is confirmed to be one produced by that manufacturer, and the manufacturer's server sends the device's unique identifier and key to the operator server. Using the received unique identifier and key, the operator server allocates an IMSI to the device, that is, it registers the device with the mobile data network. The operator server then sends the IMSI and the mobile data network parameters to the mobile terminal, which sends them on to the device, and the device uses the IMSI and the network parameters to complete its access to the mobile data network.
Fig. 2 is a flow diagram of the method for controlling access to a mobile data network according to one embodiment. Referring to Fig. 2, the method of this embodiment comprises the following steps:
Step S201: receive the digital certificate of the smart hardware device obtained and sent by the mobile terminal, the digital certificate including the device's unique identifier and manufacturer information;
Step S202: send the digital certificate to the server of the device's manufacturer, so that the manufacturer's server verifies the device with the digital certificate;
Step S203: receive the device's unique identifier, which the manufacturer's server sends after the device has been verified;
Step S204: according to the received unique identifier, allocate an IMSI to the device, and send the unique identifier, the mobile data network parameters and the IMSI to the mobile terminal, so that the mobile terminal sends the network parameters and the IMSI to the corresponding device, which then accesses the mobile data network. The mobile data network parameters include an authentication key and connection parameters; the connection parameters are used to connect to the operator server.
The method shown in Fig. 2 is applied in the mobile data network operator server. As Fig. 2 shows, the method of this embodiment receives the digital certificate of the smart hardware device sent by the mobile terminal and sends it to the server of the device's manufacturer, which verifies it; after verification passes it receives the device's unique identifier and encryption key from the manufacturer's server, and having received the unique identifier it allocates an IMSI to the device and sends the allocated IMSI to the SGSN gateway for subsequent authentication.
Method in the present embodiment shown in Fig. 2 also includes:It is hard in intelligence to receive the affiliated producer's server of intelligent hardware devices Part device authentication is by the encryption key of rear transmission, using data encryption standards and encryption key to mobile data network parameter And generation encrypted cipher text is encrypted for the IMSI of intelligent hardware devices distribution, encrypted cipher text is sent to mobile terminal.
That is, mobile data network carrier server utilizes encryption key to IMSI and mobile data network parameter Ciphertext is obtained after being encrypted, the unique mark of ciphertext and intelligent hardware devices is sent to mobile terminal, a mobile terminal In can preserve multiple ciphertexts, that is, preserve ciphertext corresponding to multiple intelligent hardware devices, after mobile terminal receives ciphertext, establish close The corresponding relation of the unique mark of text and intelligent hardware devices, ciphertext is sent to corresponding intelligent hardware devices.So, intelligence Hardware device is received the secret key decryption preserved after ciphertext using oneself and obtains IMSI and mobile data network parameter, recycles movement Authentication key in data network parameter IMSI is encrypted after to mobile data network carrier server send authentication request Authenticated.
In the present embodiment, method also includes shown in Fig. 2:Instruction that mobile terminal is sent is received by intelligent hardware devices from shifting The instruction deleted in dynamic data network, instruction include the unique mark of encrypted cipher text and intelligent hardware devices;Utilize key Ciphertext is decrypted, obtains IMSI corresponding to intelligent hardware devices, IMSI legitimacy corresponding to intelligent hardware devices is verified and is testing After card passes through, IMSI corresponding to intelligent hardware devices is deleted from the SGSN of responsible authentication.
In the present embodiment, intelligent hardware devices can be deleted from mobile data network, when intelligent hardware devices damage or In the case of loss, the finger for deleting intelligent hardware devices from mobile data network of user can be received by mobile terminal Order, mobile terminal sends the instruction to mobile data network carrier server, by mobile data network carrier server IMSI legitimacy corresponding to checking intelligent hardware devices and after being verified, by IMSI corresponding to intelligent hardware devices from being responsible for Deleted in the SGSN of authentication.Here IMSI legitimacy corresponding to checking intelligent hardware devices, for example, comparing the IMSI received Whether consistent with the IMSI preserved in the database of mobile data network operator, it is legal to be determined if consistent, otherwise determines It is illegal.
In one embodiment of the invention, the method shown in Fig. 2 also includes:According to the intelligent hardware devices received Unique mark searches IMSI databases and determines whether intelligent hardware devices were allocated IMSI, when intelligent hardware devices are unassigned When crossing IMSI, for after IMSI, IMSI recorded in IMSI databases corresponding to intelligent hardware devices distribution, and by Intelligent hardware IMSI corresponding to equipment is sent to the SGSN of responsible authentication.That is, mobile data network carrier server is only not have The IMSI distributed intelligent hardware devices distribution IMSI, ensure that IMSI uniqueness, convenient management.
Fig. 3 is a timing diagram of the method for controlling access to the mobile data network according to one embodiment; the implementation steps of the method are described in detail below with reference to Fig. 3. Here the mobile terminal is, for example, a mobile phone, and the intelligent hardware devices include a smart alarm clock, a smart bicycle, smart chopsticks, a smart washing machine, smart shoes and the like.
The mobile terminal performs step 301: obtain the digital certificate of the intelligent hardware device.
The digital certificate obtained here is, for example, a digital certificate encrypted with an encryption key, and it is obtained, for example, by scanning a coded pattern (such as a QR code) that represents the digital certificate of the intelligent hardware device.
The mobile terminal performs step 302: upload the digital certificate of the intelligent hardware device.
The mobile terminal uploads the obtained digital certificate of the intelligent hardware device to the mobile data network operator server. When the mobile terminal is a mobile phone, it contains a SIM card and a baseband chip and can therefore connect to and communicate with the mobile data network operator server. Preferably, the mobile terminal sends the digital certificate of the intelligent hardware device to the mobile data network operator server over an HTTPS channel, which prevents the digital certificate from being leaked and guarantees the security of the data transfer.
The mobile data network operator server performs step 303: send a verification request.
After receiving the digital certificate of the intelligent hardware device, the mobile data network operator server sends a verification request containing the digital certificate to the server of the manufacturer of the intelligent hardware device. Since in practice there may be many manufacturers of intelligent hardware devices, having each manufacturer verify the intelligent hardware devices it produced is both more convenient and more accurate.
The server of the manufacturer of the intelligent hardware device performs step 304: verify the intelligent hardware device.
The process by which the manufacturer's server verifies the intelligent hardware device is explained in detail here.
When each intelligent hardware device is produced, the manufacturer's server allocates to it a unique identifier that will not be repeated. The manufacturer saves the unique identifier of the intelligent hardware device in its own product database, where the unique identifier has two states: valid and invalid. When saving the unique identifier to the product database, the manufacturer generates a string to serve as the key of the DES algorithm and saves the unique identifier and the key together in the product database. The manufacturer encrypts the unique identifier of the intelligent hardware device using AES to generate the digital certificate, and changes the state of the unique identifier in the product database to valid. The key of the DES algorithm is stored in the intelligent hardware device.
After receiving the digital certificate of the intelligent hardware device, the mobile data network operator server contacts the server of the manufacturer of the intelligent hardware device and passes the digital certificate to it, and the legitimacy of the intelligent hardware device is verified by the cloud service on the manufacturer's server. The manufacturer's server first decrypts the digital certificate with the encryption key to obtain the unique identifier of the intelligent hardware device. It then searches the product database for that unique identifier in the valid state. If the unique identifier is in the invalid state, the intelligent hardware device has already been verified and cannot be verified again. This reduces redundant data coming from the mobile data network operator server: because the digital certificate is transmitted over the Internet, the communication path is unreliable and retransmissions may produce redundant data.
When the manufacturer's server finds the unique identifier of the intelligent hardware device in the valid state, it changes the state of the unique identifier to invalid. The manufacturer's server then returns the key of the DES algorithm saved together with the unique identifier, along with the unique identifier of the intelligent hardware device, to the mobile data network operator server.
In practice an intelligent hardware device may be deleted from the mobile data network, and under the scheme of this embodiment an intelligent hardware device that has been deleted cannot be connected to the mobile data network again (because the manufacturer's server verifies the digital certificate of a given intelligent hardware device only once, so a second attempt to verify the digital certificate fails). To prevent a malicious third party from having the digital certificate of an intelligent hardware device verified, the manufacturer's server may therefore verify the authenticity of the mobile data network operator server, for example by verifying the security certificate of the cloud service on the mobile data network operator's server; the security certificate identifies the mobile data network operator. Specifically, the mobile data network operator publishes its security certificate, and the manufacturer's server installs it. When data sent by the mobile data network operator's cloud service is received, it is decrypted with the public key in the mobile data network operator's security certificate: if decryption succeeds, the received data came from the mobile data network operator; if decryption fails, the data is forged and is discarded.
The server of the manufacturer of the intelligent hardware device performs step 305: verification passes; return the unique identifier and the key.
When the intelligent hardware device passes verification, the manufacturer's server returns the unique identifier of the intelligent hardware device and the stored key to the mobile data network operator server.
The mobile data network operator server performs step 306: encrypt to generate the ciphertext.
After receiving the unique identifier and the key of the intelligent hardware device, the mobile data network operator server allocates an IMSI to the intelligent hardware device and encrypts the IMSI and the mobile data network parameters using the key and the data encryption algorithm, generating the ciphertext.
The mobile data network operator server performs step 307: return the unique identifier and the ciphertext.
The mobile data network operator server returns the unique identifier of the intelligent hardware device and the generated ciphertext to the mobile terminal.
The mobile terminal performs step 308: send the ciphertext.
After receiving the ciphertext, the mobile terminal sends it to the intelligent hardware device.
The intelligent hardware device performs step 309: decrypt the ciphertext to obtain the mobile data network parameters and the IMSI, and initiate an authentication request based on the IMSI.
The intelligent hardware device decrypts the ciphertext with the key it holds to obtain the mobile data network parameters and the IMSI, and initiates an authentication request based on the IMSI.
The mobile data network operator server performs step 310: authenticate the intelligent hardware device.
After receiving the authentication request, the mobile data network operator server determines whether the IMSI is a legitimate, valid IMSI allocated by the mobile data network operator server; if so, authentication passes, otherwise it fails.
The mobile data network operator server performs step 311: after authentication passes, return a notification message that the user is legitimate.
When authentication passes, the mobile data network operator server returns a notification message stating that the user of the intelligent hardware device is legitimate. On receiving the notification that authentication passed, the baseband chip of the intelligent hardware device can access the mobile data network.
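The exchange of Figs. 2 and 3 modelled end to end, as an added example that is not code from the patent or from Goertek: a manufacturer server holding the product database with valid/invalid states and redeeming a certificate only once, an operator server that allocates an IMSI only once per unique identifier, registers it with the SGSN, encrypts the IMSI and network parameters under the device key, authenticates by IMSI and carries out the deletion flow, and the device-side decryption of step 309. Every name and value is constructed (the class and function names, the IMSI range, the JSON payload layout), and `sym_crypt` is a SHA-256 keystream stand-in for the DES cipher the page names, not DES itself. The manufacturer's check of the operator server's security certificate is not modelled.

```python
import hashlib
import json


def sym_crypt(key: bytes, data: bytes) -> bytes:
    """Constructed stand-in for the page's DES: XOR with a SHA-256 keystream.
    Not DES; XOR is its own inverse, so one call both encrypts and decrypts."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


class ManufacturerServer:
    """Product database: unique id -> per-device key plus a valid/invalid state."""

    def __init__(self, cert_key: bytes):
        self.cert_key = cert_key   # key that turns a unique id into a certificate
        self.products = {}         # uid -> {"key": bytes, "state": "valid" | "invalid"}

    def provision_device(self, uid: str):
        """Factory step: store uid and key, mark it valid, emit the certificate."""
        dev_key = hashlib.sha256(b"constructed-dev-key-" + uid.encode()).digest()[:8]
        self.products[uid] = {"key": dev_key, "state": "valid"}
        return dev_key, sym_crypt(self.cert_key, uid.encode())  # dev_key lives on the device

    def verify(self, certificate: bytes):
        """Steps 304/305: redeem a certificate exactly once."""
        uid = sym_crypt(self.cert_key, certificate).decode(errors="replace")
        rec = self.products.get(uid)
        if rec is None or rec["state"] != "valid":
            return None              # unknown id, or already verified once
        rec["state"] = "invalid"     # a replayed certificate now fails here
        return uid, rec["key"]


class OperatorServer:
    """Operator side: IMSI database, SGSN registration, encryption, authentication."""

    def __init__(self, manufacturer, network_params: dict):
        self.manufacturer = manufacturer
        self.network_params = network_params  # authentication key + connection parameters
        self.imsi_db = {}    # uid -> imsi (the page's IMSI database)
        self.dev_keys = {}   # uid -> key returned by the manufacturer at step 305
        self.sgsn = set()    # IMSIs the SGSN currently authenticates
        self._next_imsi = 460000000000001     # constructed starting IMSI

    def allocate_imsi(self, uid: str) -> str:
        """Allocate only when the device has no IMSI yet, so each id maps to one IMSI."""
        if uid not in self.imsi_db:
            self.imsi_db[uid] = str(self._next_imsi)
            self._next_imsi += 1
            self.sgsn.add(self.imsi_db[uid])
        return self.imsi_db[uid]

    def onboard(self, certificate: bytes):
        """Steps 303-307: verify via the manufacturer, allocate, return (uid, ciphertext)."""
        verified = self.manufacturer.verify(certificate)
        if verified is None:
            return None
        uid, dev_key = verified
        self.dev_keys[uid] = dev_key
        payload = json.dumps({"imsi": self.allocate_imsi(uid), "params": self.network_params}).encode()
        return uid, sym_crypt(dev_key, payload)

    def authenticate(self, imsi: str) -> bool:
        """Step 310: the IMSI must be one this server allocated and still active in the SGSN."""
        return imsi in self.sgsn and imsi in self.imsi_db.values()

    def delete_device(self, uid: str, ciphertext: bytes) -> bool:
        """Deletion flow: decrypt, check the IMSI against the database, drop it from the SGSN."""
        if uid not in self.dev_keys:
            return False
        imsi = json.loads(sym_crypt(self.dev_keys[uid], ciphertext))["imsi"]
        if self.imsi_db.get(uid) != imsi:
            return False             # IMSI does not belong to this device
        self.sgsn.discard(imsi)
        return True


def device_install(dev_key: bytes, ciphertext: bytes) -> dict:
    """Step 309 on the device: decrypt with its own key to recover IMSI and parameters."""
    return json.loads(sym_crypt(dev_key, ciphertext))


def run_flow() -> dict:
    """Walk the Fig. 3 exchange once with constructed values and report the outcomes."""
    mfr = ManufacturerServer(cert_key=b"constructed-manufacturer-key")
    op = OperatorServer(mfr, {"auth_key": "constructed-auth-key", "apn": "iot.example"})
    dev_key, cert = mfr.provision_device("ALARM-0001")
    uid, ct = op.onboard(cert)                 # phone uploads the certificate (302)
    profile = device_install(dev_key, ct)      # phone forwards the ciphertext (308)
    first_auth = op.authenticate(profile["imsi"])
    replay_rejected = op.onboard(cert) is None # same certificate again fails at the manufacturer
    deleted = op.delete_device(uid, ct)        # user removes a lost device
    return {"uid": uid, "imsi": profile["imsi"], "apn": profile["params"]["apn"],
            "first_auth": first_auth, "replay_rejected": replay_rejected,
            "deleted": deleted, "auth_after_delete": op.authenticate(profile["imsi"])}
```

`run_flow()` records the three properties the description relies on: the first authentication with the provisioned IMSI succeeds, a replay of the same certificate is rejected because the manufacturer flipped its state to invalid, and once the IMSI is removed from the SGSN the device no longer authenticates, which is exactly why the text notes that a deleted device cannot rejoin.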
In addition, corresponding to the method shown in Fig. 1 above, Fig. 4 is a hardware structure diagram of a mobile terminal of the present application. Besides the processor and memory shown in Fig. 4, the mobile terminal may include other hardware according to its actual functions, which is not described further here.
In Fig. 4, the memory stores machine-executable instruction code.
The processor communicates with the memory, reads and executes the instruction code stored in the memory, and thereby performs the operations for controlling access to the mobile data network disclosed in the above examples of the present application.
Here the memory may be any electronic, magnetic, optical or other physical storage device that can contain or store information such as executable instructions and data. For example, the machine-readable storage medium may be RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, a storage drive (such as a hard disk drive), a solid-state disk, any kind of storage disc (such as a CD or DVD), a similar storage medium, or a combination thereof.
Functionally, the device for controlling access to the mobile data network includes:
a certificate acquisition module, for obtaining the digital certificate of the intelligent hardware device and sending the obtained digital certificate to the mobile data network operator server, the digital certificate including the unique identifier of the intelligent hardware device and information about its manufacturer;
a receiving module, for receiving the unique identifier of the intelligent hardware device, the mobile data network parameters and the international mobile subscriber identity (IMSI) allocated to the intelligent hardware device by the mobile data network operator server, which the operator server sends after the intelligent hardware device passes verification, wherein the mobile data network operator server verifies the intelligent hardware device through the server of the manufacturer of the intelligent hardware device, and the mobile data network parameters include an authentication key and connection parameters for connecting to the mobile data network operator server;
a control module, for sending the mobile data network parameters and the IMSI to the intelligent hardware device with the corresponding unique identifier, so that the intelligent hardware device accesses the mobile data network after being authenticated using the IMSI and the mobile data network parameters.
Since the device embodiment essentially corresponds to the method embodiment, the relevant parts may be understood by reference to the description of the method embodiment. The device embodiment described above is only illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over several network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of this embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
The foregoing is only a specific embodiment of the invention; under the above teaching, those skilled in the art may make other improvements or variations on the basis of the above embodiment. Those skilled in the art should understand that the above specific description is only intended to better explain the purpose of the invention, and that the protection scope of the invention is defined by the claims.

Claims (10)

  1. A method for controlling access to a mobile data network, characterised in that it includes:
    obtaining a digital certificate of an intelligent hardware device and sending the obtained digital certificate to a mobile data network operator server, the digital certificate including a unique identifier of the intelligent hardware device and information about its manufacturer;
    receiving the unique identifier of the intelligent hardware device, mobile data network parameters and an international mobile subscriber identity (IMSI) that the mobile data network operator server sends after the intelligent hardware device passes verification, wherein the IMSI is allocated to the intelligent hardware device by the mobile data network operator server, the mobile data network operator server verifies the intelligent hardware device through the server of the manufacturer of the intelligent hardware device, and the mobile data network parameters include an authentication key and connection parameters for connecting to the mobile data network operator server;
    sending the mobile data network parameters and the IMSI to the intelligent hardware device having the corresponding unique identifier, so that the intelligent hardware device accesses the mobile data network after being authenticated using the IMSI and the mobile data network parameters.
  2. The method according to claim 1, characterised in that receiving the mobile data network parameters and the IMSI sent by the mobile data network operator server after the intelligent hardware device passes verification includes:
    receiving an encrypted ciphertext sent by the mobile data network operator server,
    the encrypted ciphertext being obtained by the mobile data network operator server by encrypting the mobile data network parameters and the IMSI using the Data Encryption Standard and an encryption key received from the server of the manufacturer of the intelligent hardware device,
    and sending the mobile data network parameters and the IMSI to the intelligent hardware device includes:
    sending the encrypted ciphertext to the intelligent hardware device, so that the intelligent hardware device, after receiving the encrypted ciphertext, decrypts it to obtain the mobile data network parameters and the IMSI and is authenticated using the mobile data network parameters and the IMSI.
  3. The method according to claim 1, characterised in that it further includes:
    obtaining an instruction input by a user that requests deletion of the intelligent hardware device from the mobile data network,
    according to the instruction, sending the corresponding digital certificate to the mobile data network operator server, so that the mobile data network operator server, after receiving the digital certificate, finds the IMSI corresponding to the intelligent hardware device and deletes the IMSI from the Serving GPRS Support Node (SGSN) responsible for authentication.
  4. The method according to claim 1, characterised in that obtaining the digital certificate of the intelligent hardware device includes: obtaining an encrypted digital certificate of the intelligent hardware device,
    and sending the obtained digital certificate to the mobile data network operator server includes: sending the obtained encrypted digital certificate to the mobile data network operator server over the HTTPS protocol.
  5. The method according to claim 2, characterised in that obtaining the digital certificate of the intelligent hardware device includes:
    scanning a coded pattern representing the digital certificate of the intelligent hardware device to obtain the digital certificate of the intelligent hardware device;
    and sending the mobile data network parameters and the IMSI to the corresponding intelligent hardware device includes:
    sending the encrypted ciphertext containing the mobile data network parameters and the IMSI to the intelligent hardware device over Bluetooth, or sending the encrypted ciphertext containing the mobile data network parameters and the IMSI to the intelligent hardware device over near-field communication (NFC).
  6. A method for controlling access to a mobile data network, characterised in that it includes:
    receiving a digital certificate of an intelligent hardware device that a mobile terminal obtained and sent, the digital certificate including a unique identifier of the intelligent hardware device and information about its manufacturer;
    sending the digital certificate to the server of the manufacturer of the corresponding intelligent hardware device, so that the manufacturer's server verifies the intelligent hardware device using the digital certificate;
    receiving the unique identifier of the intelligent hardware device that the manufacturer's server sends after the intelligent hardware device passes verification;
    according to the received unique identifier of the intelligent hardware device, allocating a corresponding IMSI to the intelligent hardware device, and sending the unique identifier of the intelligent hardware device, mobile data network parameters and the IMSI to the mobile terminal, so that the mobile terminal sends the mobile data network parameters and the IMSI to the corresponding intelligent hardware device, which accesses the mobile data network; the mobile data network parameters include an authentication key and connection parameters.
  7. The method according to claim 6, characterised in that it further includes: receiving an encryption key that the server of the manufacturer of the intelligent hardware device sends after the intelligent hardware device passes verification,
    encrypting the mobile data network parameters and the IMSI allocated to the intelligent hardware device using the Data Encryption Standard and the encryption key to generate an encrypted ciphertext, and sending the encrypted ciphertext to the mobile terminal.
  8. The method according to claim 7, characterised in that it further includes:
    receiving an instruction sent by the mobile terminal that requests deletion of the intelligent hardware device from the mobile data network, the instruction including the encrypted ciphertext and the unique identifier of the intelligent hardware device;
    decrypting the encrypted ciphertext with the encryption key to obtain the IMSI corresponding to the intelligent hardware device,
    verifying the legitimacy of the IMSI corresponding to the intelligent hardware device and, after verification passes, deleting the IMSI corresponding to the intelligent hardware device from the SGSN responsible for authentication;
    and further includes:
    looking up an IMSI database by the received unique identifier of the intelligent hardware device to determine whether the intelligent hardware device has already been allocated an IMSI,
    when the intelligent hardware device has not been allocated an IMSI, allocating a corresponding IMSI to the intelligent hardware device, recording the IMSI in the IMSI database, and sending the IMSI corresponding to the intelligent hardware device to the SGSN responsible for authentication.
  9. A device for controlling access to a mobile data network, characterised in that it includes a processor and a machine-readable storage medium, the machine-readable storage medium storing machine-executable instructions executable by the processor, and the processor executing the machine-executable instructions to implement the method steps of any one of claims 1-5.
  10. A device for controlling access to a mobile data network, characterised in that it includes a processor and a machine-readable storage medium, the machine-readable storage medium storing machine-executable instructions executable by the processor, and the processor executing the machine-executable instructions to implement the method steps of any one of claims 6-9.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710652803.9A CN107396359A (en) 2017-08-02 2017-08-02 A kind of method and apparatus for controlling access mobile data network

Publications (1)

Publication Number Publication Date
CN107396359A true CN107396359A (en) 2017-11-24

Family ID=60344153

Country Status (1)

Country Link
CN (1) CN107396359A (en)

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103141126A (en) * 2010-09-29 2013-06-05 诺基亚公司 Methods and apparatuses for access credential provisioning

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110113735A (en) * 2019-04-17 2019-08-09 广东电网有限责任公司信息中心 A kind of mobile network's safe encryption method based on near-field communication
CN110113735B (en) * 2019-04-17 2023-03-24 广东电网有限责任公司信息中心 Mobile network security encryption method based on near field communication
CN113329041A (en) * 2021-08-03 2021-08-31 北京紫光青藤微系统有限公司 Method, apparatus, electronic device and storage medium for controlling a secure element


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20171124