CN108076460B - Method and terminal for authentication - Google Patents


Publication number: CN108076460B
Application number: CN201611027014.8A
Authority: CN (China)
Other versions: CN108076460A (en)
Other languages: Chinese (zh)
Legal status: Active (granted)
Inventors: 粟栗, 韩东林, 戴晶, 王彦明, 杜海涛
Applicant and current assignee: China Mobile Communications Group Co Ltd; China Mobile Communications Ltd Research Institute
Prior art keywords: authentication, parameter, terminal, network side, side equipment
Publication history: application CN201611027014.8A filed by China Mobile Communications Group Co Ltd and China Mobile Communications Ltd Research Institute; published as CN108076460A; granted and published as CN108076460B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/08 Access security
    • H04W 12/12 Detection or prevention of fraud

Abstract

The invention discloses an authentication method and a terminal, which are used to solve the problem that the security enhancement schemes of the prior art cannot effectively discover a pseudo base station. In the embodiment of the invention, when a terminal needs to access network side equipment, the network side equipment determines an authentication parameter according to a first random parameter and sends the authentication parameter to the terminal; the terminal receives the authentication parameter, authenticates the network side equipment according to it, and accesses the network side equipment only after determining that the authentication has passed. In this way the terminal authenticates the network side equipment, which differs from the prior method in which only the network side authenticates the terminal; because the terminal accesses the network side equipment only after authentication passes, and a pseudo base station cannot pass the terminal's authentication, the pseudo base station is effectively discovered and the terminal is prevented from accessing it.

Description

Method and terminal for authentication
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method and a terminal for performing authentication.
Background
The authentication procedure between a terminal and a base station in a GSM (Global System for Mobile Communications, 2G) network is one-way: when the terminal accesses the base station, the base station authenticates the terminal, but the terminal does not authenticate the base station. Under a GSM network, or when a 4G (fourth generation mobile communication technology) network is switched to the 2G network, the terminal is therefore easily connected to a pseudo base station. Security enhancement technologies against pseudo base stations mainly include smart card enhancement, monitoring of user signal switching on the terminal side, LAC (Location Area Code) judgment, statistical analysis of signaling characteristics, and judgment of short message content on the client or in the cloud. Each existing technology for discovering pseudo base stations has defects: smart card enhancement can to some extent prevent a pseudo base station from cracking the SIM (Subscriber Identity Module) card, but cannot prevent the terminal from accessing the pseudo base station; monitoring the user signal switching condition on the terminal side can effectively prevent the terminal from accessing the pseudo base station, but requires the terminal chip to be modified; LAC judgment is only suitable for monitoring and only for a 2G network environment; statistical analysis of signaling characteristics easily produces misjudgments; and judging short message content on the client or in the cloud is immature and has poor accuracy.
In summary, the existing security enhancement schemes cannot effectively discover a pseudo base station.
Disclosure of Invention
The invention provides an authentication method and a terminal, which are used for solving the problem that a security enhancement technical scheme in the prior art cannot effectively discover a pseudo base station.
The embodiment of the invention provides an authentication method, which comprises the following steps:
when a terminal needs to access network side equipment, receiving authentication parameters sent by the network side equipment;
the terminal authenticates the network side equipment according to the received authentication parameters;
and the terminal accesses the network side equipment after the authentication is determined to pass.
The embodiment of the invention provides an authentication method, which comprises the following steps:
the network side equipment determines an authentication parameter according to the first random parameter;
and the network side equipment sends the authentication parameters to a terminal so that the terminal authenticates the network side equipment according to the authentication parameters.
The embodiment of the invention provides a terminal for authentication, which comprises:
the first transmission module is used for receiving the authentication parameters sent by the network side equipment when the network side equipment needs to be accessed;
the authentication module is used for authenticating the network side equipment according to the received authentication parameters;
and the processing module is used for accessing the network side equipment after the authentication is determined to be passed.
The embodiment of the invention provides a network side device for authentication, which comprises:
the determining module is used for determining an authentication parameter according to the first random parameter;
and the second transmission module is used for sending the authentication parameters to a terminal so that the terminal authenticates the network side equipment according to the authentication parameters.
In the embodiment of the invention, when a terminal needs to access network side equipment, the network side equipment determines an authentication parameter according to a first random parameter and sends the authentication parameter to the terminal; the terminal receives the authentication parameter, authenticates the network side equipment according to it, and accesses the network side equipment only after determining that the authentication has passed. In this way the terminal authenticates the network side equipment, which differs from the prior method in which only the network side authenticates the terminal; because the terminal accesses the network side equipment only after authentication passes, and a pseudo base station cannot pass the terminal's authentication, the pseudo base station is effectively discovered and the terminal is prevented from accessing it.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise.
FIG. 1 is a schematic diagram of a system for performing authentication according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a terminal in the system for performing authentication according to the embodiment of the present invention;
fig. 3 is a schematic structural diagram of a network-side device in a system for performing authentication according to an embodiment of the present invention;
fig. 4 is a flowchart of a method for authenticating a terminal according to an embodiment of the present invention;
fig. 5 is a flowchart of a method for authenticating by a network side device according to an embodiment of the present invention;
fig. 6 is a flowchart of a complete method for performing authentication according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The embodiments of the present invention will be described in further detail with reference to the drawings attached hereto.
In the following description, the joint implementation of the terminal-side device and the network-side device is described first, and then the implementation of each device is described separately. This does not mean that the two devices must be implemented in cooperation: when the terminal-side device and the network-side device are implemented separately, each solves its own part of the problem; when the two are used in combination, a better technical effect is obtained.
As shown in fig. 1, the system for performing authentication according to the embodiment of the present invention includes a terminal 10 and a network-side device 20.
The terminal 10 is configured to receive an authentication parameter sent by the network-side device 20 when the network-side device 20 needs to be accessed; authenticating the network side device 20 according to the received authentication parameters; and accessing the network side device 20 after the authentication is determined to be passed.
The network side device 20 is configured to determine an authentication parameter according to the first random parameter; and sending the authentication parameters to the terminal 10, so that the terminal 10 authenticates the network side device 20 according to the authentication parameters.
It should be noted that, when the terminal 10 needs to access the network-side device 20, the terminal sends an authentication request to the network-side device 20 that needs to access, and the network-side device 20 determines the authentication parameters after receiving the authentication request.
The condition that the terminal 10 needs to access the network-side device 20 may be that the terminal 10 needs to access the network-side device 20 after being powered on, or that the terminal 10 needs to access the corresponding network-side device 20 after receiving an instruction to access the network-side device 20, or that the terminal 10 accesses the network-side device 20 after performing cell reselection (or cell handover), where the condition that the terminal 10 needs to access the network-side device 20 is applicable to the embodiment of the present invention.
The process of determining the authentication parameter by the network side device 20 is as follows:
the network side device 20 randomly selects first random parameters of N bytes;
the network side device 20 determines a third random parameter according to the first random parameter and the authentication key;
the network side device 20 selects M bytes from the third random parameter, and uses the selected M bytes as a check parameter;
the network side device 20 determines the authentication parameter according to the check parameter and the first random parameter.
The authentication key is a key known to the network side device 20 and the terminal 10, and may be a key of a smart card in the terminal 10, or may be a key already set by the network side device 20 and the terminal 10.
The network side device 20 determines the third random parameter from the first random parameter and the authentication key through an encryption algorithm. For example, the encryption algorithm may be a symmetric encryption algorithm or a cryptographic hash function used with the key; any encryption algorithm that operates with a key is suitable for the embodiment of the present invention.
After the network side device 20 determines the third random parameter, M bytes are selected from the third random parameter, the selected M bytes are used as a check parameter, the check parameter is spliced with the first random parameter, and the spliced parameter is used as an authentication parameter.
It should be noted that there are many ways to select M bytes from the third random parameter: for example, M bytes may be selected in sequence, at a certain interval, or from the head and the tail of the third random parameter. For example, if the third random parameter is 1234567890987654321 and M is 6, the 6 bytes 123456 can be selected in sequence and spliced with the first random parameter; the 6 bytes 135799 can be selected at intervals (every other byte) and spliced with the first random parameter; or the 6 bytes 123321 can be selected from the head and the tail and spliced with the first random parameter. These examples are illustrative and may differ in practice. All ways of selecting M bytes are applicable to the embodiment of the invention.
There are also many ways to splice the check parameter with the first random parameter. For example, the check parameter may be connected end to end with the first random parameter, or the bytes of the two parameters may be arranged alternately at intervals. For example, if the check parameter is 222222 and the first random parameter is 333333, the authentication parameter is 222222333333 after end-to-end connection and 232323232323 after interval arrangement. Any splicing manner in which the check parameter and the first random parameter can be spliced into one parameter is suitable for the embodiment of the invention.
In practical applications, M + N may be 16, that is, the final authentication parameter is 16 bytes, so that the size of the exchanged information is consistent with that specified in the existing standard.
After the network side device 20 determines the authentication parameters according to the check parameters and the first random parameters, that is, the authentication parameters include the first random parameters and the check parameters, the network side device 20 sends the authentication parameters to the terminal 10, and after receiving the authentication parameters, the terminal 10 authenticates the network side device 20, where the authentication process is as follows:
the terminal 10 determines a first random parameter in the authentication parameters;
the terminal 10 determines a second random parameter according to the first random parameter and the authentication key;
the terminal 10 determines M bytes of the second random parameter;
the terminal 10 determines whether the check parameter in the authentication parameter is consistent with the value of M bytes of the second random parameter;
if they are consistent, the authentication is determined to have passed; otherwise, it is determined not to have passed.
It should be noted that the authentication may be performed by a smart card inserted into the terminal 10, or may be performed by directly authenticating the received authentication parameters through the terminal 10.
After receiving the authentication parameter, the terminal 10 determines the first random parameter within it. The way it does so corresponds to the way the network side device 20 spliced the first random parameter and the check parameter. For example, if the network side device 20 spliced them end to end, the terminal 10 takes the latter part of the authentication parameter as the first random parameter; if the network side device 20 spliced them by interval arrangement, the terminal 10 takes the bytes at the corresponding interval positions of the authentication parameter as the first random parameter. For example, if the splicing manner is end-to-end connection, the first random parameter has length 6, and the authentication parameter sent by the network side device 20 is 222222333333, the terminal 10 determines that the first random parameter is the last 6 positions of the authentication parameter, 333333; if the splicing manner is interval arrangement, the first random parameter has length 6, and the authentication parameter sent by the network side device 20 is 232323232323, the terminal 10 determines that the first random parameter is the bytes selected at intervals from the authentication parameter, 333333.
After the terminal 10 determines the first random parameter, the second random parameter is determined using the determined first random parameter and the authentication key. The second random parameter is determined by obtaining the second random parameter through an encryption algorithm, and the encryption algorithm used by the terminal 10 is the same as the encryption algorithm used by the network-side device 20.
After the terminal 10 determines the second random parameter, it selects M bytes from the second random parameter and compares them with the check parameter in the authentication parameter. The manner of selecting M bytes from the second random parameter is the same as the manner in which the network side device 20 selected M bytes from the third random parameter: if the M bytes of the third random parameter were selected in sequence, the M bytes of the second random parameter are also selected in sequence; if they were selected at a certain interval, the same interval selection is used; if they were selected from the head and the tail of the third random parameter, head and tail selection is used. For example, if the M bytes of the third random parameter were selected in sequence, M is 6, and the second random parameter is 1234567890987654321, the terminal 10 selects the 6 bytes 123456 in sequence from the second random parameter; if they were selected at intervals, the terminal 10 selects the 6 bytes 135799 at intervals from the second random parameter; if they were selected from the head and the tail, the terminal 10 selects the 6 bytes 123321 from the head and the tail of the second random parameter.
If the authentication is performed by a smart card inserted into the terminal 10, the smart card must be one capable of verifying the signature carried in the authentication parameter. A smart card that does not support verifying the signature cannot authenticate the network side, but it can still respond to the received authentication parameter according to the algorithm specified in the prior art; that is, a smart card that does not support verifying the signature can still be used normally under this authentication scheme.
The manner in which the terminal 10 determines the first random parameter, and the manner in which the network side device 20 splices the first random parameter with the M bytes of the third random parameter, are agreed before the terminal 10 connects. If the network side device 20 is a legitimate network side device 20, the two manners correspond, so the first random parameter obtained by the terminal 10 is the same one the network side device 20 used. If the network side device 20 is an illegitimate network side device 20, such as a pseudo base station, it cannot determine the splicing manner of the first random parameter and the third random parameter used by a legitimate base station, nor the encryption algorithm used to determine the second random parameter, so the second random parameter that the terminal 10 computes from the extracted first random parameter and the authentication key differs from what the pseudo base station produced. By comparing the two parameters, the terminal 10 determines whether the network side device it currently needs to access passes authentication.
If the network side device 20 is an illegitimate network side device 20, such as a pseudo base station, then because the pseudo base station cannot obtain the authentication key, the M bytes of the third random parameter it determines cannot match the M bytes of the second random parameter determined by the terminal 10.
When the authentication fails, the terminal 10 selects a new random parameter and sends interference information containing the new random parameter to the network side device 20. For example, the terminal 10 may convert the selected new random parameter into interference information through the authentication algorithm A3 and the encryption key generation algorithm A8, and send the interference information to the network side device 20.
When the authentication is not passed, the terminal 10 does not access the network-side device 20, and at the same time, the device information of the network-side device 20, such as LAC (Location Area Code) information, Location information, and the like of the network-side device 20, may be stored, and when the network-side device 20 is accessed next time, the network-side device 20 is prohibited from being accessed. The terminal 10 may also report the stored device information of the network-side device 20 that fails to pass the authentication, and send the reported device information to the network-side device that passes the authentication, so as to broadcast the device information of the network-side device 20 that fails to pass the authentication to other terminals 10, thereby preventing other terminals 10 from accessing the network-side device 20.
Since the interference information contains wrong information, a network side device 20 that failed authentication cannot, after receiving it, successfully authenticate the terminal 10 with it, and cannot obtain the information of the terminal 10.
If the authentication is passed, the terminal 10 determines feedback information according to the authentication parameter, and sends the feedback information to the network side device 20.
For example, the terminal 10 may convert the authentication parameters into feedback information by using the authentication key through the authentication algorithm A3 and the encryption key generation algorithm A8, and send the feedback information to the network-side device 20.
The terminal 10 sends the feedback information to the network side device 20, so that the network side device 20 authenticates the terminal 10 according to the feedback information.
After receiving the feedback information, the network side device 20 compares the feedback information with the relevant parameters determined by the network side device 20 through the authentication parameters to determine whether the terminal 10 passes the authentication, if yes, the network side device 20 determines that the terminal 10 passes the authentication, the terminal 10 is allowed to access, otherwise, the access is prohibited. The method in which the network-side device 20 determines the relevant parameters through the authentication parameters is consistent with the method in which the terminal 10 determines the feedback information. For example, if the terminal 10 obtains the feedback information by converting the authentication parameters through the authentication algorithm A3 and the encryption key generation algorithm A8 using the authentication key, the network-side device 20 also converts the authentication parameters into related parameters through the authentication algorithm A3 and the encryption key generation algorithm A8.
In practical applications, the network side device 20 may be divided into an HLR (Home Location Register) and a VLR (Visitor Location Register). The VLR receives the authentication request sent by the terminal 10 and forwards it to the HLR; the HLR determines the authentication parameter (SigRand), converts SigRand into the relevant parameter (XRes) using the authentication key (Ki) through algorithms A3 and A8, and sends SigRand, XRes and the temporary key (Kc) used for communication encryption to the VLR in the form of a vector; the VLR sends the authentication parameter to the terminal 10; after receiving the feedback information sent by the terminal, the VLR compares it with the XRes sent by the HLR and determines whether the terminal passes authentication.
Based on the same inventive concept, the embodiment also provides a terminal for authentication. Because the principle by which the terminal solves the problem is similar to that of the authentication system in the embodiment of the invention, the implementation of the terminal can refer to the implementation of the system, and repeated details are not described again.
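The parameter construction described in the steps above (N-byte first random parameter, keyed derivation of the third random parameter, M-byte check parameter, splicing), the terminal-side verification, and the feedback/XRes comparison of the preceding paragraphs, carried through as an added worked example in Python. This is not code from the patent or from the applicant. The patent leaves the keyed encryption algorithm and the A3/A8 algorithms unspecified, so HMAC-SHA256 stands in for both (an assumption); M = 6 and N = 10 are constructed so that M + N = 16; the key and the selection/splice mode names are the example's own.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sizes: the description says M + N may be 16 so that the
# authentication parameter has the size specified in the existing standard.
M = 6   # bytes of the check parameter taken from the keyed derivation
N = 10  # bytes of the first random parameter


def keyed_derive(data: bytes, key: bytes) -> bytes:
    """Stand-in (assumption) for the patent's unspecified keyed encryption
    algorithm that turns the first random parameter and the authentication key
    into the second/third random parameter. Both sides must use the same one."""
    return hmac.new(key, data, hashlib.sha256).digest()


def select_bytes(value: bytes, m: int, mode: str) -> bytes:
    """The three M-byte selection manners named in the description."""
    if mode == "sequential":      # the first m bytes in order
        return value[:m]
    if mode == "interval":        # every other byte, then the first m of those
        return value[::2][:m]
    if mode == "head_tail":       # half from the head, the rest from the tail
        head = m // 2
        return value[:head] + value[len(value) - (m - head):]
    raise ValueError(f"unknown selection mode {mode!r}")


def splice(check: bytes, rand: bytes, mode: str) -> bytes:
    """Splice the check parameter and the first random parameter into one."""
    if mode == "end_to_end":
        return check + rand
    if mode == "interleaved":     # alternate bytes; leftover of the longer one last
        k = min(len(check), len(rand))
        body = b"".join(check[i:i + 1] + rand[i:i + 1] for i in range(k))
        return body + check[k:] + rand[k:]
    raise ValueError(f"unknown splice mode {mode!r}")


def unsplice(auth: bytes, m: int, n: int, mode: str) -> Tuple[bytes, bytes]:
    """Terminal side: recover (check, rand) using the agreed splice manner."""
    if mode == "end_to_end":
        return auth[:m], auth[m:m + n]
    if mode == "interleaved":
        k = min(m, n)
        head = auth[:2 * k]
        return (head[0::2] + auth[2 * k:2 * k + (m - k)],
                head[1::2] + auth[2 * k + (m - k):])
    raise ValueError(f"unknown splice mode {mode!r}")


def network_build_auth_param(ki: bytes, select_mode: str, splice_mode: str,
                             rand: Optional[bytes] = None) -> bytes:
    """Network side: first random parameter -> third random parameter ->
    M-byte check parameter -> spliced authentication parameter (SigRand)."""
    rand = secrets.token_bytes(N) if rand is None else rand
    third = keyed_derive(rand, ki)
    check = select_bytes(third, M, select_mode)
    return splice(check, rand, splice_mode)


def terminal_authenticate(auth: bytes, ki: bytes, select_mode: str, splice_mode: str) -> bool:
    """Terminal side: extract the first random parameter, derive the second random
    parameter with the shared key, select M bytes the same way the network did,
    and compare (in constant time) with the received check parameter."""
    check, rand = unsplice(auth, M, N, splice_mode)
    expected = select_bytes(keyed_derive(rand, ki), M, select_mode)
    return hmac.compare_digest(check, expected)


def a3a8_stand_in(auth: bytes, ki: bytes) -> Tuple[bytes, bytes]:
    """Stand-in (assumption) for GSM A3/A8: returns (SRES-like 4 bytes, Kc-like 8 bytes)."""
    d = hmac.new(ki, b"A3A8|" + auth, hashlib.sha256).digest()
    return d[:4], d[4:12]


def run_access(ki_network: bytes, ki_terminal: bytes,
               select_mode: str = "head_tail", splice_mode: str = "interleaved") -> Tuple[bool, bool]:
    """One full exchange. Returns (terminal accepted network, network accepted terminal)."""
    sig_rand = network_build_auth_param(ki_network, select_mode, splice_mode)
    xres, _kc = a3a8_stand_in(sig_rand, ki_network)           # HLR vector: SigRand, XRes, Kc
    if not terminal_authenticate(sig_rand, ki_terminal, select_mode, splice_mode):
        # Failed: reply with interference information built from a fresh random
        # parameter, so the reply carries nothing derived from SigRand and cannot match XRes.
        interference, _ = a3a8_stand_in(secrets.token_bytes(16), ki_terminal)
        return False, hmac.compare_digest(interference, xres)
    sres, _ = a3a8_stand_in(sig_rand, ki_terminal)            # feedback information
    return True, hmac.compare_digest(sres, xres)               # VLR compares with XRes


if __name__ == "__main__":
    ki = bytes(range(16))                                      # constructed shared key Ki
    print("legitimate network:", run_access(ki, ki))           # (True, True)
    print("pseudo base station:", run_access(bytes(16), ki))   # (False, False)
```

The pseudo base station case gives the network a different key than the terminal: without Ki it cannot produce a check parameter the terminal accepts, and the interference reply it then receives does not match its own XRes, so neither side of the exchange succeeds. Both check-parameter and SRES comparisons use `hmac.compare_digest` so the comparison time does not leak how many bytes matched.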
As shown in fig. 2, the terminal in the system for performing authentication according to the embodiment of the present invention includes a first transmission module 200, an authentication module 201, and a processing module 202.
A first transmission module 200, configured to receive an authentication parameter sent by a network side device when the network side device needs to be accessed;
an authentication module 201, configured to authenticate the network side device according to the received authentication parameter;
and the processing module 202 is configured to access the network side device after determining that the authentication is passed.
It should be noted that, when the terminal needs to access the network-side device, the first transmission module 200 sends an authentication request to the network-side device that needs to be accessed.
After the first transmission module 200 receives the authentication parameters, the authentication module 201 authenticates the network side device, and the authentication process is as follows:
the authentication module 201 determines a first random parameter in the authentication parameters;
the authentication module 201 determines a second random parameter according to the first random parameter and the authentication key;
the authentication module 201 determines M bytes of the second random parameter;
the authentication module 201 determines whether the check parameter in the authentication parameters is consistent with the value of M bytes of the second random parameter;
if they are consistent, the authentication is determined to have passed; otherwise, it is determined not to have passed.
It should be noted that the authentication may also be performed by a smart card inserted into the terminal, or may be performed by directly authenticating the received authentication parameters through the authentication module 201.
After the first transmission module 200 receives the authentication parameters, where the authentication parameters include a first random parameter and a check parameter, the authentication module 201 determines the first random parameter in the authentication parameters. The determining mode corresponds to a splicing mode of the first random parameter and the check parameter of the network side equipment.
After the authentication module 201 determines the first random parameter, it determines a second random parameter using the determined first random parameter and the authentication key. The second random parameter is determined by obtaining the second random parameter through an encryption algorithm, and the encryption algorithm used by the authentication module 201 is the same as the encryption algorithm used by the network side device.
After the authentication module 201 determines the second random parameter, it selects M bytes from the second random parameter and compares them with the check parameter in the authentication parameter. The manner of selecting the M bytes from the second random parameter is the same as the manner in which the network side device selected the M bytes from the third random parameter.
When the authentication fails, the processing module 202 selects a new random parameter, and the processing module 202 sends interference information containing the new random parameter to the network side device.
When the authentication is not passed, the terminal does not access the network side device, and the processing module 202 may store device information of the network side device, such as LAC information and location information of the network side device, and prohibit the terminal from accessing the network side device when accessing the network side device next time. The processing module 202 may also report the stored device information of the network-side device that fails to pass the authentication, and send the reported device information to the network-side device that passes the authentication, so as to broadcast the device information of the network-side device that fails to pass the authentication to other terminals, thereby preventing the other terminals from accessing the network-side device.
If the authentication is passed, the processing module 202 determines feedback information according to the authentication parameter, and sends the feedback information to the network side device.
The processing module 202 sends the feedback information to the network side device, so that the network side device authenticates the terminal according to the feedback information.
Based on the same inventive concept, the embodiment of the present disclosure further provides a network side device for performing authentication. Because the principle by which the network side device solves the problem is similar to that of the system for performing authentication according to the embodiment of the present invention, the implementation of the network side device may refer to the implementation of the system, and repeated details are not described again.
As shown in fig. 3, the network side device in the system for performing authentication according to the embodiment of the present invention includes a determining module 300 and a second transmitting module 301.
A determining module 300, configured to determine an authentication parameter according to the first random parameter;
a second transmission module 301, configured to send the authentication parameter to a terminal, so that the terminal authenticates the network side device according to the authentication parameter.
The determining module 300 determines the authentication parameters upon receiving the authentication request.
The process of determining the authentication parameters by the determination module 300 is as follows:
the determining module 300 randomly selects first random parameters of N bytes;
the determining module 300 determines a third random parameter according to the first random parameter and the authentication key;
the determining module 300 selects M bytes from the third random parameter, and uses the selected M bytes as a check parameter;
the determining module 300 determines the authentication parameter according to the verification parameter and the first random parameter.
The determining module 300 determines the third random parameter through an encryption algorithm using the first random parameter and the authentication key, for example, the encryption algorithm may be a symmetric encryption algorithm or a cryptographic hash function, and all encryption algorithms using a key for encryption are suitable for the embodiment of the present invention.
After the determining module 300 determines the third random parameter, M bytes are selected from the third random parameter, the selected M bytes are used as a check parameter, the check parameter is spliced with the first random parameter, and the spliced parameter is used as an authentication parameter.
It should be noted that there are many ways to select M bytes from the third random parameter, for example, M bytes may be selected in sequence, M bytes may be selected from the third random parameter at a certain interval, or M bytes may be selected from the head and the tail of the third random parameter.
There are also many ways to concatenate the check parameter with the first random parameter. For example, the check parameter and the first random parameter may be connected end to end, or the numbers making up the two parameters may be interleaved at intervals.
After the determining module 300 determines the authentication parameter according to the verification parameter and the first random parameter, that is, the authentication parameter includes the first random parameter and the verification parameter, the second transmitting module 301 sends the authentication parameter to the terminal.
When a network side device that failed the authentication receives the interference information sent by the terminal, its second transmission module 301 cannot authenticate the terminal using the interference information and therefore cannot acquire the information of the terminal.
After receiving the feedback information, the second transmission module 301 compares the feedback information with the related parameters it has determined from the authentication parameters to decide whether the terminal passes the authentication; if so, the second transmission module 301 determines that the terminal passes the authentication and the terminal is allowed to access, otherwise the terminal is prohibited from accessing. The method by which the second transmission module 301 determines the relevant parameters is consistent with the method by which the terminal determines the feedback information.
Based on the same inventive concept, the embodiment also provides an authentication method. Because the principle by which the method solves the problem is similar to that of the system for performing authentication according to the embodiment of the invention, the implementation of the method can refer to the implementation of the system, and repeated parts are not described again.
As shown in fig. 4, a method for performing authentication according to an embodiment of the present invention includes:
step 401: when a terminal needs to access network side equipment, receiving authentication parameters sent by the network side equipment;
step 402: the terminal authenticates the network side equipment according to the received authentication parameters;
step 403: and after the terminal is determined to pass the authentication, accessing the network side equipment.
It should be noted that, when the terminal needs to access the network side device, the terminal sends an authentication request to the network side device that needs to be accessed.
After receiving the authentication parameters, the terminal authenticates the network side equipment, wherein the authentication parameters comprise a first random parameter and a check parameter, and the authentication process is as follows:
the terminal determines a first random parameter in the authentication parameters;
the terminal determines a second random parameter according to the first random parameter and the authentication key;
the terminal determines M bytes of a second random parameter;
the terminal judges whether the check parameter in the authentication parameter is consistent with the values of the M bytes of the second random parameter;
if they are consistent, the authentication is determined to be passed; otherwise, the authentication is determined not to be passed.
It should be noted that the authentication may also be performed by a smart card inserted into the terminal, or may be performed by the terminal directly for authenticating the received authentication parameters.
And the terminal determines a first random parameter in the authentication parameters after receiving the authentication parameters. The determining mode corresponds to a splicing mode of the first random parameter and the check parameter of the network side equipment.
After the terminal determines the first random parameter, the terminal determines a second random parameter by using the determined first random parameter and the authentication key. The mode for determining the second random parameter is to obtain the second random parameter through an encryption algorithm, and the encryption algorithm adopted by the terminal is the same as the encryption algorithm adopted by the network side equipment.
After the terminal determines the second random parameter, the terminal selects M bytes from the second random parameter, that is, it determines M bytes of the second random parameter, and compares them with the check parameter in the authentication parameter, which is the M bytes the network side device selected from the third random parameter. The selection mode for selecting the M bytes from the second random parameter is the same as the selection mode used by the network side device to select the M bytes from the third random parameter.
When the authentication is not passed, the terminal selects a new random parameter, and the terminal 10 sends interference information including the new random parameter to the network side device 20.
When the authentication is not passed, the terminal does not access the network side device; at the same time it may store device information of the network side device, such as its LAC information and location information, and refuse to access that network side device the next time it is encountered. The terminal may also report the stored device information of the network side device that failed the authentication, sending it to a network side device that passed the authentication, so that the device information of the failed network side device is broadcast to other terminals, thereby preventing those terminals from accessing it.
If the authentication is passed, the terminal determines feedback information according to the authentication parameters and sends the feedback information to the network side equipment.
And the terminal sends the feedback information to the network side equipment so that the network side equipment authenticates the terminal according to the feedback information.
Based on the same inventive concept, the embodiment also provides an authentication method. Because the principle by which the method solves the problem is similar to that of the system for performing authentication according to the embodiment of the invention, the implementation of the method can refer to the implementation of the system, and repeated parts are not described again.
As shown in fig. 5, a method for performing authentication according to an embodiment of the present invention includes:
step 501: the network side equipment determines an authentication parameter according to the first random parameter;
step 502: and the network side equipment sends the authentication parameters to a terminal so that the terminal authenticates the network side equipment according to the authentication parameters.
And the network side equipment determines the authentication parameters after receiving the authentication request.
The process of determining the authentication parameters by the network side equipment is as follows:
network side equipment randomly selects first random parameters of N bytes;
the network side equipment determines a third random parameter according to the first random parameter and the authentication key;
the network side equipment selects M bytes from the third random parameter, and takes the selected M bytes as a check parameter;
and the network side equipment determines the authentication parameter according to the verification parameter and the first random parameter.
It should be noted that the authentication key is a key known by the network side device and the terminal, and may be a key of a smart card in the terminal, or may be a key already set by the network side device and the terminal.
The network side device determines the third random parameter through an encryption algorithm by using the first random parameter and the authentication key, for example, the encryption algorithm may be a symmetric encryption algorithm or a cryptographic hash function, and all encryption algorithms that use keys for encryption are suitable for the embodiment of the present invention.
After the network side equipment determines the third random parameter, M bytes are selected from the third random parameter, the selected M bytes are used as a check parameter, the check parameter is spliced with the first random parameter, and the spliced parameter is used as an authentication parameter.
It should be noted that there are many ways to select M bytes from the third random parameter, for example, M bytes may be selected in sequence, M bytes may be selected from the third random parameter at a certain interval, or M bytes may be selected from the head and the tail of the third random parameter.
There are also many ways to concatenate the verification parameters with the first random parameters. For example, the check parameter may be connected end to end with the first random parameter, or the numbers of the two parameters may be arranged at intervals.
When a network side device that failed the authentication receives the interference information, it cannot authenticate the terminal using the interference information and therefore cannot acquire the information of the terminal.
After receiving the feedback information, the network side device compares the feedback information with the relevant parameters it has determined from the authentication parameters to decide whether the terminal passes the authentication; if so, the network side device determines that the terminal passes the authentication and allows the terminal to access, otherwise access is forbidden.
As shown in fig. 6, taking authentication pass as an example, the schematic diagram of the authentication process performed in the embodiment of the present invention includes the following steps:
step 601: the terminal sends the authentication request to the network side equipment;
step 602: network side equipment randomly selects first random parameters of N bytes;
step 603: the network side equipment determines a third random parameter according to the first random parameter and the authentication key;
step 604: the network side equipment selects M bytes from the third random parameter, and takes the selected M bytes as a check parameter;
step 605: the network side equipment determines an authentication parameter according to the check parameter and the first random parameter;
step 606: the network side equipment sends the authentication parameters to the terminal;
step 607: the terminal determines a first random parameter in the authentication parameters;
step 608: the terminal determines a second random parameter according to the first random parameter and the authentication key;
step 609: the terminal determines M bytes of a second random parameter;
step 610: the terminal judges whether the check parameters in the authentication parameters are consistent with the values of the M bytes of the second random parameter, and if so, the authentication is determined to be passed; otherwise, the authentication is not passed;
step 611: if the authentication is passed, the terminal determines feedback information according to the authentication parameters;
step 612: the terminal sends the feedback information to the network side equipment;
step 613: the network side equipment authenticates the terminal according to the feedback information;
step 614: and after the network side equipment determines that the authentication is passed, allowing the terminal to access.
If the authentication is not passed, step 611 becomes: the terminal selects a new random parameter and determines interference information according to that random parameter; and step 612 becomes: the terminal sends the interference information to the network side device.
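As an added example (not code from the patent or its applicants), the following Python models both sides of the exchange in fig. 6, including the interference reply of claim 2, and implements all three M-byte selection modes and both splicing modes the description names. The keyed algorithm (HMAC-SHA256), the sizes N = 16 and M = 8, the feedback formula and the demo key are assumptions, since the text leaves them open.

```python
import hashlib
import hmac
import secrets

# N and M as in the patent text; these concrete sizes are assumptions.
N_BYTES = 16   # length of the first random parameter
M_BYTES = 8    # number of bytes taken as the check parameter
# Constructed demo key standing in for the authentication key that the
# terminal (or its smart card) shares with the network side device.
DEMO_KEY = b"constructed-shared-key-for-demo"

def derive(key: bytes, rand: bytes) -> bytes:
    """The patent's keyed 'encryption algorithm'. HMAC-SHA256 is an
    assumption; any keyed function both sides agree on would do."""
    return hmac.new(key, rand, hashlib.sha256).digest()

def select_bytes(data: bytes, m: int, mode: str) -> bytes:
    """The three M-byte selection modes the text names."""
    if mode == "sequence":          # the first M bytes in order
        return data[:m]
    if mode == "interval":          # every (len(data) // m)-th byte
        step = len(data) // m
        return bytes(data[i * step] for i in range(m))
    if mode == "head_tail":         # half from the head, the rest from the tail
        half = m // 2
        return data[:half] + data[len(data) - (m - half):]
    raise ValueError(f"unknown selection mode {mode!r}")

def splice(rand: bytes, check: bytes, mode: str) -> bytes:
    """The two splicing modes the text names: end to end, or interleaved."""
    if mode == "end_to_end":
        return rand + check
    if mode == "interleave":
        out = bytearray()
        for i in range(max(len(rand), len(check))):
            out += rand[i:i + 1] + check[i:i + 1]   # empty slice once a side runs out
        return bytes(out)
    raise ValueError(f"unknown splice mode {mode!r}")

def unsplice(auth: bytes, n: int, m: int, mode: str) -> tuple:
    """Inverse of splice(); the terminal must know the mode the network used."""
    if len(auth) != n + m:
        raise ValueError("authentication parameter has the wrong length")
    if mode == "end_to_end":
        return auth[:n], auth[n:]
    if mode == "interleave":
        rand, check, pos = bytearray(), bytearray(), 0
        for i in range(max(n, m)):
            for part, size in ((rand, n), (check, m)):
                if i < size:
                    part.append(auth[pos])
                    pos += 1
        return bytes(rand), bytes(check)
    raise ValueError(f"unknown splice mode {mode!r}")

# Network side device, steps 602 to 605 of fig. 6.
def network_build_auth_param(key, select_mode, splice_mode):
    rand = secrets.token_bytes(N_BYTES)                # first random parameter
    third = derive(key, rand)                          # third random parameter
    check = select_bytes(third, M_BYTES, select_mode)  # check parameter
    return splice(rand, check, splice_mode)            # authentication parameter

# Network side device, step 613: recompute what a terminal holding the key sends.
def network_verify_feedback(key, auth, reply):
    return hmac.compare_digest(derive(key, auth), reply)

# Terminal, steps 607 to 610: recover the first random parameter, derive the
# second random parameter, pick the same M bytes, compare in constant time.
def terminal_authenticate(key, auth, select_mode, splice_mode):
    rand, check = unsplice(auth, N_BYTES, M_BYTES, splice_mode)
    expected = select_bytes(derive(key, rand), M_BYTES, select_mode)
    return hmac.compare_digest(expected, check)

# Terminal, steps 611 and 612 (or claim 2 when the network failed the check).
def terminal_reply(key, auth, accepted):
    if accepted:
        # Feedback information. HMAC over the whole authentication parameter is
        # an assumption; the patent fixes no formula for it.
        return derive(key, auth)
    # Interference information built from a fresh random parameter: nothing
    # keyed is handed to a network that could not prove it holds the key.
    return secrets.token_bytes(hashlib.sha256().digest_size)

def run_exchange(terminal_key, network_key, select_mode="sequence", splice_mode="end_to_end"):
    """Returns (terminal accepted the network, network accepted the terminal)."""
    auth = network_build_auth_param(network_key, select_mode, splice_mode)
    terminal_ok = terminal_authenticate(terminal_key, auth, select_mode, splice_mode)
    reply = terminal_reply(terminal_key, auth, terminal_ok)
    return terminal_ok, network_verify_feedback(network_key, auth, reply)

if __name__ == "__main__":
    print("genuine network:", run_exchange(DEMO_KEY, DEMO_KEY))
    print("network without the key:", run_exchange(DEMO_KEY, b"constructed-wrong-key"))
```

Both sides must agree out of band on the selection and splicing modes; a network that does not hold the key fails at step 610, receives only random interference bytes, and therefore fails at step 613 as well.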
The present application is described above with reference to block diagrams and/or flowchart illustrations of methods, apparatus (systems) and/or computer program products according to embodiments of the application. It will be understood that one block of the block diagrams and/or flowchart illustrations, and combinations of blocks in the block diagrams and/or flowchart illustrations, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, and/or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer and/or other programmable data processing apparatus, create means for implementing the functions/acts specified in the block diagrams and/or flowchart block or blocks.
Accordingly, the subject application may also be embodied in hardware and/or in software (including firmware, resident software, micro-code, etc.). Furthermore, the present application may take the form of a computer program product on a computer-usable or computer-readable storage medium having computer-usable or computer-readable program code embodied in the medium for use by or in connection with an instruction execution system. In the context of this application, a computer-usable or computer-readable medium may be any medium that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (10)

1. A method of performing authentication, the method comprising:
when a terminal needs to access network side equipment, receiving authentication parameters sent by the network side equipment;
the terminal authenticates the network side equipment according to the received authentication parameters;
the terminal accesses the network side equipment after the authentication is determined to pass;
the authentication parameters comprise a first random parameter and a check parameter;
the terminal authenticates the network side equipment according to the received authentication parameters, and the authentication comprises the following steps:
the terminal determines a first random parameter in the authentication parameters;
the terminal determines a second random parameter according to the first random parameter and the authentication key;
the terminal judges whether the check parameter in the authentication parameter is consistent with the values of M bytes of the second random parameter;
if they are consistent, the authentication is determined to be passed; otherwise, the authentication is determined not to be passed;
the authentication parameter is determined by the network side equipment by determining a third random parameter according to the first random parameter and an authentication key, selecting M bytes from the third random parameter as a check parameter, and determining the authentication parameter according to the check parameter and the first random parameter.
2. The method as claimed in claim 1, wherein after the terminal authenticates the network-side device according to the received authentication parameter, the method further comprises:
if the authentication is not passed, the terminal selects a new random parameter;
and the terminal sends interference information containing new random parameters to the network side equipment.
3. The method as claimed in claim 1, wherein after the terminal authenticates the network-side device according to the received authentication parameter, the method further comprises:
if the authentication is passed, the terminal determines feedback information according to the authentication parameters;
and the terminal sends the feedback information to the network side equipment so that the network side equipment authenticates the terminal according to the feedback information.
4. A method of performing authentication, the method comprising:
the network side equipment determines an authentication parameter according to the first random parameter;
the network side equipment sends the authentication parameters to a terminal so that the terminal authenticates the network side equipment according to the authentication parameters;
the network side device determines an authentication parameter according to the first random parameter, and the method includes:
the network side equipment determines a third random parameter according to the first random parameter and the authentication key;
the network side equipment selects M bytes from the third random parameter, and takes the selected M bytes as a check parameter;
and the network side equipment determines the authentication parameter according to the verification parameter and the first random parameter.
5. The method of claim 4, wherein after the network-side device sends the authentication parameters to the terminal, the method further comprises:
the network side equipment receives feedback information sent by the terminal;
the network side equipment authenticates the terminal according to the feedback information;
and the network side equipment allows the terminal to access after the authentication is determined to be passed.
6. A terminal for performing authentication, the terminal comprising:
the first transmission module is used for receiving the authentication parameters sent by the network side equipment when the network side equipment needs to be accessed;
the authentication module is used for authenticating the network side equipment according to the received authentication parameters;
the processing module is used for accessing the network side equipment after the authentication is determined to pass;
the authentication parameters comprise a first random parameter and a check parameter;
the authentication module is specifically configured to:
determining a first random parameter in the authentication parameters;
determining a second random parameter according to the first random parameter and the authentication key;
judging whether the check parameter in the authentication parameter is consistent with the values of M bytes of the second random parameter;
if they are consistent, the authentication is determined to be passed; otherwise, the authentication is determined not to be passed;
the authentication parameter is determined by the network side equipment by determining a third random parameter according to the first random parameter and an authentication key, selecting M bytes from the third random parameter as a check parameter, and determining the authentication parameter according to the check parameter and the first random parameter.
7. The terminal of claim 6, wherein the processing module is further configured to:
if the authentication is not passed, selecting a new random parameter;
and sending interference information containing new random parameters to the network side equipment.
8. The terminal of claim 6, wherein the processing module is further configured to:
if the authentication is passed, determining feedback information according to the authentication parameters;
and sending the feedback information to the network side equipment so that the network side equipment authenticates the terminal according to the feedback information.
9. A network side device for performing authentication, the network side device comprising:
the determining module is used for determining an authentication parameter according to the first random parameter;
the second transmission module is used for sending the authentication parameters to a terminal so that the terminal authenticates the network side equipment according to the authentication parameters;
wherein the determining module is specifically configured to:
determining a third random parameter according to the first random parameter and the authentication key;
selecting M bytes from the third random parameter, and taking the selected M bytes as a check parameter;
and determining the authentication parameter according to the verification parameter and the first random parameter.
10. The network-side device of claim 9, wherein the second transmission module is further configured to:
receiving feedback information sent by the terminal;
authenticating the terminal according to the feedback information;
and after the authentication is determined to be passed, allowing the terminal to access.
CN201611027014.8A 2016-11-15 2016-11-15 Method and terminal for authentication Active CN108076460B (en)

Publications (2)

Publication Number Publication Date
CN108076460A CN108076460A (en) 2018-05-25
CN108076460B true CN108076460B (en) 2021-07-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant