CN108882233B - IMSI encryption method, core network and user terminal - Google Patents

Publication number
CN108882233B
Authority
CN
China
Prior art keywords
key
network element
user terminal
encryption
encryption protocol
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810786676.6A
Other languages
Chinese (zh)
Other versions
CN108882233A (en)
Inventor
李京辉
乔自知
郭省力
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Application filed by China United Network Communications Group Co Ltd
Priority to CN201810786676.6A
Publication of CN108882233A
Application granted
Publication of CN108882233B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Embodiments of the invention provide an IMSI encryption method, a core network and a user terminal. They relate to the field of communications and can prevent a user's IMSI from being leaked during network access without increasing the load on the base station. The method comprises the following steps: the user terminal sends its own encryption protocol list, together with the version information corresponding to each encryption protocol in the list, to the HTTP AUSF network element through the base station; the HTTP AUSF network element selects a target encryption protocol from the encryption protocol list according to the version information, and sends the target encryption protocol and a CA certificate carrying a public key to the user terminal through the base station; the user terminal generates a key according to the target encryption protocol, encrypts the key with the public key in the CA certificate to generate a key packet, and sends the key packet to the HTTP AUSF network element through the base station; the HTTP AUSF network element decrypts the key packet with its pre-stored private key to obtain the key, and sends the key to the MME network element. The public key corresponds to the private key.

Description

IMSI encryption method, core network and user terminal
Technical Field
The present invention relates to the field of communications, and in particular, to an encryption method for an International Mobile Subscriber Identity (IMSI), a core network, and a user terminal.
Background
The IMSI (International Mobile Subscriber Identity) is the unique identifier of a subscriber and plays an important role in a communication network. When IMSI information is transmitted over the air interface, it may leak the user's private information and damage the operator's reputation. At present, both the attach message and the user identification message exchanged before authentication in the current network may carry the user's IMSI information; because the IMSI information in these messages has to be identified before authentication, the messages are not encrypted, i.e. they are transmitted in cleartext over the air interface. To solve this problem, in the prior art a base station generally negotiates a key and then encrypts the user's NAS layer messages. However, if the key negotiation is performed over the air interface, there is a risk of key leakage, and the IMSI information is still leaked. If the key is built into the Subscriber Identity Module (SIM) card, replacing the card becomes more complex; moreover, the base station is a transmitting and receiving device for wireless signals and is not suitable as a network element for authentication and encryption.
Disclosure of Invention
Embodiments of the present invention provide an IMSI encryption method, a core network, and a user terminal, which can prevent a user's IMSI from being leaked during network access without increasing the base station load.
To achieve the above purpose, the embodiments of the invention adopt the following technical solutions:
In a first aspect, a method for encrypting an IMSI is provided, including:
the user terminal sends its own encryption protocol list, and the version information corresponding to each encryption protocol in the list, to an HTTP AUSF (Hypertext Transfer Protocol Authentication System Function) network element through a base station;
the HTTP AUSF network element selects a target encryption protocol from the encryption protocol list according to the version information, and sends the target encryption protocol and a CA (Certificate Authority) certificate carrying a public key to the user terminal through the base station;
the user terminal generates a key according to the target encryption protocol, encrypts the key with the public key in the CA certificate to generate a key packet, and sends the key packet to the HTTP AUSF network element through the base station;
the HTTP AUSF network element decrypts the key packet with its pre-stored private key to obtain the key, and sends the key to an MME (Mobility Management Entity) network element; the public key corresponds to the private key.
Optionally, before the user terminal generates the key according to the target encryption protocol, the method includes:
the user terminal uses a pre-stored root certificate to judge whether the CA certificate is valid;
when the user terminal determines that the CA certificate is invalid, the user terminal again sends its own encryption protocol list, and the version information corresponding to each encryption protocol in the list, to the HTTP AUSF network element through the base station;
and when the user terminal determines that the CA certificate is valid, it generates a key according to the target encryption protocol.
Optionally, after the HTTP AUSF network element sends the key to the MME network element, the method further includes:
the MME network element generates a confirmation message and sends the confirmation message to the user terminal through the HTTP AUSF network element and the base station.
Optionally, the sending, by the user terminal, of its own encryption protocol list and the version information corresponding to each encryption protocol in the list to the HTTP AUSF network element through the base station includes:
the user terminal sends a Secure Sockets Layer (SSL) connection request to the base station at the Radio Resource Control (RRC) layer; the SSL connection request comprises the encryption protocol list of the user terminal and the version information corresponding to each encryption protocol in the list;
and the base station sends the encryption protocol list in the SSL connection request, and the version information corresponding to each encryption protocol in the list, to the HTTP AUSF network element.
Optionally, any message sent by the base station carries temporary user identification information set by the base station;
the messages comprise: the encryption protocol list, the version information corresponding to the encryption protocols in the encryption protocol list, the target encryption protocol, the certificate authority (CA) certificate carrying the public key, and the key packet.
In a second aspect, a Hypertext Transfer Protocol Authentication System Function (HTTP AUSF) network element is provided, including: a receiving module, a processing module, a sending module and a storage module;
the receiving module is used for receiving an encryption protocol list sent by a user terminal through a base station and version information corresponding to an encryption protocol in the encryption protocol list;
the processing module is used for selecting a target encryption protocol from the encryption protocol list according to the version information received by the receiving module;
the sending module is used for sending the target encryption protocol selected by the processing module, and the CA certificate carrying the public key and stored by the storage module, to the user terminal through the base station, so that the user terminal generates a key according to the target encryption protocol and encrypts the key with the public key in the CA certificate to generate a key packet;
the processing module is also used for decrypting the key packet with the private key stored by the storage module to obtain the key when the receiving module receives the key packet sent by the user terminal; the public key corresponds to the private key;
the sending module is further configured to send the key obtained by the processing module to the MME network element.
In a third aspect, a Mobility Management Entity (MME) network element is provided, including: a receiving module, a processing module and a sending module;
the receiving module is used for receiving the key sent by the HTTP AUSF network element;
the processing module is used for generating a confirmation message when the receiving module receives the key;
and the sending module is used for sending the confirmation message generated by the processing module to the user terminal through the HTTP AUSF network element and the base station.
In a fourth aspect, a user terminal is provided, which includes: a sending module, a receiving module, a storage module and an encryption module;
the sending module is used for sending the encryption protocol list stored by the storage module, and the version information corresponding to each encryption protocol in the list, to the HTTP AUSF network element through the base station;
the receiving module is used for receiving the target encryption protocol and the CA (certificate authority) certificate carrying a public key, which are sent by the HTTP AUSF network element;
the encryption module is used for generating a key according to the target encryption protocol received by the receiving module;
the encryption module is also used for encrypting the key with the public key in the CA certificate received by the receiving module to generate a key packet;
and the sending module is used for sending the key packet generated by the encryption module to the HTTP AUSF network element through the base station.
Optionally, the user terminal further includes a judging module;
the judging module is used for judging, according to the root certificate stored by the storage module, whether the CA certificate received by the receiving module is valid, before the encryption module generates the key according to the target encryption protocol received by the receiving module;
when the judging module judges that the CA certificate is invalid, the sending module is used for sending the encryption protocol list stored by the storage module, and the version information corresponding to each encryption protocol in the list, to the HTTP AUSF network element through the base station;
and when the judging module judges that the CA certificate is valid, the encryption module is used for generating a key according to the target encryption protocol received by the receiving module.
Optionally, the receiving module is further configured to receive a confirmation message sent by the MME network element.
Optionally, the sending module is specifically configured to: send, at the Radio Resource Control (RRC) layer, a Secure Sockets Layer (SSL) connection request containing the encryption protocol list and the version information corresponding to each encryption protocol in the list to the base station, so that the base station sends the encryption protocol list and the version information to the HTTP AUSF network element.
In a fifth aspect, a core network is provided, which includes the HTTP AUSF network element provided in the second aspect and the MME network element provided in the third aspect.
The embodiments of the invention provide an IMSI encryption method, a core network and a user terminal, wherein the method comprises the following steps: the user terminal sends its own encryption protocol list, and the version information corresponding to each encryption protocol in the list, to the HTTP AUSF network element through the base station; the HTTP AUSF network element selects a target encryption protocol from the encryption protocol list according to the version information, and sends the target encryption protocol and a certificate authority (CA) certificate carrying a public key to the user terminal through the base station; the user terminal generates a key according to the target encryption protocol, encrypts the key with the public key in the CA certificate to generate a key packet, and sends the key packet to the HTTP AUSF network element through the base station; the HTTP AUSF network element decrypts the key packet with its pre-stored private key to obtain the key, and sends the key to the MME network element; the public key corresponds to the private key.
The technical solution provided by the embodiments of the invention adds an HTTP AUSF network element to the core network structure, and the certified public key and private key are pre-stored in the HTTP AUSF network element. Before the user terminal authenticates for network access, the HTTP AUSF network element uses asymmetric encryption to deliver the key generated by the user terminal to the MME network element, so that the key used in the subsequent information interaction between the user terminal and the core network through the base station is kept secret. The signaling containing IMSI information that the user terminal exchanges with the core network can then be encrypted with the key agreed between the user terminal and the core network, which avoids the IMSI leakage that occurs during authentication between the user terminal and the core network in the prior art. Furthermore, because the existing base station is not changed in this technical solution, the operating burden of the base station does not increase.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic flow chart of an IMSI encryption method according to an embodiment of the present invention;
Fig. 2 is a schematic flow chart of another IMSI encryption method according to an embodiment of the present invention;
Fig. 3 is a network signaling interaction diagram of an IMSI encryption method according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of a core network structure according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an HTTP AUSF network element according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of an MME network element structure according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a user terminal according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that, in the embodiments of the present invention, words such as "exemplary" or "for example" are used to indicate examples, illustrations or explanations. Any embodiment or design described as "exemplary" or "e.g.," an embodiment of the present invention is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word "exemplary" or "such as" is intended to present concepts related in a concrete fashion.
It should be noted that, in the embodiments of the present invention, "of", "corresponding" and "corresponding" may sometimes be used interchangeably; where the difference is not emphasized, the intended meaning is the same.
The existing IMSI encryption method can increase the load on the base station and does not meet the planning requirements of operators.
In view of the above problem, referring to fig. 1, an embodiment of the present invention provides an IMSI encryption method, including:
101. The user terminal sends its own encryption protocol list, and the version information corresponding to each encryption protocol in the list, to the HTTP AUSF network element through the base station.
102. The HTTP AUSF network element selects a target encryption protocol from the encryption protocol list according to the version information and sends the target encryption protocol and the CA certificate carrying the public key to the user terminal through the base station.
103. The user terminal generates a key according to the target encryption protocol.
104. The user terminal encrypts the key with the public key in the CA certificate to generate a key packet and sends the key packet to the HTTP AUSF network element through the base station.
105. The HTTP AUSF network element decrypts the key packet with its pre-stored private key to obtain the key, and sends the key to the MME network element.
Specifically, the public key and the private key are a pair of asymmetric keys obtained when the HTTP AUSF network element is certified by the certificate authority (CA). Information encrypted with the public key can only be decrypted with the private key, so no information is leaked even if the key packet is intercepted.
It should be noted that, when the base station forwards information sent by a user terminal, it needs to determine which user terminal the information belongs to. The base station therefore adds temporary user identification information to all information corresponding to the same user terminal, to distinguish information belonging to different user terminals. Optionally, any message sent by the base station carries temporary user identification information set by the base station; the messages comprise: the encryption protocol list, the version information corresponding to the encryption protocols in the encryption protocol list, the target encryption protocol, the certificate authority (CA) certificate carrying the public key, and the key packet.
Referring to fig. 2, an embodiment of the present invention further provides another IMSI encryption method as a further supplementary description to the IMSI encryption method provided in the above embodiment, where the method includes:
201. The user terminal sends a Secure Sockets Layer (SSL) connection request to the base station at the Radio Resource Control (RRC) layer.
The SSL connection request comprises the encryption protocol list of the user terminal and the version information corresponding to each encryption protocol in the list.
202. The base station sends the encryption protocol list in the SSL connection request, and the version information corresponding to each encryption protocol in the list, to the HTTP AUSF network element.
203. The HTTP AUSF network element selects a target encryption protocol from the encryption protocol list according to the version information, and sends the target encryption protocol and the CA certificate carrying the public key to the user terminal through the base station.
204. The user terminal uses the pre-stored root certificate to judge whether the CA certificate is valid.
When the user terminal determines that the CA certificate is valid, step 205 is executed; when the user terminal determines that the CA certificate is invalid, step 201 is executed again.
This is because an invalid CA certificate indicates that a problem may have occurred while the HTTP AUSF network element was sending the CA certificate; the encryption protocol list and the version information corresponding to each encryption protocol in the list then need to be sent to the HTTP AUSF network element again, so that it sends the target encryption protocol and the CA certificate to the user terminal again. Of course, it cannot be ruled out that the base station through which the user terminal connects to the core network is a pseudo base station; in that case repeating steps 201 to 204 has no effect, and the only remedy is to change the position of the user terminal so that it connects to a legitimate base station.
205. The user terminal generates a key according to the target encryption protocol.
206. The user terminal encrypts the key with the public key in the CA certificate to generate a key packet and sends the key packet to the HTTP AUSF network element through the base station.
207. The HTTP AUSF network element decrypts the key packet with its pre-stored private key to obtain the key, and sends the key to the MME network element.
The public key and the private key correspond to each other and are a pair of asymmetric keys.
208. The MME network element generates a confirmation message and sends the confirmation message to the user terminal through the HTTP AUSF network element and the base station.
Specifically, the authentication process may be started after the user terminal receives the confirmation message.
After a shared symmetric key (in the embodiment) has been negotiated between the MME and the UE, the IMSI information in any signaling that the UE exchanges with the core network is not revealed.
Referring to fig. 3, in an actual signaling transmission process of a UE (User Equipment), a base station eNB, an MME network element, and an HTTP AUSF network element, the IMSI security method provided in the above embodiment includes:
1. The UE downloads the root certificate from an officially provided address; the officially provided address here refers to a network address.
2. An RRC layer connection is established between the UE and the eNB.
3. The UE initiates an SSL (Secure Sockets Layer) connection request on the established RRC (Radio Resource Control) layer, wherein the SSL request carries the encryption protocols supported by the UE (specifically, a list formed by a plurality of encryption protocols) and the version information corresponding to each encryption protocol; the eNB transparently transmits the received message and the temporary user identification information to the HTTP AUSF network element through S1-AUSF.
Here S1-AUSF refers to the interface connection between the eNB and the HTTP AUSF network element.
4. The HTTP AUSF network element selects a suitable encryption protocol from the encryption protocols sent, and sends that encryption protocol, together with the authenticated CA certificate of the HTTP AUSF carrying the public key, to the UE through the base station.
5. The UE verifies the validity of the CA certificate sent by the HTTP AUSF by using its own root certificate. If the certificate is valid, the next step is performed.
6. The UE generates a symmetric key, encrypts the symmetric key with the public key, and then sends the encrypted symmetric key to the HTTP AUSF network element.
7. The HTTP AUSF network element decrypts with the private key to obtain the symmetric key, and sends the symmetric key to the MME network element through the S2 interface.
8. The MME network element sends a confirmation message that the key has been acquired to the UE through the HTTP AUSF network element and the base station.
9. The UE and the MME network element use the symmetric key to encrypt the attach procedure and the subsequent acquisition and transmission of the user identification information, so that the IMSI information is not leaked; the normal information interaction between the UE and the MME network element does not pass through the HTTP AUSF network element.
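Steps 3 to 8 of the exchange above as a runnable sketch, added here as an illustration and not taken from the patent. The protocol names `PROTO-A`/`PROTO-B`, their key lengths, and the AUSF's preference-order-with-version-floor selection rule are assumptions; unpadded textbook RSA over constructed Mersenne-prime keys stands in for the certificate signature and the public-key encryption, where a real deployment would use a vetted library with padded RSA.

```python
import hashlib
import secrets
from dataclasses import dataclass

E = 65537
# Hypothetical protocol names; the key length tied to each is an assumption.
KEY_BYTES = {"PROTO-A": 16, "PROTO-B": 32}

def keypair(p, q):
    """Textbook RSA (n, d). Demo only: unpadded, and the primes are public."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

@dataclass(frozen=True)
class Certificate:
    subject: str
    public_n: int
    signature: int = 0

    def tbs(self):
        # The bytes the CA signs: subject name bound to the public key.
        return f"{self.subject}|{self.public_n}".encode()

def issue(subject, public_n, ca_n, ca_d):
    tbs = Certificate(subject, public_n).tbs()
    return Certificate(subject, public_n, pow(_digest(tbs, ca_n), ca_d, ca_n))

def cert_is_valid(cert, root_n):
    return pow(cert.signature, E, root_n) == _digest(cert.tbs(), root_n)

class HttpAusf:
    def __init__(self, cert, private_d, policy):
        self.cert, self._d, self.policy = cert, private_d, policy

    def select(self, offered):
        """Step 4: first protocol in AUSF preference order whose offered
        version meets the AUSF's floor (assumed selection rule)."""
        versions = dict(offered)
        for name, floor in self.policy:
            if name in versions and versions[name] >= floor:
                return name, self.cert
        raise ValueError("no offered protocol meets the version floor")

    def unwrap(self, packet, target):
        """Step 7: recover the symmetric key with the prestored private key."""
        key_int = pow(packet, self._d, self.cert.public_n)
        return key_int.to_bytes(KEY_BYTES[target], "big")

class Mme:
    def __init__(self):
        self.key = None

    def receive_key(self, key):
        """Steps 7-8: store the key delivered over S2 and confirm."""
        self.key = key
        return "key-confirmed"

class UserTerminal:
    def __init__(self, root_n, offered):
        self.root_n, self.offered, self.key = root_n, offered, None

    def key_packet(self, target, cert):
        """Steps 5-6: no key is generated unless the certificate verifies
        under the UE's root certificate."""
        if not cert_is_valid(cert, self.root_n):
            return None
        self.key = secrets.token_bytes(KEY_BYTES[target])
        return pow(int.from_bytes(self.key, "big"), E, cert.public_n)

def negotiate(ue, ausf, mme):
    target, cert = ausf.select(ue.offered)            # steps 3-4
    packet = ue.key_packet(target, cert)              # steps 5-6
    if packet is None:
        return "retry", target                        # UE re-sends its list
    return mme.receive_key(ausf.unwrap(packet, target)), target

# Constructed demo keys built from Mersenne primes (never use in practice).
ROOT_N, ROOT_D = keypair(2**1279 - 1, 2**2203 - 1)
AUSF_N, AUSF_D = keypair(2**521 - 1, 2**607 - 1)
ROGUE_N, ROGUE_D = keypair(2**89 - 1, 2**127 - 1)
POLICY = [("PROTO-B", (1, 1)), ("PROTO-A", (1, 0))]   # AUSF preference, floors
OFFER = [("PROTO-A", (1, 0)), ("PROTO-B", (1, 0))]    # UE list with versions

if __name__ == "__main__":
    genuine = HttpAusf(issue("http-ausf", AUSF_N, ROOT_N, ROOT_D), AUSF_D, POLICY)
    rogue = HttpAusf(issue("http-ausf", ROGUE_N, ROGUE_N, ROGUE_D), ROGUE_D, POLICY)
    for label, ausf in (("genuine", genuine), ("rogue", rogue)):
        ue, mme = UserTerminal(ROOT_N, OFFER), Mme()
        print(label, negotiate(ue, ausf, mme), "key at MME:", mme.key is not None)
```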
Referring to fig. 4, an embodiment of the present invention further provides a core network 01, including an HTTP AUSF network element 41 and an MME network element 42;
the HTTP AUSF network element 41 is connected to the base station 03 through an S1-AUSF interface, the HTTP AUSF network element 41 is connected to the MME network element 42 through an S2 interface, the base station 03 is connected to the MME network element 42 through an S1-MME interface, and the user terminal 02 is connected to the base station 03 through a UU interface.
Referring to fig. 5, an HTTP AUSF network element 41 in a core network according to an embodiment of the present invention includes: a receiving module 411, a processing module 412, a sending module 413 and a storage module 414;
a receiving module 411, configured to receive the encryption protocol list sent by the user terminal 02 via the base station 03 and version information corresponding to the encryption protocols in the encryption protocol list;
a processing module 412, configured to select a target encryption protocol from the encryption protocol list according to the version information received by the receiving module 411;
a sending module 413, configured to send the target encryption protocol selected by the processing module 412 and the CA certificate carrying the public key and stored by the storage module 414 to the user terminal 02 via the base station 03, so that the user terminal 02 generates a key according to the target encryption protocol and encrypts the key with the public key in the CA certificate to generate a key packet;
the processing module 412 is further configured to, when the receiving module 411 receives the key packet sent by the user terminal 02, decrypt the key packet according to the private key stored in the storage module 414 to obtain the key; the public key corresponds to the private key;
the sending module 413 is further configured to send the key obtained by the processing module 412 to the MME network element 42.
Referring to fig. 6, an MME network element 42 in a core network according to an embodiment of the present invention includes: a receiving module 421, a processing module 422, and a transmitting module 423;
a receiving module 421, configured to receive the key sent by the HTTP AUSF network element 41;
a processing module 422, configured to generate a confirmation message when the receiving module 421 receives the key;
a sending module 423, configured to send the confirmation message generated by the processing module 422 to the user terminal 02 via the HTTP AUSF network element 41 and the base station 03.
Referring to fig. 7, an embodiment of the present invention further provides a user terminal 02, including: a sending module 021, a receiving module 022, a storage module 023 and an encryption module 024;
a sending module 021, configured to send the encryption protocol list stored by the storage module 023 and version information corresponding to the encryption protocols in the encryption protocol list to the HTTP AUSF network element 41 via the base station 03;
a receiving module 022, configured to receive a target encryption protocol and a CA certificate carrying a public key sent by the HTTP AUSF network element 41;
an encryption module 024, configured to generate a key according to the target encryption protocol received by the receiving module 022;
the encryption module 024 is further configured to encrypt the key using the public key in the CA certificate received by the receiving module 022 to generate a key packet;
the sending module 021 is further configured to send the key packet generated by the encryption module 024 to the HTTP AUSF network element 41 via the base station 03.
Optionally, referring to fig. 7, the user terminal 02 further includes a judging module 025;
a judging module 025, configured to judge whether the CA certificate received by the receiving module 022 is valid according to the root certificate stored by the storage module 023 before the encryption module 024 generates the key according to the target encryption protocol received by the receiving module 022;
when the judging module 025 judges that the CA certificate is invalid, the sending module 021 is configured to send the encryption protocol list stored by the storage module 023 and the version information corresponding to the encryption protocols in the encryption protocol list to the HTTP AUSF network element 41 through the base station 03 again;
when the judging module 025 judges that the CA certificate is valid, the encryption module 024 is configured to generate a key according to the target encryption protocol received by the receiving module 022.
Optionally, the receiving module 022 is further configured to receive an acknowledgement message sent by the MME network element 42.
Optionally, the sending module 021 is specifically configured to: send a Secure Sockets Layer (SSL) connection request containing the encryption protocol list and the version information corresponding to the encryption protocols in the encryption protocol list to the base station 03 at the Radio Resource Control (RRC) layer, so that the base station 03 sends the encryption protocol list and the version information corresponding to the encryption protocols in the encryption protocol list to the HTTP AUSF network element 41.
To sum up, in the IMSI encryption method, the core network, and the user terminal provided in the embodiments of the present invention, the scheme adds to the core network an HTTP AUSF network element dedicated to negotiating a key between the user terminal and the MME network element. The negotiation proceeds as follows: the user terminal sends its own encryption protocol list, together with the version information corresponding to each encryption protocol in the list, to the HTTP AUSF network element through the base station; the HTTP AUSF network element selects a target encryption protocol from the encryption protocol list according to the version information, and sends the target encryption protocol and a certificate authority (CA) certificate carrying a public key to the user terminal through the base station; the user terminal generates a key according to the target encryption protocol, encrypts the key with the public key in the CA certificate to generate a key packet, and sends the key packet to the HTTP AUSF network element through the base station; the HTTP AUSF network element decrypts the key packet with its prestored private key to obtain the key, and sends the key to the MME network element; the public key corresponds to the private key.
Because the technical scheme provided by the embodiment of the invention adds the HTTP AUSF network element to the core network structure, and the authenticated public key and private key are prestored in the HTTP AUSF network element, the key generated by the user terminal is delivered to the MME network element through the HTTP AUSF network element by means of asymmetric encryption before the user terminal accesses the network for authentication. The key used in the subsequent information interaction between the user terminal and the core network through the base station is therefore kept fully confidential, and the signaling that contains the IMSI information in that interaction can be encrypted with the key agreed between the user terminal and the core network, which avoids the IMSI leakage that occurs during authentication between the user terminal and the core network in the prior art. Furthermore, because the existing base station is not changed in the technical scheme, the operating burden of the base station is not increased.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units or modules is only one logical division, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
It is obvious to those skilled in the art that, for convenience and simplicity of description, the foregoing division of the functional modules is merely used as an example, and in practical applications, the above function distribution may be performed by different functional modules according to needs, that is, the internal structure of the device is divided into different functional modules to perform all or part of the above described functions. For the specific working process of the device described above, reference may be made to the corresponding process in the foregoing method embodiment, which is not described herein again.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (11)

1. An encryption method for International Mobile Subscriber Identity (IMSI), comprising:
the user terminal sends an own encryption protocol list and version information corresponding to an encryption protocol in the encryption protocol list to a hypertext transfer protocol authentication system (HTTP AUSF) network element through a base station;
the HTTP AUSF network element selects a target encryption protocol from the encryption protocol list according to the version information, and sends the target encryption protocol and a digital certificate authentication Center (CA) certificate carrying a public key to the user terminal through the base station;
the user terminal generates a key according to the target encryption protocol, encrypts the key by using a public key in the CA certificate to generate a key packet, and sends the key packet to the HTTP AUSF network element through the base station;
the HTTP AUSF network element decrypts the key packet by using a private key prestored by the HTTP AUSF network element to obtain the key, and sends the key to a Mobility Management Entity (MME) network element;
the public key corresponds to the private key;
the MME network element generates a confirmation message and sends the confirmation message to the user terminal through the HTTP AUSF network element and the base station;
and transmitting a signaling encrypted by the key between the user terminal and the MME network element, wherein the signaling comprises IMSI.
2. The method of claim 1, wherein the step of the user terminal generating the key according to the target encryption protocol comprises:
the user terminal judges whether the CA certificate is valid by using a prestored root certificate;
when the user terminal determines that the CA certificate is invalid, the user terminal sends an encryption protocol list of the user terminal and version information corresponding to an encryption protocol in the encryption protocol list to a hypertext transfer protocol authentication system (HTTP AUSF) network element through a base station;
and when the user terminal determines that the CA certificate is valid, generating a key according to the target encryption protocol.
3. The IMSI encryption method according to claim 1, wherein the user terminal sending its own encryption protocol list and version information corresponding to the encryption protocols in the encryption protocol list to the HTTP AUSF network element via the base station comprises:
the user terminal sends a Secure Sockets Layer (SSL) connection request to the base station on a Radio Resource Control (RRC) layer; the SSL connection request comprises an encryption protocol list of the user terminal and version information corresponding to an encryption protocol in the encryption protocol list;
and the base station sends the encryption protocol list in the SSL connection request and version information corresponding to the encryption protocol in the encryption protocol list to the HTTP AUSF network element.
4. An IMSI encryption method according to claim 1, characterized in that any message sent via the base station carries temporary user identification information set by the base station;
the message comprises: the encryption protocol list and version information corresponding to the encryption protocols in the encryption protocol list, the target encryption protocol, a CA (certificate authority) certificate carrying a public key and the key packet.
5. A hypertext transfer protocol authentication system function HTTP AUSF network element, comprising: the device comprises a receiving module, a processing module, a sending module and a storage module;
the receiving module is used for receiving an encryption protocol list sent by a user terminal through a base station and version information corresponding to an encryption protocol in the encryption protocol list;
the processing module is used for selecting a target encryption protocol from the encryption protocol list according to the version information received by the receiving module;
the sending module is configured to send the target encryption protocol selected by the processing module and the CA certificate carrying the public key and stored by the storage module to the user terminal through the base station, so that the user terminal generates a secret key according to the target encryption protocol and encrypts the secret key by using the public key in the CA certificate to generate a secret key packet;
the processing module is further configured to decrypt the key package according to the private key stored in the storage module to obtain the key when the receiving module receives the key package sent by the user terminal; the public key corresponds to the private key;
the sending module is further configured to send the key obtained by the processing module to an MME network element, and transmit a signaling encrypted by the key between the MME network element and the user terminal, where the signaling includes an IMSI.
6. A mobility management entity, MME, network element, comprising: the device comprises a receiving module, a processing module and a sending module;
the receiving module is used for receiving a key sent by the HTTP AUSF network element;
the processing module is used for generating a confirmation message when the receiving module receives the key;
the sending module is configured to send the confirmation message generated by the processing module to the user terminal through the HTTP AUSF network element and the base station;
the sending module is further configured to send the signaling after the key encryption to the user terminal, where the signaling includes an IMSI.
7. A user terminal, applied to the encryption of a user's IMSI information, characterized by comprising: a sending module, a receiving module, a storage module and an encryption module;
the sending module is used for sending the encryption protocol list stored by the storage module and the version information corresponding to the encryption protocols in the encryption protocol list to the HTTP AUSF network element through the base station;
the receiving module is used for receiving a target encryption protocol and a CA (certificate authority) certificate carrying a public key, which are sent by the HTTP AUSF network element;
the encryption module is used for generating a key according to the target encryption protocol received by the receiving module;
the encryption module is further used for encrypting the key by using a public key in the CA certificate received by the receiving module to generate a key packet;
the sending module is configured to send the key packet generated by the encryption module to the HTTP AUSF network element through a base station;
the sending module is further configured to send the signaling after the key encryption to an MME network element, where the signaling includes an IMSI.
8. The user terminal according to claim 7, further comprising a determining module;
the judging module is used for judging whether the CA certificate received by the receiving module is valid according to the root certificate stored by the storage module before the encryption module generates the key according to the target encryption protocol received by the receiving module;
when the judging module judges that the CA certificate is invalid, the sending module is used for sending the encryption protocol list stored by the storage module and the version information corresponding to the encryption protocols in the encryption protocol list to the HTTP AUSF network element through the base station again;
and when the judging module judges that the CA certificate is valid, the encryption module is used for generating a key according to the target encryption protocol received by the receiving module.
9. The user terminal of claim 7, wherein the receiving module is further configured to receive an acknowledgement message sent by an MME network element.
10. The user terminal of claim 7, wherein the sending module is specifically configured to:
send a Secure Sockets Layer (SSL) connection request containing the encryption protocol list and the version information corresponding to the encryption protocols in the encryption protocol list to a base station at the Radio Resource Control (RRC) layer, so that the base station sends the encryption protocol list and the version information corresponding to the encryption protocols in the encryption protocol list to an HTTP AUSF network element.
11. A core network comprising the HTTP AUSF network element of claim 5 and the MME network element of claim 6.
CN201810786676.6A 2018-07-17 2018-07-17 IMSI encryption method, core network and user terminal Active CN108882233B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810786676.6A CN108882233B (en) 2018-07-17 2018-07-17 IMSI encryption method, core network and user terminal

Publications (2)

Publication Number Publication Date
CN108882233A CN108882233A (en) 2018-11-23
CN108882233B true CN108882233B (en) 2021-05-25

Family

ID=64302717

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810786676.6A Active CN108882233B (en) 2018-07-17 2018-07-17 IMSI encryption method, core network and user terminal

Country Status (1)

Country Link
CN (1) CN108882233B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant