CN108901018B - Method for hiding user identity of mobile communication system initiated by terminal - Google Patents


Info

Publication number
CN108901018B
Authority
CN
China
Prior art keywords
supi
imsi
user
terminal
mobile communication
Prior art date
Legal status
Active
Application number
CN201810839413.7A
Other languages
Chinese (zh)
Other versions
CN108901018A (en)
Inventor
田永春
王俊
吴坤
曾浩洋
Current Assignee
CETC 30 Research Institute
Chengdu Westone Information Industry Inc
Original Assignee
CETC 30 Research Institute
Chengdu Westone Information Industry Inc


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W12/06 Authentication
    • H04W60/00 Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration
    • H04W8/00 Network data management
    • H04W8/26 Network addressing or numbering for mobility support

Abstract

The invention discloses a terminal-initiated method for hiding the user identity in a mobile communication system. The terminal dynamically generates a new, legitimate IMSI or SUPI and uses it to update the network, resynchronize with it and resolve collisions, so that the identity the user presents during communication changes over time and the user's identity is decoupled from the communication identity. The invention only requires customizing the terminal's USIM/eSIM card or the customizable firmware part of its communication processor, plus slight modifications to the HSS or AUSF/UDM/UDR at the back end. A user or special industry with high security requirements can thus make the correspondence between a given user and the IMSI or SUPI change randomly without altering the mobile communication standard architecture or the standard protocol flows, which increases the difficulty for an attacker who captures the IMSI or SUPI to track the user or infer the user's real-world identity.

Description

Method for hiding user identity of mobile communication system initiated by terminal
Technical Field
The invention relates to a terminal-initiated method for hiding the user identity in a mobile communication system.
Background
The first-phase standards of the 5G mobile communication system have now been settled. As a complex ecosystem, however, a 5G network has many kinds of participants, such as infrastructure providers, mobile network operators and virtual operators, and user data is stored, transmitted and processed in a complex network in which multiple access technologies, multiple devices and multiple participants interact, so it faces a great many privacy leakage risks.
A great deal of virtualization technology is introduced into the 5G network and a wide range of vertical industry applications are supported; this brings flexibility, but it also blurs the network security boundary, and where computing resources are shared by multiple tenants the private data of a user is more easily attacked and leaked. Compared with traditional networks, a privacy breach arising from this situation has a wider scope of influence and greater danger. Privacy protection for 5G networks is therefore a harder challenge. Some privacy problems, such as leakage of the International Mobile Subscriber Identity (IMSI) and leakage of location information, already exist in 4G networks and still need to be solved. Leakage of the permanent identifier leads directly to leakage of the user's identity information.
In 4G and 5G networks the user is uniquely identified mainly by a globally unique IMSI or Subscription Permanent Identifier (SUPI), which is in turn associated with private information such as the user's identity, location and phone number. Increasingly widespread mobile payment services also extract the user's IMSI/SUPI as one of the bases for establishing the user's identity. Protecting the user's IMSI/SUPI is therefore an important part of protecting the user's private information.
In a 4G network the IMSI is transmitted in clear text during the first authentication, so there is a risk of leakage; in 5G the SUPI is encrypted into a Subscription Concealed Identifier (SUCI) to avoid sending the SUPI over the air in plaintext. However, international standards stipulate that a mobile communication network must meet national security requirements, and although 5G encrypts the user's SUPI, the serving network must still be able to identify the true identity of the user so that a specific national security policy can be applied. That is, the serving network in which the user is roaming still obtains the user's true IMSI or SUPI from the home network and records it, and, following the 5G standard flow, compares it with the SUPI provided by the terminal. An attacker can therefore obtain the user's IMSI or SUPI by attacking the serving network, by masquerading as a legitimate serving network, or through other channels, and from it obtain further private information such as the GUTI (Globally Unique Temporary Identifier, colloquially the temporary identity) and the security context (including the various keys), which prepares the ground for further attacks.
With the development of the mobile internet and the internet of things, mobile communication networks penetrate ever deeper into society. Mobile communication systems are no longer intended only for general public users; they must also serve special-industry users and services with high security requirements. These users are information-sensitive, leakage can cause serious consequences or economic losses, and they are the main target of attackers, organized attackers in particular. Mobile communication networks are primarily oriented to public users, so the security measures they provide are hard put to meet the requirements of high-security users and cannot withstand organized attacks or APT attacks. As mobile communication networks move from closed to open, particularly now that 5G has adopted a service-based architecture (SBA), network virtualization and network capability exposure, the network attack surface has expanded and more threats and attacks are received, so hiding user identities, especially high-security user identities, is very important.
There is therefore an urgent need for a network-level privacy protection solution that provides a way of hiding identities such as the IMSI or SUPI of important users while conforming to the international standards of the mobile communication system.
Disclosure of Invention
To overcome the defects of the prior art, the invention provides a terminal-initiated method for hiding the user identity in a mobile communication system. The terminal (UE) initiates the hiding of the user's IMSI or SUPI identity information and, while complying with the relevant 4G/5G standards and flows, achieves the hiding and updating of the user identity with only minor changes and customization. This increases the difficulty for an attacker to track the user identity through the IMSI or SUPI and meets the user privacy protection requirements of high-security special industries.
The technical scheme adopted by the invention to solve this problem is as follows. A terminal-initiated method for hiding the user identity in a mobile communication system comprises the following:
first, the terminal generates a new IMSI or SUPI:
step S101, a specific industry applies to an operator for available IMSI or SUPI number resources and hands them to a customization service, where the number of available numbers is more than twice the number of users;
step S102, the customization service segments the available number resources, the number of numbers in each segment being greater than or equal to the number of users;
step S103, a special user applies for the identity hiding service to the specific industry it belongs to; after the industry approves the application it is passed to the customization service, which allocates an initial IMSI or SUPI to the user from number segment 1, determines the user's hopping algorithm and hopping control parameters, and determines the hopping trigger condition;
step S104, the customization service writes the initial IMSI or SUPI into the user's USIM card or eSIM, writes the trigger condition and the hopping control parameters into the UE, and at the same time writes the hopping algorithm and the number segment information into a customizable component of the user terminal;
step S105, the UE performs initial attachment and registration with the initial IMSI or SUPI; if registration fails, the UE restarts the initial attach process; if registration succeeds, normal communication begins until a trigger condition arrives;
step S106, when the trigger condition is reached, the UE detaches, logging the current user off the mobile network with the standard flow and protocol;
second, the terminal uses the new IMSI or SUPI to update the network, resynchronize with it and resolve collisions:
step S201, the terminal initiates a detach process, cancelling the old IMSI or SUPI; the message reaches, via the standard protocol, the HSS or UDM/UDR that provides the customization service for the specific industry, which on receiving it marks the user's state as offline and keeps storing the user's IMSI or SUPI in the offline state until it is replaced by the newly generated IMSI or SUPI;
step S202, the terminal obtains the new IMSI or SUPI and initiates a registration process to the network according to the standard flow;
step S203, the AMF/MME forwards the attach message, according to the received IMSI or SUCI and related indicators, to the HSS or AUSF/UDM/UDR that provides the customization service for the specific industry;
step S204, the HSS or UDM/UDR performs a collision check on the IMSI or SUCI in the received attach message: if a collision occurs, the HSS or UDM/UDR notifies the terminal that registration has failed, the terminal generates a new IMSI or SUPI in the hop number segment with a new hopping parameter, and the procedure returns to step S202; if no collision occurs, the HSS or UDM/UDR matches the newly generated IMSI or SUPI against the IMSI or SUPI in the received registration message; if the match succeeds, it sets the state of the user corresponding to that IMSI or SUPI to online, returns an authentication vector according to the protocol standard and continues the subsequent standard flow; if the match fails, the procedure returns to step S202.
Compared with the prior art, the invention has the following positive effects:
By adopting the terminal-initiated IMSI or SUPI hiding method for a mobile communication system, the invention only needs to customize the terminal's USIM/eSIM card or the software of the customizable firmware part in the Communication Processor (CP), and to slightly modify the back-end HSS or AUSF/UDM/UDR that serves the specific industry. A user or special industry with high security requirements can thus make the correspondence between a given user and the IMSI or SUPI change randomly without altering the standard architecture and standard protocol flows of mobile communication, which increases the difficulty for an attacker to track the user or infer the user's real-world identity by capturing the IMSI or SUPI. The method has a wide range of application: it suits not only 5G networks but also 4G networks and future mobile communication systems that use an IMSI or SUPI as the permanent identity. It can meet the privacy protection needs of users in special industries, of large enterprises and public institutions in key national industries, and of high-value user groups when they use the public infrastructure of the mobile communication system to run high-security applications, so that the mobile communication system can better serve every sector of society.
Drawings
The invention will now be described, by way of example, with reference to the accompanying drawings, in which:
fig. 1 is a schematic diagram of a terminal-initiated user identity hiding process.
Detailed Description
To address the difficulty, in the prior art, of hiding the UE's true IMSI or SUPI from a serving network, the invention provides a terminal-initiated method for hiding the IMSI or SUPI in a mobile communication system, based on the following premises. The users that need identity hiding (special users for short) belong to the same industry, organization or group; they may be a specific user group (specific industry for short) set up by a specific industry, party and government departments, a large enterprise or an operator for users that need special security services; they share the same identity hiding requirement, and their subscription information must not be visible to the mobile operator unless authorized. The operator is willing to support identity hiding for special users, provides extra IMSI or SUPI number resources, does not interfere with or learn the specific allocation of those number resources unless authorized, and is accountable to the specific industry. The specific industry customizes the IMSI or SUPI allocation rules and hopping algorithm, may make the necessary modifications or customizations to the UE and USIM card (or eSIM card), and may make the necessary customizing modifications (customization service for short) to the HSS or AUSF/UDM/UDR entity in the network that administers the user group.
The terminal-initiated method for hiding the user identity in a mobile communication system comprises two interrelated methods and processes: first, the terminal generates a new IMSI or SUPI; second, the terminal uses the new IMSI or SUPI to update the network, resynchronize with it and resolve collisions.
The generation of the new IMSI or SUPI by the terminal specifically comprises the following steps:
step S101, a specific industry applies to an operator for available IMSI or SUPI number resources according to the number of users in the industry and hands them to a customization service; the number of available numbers must be more than twice the number of users;
step S102, the customization service segments the available number resources according to the number of users into an initial number segment (assumed to be called number segment 1) and a hop number segment, where the number of numbers in each segment is greater than or equal to the number of users and the segments are made as contiguous as possible to reduce the subsequent amount of calculation; when a user subscribes, one number in number segment 1 is selected as the initial number, and after the user hops that number is released and added to the hop number segment to enlarge the hop space;
step S103, a special user applies for the identity hiding service to the specific industry it belongs to; after the industry approves the application it is passed to the customization service, which allocates an initial IMSI or SUPI to the user from number segment 1, determines the user's hopping algorithm and hopping control parameters, and determines the hopping trigger condition;
step S104, the customization service writes the initial IMSI or SUPI into the user's USIM card (or eSIM card), writes the trigger condition and the hopping control parameters into the UE, and at the same time writes the hopping algorithm, the number segment information and so on into a customizable component of the user terminal; the customizable component comprises the customized USIM card (or eSIM card) and may also be a customizable firmware part in the Communication Processor (CP) of the UE;
step S105, the UE performs initial attachment and registration with the initial IMSI or SUPI (in 5G, the SUCI obtained by encrypting the SUPI); if registration succeeds, normal communication begins until the trigger condition arrives; if registration fails, go to step S107;
step S106, when the trigger condition is reached, the UE detaches, logging the current user off the mobile network with the standard flow and protocol;
step S107, the UE restarts the initial attach procedure: first the UE regenerates a new hopping control parameter and inputs it into its customizable component; the customizable component calls the hopping algorithm, which according to the hopping control parameter picks a random new IMSI or SUPI number from the hop number segment to which the current IMSI or SUPI belongs; the UE then restarts the attach and registration procedure with this new IMSI or SUPI.
In this method the hopping algorithm is used mainly to select a random new IMSI or SUPI number for the UE, so that an attacker cannot derive the new IMSI or SUPI from the UE's previous one. The hopping algorithm may be a rule for dynamic random mapping of numbers or a format-preserving encryption algorithm, but it must guarantee that, within the same number segment, different hopping control parameters yield different values. The hopping control parameter is the control variable used to calculate the IMSI or SUPI: it makes the output of the hopping algorithm unique and collision-free when values are taken from the same number segment, and it is related to the current IMSI or SUPI, the key (or random-number seed or offset) corresponding to the user, and a unique state variable available across the whole network (such as time or a sequence number); it ensures that the same user generates the same IMSI or SUPI on the UE side and in the network's HSS or UDM/UDR, and that different users do not collide. The trigger condition is the moment at which the terminal hops numbers: it may be a time, if the terminal hops periodically, or an event preset in the terminal or a notification issued by the network, if the hop is event-triggered. The terminal UE and the HSS or UDM/UDR serving the subscription on the network side must keep the same hopping algorithm and hopping control parameters so that they stay synchronized.
The terminal uses the new IMSI or SUPI to update the network, resynchronize with it and resolve collisions as follows:
step S201, the terminal initiates a detach process, cancelling the old IMSI or SUPI; the message reaches, via the standard protocol, the HSS or UDM/UDR that provides the customization service for the specific industry, which marks the user's state as offline (the state is otherwise online) and keeps storing the IMSI or SUPI of the offline user until it is replaced by the new IMSI or SUPI;
step S202, the terminal obtains the new IMSI or SUPI and initiates a registration process to the network according to the standard flow; the process is the same as the first registration and consistent with the procedure and protocol specified by the 4G/5G standards: in a 4G network the IMSI is used directly for registration, while in a 5G network the SUPI is encrypted into a new SUCI, where the encryption algorithm may be the standard algorithm or one customized by the specific industry;
step S203, the AMF/MME forwards the attach message, according to the received IMSI or SUCI and related indicators, to the HSS or AUSF/UDM/UDR that provides the customization service for the specific industry;
step S204, the HSS or UDM/UDR of the customization service performs a collision check on the IMSI or SUCI in the received attach message: for a 4G network it uses the IMSI directly to look up whether an online user is already registered with and occupying that number; for a 5G network the UDM/UDR must first decrypt the SUCI to recover the SUPI, then use the SUPI to look up whether an online user is already registered with and occupying it;
step S205, if the number is already registered, a collision has occurred: the HSS or UDM/UDR notifies the terminal that registration has failed, the terminal generates a new IMSI or SUPI in the hop number segment with a new hopping parameter, and the procedure returns to step S202;
step S206, if no collision occurs, the HSS or UDM/UDR of the customization service applies the corresponding hopping function with the current hopping control parameter to every user in the offline state, generating their IMSI or SUPI values, and matches the IMSI or SUPI received in the registration message against the calculated values; if a match succeeds it sets the state of the user corresponding to that IMSI or SUPI to online, returns an authentication vector and so on according to the protocol standard, and continues the subsequent standard flow; if no match is found, the procedure returns to step S202.
In step S206 an alternative is to apply the hopping algorithm in reverse (decryption) to the non-colliding IMSI or SUPI directly, recovering the previous IMSI or SUPI and completing registration, so that the hop calculation need not be performed for all offline users.
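The following Python simulation is an added example, not code from the patent or its assignees. It plays out the terminal side (S106, S107, S202) and the customization-service HSS side (S201, S204 to S206) with a constructed hop segment, an HMAC-based hopping algorithm, and a network-wide epoch plus retry counter standing in for the hopping control parameter; all of these are assumptions, and SUCI encryption is left out.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed values (not from the patent): a hop number segment of 1000
# IMSI-style numbers, and a retry bound assumed to be shared by UE and HSS.
SEGMENT_START = 460_000_100_000_000
SEGMENT_SIZE = 1000
MAX_ATTEMPTS = 4

def hop(current_id: int, user_key: bytes, epoch: int, attempt: int) -> int:
    """Assumed hopping algorithm: HMAC-SHA256 keyed with the user's key over the
    current number and the hopping control parameter (a network-wide epoch, the
    patent's unique state variable, plus a retry counter used after a collision),
    mapped into the hop segment. UE and HSS compute the same value for a user;
    different users have different keys, so two users can still land on the
    same number, which is why the HSS runs the collision check of S204/S205."""
    msg = f"{current_id}|{epoch}|{attempt}".encode()
    mac = hmac.new(user_key, msg, hashlib.sha256).digest()
    return SEGMENT_START + int.from_bytes(mac[:8], "big") % SEGMENT_SIZE

@dataclass
class Record:
    """Subscriber record in the industry's customized HSS or UDM/UDR."""
    user_key: bytes
    current_id: int
    online: bool = True

class CustomizedHSS:
    """Back-end side. 5G SUCI decryption is omitted: numbers are handled as the
    UDM/UDR sees them once the SUCI has been decrypted back to a SUPI (S204)."""

    def __init__(self) -> None:
        self.records: dict[str, Record] = {}

    def provision(self, name: str, user_key: bytes, initial_id: int) -> None:
        # S103/S104: initial number from segment 1; the same key and algorithm
        # are written to the UE's customizable component.
        self.records[name] = Record(user_key, initial_id)

    def detach(self, number: int) -> None:
        # S201: mark the user offline but keep the old number until replaced.
        for rec in self.records.values():
            if rec.online and rec.current_id == number:
                rec.online = False
                return

    def attach(self, number: int, epoch: int) -> tuple[bool, str]:
        # S204/S205: a number held by an online user is a collision.
        if any(r.online and r.current_id == number for r in self.records.values()):
            return False, "collision"
        # S206: recompute the hop of every offline user and look for a match.
        for rec in self.records.values():
            if rec.online:
                continue
            for attempt in range(MAX_ATTEMPTS):
                if hop(rec.current_id, rec.user_key, epoch, attempt) == number:
                    rec.current_id = number
                    rec.online = True
                    return True, "matched"
        # Unknown or desynchronized number: registration fails (back to S202).
        return False, "no-match"

class UE:
    """Terminal side: key and current number live in the customizable component."""

    def __init__(self, user_key: bytes, initial_id: int) -> None:
        self.user_key = user_key
        self.current_id = initial_id

    def rehop(self, hss: CustomizedHSS, epoch: int) -> int:
        # S106/S201: trigger condition reached, detach with the old number.
        hss.detach(self.current_id)
        # S107/S202: hop from the old number; after a collision use a fresh
        # retry counter (a new hopping control parameter) and register again.
        for attempt in range(MAX_ATTEMPTS):
            candidate = hop(self.current_id, self.user_key, epoch, attempt)
            ok, _reason = hss.attach(candidate, epoch)
            if ok:
                self.current_id = candidate
                return candidate
        raise RuntimeError("no collision-free number within the retry bound")

def demo() -> dict[str, object]:
    """Constructed scenario: Bob is online on exactly the number Alice's first
    hop would produce, so Alice's first attempt collides and her second succeeds."""
    hss = CustomizedHSS()
    alice_key, alice_initial, epoch = b"alice-key", 460_000_099_000_001, 7
    hss.provision("alice", alice_key, alice_initial)
    alice = UE(alice_key, alice_initial)
    clash = hop(alice_initial, alice_key, epoch, 0)
    hss.provision("bob", b"bob-key", clash)
    new_id = alice.rehop(hss, epoch)
    return {"old": alice_initial, "new": new_id, "clash": clash,
            "alice_online": hss.records["alice"].online,
            "stray": hss.attach(SEGMENT_START + 1, epoch)}
```

The `stray` entry shows the S206 failure path: a number that no offline user's hop produces is rejected, which is also what happens when UE and HSS hold different hopping control parameters.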
The invention also provides an alternative method of generating the hop number, which reduces the need for a network-wide unique state variable or sequence number in the hopping control parameter. Briefly: first, all available numbers are segmented according to the number of users, say into number segments 1, 2 and 3, and the user side and the network are both required to take values from the segments in sequence as they hop, i.e. the value space is number segment 1 for the user's first hop, number segment 2 for the second hop, number segment 3 for the third, and then the cycle repeats. The hopping algorithm guarantees that each user's value within the same number segment is unique and collision-free, while the values in different rounds are random. The HSS or UDM/UDR stores two values for each user, the current number and the next hop number, and periodically calculates each user's value and stores it as that user's next hop number; the purpose of the periodic calculation is to ensure that the mapping of users is one-to-one. The length of the period is decided by the specific industry, and a shorter period means faster hopping. When the terminal registers, if its IMSI or SUPI collides with the current number of an online user, or fails to match the next hop numbers of all offline users, the terminal and the network are out of synchronization and authentication fails; the terminal then regenerates a new number, taking its value from the next number segment, until authentication succeeds.
Synchronization can therefore be completed with a bounded number of re-registration authentications (at most the number of number segments minus 1), and the network-wide unique state variable that the terminal and the network had to acquire simultaneously as part of the hopping control parameter can be dropped and replaced by the number segments and their value sequence. The main modified flow is as follows:
1) in step S102, the customization service segments the available number resources according to the number of users, the number of numbers in each segment being greater than or equal to the number of users and the segments being made as contiguous as possible to reduce the subsequent calculation; the segments are called number segment 1, number segment 2 … …, and one of them is selected as the initial number segment (assumed to be called number segment 1);
2) in step S104, the number segment information and the segment sequence are written into the UE together as part of the hopping control parameter;
3) in step S107, the hopping algorithm generates and registers an IMSI or SUPI from the number segment that follows, in sequence, the segment to which the current IMSI or SUPI belongs;
4) in step S204, the IMSI or SUPI in the registration message is looked up against the current numbers of online subscribers to determine whether it is already occupied by a registration;
5) in step S206, if no collision occurs, the HSS or UDM/UDR of the customization service looks up the next hop numbers of the offline users and matches them against the IMSI or SUPI received in the registration message; if a match succeeds it writes the IMSI or SUPI into the current number table, sets the corresponding user's state to online, returns an authentication vector and so on according to the protocol standard, and continues the subsequent standard flow; if no match is found, it is handled as a collision.
The remaining processes are essentially the same and are not described again here. The benefit of this alternative is that the UE and the network HSS or UDM/UDR need not be synchronized through a network-wide unique state variable, but only through the periodic calculations of the network HSS or UDM/UDR; the disadvantage is that the probability of UE registration failure increases.
The invention also discloses a system for protecting the IMSI or SUPI identity in a mobile communication system. It follows the international standard architecture, and its functional entities comprise the UE (including the USIM/eSIM card), the serving AMF/MME, and the trusted HSS or AUSF/UDM/UDR of the special industry. The UE performs the IMSI or SUPI change and initiates network attach/detach requests; the serving AMF/MME correctly forwards the messages to the trusted HSS or AUSF/UDM/UDR; and the trusted HSS or AUSF/UDM/UDR generates new IMSI or SUPI information for the UE according to the policy of the special user in the specific industry and performs collision detection, synchronization and so on.
With this technical scheme, the beneficial effects of the invention are seen in several respects. First, changing the IMSI or SUPI makes the correspondence between a given user and the IMSI or SUPI vary randomly, increasing the difficulty for an attacker to track the user or infer the user's real-world identity by capturing the IMSI or SUPI. Second, all added processing takes place in a specific component of the terminal and in the storage management network element at the network back end that serves the specific industry; the intermediate protocol interactions, signalling formats and so on fully comply with the relevant mobile communication protocol standards, no additional requirements are placed on the serving network elements, implementation within the industry is easy, and the additional construction and operating cost for the specific industry is low. Third, because the terminal initiates the process, no explicit network-wide synchronization flow is needed and the network communication overhead is low; through control of the number segments and choice of the hopping algorithm, personalized customization according to the characteristics and scale of the industry is easier, better meeting the needs of different specific industries. Fourth, the method has a wide range of application: it suits not only 5G networks but also 4G networks and future mobile communication systems that use an IMSI or SUPI as the permanent identity.
The terminal-initiated method and system for hiding the user identity in a mobile communication system provided by the invention are now described in further detail, taking a 5G network as an example, with reference to the accompanying drawings and an embodiment. It should be understood that the specific embodiments described here merely illustrate the invention and do not limit it.
In this embodiment the functional entities using the terminal-initiated method for hiding the user identity in a mobile communication system comprise: the mobile terminal UE, the radio access network RAN, the visited network functions, the general home network functions, and the home network unified data management / authentication server function UDM/AUSF.
The mobile terminal UE generates a new hopping parameter, obtains a new hidden SUPI number by running the hopping algorithm on that parameter, generates the corresponding SUCI from the SUPI, and initiates the network detach/attach process.
The general functions of the access network, the visited network and the home network are fully consistent with the standard; they passively cooperate with the secure terminal to complete the network detach and attach processes.
The home network UDM/AUSF determines, according to a given policy, whether the user's new SUPI number conflicts or collides with the SUPI numbers of other users, and if so responds to the UE with an authentication failure.
As shown in fig. 1, once the hopping condition is triggered on the mobile terminal UE, the UE initiates and executes the SUPI change process; with the alternative method of the invention, the UDM periodically calculates the SUPI for the next hop (see dashed box 1 in fig. 1):
first, the UE initiates a network detach process, removing the traces of the old SUPI from the mobile communication network;
after the detach process completes, the UE generates a new hopping parameter, generates a new SUPI number from it with the hopping algorithm, and generates the corresponding SUCI from the new SUPI number;
the UE initiates the network attach procedure using the SUCI;
the home network UDM/AUSF decrypts the SUCI to obtain the new SUPI number;
the home network UDM/AUSF checks whether the user's new SUPI number conflicts or collides with other users; if there is no conflict, authentication succeeds, otherwise it fails;
if the UE receives an authentication success, it continues and completes the attach process; otherwise it regenerates a new SUPI number and initiates the attach process again.

Claims (9)

1. A terminal-initiated method for hiding the user identity of a mobile communication system, characterized in that the method comprises the following steps:
firstly, the terminal generates a new IMSI or SUPI:
step S101, a specific industry applies to an operator for available IMSI or SUPI number resources and hands them over to a customization service, wherein the number of available number resources is more than 2 times the number of users;
step S102, the customization service segments the available number resources so that each segment contains at least as many numbers as there are users;
step S103, a special user applies to the specific industry to which it belongs for the identity hiding service; after the specific industry approves the application, it is forwarded to the customization service, which allocates an initial IMSI or SUPI to the user from number segment 1, determines the user's hopping algorithm and hopping control parameters, and determines the hopping trigger condition;
step S104, the customization service writes the initial IMSI or SUPI into the user's USIM card or eSIM, writes the trigger condition and the hopping control parameters into the UE, and writes the hopping algorithm and the number segment information into a customizable component of the user terminal;
step S105, the UE performs initial attachment and registration using the initial IMSI or SUPI; if the registration fails, the UE restarts the initial attach procedure; if the registration succeeds, normal communication begins until a trigger condition arrives;
step S106, when the trigger condition is reached, the UE performs a detach, and the current user is deregistered from the mobile network using the standard flow and protocol;
secondly, the terminal uses the new IMSI or SUPI to update the network, synchronize with it and eliminate collisions:
step S201, the terminal initiates a detach procedure that cancels the old IMSI or SUPI; the message is notified through the standard protocol to the HSS or UDM/UDR that provides the customization service for the specific industry; on receiving the message, the HSS or UDM/UDR marks the user's state as offline and keeps the IMSI or SUPI of the offline user until it is replaced by the newly generated IMSI or SUPI;
step S202, the terminal obtains an IMSI or SUPI and initiates a registration procedure with the network according to the standard process;
step S203, according to the received IMSI or SUCI and the related indicators, the AMF/MME forwards the attach message to the HSS or AUSF/UDM/UDR that provides the customization service for the specific industry;
step S204, the HSS or UDM/UDR performs a collision check on the IMSI or SUCI in the received attach message: if a collision occurs, the HSS or UDM/UDR notifies the terminal that registration has failed, the terminal generates a new IMSI or SUPI from the hop number segment with a new hopping parameter, and returns to step S202; if no collision occurs, the HSS or UDM/UDR matches the newly generated IMSI or SUPI against the IMSI or SUPI in the received registration message; if the match succeeds, it sets the user state corresponding to that IMSI or SUPI to online, returns an authentication vector according to the protocol standard and continues the subsequent standard flow; if the match fails, it returns to step S202.
2. The method of claim 1, wherein: when the available number resources are segmented, they are divided into an initial number segment and a hop number segment; when a user subscribes, one number in the initial number segment is selected as the initial number, and after the user hops, that number is released and added to the hop number segment.
3. The method of claim 2, wherein the UE restarting the initial attach procedure means: firstly, the UE regenerates a new hopping control parameter and inputs it into the customizable component of the UE; the customizable component calls the hopping algorithm to obtain, according to the hopping control parameter, a random new IMSI or SUPI number from the hop number segment of the current IMSI or SUPI and records it as the IMSI or SUPI; the UE then restarts the attach and registration procedure using that IMSI or SUPI.
4. The terminal-initiated method for hiding the user identity of a mobile communication system according to claim 3, wherein the method for generating a new IMSI or SUPI in step S204 comprises: the HSS or UDM/UDR calls the corresponding hopping function with the current hopping control parameters for every user in the offline state to generate a new IMSI or SUPI.
5. The method of claim 1, wherein: in step S204, if no collision occurs, the HSS or UDM/UDR directly uses the non-colliding IMSI or SUPI to reverse-decrypt the IMSI or SUPI and complete the registration.
6. The method of claim 1, wherein: when the available number resources are segmented, one number segment is selected as the initial number segment, and the number segment information and the segment order are written into the UE by the customization service as part of the hopping control parameters.
7. The method of claim 6, wherein: in step S105, when the registration fails, the hopping algorithm generates an IMSI or SUPI from the number segment following the segment to which the current IMSI or SUPI belongs, and registers with it.
8. The method of claim 7, wherein: in step S204, if no collision occurs, the HSS or UDM/UDR looks up the next-hop number of the offline user and matches it against the IMSI or SUPI in the received registration message; if the match succeeds, it writes the IMSI or SUPI into the current number table, sets the corresponding user state to online, returns an authentication vector according to the protocol standard and continues the subsequent standard procedure.
9. The method of claim 1, wherein: the customizable component comprises a customized USIM card or eSIM card, and a customizable firmware part in the communication processor of the UE.
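The hopping and collision-handling procedure described in the embodiment above and in claims 1 to 8, as an added Python simulation; this is not code from the patent or from any product it describes. The assumptions are labelled in the code: the hopping algorithm is a keyed PRF (HMAC-SHA256) over a per-user counter that stands in for the hopping control parameter; the SUCI concealment is a toy nonce-XOR stand-in for the real ECIES scheme; the HSS/UDM keeps each user's last matched counter and tries a bounded lookahead window when matching a returning user, since the patent does not say how the two sides keep the parameter in step; and the number plan (four users, three segments of five numbers) is constructed. The names UE, UDM, hop, conceal, deconceal, build_demo and hop_round are hypothetical.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed number plan (S101-S102, claim 2): pool > 2x users, each segment >= users;
# segment 0 is the initial segment, the remaining segments together form the hop segment.
N_USERS, SEGMENT_SIZE, N_SEGMENTS = 4, 5, 3
POOL = [f"imsi-460990000{seg}{idx:02d}" for seg in range(N_SEGMENTS) for idx in range(SEGMENT_SIZE)]
SEGMENTS = [POOL[i * SEGMENT_SIZE:(i + 1) * SEGMENT_SIZE] for i in range(N_SEGMENTS)]
assert len(POOL) > 2 * N_USERS and all(len(s) >= N_USERS for s in SEGMENTS)
INITIAL_SEGMENT = SEGMENTS[0]
HOP_SEGMENT = [n for seg in SEGMENTS[1:] for n in seg]

HN_KEY = b"constructed-home-network-key"  # stand-in for the home-network key behind SUCI
LOOKAHEAD = 64                            # assumption: counter window the UDM tries when matching


def hop(user_key: bytes, hop_param: int) -> str:
    """Hopping algorithm (assumption): keyed PRF of the hop parameter, reduced onto the hop segment."""
    digest = hmac.new(user_key, hop_param.to_bytes(8, "big"), hashlib.sha256).digest()
    return HOP_SEGMENT[int.from_bytes(digest[:8], "big") % len(HOP_SEGMENT)]


def conceal(supi: str) -> bytes:
    """Toy SUCI: nonce || (SUPI XOR HMAC(HN_KEY, nonce)); the fresh nonce keeps a SUPI from repeating on air."""
    nonce = os.urandom(8)
    stream = hmac.new(HN_KEY, nonce, hashlib.sha256).digest()
    return nonce + bytes(a ^ b for a, b in zip(supi.encode(), stream))


def deconceal(suci: bytes) -> str:  # home-network side of the toy SUCI scheme
    nonce, body = suci[:8], suci[8:]
    stream = hmac.new(HN_KEY, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(body, stream)).decode()


@dataclass
class UE:
    user_id: str
    user_key: bytes   # hop key written into the customizable component (S104)
    supi: str         # initial SUPI written into the USIM/eSIM (S104)
    hop_param: int = 0

    def hop_to_new_supi(self) -> None:  # S202 and the S204 retry path: new parameter, new number
        self.hop_param += 1
        self.supi = hop(self.user_key, self.hop_param)


@dataclass
class UDM:
    current: dict = field(default_factory=dict)  # current number table: SUPI -> user_id
    online: dict = field(default_factory=dict)   # user_id -> True while attached
    profile: dict = field(default_factory=dict)  # user_id -> [user_key, last matched hop_param]

    def initial_attach(self, ue: UE) -> bool:  # S105: initial number must be from segment 0 and unused
        if ue.supi not in INITIAL_SEGMENT or ue.supi in self.current:
            return False
        self.current[ue.supi] = ue.user_id
        self.online[ue.user_id] = True
        self.profile[ue.user_id] = [ue.user_key, ue.hop_param]
        return True

    def detach(self, supi: str) -> None:  # S201: user goes offline, old number stays until replaced
        self.online[self.current[supi]] = False

    def attach(self, suci: bytes) -> tuple:  # S203-S204: deconceal, collision check, match (claims 4, 8)
        supi = deconceal(suci)
        if supi in self.current:  # number still held in the table: collision, registration fails
            return False, "collision"
        for user_id, (key, last_param) in self.profile.items():
            if self.online[user_id]:
                continue
            for step in range(1, LOOKAHEAD + 1):
                if hop(key, last_param + step) == supi:
                    old = next(s for s, u in self.current.items() if u == user_id)
                    del self.current[old]  # old number released (claim 2)
                    self.current[supi] = user_id
                    self.profile[user_id][1] = last_param + step
                    self.online[user_id] = True
                    return True, user_id  # a real UDM would now return the authentication vector
        return False, "no-match"


def build_demo():  # constructed subscribers: four users with distinct initial numbers from segment 0
    udm = UDM()
    ues = [UE(f"user{i}", hashlib.sha256(f"constructed-key-{i}".encode()).digest(), INITIAL_SEGMENT[i])
           for i in range(N_USERS)]
    for ue in ues:
        assert udm.initial_attach(ue)
    return udm, ues


def hop_round(udm: UDM, ues: list) -> int:  # every UE detaches, hops, re-attaches; returns retries used
    retries = 0
    for ue in ues:
        udm.detach(ue.supi)
        for _ in range(LOOKAHEAD):
            ue.hop_to_new_supi()
            ok, _info = udm.attach(conceal(ue.supi))
            if ok:
                break
            retries += 1  # S204 collision: back to S202 with the next hop parameter
        else:
            raise RuntimeError(f"{ue.user_id} exhausted its hop window")
    return retries
```

Running hop_round on build_demo() moves every user out of the initial segment into the hop segment; a collision at S204 is answered with a registration failure and the UE hops again with the next counter value, which the lookahead window lets the UDM follow without any explicit synchronization message. Two points the simulation makes visible: the match step only selects a subscription record, so in a real network it is the subsequent AKA run with the key stored in that record (not modelled here) that proves the attaching UE actually holds it; and the segment-size rule of S102 (each segment at least as large as the user population) is what keeps the collision rate, and with it the number of failed attach attempts observable on the air interface, low.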
CN201810839413.7A 2018-07-27 2018-07-27 Method for hiding user identity of mobile communication system initiated by terminal Active CN108901018B (en)


Publications (2)

Publication Number Publication Date
CN108901018A CN108901018A (en) 2018-11-27
CN108901018B true CN108901018B (en) 2021-02-12

Family

ID=64352148

Country Status (1)

Country Link
CN (1) CN108901018B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant